California’s New CCPA Cybersecurity Audit Regulations: A Roadmap to “Reasonable” Security?

Wyrick Robbins Yates & Ponton LLP

Last week, the California Privacy Protection Agency (“Agency”) approved adoption of detailed new regulations under the CCPA that will include (among other notable components) a rule requiring annual cybersecurity audits for certain businesses (the “Rule”). The Rule, an updated version of draft cybersecurity audit regulations originally released by the Agency almost two years ago, will do more than just impose another compliance obligation—it could provide a useful window into what California regulators consider to be “reasonable” security practices for protecting personal information.

This post examines the new cybersecurity audit requirements under the CCPA, explores how they define “reasonable” security, and discusses the practical implications for businesses subject to the law.

Background: The Mandate for Cybersecurity Audits

The California Privacy Rights Act, passed by California voters through a ballot initiative in 2020, amended the CCPA to include a provision requiring the Agency to issue regulations requiring businesses whose processing of personal information presents a “significant risk” to consumers’ privacy or security to conduct annual cybersecurity audits, and establishing a process to ensure those audits are “thorough and independent.”

The Rule operationalizes this mandate. It specifies which businesses are subject to the audit requirement, what the audits must cover, and how they must be conducted. The Rule also clarifies the meaning of “significant risk,” tying it to both the scale of data processing and the nature of a business’s revenue streams.

Who Must Comply?

Under the Rule, a CCPA-covered business is required to conduct an annual cybersecurity audit if it meets either of the following criteria:

  • It derives 50% or more of its annual revenues from selling or sharing consumers’ personal information; or
  • It has annual gross revenues exceeding $26,625,000 (adjusted periodically for inflation) and, in the preceding calendar year, processed the personal information of 250,000 or more consumers or households, or the sensitive personal information of 50,000 or more consumers.

The Rule thus targets larger businesses, and those whose business models rely heavily on the monetization of personal information, reflecting the Agency’s view that these entities pose the greatest risk to consumer privacy and security.

The Audit Process: Independence and Objectivity

The Rule requires that cybersecurity audits be conducted by a “qualified, objective, independent professional.” The auditor may be internal or external, but they must have expertise in cybersecurity and auditing, and must be free from influence by the business’s owners, managers, or employees. If an internal auditor is used, the highest-ranking auditor must report directly to a member of executive management who does not have responsibility for the business’s cybersecurity program.

The business must make available to the auditor “all information in the business’s possession, custody, or control that the auditor requests as relevant to the cybersecurity audit,” must make good faith efforts to disclose “all facts relevant to the cybersecurity audit,” and is expressly prohibited from misrepresenting any fact relevant to the audit.

These requirements appear designed to ensure that audits are not mere box-checking exercises, but a more candid, impartial assessment of the business’s cybersecurity posture.

Defining “Reasonable” Security: The Audit as a Regulatory Roadmap

A key aspect of the Rule is the detailed list of cybersecurity controls and practices that define the scope of the required audit. To that end, the Rule requires the auditor to assess, “if applicable,” the following controls and practices that comprise the business’s cybersecurity program:

  • Authentication Controls: Use of multi-factor authentication (MFA), including phishing-resistant MFA for employees, contractors, and service providers; strong, unique passwords or passphrases.
  • Encryption: Encryption of personal information both at rest and in transit.
  • Access Controls: Restricting access to personal information to only those individuals, accounts, or applications that need it; limiting the number of privileged accounts; monitoring the creation of new accounts; and restricting physical access to personal information.
  • Data Inventory and Management: Maintaining an inventory of data flows, hardware, and software.
  • Secure Configuration of Hardware and Software: Secure configuration of systems; patch management; masking of sensitive personal information as appropriate.
  • Vulnerability Management: Internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting.
  • Logging and Monitoring: Centralized storage, retention, and monitoring of audit logs; network monitoring and deployment of intrusion detection and prevention systems; data loss prevention tools.
  • Malware Protection: Use of antivirus and antimalware solutions.
  • System Segmentation: Segmentation of networks and limitation of ports, services, and protocols.
  • Training and Awareness: Ongoing cybersecurity education and training for all personnel with access to information systems.
  • Secure Development Practices: Adoption of secure coding and development best practices, including code reviews and testing.
  • Vendor Oversight: Oversight of service providers, contractors, and third parties to ensure compliance with contractual and legal obligations.
  • Data Retention and Disposal: Implementation of retention schedules and secure disposal of personal information that is no longer needed.
  • Incident Response and Business Continuity: Documented incident response plans, regular testing of incident response capabilities, and business continuity and disaster recovery planning.

The audit must also assess how the business implements and enforces compliance with the controls the auditor deems applicable, and must document any gaps or weaknesses, along with a plan and timeline for remediation.

Importantly, the Rule recognizes that not every control will apply to every business. The auditor is tasked with determining which controls are appropriate, taking into account the size and complexity of the business, the nature and scope of its data processing, the state of the art, and the cost of implementation. This flexible, risk-based approach is consistent with broader cybersecurity best practices and acknowledges that “reasonable” security is not one-size-fits-all.

Even so, the codification of this list of controls and practices in the Rule is a strong indication of what the Agency itself will likely be looking for when it assesses whether any business subject to the CCPA has complied with the CCPA’s requirement to “implement reasonable security procedures and practices appropriate to the nature of the personal information.” All businesses subject to the CCPA should, therefore, consider the Rule as a framework for assessing the reasonableness of their own cybersecurity program, whether or not they meet the criteria for the Rule.

Audit Documentation and Certification

The Rule requires the business to create an audit report that is thorough and evidence-based. It must identify the specific evidence examined (such as documents reviewed, testing performed, and interviews conducted) and cannot rely primarily on management assertions. The report must detail the status of any identified gaps or weaknesses and the business’s plan to address them. The auditor must certify that the audit was conducted independently and impartially.

While businesses need not submit the full audit report to the Agency, they must submit a written certification of completion, signed by an executive with direct responsibility for cybersecurity audit compliance.

Implementation Timeline

The Rule provides a phased implementation that depends on a business’s gross revenue:

  • Businesses with annual gross revenue over $100 million for 2026 (as of January 1, 2027) must complete their first audit by April 1, 2028, covering the 2027 calendar year.
  • Businesses with annual gross revenue between $50 million and $100 million for 2027 as of January 1, 2028 must complete their first audit by April 1, 2029, covering the 2028 calendar year.
  • Businesses with gross revenue under $50 million for 2028 must complete their first audit by April 1, 2030, covering the 2029 calendar year.

After the initial audit, a business must complete an audit for any year in which it meets the application criteria for the Rule as of January 1 of that year. For example, the Rule explains, if the business meets those criteria as of January 1, 2035, it must conduct an audit for the period from January 1, 2035 through January 1, 2036, and complete its audit report by April 1, 2036.

Next Steps

The new regulations will now be submitted by the Agency to the Office of Administrative Law (OAL), which will in turn have thirty working days to review the submission for compliance with the California Administrative Procedure Act. Once approved by the OAL, regulations typically take effect on one of four quarterly dates: January 1, if filed between September 1 and November 30; April 1, if filed between December 1 and February 29; July 1, if filed between March 1 and May 31; and October 1, if filed between June 1 and August 31. Under these rules, the earliest date the CCPA regulations could take effect would be October 1. As explained on the OAL website describing California’s rulemaking process, however, “effective dates may vary . . . if the agency demonstrates good cause for an earlier effective date.”

Regardless of the effective date, businesses will have some time to prepare, as the first audit reports and corresponding certifications to the Agency will not be due until April 1, 2028.

Practical Implications and Takeaways

  • A Clearer Standard for “Reasonable” Security. The new Rule provides a detailed, regulator-endorsed checklist of security controls and practices that, if implemented appropriately, will likely be viewed as meeting the CCPA’s “reasonable” standard. But failure to implement those controls and practices without ample justification will likely be viewed as evidence that the business fell short.
  • A Uniform Baseline. The Rule could help move away from the case-by-case, settlement-driven approach to defining security obligations. Instead, it could help establish a uniform baseline for reasonable security that applies to all CCPA-covered businesses, reducing uncertainty and leveling the playing field.
  • Potential Litigation and Enforcement Risks. Although audit reports required by the Rule are not required to be submitted to regulators, they may be subpoenaed by the Agency or the attorney general in investigations or could potentially become discoverable in litigation following a data breach. To help reduce the likelihood that the reports are subject to compelled disclosure, businesses may wish to carefully consider how these reports are prepared, reviewed, and maintained, including the involvement of legal counsel where appropriate. Taking thoughtful steps in this regard can help ensure that sensitive information is handled in a manner that supports the company’s legal interests. At the same time, it will be essential to ensure that audit reports are thorough, accurate, and professionally prepared, while avoiding careless, speculative, or poorly considered statements that could be misconstrued or used against the business in regulatory or legal proceedings.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wyrick Robbins Yates & Ponton LLP
