Clarifying CCPA Requirements to Complete Cybersecurity Audits
Update:
On July 24, 2025, the CPPA Board voted to approve revised regulations.
- An updated article, Clarifying CCPA Requirements for When and How a Business Must Conduct Risk Assessments, is available here: Clarifying CCPA Requirements for When and How a Business Must Conduct Risk Assessments.
- An updated article, Clarifying CCPA Requirements for the Use of Automated Decisionmaking Technology, is available here: Clarifying CCPA Requirements for the Use of Automated Decisionmaking Technology.
- An updated article, Clarifying CCPA Requirements to Complete Cybersecurity Audits, is available here: Clarifying CCPA Requirements to Complete Cybersecurity Audits.
For further clarification on how these regulations impact your business or to discuss how to operationalize potential requirements, contact David Wilson at dwilson@keglerbrown.com.
Summary
- The CPPA Board voted to advance proposed draft regulations on November 8th addressing the requirement to complete cybersecurity audits.
- Businesses that meet prescribed thresholds must conduct annual cybersecurity audits satisfying detailed thoroughness and independence requirements.
- The cybersecurity audit must assess and document the effectiveness of prescribed components.
- Covered businesses must submit written certification to the CPPA every calendar year.
- The certification must be signed and dated by a member of the board or governing body or, in certain circumstances, the business’s highest-ranking executive with authority, and must include a statement that the signer has reviewed and understands the findings of the cybersecurity audit.
On November 8th, the CPPA Board voted to advance proposed draft regulations related to required cybersecurity audits. Among other topics, the regulations address requirements with respect to cybersecurity audits, including independence, timing, scope requirements, and mandatory certifications and submissions to the CPPA. New automated decisionmaking technology and risk assessment requirements are some of the other requirements outlined in the proposed draft regulations. The regulations remain subject to additional rulemaking.
When is a Cybersecurity Audit Required?
An independent cybersecurity audit must be conducted by a business subject to the CCPA if the processing of personal information presents a significant risk to the consumers’ security.
A business’s processing of personal information presents a significant risk to consumers’ security, and a cybersecurity audit must be completed, if either of the following is true:
- The business had over $28 million in annual gross revenue for the preceding calendar year, and in that year it either:
  - processed IP addresses or other personal information of 250,000 or more consumers, or
  - processed the sensitive personal information of 50,000 or more consumers; or
- The business derives 50 percent or more of its annual revenue from selling or sharing personal information.
Are Cybersecurity Audits a New Concept?
The concept exists in several sectoral laws often focused on highly regulated industries (e.g., health care, financial services, or critical infrastructure).
The proposed regulations clarify that the requirements may apply to both bakeries and banks, extending these audit concepts to additional businesses irrespective of whether those businesses are highly regulated (banks) or not (selling cakes, t-shirts, marketing services, etc.).
The regulations also apply to GLBA and certain other highly regulated businesses due to certain data (not entity) level exemptions contained in the CCPA.
Audits Require Independence
Every business required to complete a cybersecurity audit must do so using a qualified, objective, independent professional and generally accepted standards and procedures. The auditor may be internal or external but must exercise objective and impartial judgment.
The regulations include detailed independence examples and factors. By way of example, the auditor must not participate in the business activities that they may assess in the current or subsequent cybersecurity audits, including developing procedures, preparing the business’s documents, or making recommendations regarding, implementing, or maintaining the business’s cybersecurity program.
The cybersecurity audit must include the auditor’s name, affiliation, and relevant qualifications.
Audits Require Thoroughness and a Detailed Scope
Among other prescribed requirements, the cybersecurity audit must:
- Assess, document, and summarize each applicable component of the business’s cybersecurity program,
- Specifically identify any gaps or weaknesses in the business’s cybersecurity program,
- Specifically address the status of any gaps or weaknesses identified in any prior cybersecurity audit,
- Specifically identify any corrections or amendments to any prior cybersecurity audits, and
- Assess and document how the business’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information; and specifically identify, assess, and document:
  - the business’s establishment, implementation, and maintenance of its cybersecurity program, including the related written documentation thereof (e.g., policies and procedures), that is appropriate to the business’s size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementing the components of a cybersecurity program, including specific required components; and
  - specific listed components of the business’s cybersecurity program, as applicable (e.g., multi-factor authentication, encryption, or zero trust architecture).
The above items are select excerpts and summaries from the detailed, prescriptive required scope; the text of the regulations itself includes over twenty categories of thoroughness, independence, and scope requirements, with many detailed subcategories.
Cybersecurity Audit Timing
A business has 24 months from the effective date of the regulations to complete its first cybersecurity audit. Subsequent cybersecurity audits must be completed every calendar year.
Records and Retention
In addition to a broad personal information retention schedule and disposal requirements, the regulations require the auditor to retain all documents relevant to each cybersecurity audit for a minimum of five years after completion of the cybersecurity audit.
Certification of Completion
Each business required to complete a cybersecurity audit must submit a written certification of completion to the CPPA every calendar year. The written certification must be signed and dated by a member of the board or governing body, or if no such board or equivalent body exists, the business’s highest-ranking executive with authority. The certification must include a statement that the signer has reviewed and understands the findings of the cybersecurity audit.
What is Next?
In light of the California wildfires, the CPPA extended the comment period and rescheduled the hearing date to February 19th. As of today, meaningful public comments have been submitted to the CPPA. If substantial changes are made, an additional fifteen-day comment period will apply. If substantial changes are not made, the regulations could be implemented as soon as April 2025.¹ Continue reading here to learn more about what the ADMT regulations require.
¹ In general, the California Office of Administrative Law has 30 working days to conduct a review after the regulations are passed by the CPPA and to publish the regulations.
