ARTICLE
4 June 2025

Preparing For CCPA's Article 9: Data Maps, Retention Schedules, And Cyber Audit Obligations

Ankura Consulting Group LLC

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

On May 1, 2025, the California Privacy Protection Agency (CPPA) released updated California Consumer Privacy Act (CCPA) Regulations, emphasizing privacy impact assessments ("risk assessments"), cybersecurity audits, and automated decision-making ("May 2025 Proposed Regulations").

In our prior article, we outlined the need for organizations to begin planning and budgeting in Q3 2025 to meet the significant, long-lead-time requirements. This article aims to thoroughly explore Article 9 of the May 2025 proposed regulations titled "Cybersecurity Audits."

Article 9: Cybersecurity Audits

Under the proposed Article 9, organizations with over $100 million in revenue must complete their first cybersecurity audit report by April 2028. Organizations with between $50 million and $100 million in revenue must complete their first cybersecurity audit report by April 2029, while organizations with less than $50 million in revenue must do so by April 2030.

Section 7123 of the May 2025 proposed regulations, "Scope of Cybersecurity Audit and Audit Report," outlines the areas that the audit must consider. Many of the focus areas align with the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF), such as authentication, encryption, access management, secure configuration, internal and external vulnerability scans, network monitoring, data loss prevention, training, and incident response management. Below, we have highlighted certain requirements that organizations will need to focus on, which might be incremental to their existing cybersecurity program:

  1. Data map and data inventory – "Personal Information Inventories (e.g., maps and flows identifying where personal information is stored and how it can be accessed) and the classification and tagging of personal information."1
  2. Records retention schedules – "Retention schedules and proper disposal of personal information no longer required to be retained, by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means."2
  3. Remediation plan – "Document the business's plan to address the gaps and weaknesses identified [in the audit report], including the resources it has allocated to resolve them and the timeframe in which it will resolve them."3
  4. Written certification – "The written certification must be completed and submitted to the Agency via its website...stating 'I attest that I meet the requirements of section 7124, subsection (b), to submit this certification. Under penalty of perjury under the laws of the state of California, I hereby declare that the information contained within and submitted with this certification is true and correct and that the business has not made any attempt to influence the auditor's decisions or assessments regarding the cybersecurity audit.'"

The regulations note that a cybersecurity audit prepared for another purpose can be utilized, provided that the audit evaluates the criteria set forth in the regulations. The regulations then cite the NIST CSF as one example of a framework that may satisfy this requirement.

The May 2025 proposed regulations have undergone multiple revisions, but following discussions with our outside counsel legal partners at the International Association of Privacy Professionals conference in April, we believe that this version — or a closely aligned one — will be adopted.

In our next article of this series, we will focus on the requirements in Article 10 of the May 2025 Proposed Regulations titled "Risk Assessments."

Footnotes

1. CA Privacy Protection Agency – Proposed Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 78.

2. CA Privacy Protection Agency – Proposed Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 80.

3. CA Privacy Protection Agency – Proposed Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 81.
