Description
California Privacy Protection Agency (CPPA) cybersecurity audit regulations took effect January 1, 2026. Businesses meeting the thresholds must conduct cybersecurity audits assessing their security posture. This requirement is the first of its kind among state data privacy laws. Audit certifications must be filed with CPPA on staggered deadlines.
Requirements
- Determine applicability based on revenue and data thresholds
- Plan cybersecurity audit scope and methodology
- Engage a qualified auditor or internal team
- Assess security posture against CPPA requirements
- Document audit findings and remediation plans
Applicable To
- Businesses deriving 50%+ revenue from selling PI
- Businesses with $25M+ revenue processing 250K+ CA consumers
- Businesses processing sensitive data of 50K+ CA consumers
Penalty Information
CCPA violations carry penalties of $2,500 per violation and $7,500 per intentional violation. CPPA has direct enforcement authority.