United States of America: Privacy Protection Agency's Cybersecurity Audit Regulations

On 1 January 2026, the regulations adopted under the California Consumer Privacy Act (CCPA) enter into force following approval by the California Office of Administrative Law on 23 September 2025, establishing mandatory cybersecurity audit obligatio…

On 23 September 2025, the California Office of Administrative Law adopted the regulations under the California Consumer Privacy Act (CCPA) on cybersecurity audits, with phased compliance deadlines linked to annual gross revenue. Beginning on 1 Janua…

On 28 March 2025, the California Privacy Protection Agency (CPPA) published its revised draft regulations on cybersecurity audits before its Board meeting. This follows a public consultation that closed on 14 January 2025. The updates to the regulat…

On 14 January 2025, the California Privacy Protection Agency (CPPA) closes the public consultation on proposed regulations on California Consumer Privacy Act (CCPA) updates, cybersecurity audits, risk assessments, automated decision-making technolog…

On 22 November 2024, the California Privacy Protection Agency (CPPA) opened the public consultation on proposed regulations on California Consumer Privacy Act (CCPA) updates, cybersecurity audits, risk assessments, automated decision-making technolo…

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its 8 September 2023 board meeting, including draft Cybersecurity Audit Regulations. The CPPA clarified that formal rulemaking processes for cybersecurity…