Progress

Current status
adopted
01 Apr 2030 in force
01 Apr 2029 in force
01 Apr 2028 in force
01 Jan 2026 in grace period
23 Sep 2025 adopted
09 May 2025 under deliberation
28 Mar 2025 under deliberation
14 Jan 2025 processing consultation
22 Nov 2024 in consultation
28 Aug 2023 under deliberation

Scope

Implementers: United States of America
Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Government Branch: executive
Government Body: data protection authority, other regulatory body
Implementation Level: subnational

Timeline of events

01 Apr 2030
in force

California Consumer Privacy Act cybersecurity audit compliance regulations become applicable to businesses with revenues under USD 50 million

On 1 April 2030, businesses with annual gross revenues below USD 50 million reach the final compliance deadline under the California Consumer Privacy Act (CCPA) cybersecurity audit regulations and must submit certifications to the California Privacy…

Event type: order
Action type: implementation
Government branch: executive
Government body: data protection authority
01 Apr 2029
in force

California Consumer Privacy Act cybersecurity audit compliance regulations become applicable to businesses with revenues between USD 50 million and USD 100 million

On 1 April 2029, businesses with annual gross revenues between USD 50 million and USD 100 million reach the second compliance deadline under the California Consumer Privacy Act (CCPA) cybersecurity audit regulations and must submit certifications to…

Event type: order
Action type: implementation
Government branch: executive
Government body: data protection authority
01 Apr 2028
in force

California Consumer Privacy Act cybersecurity audit compliance regulations become applicable to businesses with revenues above USD 100 million

On 1 April 2028, businesses with annual gross revenues exceeding USD 100 million reach the first compliance deadline under the California Consumer Privacy Act (CCPA) cybersecurity audit regulations and must submit certifications to the California Pr…

Event type: order
Action type: implementation
Government branch: executive
Government body: data protection authority
01 Jan 2026
in grace period

Regulations under California Consumer Privacy Act on cybersecurity audits enter into force with grace period

On 1 January 2026, the regulations adopted under the California Consumer Privacy Act (CCPA) enter into force following approval by the California Office of Administrative Law on 23 September 2025, establishing mandatory cybersecurity audit obligatio…

Event type: order
Action type: in force with grace period
Government branch: executive
Government body: data protection authority
23 Sep 2025
adopted

Office of Administrative Law adopted regulations under California Consumer Privacy Act on cybersecurity audits

On 23 September 2025, the California Office of Administrative Law adopted the regulations under the California Consumer Privacy Act (CCPA) on cybersecurity audits, with phased compliance deadlines linked to annual gross revenue. Beginning on 1 Janua…

Event type: order
Action type: adoption
Government branch: executive
Government body: other regulatory body
09 May 2025
under deliberation

California Privacy Protection Agency published second updated draft amendments to CCPA regulations including proposed cybersecurity audits

On 9 May 2025, the California Privacy Protection Agency (CPPA) published modified text of proposed regulations under the California Consumer Privacy Act (CCPA) establishing mandatory cybersecurity audits for businesses whose processing of consumers’…

Event type: order
Action type: drafting
Government branch: executive
Government body: data protection authority
28 Mar 2025
under deliberation

California Privacy Protection Agency published updated draft amendments to CCPA regulations including proposed regulations on cybersecurity audits

On 28 March 2025, the California Privacy Protection Agency (CPPA) published its revised draft regulations on cybersecurity audits before its Board meeting. This follows a public consultation that closed on 14 January 2025. The updates to the regulat…

Event type: order
Action type: drafting
Government branch: executive
Government body: data protection authority
14 Jan 2025
processing consultation

Closed consultation on CPPA proposed regulations on cybersecurity audits

On 14 January 2025, the California Privacy Protection Agency (CPPA) closed the public consultation on proposed regulations on California Consumer Privacy Act (CCPA) updates, cybersecurity audits, risk assessments, automated decision-making technolog…

Event type: order
Action type: consultation closed
Government branch: executive
Government body: data protection authority
22 Nov 2024
in consultation

Opened consultation on CPPA proposed regulations on cybersecurity audits

On 22 November 2024, the California Privacy Protection Agency (CPPA) opened the public consultation on proposed regulations on California Consumer Privacy Act (CCPA) updates, cybersecurity audits, risk assessments, automated decision-making technolo…

Event type: order
Action type: consultation opened
Government branch: executive
Government body: data protection authority
28 Aug 2023
under deliberation

Published draft Cybersecurity Audit Regulations

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its 8 September 2023 board meeting, including draft Cybersecurity Audit Regulations. The CPPA clarified that formal rulemaking processes for cybersecurity…

Event type: order
Action type: drafting
Government branch: executive
Government body: data protection authority