On 28 March 2025, the California Privacy Protection Agency (CPPA) published its revised draft regulations on cybersecurity audits before its Board meeting. This follows a public consultation that closed on 14 January 2025. The updates to the regulations introduce a definition of "cybersecurity audit report" and provide a phased timeline for compliance. Businesses are required to complete their first audit by 1 January 2028, or by 1 January 2029 if they meet the audit threshold at a later date. The revisions also remove an earlier provision that granted a fixed 24-month implementation period and require businesses to explain how prior or existing cybersecurity audits meet the new requirements.