United States of America: California Consumer Privacy Act cybersecurity audit compliance regulations become applicable to businesses with revenues above USD 100 million

On 1 April 2028, businesses with annual gross revenues exceeding USD 100 million reach the first compliance deadline under the California Consumer Privacy Act (CCPA) cybersecurity audit regulations and must submit certifications to the California Privacy Protection Agency (CPPA) confirming completion of required cybersecurity audits. The regulations require annual cybersecurity audits, which have to be conducted by a qualified, objective, and independent professional, internal or external, using standards recognised in the auditing profession, including those issued by the American Institute of Certified Public Accountants, the Public Company Accountability Oversight Board, the Information Systems Audit and Control Association, or the International Organisation for Standardisation. The audit report must assess and document the business’s cybersecurity programme, specifically identify and evaluate gaps or weaknesses, address previously identified issues, and certify the independence of the auditor. Reports must be submitted to the business’s board of directors or the highest-ranking executive responsible for cybersecurity and retained for at least five years. Businesses must also provide an annual written certification to the CPPA confirming completion of the audit in accordance with these regulatory obligations.