Digital Policy Alert logo

United States of America: California Consumer Privacy Act cybersecurity audit compliance regulations become applicable to businesses with revenues between USD 50 million and USD 100 million

Policy overview

Description

California Consumer Privacy Act cybersecurity audit compliance regulations become applicable to businesses with revenues between USD 50 million and USD 100 million

On 1 April 2029, businesses with annual gross revenues between USD 50 million and USD 100 million reach the second compliance deadline under the California Consumer Privacy Act (CCPA) cybersecurity audit regulations and must submit certifications to…

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
subnational
Government Branch
executive
Government Body
data protection authority

Complete timeline of this policy change

Hide details
2023-08-28
under deliberation

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its …

2024-11-22
in consultation

On 22 November 2024, the California Privacy Protection Agency (CPPA) opened the public consultation…

2025-01-14
processing consultation

On 14 January 2025, the California Privacy Protection Agency (CPPA) closes the public consultation …

2025-03-28
under deliberation

On 28 March 2025, the California Privacy Protection Agency (CPPA) published its revised draft regul…

2025-05-09
under deliberation

On 9 May 2025, the California Privacy Protection Agency (CPPA) published modified text of proposed …

2025-09-23
adopted

On 23 September 2025, the California Office of Administrative Law adopted the regulations under the…

2026-01-01
in grace period

On 1 January 2026, the regulations adopted under the California Consumer Privacy Act (CCPA) enter i…

2028-04-01
in force

On 1 April 2028, businesses with annual gross revenues exceeding USD 100 million reach the first co…

2029-04-01
in force

On 1 April 2029, businesses with annual gross revenues between USD 50 million and USD 100 million r…

2030-04-01
in force

On 1 April 2030, businesses with annual gross revenues below USD 50 million reach the final complia…