On 9 May 2025, the California Privacy Protection Agency (CPPA) published modified text of proposed regulations under the California Consumer Privacy Act (CCPA) establishing mandatory cybersecurity audits for businesses whose processing of consumers’ personal information presents a significant risk to security. The regulations require annual cybersecurity audits for entities meeting thresholds such as processing the personal information of 250,000 or more consumers or households in the preceding calendar year, or processing the sensitive personal information of 50,000 or more consumers. Each audit must be conducted by a qualified, objective, and independent professional, internal or external, using standards recognised in the auditing profession, including those issued by the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, the Information Systems Audit and Control Association, or the International Organisation for Standardisation. The audit report must assess and document the business’s cybersecurity programme, specifically identify and evaluate gaps or weaknesses, address previously identified issues, and certify the independence of the auditor. Reports must be submitted to the business’s board of directors or to the highest-ranking executive responsible for cybersecurity, and retained for at least five years. Businesses must also provide annual written certification to the CPPA confirming completion of the audit in accordance with these regulatory obligations.