On 23 September 2025, the California Office of Administrative Law adopted the regulations under the California Consumer Privacy Act (CCPA) on cybersecurity audits, with phased compliance deadlines linked to annual gross revenue. The regulations enter into force on 1 January 2026, and businesses subject to audit obligations must prepare to submit certifications to the California Privacy Protection Agency (CPPA) within specified timeframes. The cybersecurity audit requirements form part of a wider regulatory framework, alongside obligations on risk assessments and automated decision-making technology, and give the CPPA formal supervisory mechanisms to monitor compliance. The phased deadlines establish a structured sequence in which businesses of varying sizes certify completion of the required cybersecurity audits and formally report compliance to the CPPA.