United States of America: Regulations under California Consumer Privacy Act on cybersecurity audits enter into force with grace period

Description

On 1 January 2026, the regulations adopted under the California Consumer Privacy Act (CCPA) enter into force following approval by the California Office of Administrative Law on 23 September 2025, establishing mandatory cybersecurity audit obligations together with requirements on risk assessments and automated decision-making technologies. Businesses subject to cybersecurity audit obligations must maintain compliance systems, internal procedures, and documentation to meet the supervisory requirements of the California Privacy Protection Agency (CPPA), in preparation for phased certification deadlines linked to annual gross revenue. The deadlines require the submission of certifications to the CPPA by 1 April 2028 for businesses with revenues exceeding USD 100 million, by 1 April 2029 for businesses with revenues between USD 50 million and USD 100 million, and by 1 April 2030 for businesses with revenues below USD 50 million.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: subnational
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2023-08-28
under deliberation

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its …

2024-11-22
in consultation

On 22 November 2024, the California Privacy Protection Agency (CPPA) opened the public consultation…

2025-01-14
processing consultation

On 14 January 2025, the California Privacy Protection Agency (CPPA) closes the public consultation …

2025-03-28
under deliberation

On 28 March 2025, the California Privacy Protection Agency (CPPA) published its revised draft regul…

2025-09-23
adopted

On 23 September 2025, the California Office of Administrative Law adopted the regulations under the…

2026-01-01
in grace period

On 1 January 2026, the regulations adopted under the California Consumer Privacy Act (CCPA) enter i…