
Gwen Takagawa
Senior Consultant, Coalfire (CIPP/US, CIPP/E, CIPM, PMP)
Cybersecurity


California’s privacy regulations are evolving, this time with new cybersecurity audit requirements under the California Consumer Privacy Act (CCPA). The California Privacy Protection Agency (CPPA) has proposed draft regulations that would require certain businesses to conduct annual cybersecurity audits and submit written certification to the CPPA confirming compliance.
The draft regulations also cover privacy risk assessments (more on these here) and automated decision-making (ADM) technologies.
While the initial public comment period for these draft regulations closed on February 19, 2025, the rules remain in flux.
In fact, based on turnover on the CPPA Board, pushback during public comment, conflict between the ADM regulations and newly introduced laws on related artificially intelligence (AI) technologies, and the estimated $9.7B financial impact of these regulations on businesses, changes are likely – only the extent of change remains in question.
But certain aspects will not change.
The CCPA is law. It requires (CCPA s1798.180(a)(14)) that the CPPA’s regulations include the following:
The fourth point above emphasizes that the CPPA is responsible for determining how broadly this requirement applies. The CPPA’s Board has debated this heavily, especially about concerns as to the financial impact on individual businesses. However, the Board did not receive an estimate as to this impact until Fall 2024, as part of the process towards releasing these regulations for public comment.
While there are thresholds defined in the proposed regulations, this is an area where further debate is likely.
As currently listed, the regulations allow for internal auditors only where they do not “participate in the business activities that the auditor may assess in the current or subsequence cybersecurity audits” and where the auditor reports “regarding cybersecurity audit issues directly to the business’s board of directors or governing body, not to business management that has direct responsibility for the business’s cybersecurity program.” That includes the Board or governing body conducting the auditor’s performance evaluation and determining the auditor’s compensation.
External auditors are allowed but must also remain objective and impartial.
Both internal and external auditors are prohibited from making recommendations regarding, implementing, or maintaining the business’s cybersecurity program.
The third point above mandates “independent” audits: this will not change. The details noted above may change, but the initial statement of reasons indicates these are based on FTC orders and auditing organizations’ auditing standards. Unless there compelling reasons emerge from public comment to apply a less stringent standard, these requirements will likely remain.
The law also only states that the CPPA must define the scope of the audit and that it must be thorough and independent. These are broad requirements captured in a few lines, while the proposed cybersecurity regulations span 11.5 pages. The CPPA has the authority and obligation to provide detail, but those details are subject to revision.
However, the requirement to report on the completion of a cybersecurity audit has not yet led to significant discussion or controversy. With the related reporting requirement in place for privacy risk assessments, some level of proactive reporting to the CPPA about cybersecurity audits seems likely to remain.
The draft regulations describe a written certification that the business has completed the cybersecurity audit:
Note that the findings of the audit itself are not included in the certification submission.
The audit itself addresses 18 cybersecurity elements. According to the Initial Statement of Reasons (pdf link) that accompanied the draft regulations, these elements are aligned with the NIST Cybersecurity Framework 2.0 and the Center for Internet Security Critical Security Controls (CIS Controls version 8).
In these draft regulations, the audit is required to include:
While the regulations state businesses are not required to complete a “duplicative cybersecurity audit,” any elements that do not cover the requirements in the regulation must be added as a supplement.
The CCPA includes a contentious element: a private right of action, or the ability for consumers to sue a business. This provision also includes statutory damages of $100-$750 per consumer per incident, or actual damages, whichever is greater.
In the CCPA, this is specifically related to a personal information security breach “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures.” (CCPA s. 1798.150)
While the draft regulations do not explicitly address the private right of action, any CCPA-mandated cybersecurity audit is likely to be taken into consideration in determining whether a business maintained reasonable security procedures.
When will this new obligation come due? The draft regulations give businesses two years from the date the regulations become effective.
For businesses looking for assistance with a thorough and independent audit that complies with new CCPA requirements, Coalfire is an industry leader in cybersecurity compliance. Coalfire experts routinely provide businesses with cybersecurity assessments across 75+ frameworks.