Stay in the know
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead
The California Privacy Protection Agency (CPPA) has unanimously adopted new regulations requiring certain businesses subject to the California Consumer Privacy Act (CCPA) to conduct annual audits of their cybersecurity programs, beginning later this decade.
The new regulations apply to businesses whose processing of personal information presents “significant risk” to consumers’ security. This includes businesses that either (i) derive more than 50% of their revenue from selling or sharing personal information or (ii) otherwise meet the CCPA revenue threshold and processed the personal information of at least 250,000 people or the sensitive personal information of at least 50,000 people in the preceding calendar year.
Such companies will be required to select a qualified, objective and independent auditor to evaluate their cybersecurity policies, procedures and practices. If the auditor is internal, it must not participate in business activities that it assesses in a cybersecurity audit, and the highest-ranking auditor must report directly to a member of executive management who does not have direct responsibility for the business’s cybersecurity program.
Such cybersecurity audits must assess the implementation and maintenance (including written policies and procedures) of a program that is appropriate to the business’s size and complexity and the nature and scope of its processing activities, how the business’s cybersecurity program protects personal information and how the business enforces compliance with the program. The regulation also lists a number of components that must be assessed if applicable, including authentication, encryption, account management and access controls, inventories and approval processes, secure configuration, vulnerability scans and penetration testing, audit log management, network monitoring and defenses, antivirus/antimalware protections, and network segmentation, among others.
The audit must follow generally accepted procedures and standards accepted in the profession of auditing, such as those adopted by the International Organization for Standardization. For its part, the business must make available all information in its possession, custody or control that the auditor requests as relevant, and make good faith efforts to disclose and accurately represent all relevant facts.
The auditor must produce a report satisfying a number of criteria, including:
Businesses subject to this regulation must submit a written certification of compliance to the CPPA by April 1 of each year, though they do not need to submit the audit report to the CPPA. The first deadline depends on the size of the business’s annual gross revenue:
We will continue to monitor these and other developments related to privacy and data security. Please reach out to HSF Kramer’s Data Protection and Privacy group for more information.
Special Counsel, Privacy Counsel, Silicon Valley
Associate, New York
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead