Preparing for the California Cyber Audit Regulations
On September 23, 2025, the California Privacy Protection Agency confirmed that its cyber audit regulations will at long last go into effect on January 1, 2026.
You can be forgiven for losing track since these were first proposed in September 2023, but now is the time to start considering how they will apply to your company and budgeting for that impact.
If you need a refresher, check out our latest summary here or the regulations themselves here.
The extremely short version is that businesses subject to the rule will be required to annually produce a written audit report detailing their security program, its adherence to California’s very specific list of safeguards, and its weaknesses in protecting personal information.
Probably not, at least not fully. The safeguards that have to be included in a California audit are more specific than regimes like SOC 2 that allow flexibility in tested controls. The contents of the audit report are also specific to California, so the law requires that the resulting output meet all of California’s requirements, even if an audit is done for another purpose.
If a business ever faces litigation or regulatory action related to a security incident, the audit report will provide adverse parties with a roadmap to the business's known security weaknesses. Preparing now will enable companies to understand how their current security programs compare to California’s requirements and then take steps to improve before the first audit period begins (not to mention the intrinsic reasons to improve security measures protecting personal information).
Understand that compliance efforts directed by nonlegal personnel will not be privileged. We expect litigants and regulators in privacy and security-related matters will begin regularly requesting these reports, suspecting they will demonstrate the company’s knowledge of security vulnerabilities and/or failure to address them. Some gaps will create greater legal risk than others, and experienced legal counsel can assist in prioritization and mitigation.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Editorial Disclaimer
Originally published before the Ashurst Perkins Coie combination. See disclaimer.