The rule forces thousands of midsize and large firms to formalize annual cybersecurity audits, reshaping risk‑management practices and expanding the market for audit providers while tightening enforcement of California’s privacy standards.
The Berkeley Center for Law & Technology hosted Jim Dempsey to explain California’s newly adopted cybersecurity audit rule, part of a broader package that also addresses automated decision‑making technology and risk assessments. Adopted on July 24 by the California Privacy Protection Agency, the rule fulfills obligations under the 2020 California Privacy Rights Act (CPRA) and mandates annual, independent audits for businesses whose processing of personal information presents a significant risk to consumers.
The regulation defines “significant risk” using size and data‑processing thresholds: firms with annual gross revenue over $26 million that process the personal information of at least 250,000 consumers (or the sensitive personal information of at least 50,000 consumers), or data brokers that earn 50 percent of their revenue from selling personal information. Audits may be performed by internal or external auditors, though reporting responsibility was softened from the board to senior management. Large entities (over $100 million in revenue) must file their first audit by April 2028, with staggered deadlines extending to 2031 for smaller covered firms.
Dempsey highlighted the rule’s practical nuances, noting the inflation‑adjusted revenue benchmark and the inclusion of employee data for B‑to‑B companies. He cited ongoing enforcement by the Department of Health and Human Services and California’s Attorney General, who have already begun demanding risk analyses and inventories. The rule also references the Center for Internet Security’s Critical Controls as a baseline for “reasonable” cybersecurity measures, echoing prior guidance from former AG Kamala Harris.
For companies operating in or serving California residents, the rule creates a substantial compliance imperative, driving demand for audit services and elevating cybersecurity to a board‑level concern. Early adoption and thorough documentation will be critical to avoid enforcement actions and to demonstrate reasonable security practices under California’s expanding privacy framework.