**Colleen**
Hi, Laura. How are you doing today?
**Laura**
Colleen, so good to see you. I'm well. How are you?
**Colleen**
Very good. It's been a minute since we've had you on the privacy huddle, so welcome back. I bet a lot of folks watching know who you are, Laura, but in case they don't, give folks an idea of what you do, your background, that kind of thing.
**Laura**
Oh, sure. Happy to do that. So I'm a partner at Kelly Dry in our privacy and information security group as well as our advertising group that counsels clients on consumer protection and privacy issues. I mostly represent clients who are facing regulatory inquiries from either the Federal Trade Commission or state attorneys general, but that work also informs my counseling on both privacy and consumer protection issues.
**Colleen**
Got it. Well, thrilled that you're bringing this wealth of knowledge and information to talk about something that a few of our customers have been asking us about at Ketch. And so I wanted to bring in an expert like yourself to talk about this recent CCPA rulemaking. In July, the California Privacy Protection Agency voted to approve changes to CCPA, including ADMT, automated decision making, risk assessments, and cybersecurity audits. And so we've been getting questions from our customers about the practical implications of these changes. That's a lot of ground to cover. But today, I'm hoping you and I can focus on the cybersecurity changes and what that means for businesses. So can you start us off, Laura? What are these cybersecurity changes?
**Laura**
Yeah. No. Happy to do that. And let me say that while the CPPA approved this rulemaking, it is before the OAL. And so we're waiting on their approval. I don't expect material changes to the cybersecurity provisions, but it's just worth a mention there. So in its rulemaking, the CPPA finalized what it intends to be its requirements for cybersecurity audits. And a number of businesses in California are going to be required to do this in a phased approach beginning a few years from now. So where a business derives fifty percent or more of its annual revenue from selling or sharing consumers' personal information, or if the business processed PI for two hundred and fifty thousand or more consumers or processed sensitive personal information of more than fifty thousand consumers, they're going to be held to this requirement. So the cybersecurity audit requirement is significant in a number of respects. It requires that an audit be performed by a qualified professional that has independence of the company. So that could be someone within a company, but there would need to be safeguards in place to make sure that person wasn't influenced by the company. It also requires that the auditor get approval from senior executives, and then a certification needs to be submitted to the CPPA. And the audit documents will need to be maintained for a number of years, for five years. And so all of this is really just brand new. Even for companies with mature cyber programs, this formalism outside of financial services has not been required previously. So what the CPPA wants these audits to cover are how a cybersecurity program protects personal information from unauthorized access, destruction, etcetera, but also protects the availability of that information. You know, protections against attacks that would shut down the service, for example. It identifies eighteen specific elements that the audit needs to cover.
So gone are the days of just evaluating whether a program is reasonable or not. Quite prescriptive requirements.
**Colleen**
Wow. So, Laura, is this very unique to California? Do we see anything like this in the other US state privacy laws?
**Laura**
Yeah. That's a great question. So in financial services, we've seen in the last handful of years, for example, in New York, the DFS there required that financial institutions do more of this kind of work. And a couple of years ago, we also saw the Federal Trade Commission in its Safeguards rulemaking require more prescriptive assessments. Not just assessments, but more prescriptive elements to a cybersecurity program. But requiring audits and requiring certifications of a senior official to the state, this is brand new and really groundbreaking, creating new risks, not just regulatory risks, but litigation risks too. Because, of course, in the course of assessing a program's adequacy, it would be very much expected that there would be room for improvement. And so the circumstance will be that the companies are documenting that and required to keep those documents for years and years. I anticipate that at some point, we'll see follow-on litigation and that there may be some unanticipated consequences.
**Colleen**
I see. Do you think this is new ground for cybersecurity professionals as well as privacy, or are cybersecurity folks more accustomed to this kind of audit requirement?
**Laura**
Yeah. It's a great question. So where privacy professionals, and particularly the technology vendors who support us behind the scenes, are particularly well suited is in really understanding what personal information a company holds. And that is one of the eighteen elements that the CPPA requires. Some of the other elements are the kinds of things that comprehensive information security assessments typically evaluate: the use of encryption, the presence of multifactor authentication, how access controls have been defined and then implemented, things like whether the company follows a secure software development life cycle. Those kinds of elements are more typical in an information security assessment, but the information security professionals don't necessarily have the facility with understanding where PI is and how that is managed.
**Colleen**
Got it. So for the privacy program owners who are starting to grapple with this, what are some of the first steps or things they should look at within their program? Things available to them today, processes they already have in place or privacy tech they already have in place. How should they start to think about expanding the scope to cover this area?
**Laura**
So companies of all security maturities, if they're processing PI on the scale that we talked about at the top, really need to think about how to formalize their security processes so that they are appropriately subject to audit down the line. I'll say that while the regulation is prescriptive, what companies really want to focus on is how they're executing. Right? So having a policy that was put on a shelf four or five years ago likely isn't enough. What companies need to do is evaluate how they're really managing it on the ground, so that when it comes time to do this documented assessment, assessments that maybe have been occurring for some time but with less formality, companies would be well positioned to do that. And it really starts with understanding what that PI is and then getting deep with your security team on how that PI is being protected.
**Colleen**
Got it. And then potentially some room for technology vendors to help here as well, from a data mapping product. Does that make sense?
**Laura**
That's exactly right. The predicate for all of the rest of this is understanding what you have so that you can then evaluate how you're protecting it.
**Colleen**
Yeah. It's interesting. That reminds me of other conversations that I've had with Alisa Hudnick on this topic of data mapping and this continued grappling with investing in data mapping tech. And she and I have talked so many times about how it's not necessarily spelled out in all the regulations, but it's such a foundational exercise that it's so helpful when it comes to showing your work and demonstrating compliance in so many areas. Right?
**Laura**
No. Exactly. And here, it's not called data mapping, but having personal information and system inventories will be required. And so it does get closer to being actually a prescriptive requirement rather than just a really helpful tool. Either way, it is worth the investment because otherwise it will be near impossible to execute on the balance of the requirements.
**Colleen**
Well, Laura, thank you for this overview. Is there anything I haven't asked about that you would leave?
**Laura**
Gosh. Yeah, I think we could talk about this for hours, but that is the top line. And it was really a pleasure to spend a few minutes talking to you about it today, Colleen.
**Colleen**
Likewise. Thanks, Laura. We'll talk soon.