Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing revised draft cybersecurity audit regulations although the Agency has yet to initiate the formal rulemaking process.

In connection with its upcoming December 8 Board meeting, the California Privacy Protection Agency published revised draft cybersecurity audit regulations. In the below post, we provide background on the draft regulations and a brief summary of the notable changes.


The Agency initially published draft regulations on both cybersecurity audits and risk assessments in late August. Today, the Agency only released updated draft regulations on cybersecurity audits, referring to them as “Agenda Item 2 – Part 1.” Agenda Item 2 on the Board’s December 8 meeting agenda states that the CPRA Rules Subcommittee will provide an update and staff presentation of draft regulations on automated decisionmaking technology, risk assessments, and cybersecurity audits. Therefore, it appears possible the Agency may release additional draft regulations prior to the December 8 meeting.

As with its prior draft, the revised draft specifically states that the Agency has not yet started the formal rulemaking process and the draft regulations are only for the purposes of facilitating Board discussion and public participation.

Notable Changes

Applicability (§ 7120)

In the prior draft, the Agency outlined possible options for the types of businesses that would need to perform cybersecurity audits. The revised draft maintains the requirement that a business that derives 50% or more of its annual gross revenue from selling or sharing consumers’ personal information will need to complete a cybersecurity audit.

The revised draft deletes the optional language that businesses with a certain undefined annual gross revenue or number of employees also would be covered. Instead, the revised draft would apply the cybersecurity audit requirement to businesses that have a certain (as yet to be defined) annual gross revenue and meet one of three (as yet to be defined) thresholds based on the amount of personal information, sensitive information, or information of children under the age of 16 the business processes annually.

Scope of Cybersecurity Audits (§ 7123)

The prior draft contained two options for section 7123(b), which deals with the negative impacts to consumers’ security. The revised draft chooses the language in the second option but notes that Agency staff will propose further revisions based on Board feedback.

Under the revised draft the “cybersecurity audit shall assess and document any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect consumers.”

Cybersecurity threat is defined as “any potential unauthorized occurrence on or conducted through a business’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a business’s information systems or any information residing therein.”

Cybersecurity incident is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a business’s information systems, that actually or potentially jeopardizes the confidentiality, integrity, or availability of a business’s information systems or any information the system processes, or that constitutes a violation or imminent threat of violation of the business’s cybersecurity program.”

The Agency also refined the language in other parts of section 7123 such as by adding independent contractors and any other personnel to a number of sections and reworking sections 7123(e), (f) and (g), which deal with the types of information covered businesses would need to provide regarding security incidents.