California Cybersecurity Audits to Start This Year. How Compani…

https://www.pymnts.com/cpi-posts/california-cybersecurity-audits-to-start-this-year-how-companies-should-prepare/

Publish Date: 2026-05-10 10:54:00

Source Domain: www.pymnts.com

The California Privacy Protection Agency is preparing to begin cybersecurity audits of companies this year, signaling a major escalation in enforcement activity under California's privacy regime even though formal audit certification deadlines do not begin until 2028, according to a new advisory from Arnold & Porter.

The alert warns companies not to treat the delayed certification timeline as a grace period. Instead, regulators expect organizations to already have cybersecurity audit practices and governance frameworks in place ahead of the formal compliance deadlines.
The audits will be conducted by a newly created Audits Division within the California privacy agency, and led by Chief Privacy Auditor Sabrina Boyson Ross, a former public policy executive at Meta. The division is responsible for examining companies’ privacy and cybersecurity practices, processing risk assessment attestations and overseeing cybersecurity audit certifications required under the state’s updated privacy rules.
California’s audit regime stems from the state’s landmark privacy laws, the California Consumer Privacy Act and the California Privacy Rights Act, which together created one of the broadest privacy enforcement systems in the U.S. Unlike sector-specific cybersecurity requirements in states such as New York, California’s rules potentially apply across industries to any qualifying business whose handling of personal information is deemed to present “significant risk” to consumers’ privacy or security.
Although the agency has not formally announced the first audit targets, the Arnold & Porter advisory says businesses should expect regulators to focus on areas already prioritized by the enforcement division. Those include failures to honor consumer privacy rights requests, shortcomings in privacy policy disclosures, and practices that impede consumers from exercising rights to access, delete, correct or opt out of data sharing and sales.
The advisory also points to emerging enforcement priorities discussed publicly by California regulators, including chatbot-related practices, surveillance pricing, the use of data in large language models, and handling of sensitive personal information, including health data not covered by federal HIPAA protections.
Audits themselves are expected to be expansive, per the alert. Regulators may review cybersecurity programs, information systems, vendor and contractor management practices, and internal governance documentation. Interviews with personnel are also likely, though auditors are expected to require documentary support rather than relying solely on management assurances.
The advisory stresses that audit findings could quickly evolve into enforcement actions. The Audits Division is expected to work closely with the agency’s Enforcement Division, meaning deficiencies uncovered during audits could be referred for penalties. Recent enforcement actions by CalPrivacy have resulted in fines ranging from roughly $345,000 to $1.35 million, and regulators have signaled interest in increasing penalties to preserve deterrence.
Arnold & Porter advises companies to begin immediate preparedness assessments, particularly organizations operating nationally that may not realize California’s rules apply to them. The regulations cover for-profit businesses doing business in California if they exceed certain revenue and data-processing thresholds or derive at least half of annual revenue from selling or sharing consumer information.
First, companies should structure audit readiness efforts carefully to preserve attorney-client privilege where possible. Although the regulations generally require only certification rather than disclosure of underlying audit reports, those materials could still become discoverable in litigation or subject to regulatory subpoenas. Arnold & Porter recommends involving outside counsel early to help establish a privilege framework before extensive documentation is generated.
Second, organizations should review cybersecurity governance structures to ensure designated program owners have sufficient authority, expertise and documented reporting responsibilities. Regulators are expected to scrutinize whether cybersecurity accountability structures are formally defined and operational.
Third, companies should evaluate their substantive cybersecurity controls against the 18 program components outlined in the regulations and document how those controls operate in practice.
The advisory also recommends identifying potential independent auditors now, even if formal certifications remain years away, because California’s rules ultimately require audits to be conducted by qualified and objective professionals.
Finally, Arnold & Porter says companies should coordinate cybersecurity audit preparation with separate privacy risk assessment obligations, as both regimes require extensive documentation of processing activities, controls and risk-management decisions.