California — DPO, ROPA & DPIAs

California privacy law does not mandate a Data Protection Officer (DPO) or Records of Processing Activities (ROPA) in the manner required by the EU General Data Protection Regulation (GDPR). The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CPRA), adopted an alternative compliance architecture centered on consumer rights (access, deletion, correction, opt-out), transparency obligations (privacy notices, purpose disclosures), and two newer operational requirements: cybersecurity audits and risk assessments.

The absence of a DPO mandate is deliberate. The CCPA imposes no requirement that businesses appoint a designated privacy officer, conduct formal data protection impact assessments (DPIAs) before processing, or maintain an inventory of processing activities analogous to GDPR Article 30. Instead, enforcement authority rests with the California Privacy Protection Agency (CPPA), established by the CPRA and operational since July 1, 2021, alongside the California Attorney General and California's 62 district attorneys.

What California DOES require instead: cybersecurity audits and risk assessments

On September 22, 2025, the CPPA's cybersecurity audit and risk assessment regulations were approved by the California Office of Administrative Law and filed with the Secretary of State, effective January 1, 2026. These regulations implement Cal. Civ. Code § 1798.185(a)(15), which authorizes the CPPA to adopt rules requiring businesses whose processing presents "significant risk to consumers' security" to perform annual cybersecurity audits and submit regular risk assessments.

Cybersecurity audit scope and triggers (11 Cal. Code Regs. §§ 7120–7124, effective January 1, 2026). A business must conduct an annual cybersecurity audit if it meets the general CCPA thresholds—annual gross revenue over $25 million, or processing personal information of at least 100,000 consumers/households, or deriving 50% or more of annual revenue from selling or sharing personal information—AND its processing presents "significant risk to consumers' security." Under the finalized regulations, processing presents significant risk if the business derives 50% or more of its annual revenue from selling or sharing consumers' personal information (the third CCPA threshold). The audit must be performed by an independent auditor (internal or external), who reports to the business's board of directors or highest-ranking executive not responsible for cybersecurity. The business must certify completion to the CPPA but need not submit the audit report itself. Compliance deadlines are staggered by revenue: businesses with $1 billion or more in annual revenue must complete their first audit by April 1, 2027; businesses with $50 million to $1 billion by April 1, 2029; businesses under $50 million by April 1, 2030.

Risk assessment scope and triggers (11 Cal. Code Regs. §§ 7150–7157, effective January 1, 2026). Businesses subject to the CCPA must conduct and document a risk assessment when processing presents heightened privacy risk. Triggers include: processing personal information of consumers the business has actual knowledge are under 16 years old; processing that involves selling or sharing personal information; processing sensitive personal information (e.g., Social Security numbers, precise geolocation, biometric data for unique identification, health or financial data); and processing that uses automated decisionmaking technology (ADMT) to make "significant decisions" (decisions producing legal or similarly significant effects). The risk assessment must identify and weigh the benefits of the processing to the business, consumer, other stakeholders, and the public against potential risks to consumers' rights, with the goal of restricting or prohibiting processing if privacy risks outweigh benefits. Businesses must retain risk assessments for three years. By April 1, 2028, businesses subject to risk assessment requirements must submit to the CPPA an attestation that required risk assessments were completed and a summary of their risk assessment information; the full risk assessment reports remain confidential and are not submitted unless the CPPA requests them during an investigation.

Practical contrast with GDPR. Unlike GDPR Article 35 DPIAs, which are required before high-risk processing begins and must assess necessity, proportionality, and measures to mitigate risk, California's risk assessments are retrospective and are submitted to the CPPA only in summary form on a fixed schedule (April 1, 2028, and biennially thereafter). Unlike GDPR Article 30 ROPAs, which inventory all processing activities and must be produced to a supervisory authority upon request, California imposes no general processing-inventory requirement. Unlike GDPR Article 37, which mandates DPO appointment for public authorities and entities whose core activities involve large-scale monitoring or special-category data processing, California leaves organizational privacy governance to business discretion—no designated officer, no independence requirements, no prohibition on conflicts of interest.

For businesses operating under both GDPR and CCPA, the regulatory burdens are cumulative, not harmonized. A controller subject to both regimes must maintain GDPR-compliant ROPAs, appoint a DPO if required under Article 37, conduct DPIAs under Article 35 before high-risk processing, AND separately comply with California's cybersecurity audit and risk assessment framework under the CPPA regulations.

Source: Cal. Civ. Code § 1798.185 Source: CPPA Cybersecurity Audit & Risk Assessment Regulations — Final Statement of Reasons (July 24, 2025) Source: CPPA Announcement — Regulations Approved (September 23, 2025)

California regulations specify the substantive elements every CCPA risk assessment must include under 11 Cal. Code Regs. § 7152. These requirements apply to any business conducting a risk assessment for processing activities identified in § 7150(b)—selling or sharing personal information, processing sensitive personal information (with narrow employment-payroll exceptions), using automated decisionmaking technology (ADMT) for significant decisions, extensive profiling, or training ADMT/AI capable of those uses. The regulations distinguish between the risk assessment itself (the full analytical exercise the business conducts) and the risk assessment report (a narrower written document that the business must create and retain). The report comprises only subsections (a)(1)–(3) and (a)(6)–(9) of § 7152; the remaining analytical steps are required for the assessment process but are not documented in the report businesses submit upon CPPA or Attorney General request.

Mandatory content: § 7152(a)(1)–(3) (documented in the report)

(1) Processing summary. A plain-language summary describing how the business will process the personal information, including collection, use, disclosure, and retention. The CPPA requires that businesses describe their purpose in non-generic terms. For example, rather than stating "marketing purposes," a compliant summary would specify "creating lookalike audiences for targeted advertising on Meta and Google using hashed email addresses and demographic attributes." For ADMT uses, the summary must also explain why the business is using ADMT instead of human decisionmaking, including the business's rationale for choosing automation.

(2) Categories of personal information. Identification of all categories of personal information involved in the processing, including categories of sensitive personal information (as defined in Cal. Civ. Code § 1798.140(ae)—Social Security numbers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail/email/text content, genetic data, biometric identifiers, health data, sex life/sexual orientation, citizenship/immigration status, account credentials). The CPPA removed earlier draft language requiring businesses to document "actions to maintain the quality of personal information" in the May 2025 modifications to simplify implementation.

(3) Operational transparency elements. The risk assessment report must identify:

• (A) The business's purpose(s) for the processing activity, described in non-generic terms (paralleling the requirement in subsection (a)(1)).
• (B) Which category or categories of consumers' personal information the business processes for each identified purpose.
• (C) The categories of third parties, if any, with which the business shares consumers' personal information in furtherance of each identified purpose.
• (D) How long the business intends to retain consumers' personal information, or the criteria used to determine the retention period, for each identified purpose.
• (E) The business's cybersecurity program and data management practices relating to the processing activity.
• (F) Whether the processing activity is governed by other federal or state laws or regulations that address consumer privacy or data security, and if so, which ones.
• (G) For uses of ADMT (as set forth in § 7150(b)(3)–(6)), whether the business processes consumers' personal information solely and specifically for the purpose of quality and safety testing of the ADMT.

Subsections (a)(3)(E)–(G) were revised in May 2025 to remove language requiring businesses to document specific "actions and technology" in order to simplify implementation at this stage; businesses must identify the program and practices but need not provide granular technical implementation details in the report.

Mandatory content: § 7152(a)(6)–(9) (documented in the report)

(6) Benefit identification. Identification of the benefits of the processing activity to the business, consumers, other stakeholders, and the public, as applicable. The CPPA clarified that businesses need only identify benefits applicable to each type of stakeholder listed; if a processing activity confers no benefit to consumers but benefits the business and the public (for example, fraud detection that protects the payment ecosystem), the business identifies those applicable benefits and may note that direct consumer benefit is not applicable. Benefits must be described in non-generic terms—for example, not "operational efficiency," but "reducing loan-underwriting time from 72 hours to 15 minutes, enabling same-day credit decisions for applicants."

(7) Privacy-risk identification. Identification of the potential adverse consequences to consumers' privacy that could result from the processing activity. This element implements the statutory balancing test under Cal. Civ. Code § 1798.185(a)(15)(B), which directs the CPPA to adopt regulations requiring businesses to assess "whether the benefits of the business's processing of consumers' personal information justify the potential risks to the privacy of the consumers."

(8) Safeguards. Identification of safeguards that the business has implemented, or will implement before initiating the processing activity, to protect consumers' privacy and mitigate the risks identified in subsection (a)(7). For ADMT uses, safeguards must include measures to ensure the ADMT works as intended and does not result in unlawful discrimination (including compliance with California's Fair Employment and Housing Act, Unruh Civil Rights Act, and other anti-discrimination statutes). The CPPA removed earlier proposed requirements for businesses to document specific anti-discrimination testing protocols in May 2025, but the obligation to implement those safeguards and to identify them in the report remains.

(9) Weighing and outcome. Identification and weighing of the benefits of the processing (identified in subsection (a)(6)) against the potential privacy risks to consumers (identified in subsection (a)(7)). Section 7154 establishes the goal of this weighing: "The goal of a risk assessment is to identify and weigh the benefits of the processing of consumers' personal information against the potential risks to the privacy of consumers, with the goal of restricting or prohibiting the processing if the risks to the privacy of consumers outweigh the benefits of the processing." If the risks outweigh the benefits, the business is prohibited from proceeding with the processing activity under § 7154; if a business proceeds, that decision itself is documented in the report as the outcome of the balancing.

Additional analytical steps (NOT documented in the report)

Section 7152(a)(4), (a)(5), and (a)(10) set forth requirements that businesses must fulfill during the risk assessment process but that are not included in the risk assessment report businesses create and retain:

• (4) Any other additional benefits beyond those identified in subsection (a)(6) that the business considered.
• (5) Whether the business could achieve the same benefits while processing less personal information, processing personal information for a shorter period, or processing less sensitive categories of personal information, and if the business determines it could not, the business's rationale for that determination.
• (10) For ADMT uses, identification of any external parties that the business consulted in the preparation or review of the risk assessment, or if the business did not consult external parties, a plain-language explanation why it did not do so and which safeguards it has implemented to address risks to consumers' privacy arising from the lack of external consultation.

These elements are part of the assessment's analytical rigor but are deliberately excluded from the report to reduce documentation burden and to encourage candid internal deliberation. Businesses must still perform the analysis required by subsections (4), (5), and (10), but they do not document the outcome in the written report that could be requested by the CPPA or Attorney General.

Cross-reference: stakeholder involvement and ADMT-specific additions

Section 7151 requires businesses to involve "all individuals from across the business's organizational structure who are responsible for preparing, contributing to, or reviewing the risk assessment," and permits (but does not require) businesses to include external parties such as consultants, academics, or civil-society organizations. Section 7153 adds further content requirements for businesses training ADMT or AI capable of making significant decisions, establishing individual identity, performing physical or biological identification or profiling, generating deepfakes, or operating generative models. Those additional elements apply only to the training use cases enumerated in § 7150(b)(6) and are beyond the scope of the general risk assessment content framework in § 7152.

Retention and submission

Under § 7155, businesses must retain risk assessment reports for three years after the business ceases the processing activity to which the report relates. Under § 7157, businesses do not proactively submit the full risk assessment report to the CPPA; instead, they submit an annual summary certification by April 1, 2028 (covering 2026–2027 assessments) and annually thereafter. However, the CPPA or the California Attorney General may request the full risk assessment report at any time, and the business must produce it within 30 calendar days of that request (§ 7157(e)).

Effective date and transition

These requirements took effect January 1, 2026. Businesses that initiated high-risk processing before that date and continue it afterward must complete a compliant risk assessment by December 31, 2027 (§ 7155(b)).

Source: 11 Cal. Code Regs. § 7152 (effective Jan. 1, 2026) Source: CPPA Final Statement of Reasons — Cybersecurity Audit & Risk Assessment Regulations (July 24, 2025)

A business subject to the California Consumer Privacy Act must conduct and document a risk assessment when its processing of consumers' personal information presents significant risk to consumers' privacy, as defined by six enumerated triggers in 11 Cal. Code Regs. § 7150(b), effective January 1, 2026. The threshold question for CCPA compliance is not whether the business needs a data protection officer or a general processing inventory (neither is required), but whether the business engages in any of the six processing activities that mandate a formal risk assessment under the California Privacy Protection Agency's regulations implementing Cal. Civ. Code § 1798.185(a)(15).

Trigger 1: Processing personal information of children under 16 (§ 7150(b)(1))

A business must conduct a risk assessment when it processes personal information of consumers that the business has actual knowledge are less than 16 years of age. "Actual knowledge" is a statutory standard under the CCPA for children's data; constructive knowledge or "should have known" is insufficient. The regulations do not carve out any exception for this trigger — all processing of known-minor PI requires a documented risk assessment, regardless of purpose, volume, or sensitivity.

Trigger 2: Selling or sharing personal information (§ 7150(b)(2))

A business must conduct a risk assessment when it sells or shares personal information as those terms are defined in the CCPA. "Sell" means making available, disclosing, releasing, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration (Cal. Civ. Code § 1798.140(ad)). "Share" means making available, disclosing, releasing, transferring, or otherwise communicating personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration (§ 1798.140(ahh)). The regulations apply this trigger broadly: if the business engages in sale or sharing, it must conduct a risk assessment for that processing activity. Businesses that rely solely on service providers or contractors operating under contractual restrictions (Cal. Civ. Code § 1798.140(ag), (ah)) do not trigger this requirement for those processing relationships, but must assess any sale/share relationships separately.

Trigger 3: Processing sensitive personal information — with employment-payroll exceptions (§ 7150(b)(3))

A business must conduct a risk assessment when it processes sensitive personal information (SPI) as enumerated in Cal. Civ. Code § 1798.140(ae), which includes Social Security numbers, driver's license numbers, state ID card numbers, passport numbers; account log-in credentials combined with required security or access codes; precise geolocation (within a radius of 1,850 feet); racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of mail, email, and text messages directed to the business where the business is not the intended recipient; genetic data; biometric information processed for the purpose of uniquely identifying a consumer; personal information collected and analyzed concerning a consumer's health; and personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

The CPPA regulations provide four narrow employment and payroll exceptions to this trigger under § 7150(b)(3)(A)–(D). A business need not conduct a risk assessment when it processes SPI solely and specifically for:

(A) Administering compensation payments to employees or independent contractors, including determining the amount and method of payment, paying the compensation, and preparing and filing tax documents reflecting the compensation;

(B) Determining and storing employment authorization (for example, verifying work authorization under federal I-9 requirements by reviewing a passport or permanent resident card);

(C) Administering employment benefits (health insurance, retirement plans, paid time off, disability, workers' compensation, unemployment insurance); or

(D) Wage reporting as required by federal or state law.

These exceptions are conjunctive and purpose-limited. If the business processes the same SPI for a purpose beyond the enumerated exceptions — for example, using Social Security numbers both for payroll tax filing (exception D) and for background-check vendor matching (not an exception) — the business must conduct a risk assessment for the non-exempt processing. If the business processes health information solely for administering COBRA continuation coverage (exception C), no risk assessment is triggered; if it uses the same health data to train a wellness-program recommendation engine, a risk assessment is required.

Trigger 4: Using automated decisionmaking technology (ADMT) to make a significant decision (§ 7150(b)(4))

A business must conduct a risk assessment when it uses automated decisionmaking technology to make, or substantially facilitate, a significant decision concerning a consumer. The CPPA defines "significant decision" in 11 Cal. Code Regs. § 7001(ddd) as a decision that results in the provision or denial of:

• Financial or lending services (credit approval, loan underwriting, interest-rate determinations);
• Housing (rental applications, lease approvals, tenant screening);
• Education enrollment or opportunities (admissions decisions, access to educational programs, educational credentials such as degrees or diplomas, suspension or expulsion);
• Employment or independent contracting opportunities or compensation (hiring, allocation or assignment of work, performance evaluation, promotion, demotion, suspension, termination, or determination of compensation or benefits); or
• Healthcare services (access to care, insurance authorization, treatment recommendations generated by clinical decision-support systems).

"Automated decisionmaking technology" under § 7001(n) means any technology that processes personal information and uses computation to execute a decision or substantially facilitate human decisionmaking. The definition expressly includes profiling (evaluating aspects concerning a consumer's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements). The regulations exclude ministerial technologies (web hosting, domain registration, caching, data storage, firewalls, anti-virus, spam-filtering, spellcheckers, calculators, databases, spreadsheets) provided that these technologies do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.

The CPPA clarified in the May 2025 modifications that "allocation or assignment of work" for employees is a significant decision, but the agency received industry comment expressing concern that this definition sweeps too broadly — for example, treating an AI tool that assigns incoming calls at a call center as categorically equivalent to an AI hiring tool. The final regulation did not narrow the definition further, and the "allocation or assignment" language remains in § 7001(ddd)(4)(B) as a significant decision trigger.

Trigger 5: Using ADMT for extensive profiling (§ 7150(b)(5))

A business must conduct a risk assessment when it uses ADMT for extensive profiling of a consumer. Section 7001(oo) defines "extensive profiling" as:

(A) Profiling a consumer through systematic observation when the consumer is acting in their capacity as an applicant to an educational program, job applicant, student, employee, or independent contractor. "Systematic observation" includes methodical, regular, or continuous observation using technologies such as Wi-Fi or Bluetooth tracking, RFID, drones, video or audio recording or livestreaming, technologies that enable physical or biological identification or profiling, geofencing, location trackers, or license-plate recognition (§ 7001(eee)); or

(B) Profiling a consumer through systematic observation of a publicly accessible place where the business processes personal information about consumers who are in that place. This trigger applies, for example, to retail stores that deploy in-store tracking (Wi-Fi MAC address collection, video analytics for dwell-time measurement, license-plate recognition in parking lots) to profile shoppers' behavior and preferences.

The "extensive profiling" trigger is designed to capture surveillance-enabled profiling in workplace, educational, and public contexts that would not necessarily result in a discrete "significant decision" but still presents heightened privacy risk. A business that uses systematic observation to profile job applicants during a video interview (analyzing facial expressions, speech patterns, word choice) triggers both § 7150(b)(4) (if the ADMT makes or facilitates a hiring decision) and § 7150(b)(5) (extensive profiling via systematic observation of job applicants). A single processing activity can trigger multiple subsections of § 7150(b); the business satisfies the requirement by conducting one compliant risk assessment that addresses all applicable triggers.

Trigger 6: Training ADMT or AI for specified high-risk uses (§ 7150(b)(6))

A business must conduct a risk assessment when it processes personal information to train ADMT or artificial intelligence that the business intends to use:

(A) To make, or substantially facilitate, a significant decision (as defined in § 7001(ddd), discussed under Trigger 4 above);

(B) To establish the identity of a specific consumer (e.g., training a facial-recognition model used for authentication or access control);

(C) For physical or biological identification or profiling (e.g., training a biometric identification system, gait-recognition technology, voice-print matching, or health-status inference models that identify consumers based on physical or biological characteristics); or

(D) To generate synthetic content (training generative AI models capable of producing text, images, audio, or video, including deepfake-generation models).

Section 7001(fff) defines "train" as the process through which a technology discovers underlying patterns, learns a series of actions, or is taught to generate a desired output. Examples include adjusting the parameters of an algorithm used for ADMT, improving the algorithm that determines how a machine-learning model learns, and iterating the datasets fed into ADMT.

The CPPA narrowed this trigger significantly from earlier drafts, which would have required risk assessments for all processing used to train AI "capable of being used" for the enumerated purposes. The finalized regulation applies the trigger only when the business intends to use the trained ADMT or AI for the specified purposes. If a business is training a large language model for customer-service chatbot use (not a significant decision, not identity verification, not profiling, not deepfakes), the training activity does not trigger § 7150(b)(6). If the same business later uses that trained model to screen job applicants (a significant decision), the use triggers § 7150(b)(4), and the business must conduct a risk assessment at that point (or update an existing assessment if one was completed for comparable ADMT use).

Threshold applicability: businesses subject to the CCPA generally

The risk assessment obligation applies to any business subject to the CCPA — that is, a for-profit entity doing business in California that satisfies one or more of the three CCPA thresholds: (1) annual gross revenues exceeding $25 million; (2) annually buys, sells, receives, or shares the personal information of 100,000 or more consumers or households; or (3) derives 50% or more of its annual revenue from selling or sharing consumers' personal information (Cal. Civ. Code § 1798.140(d)). There is no separate revenue or volume threshold for the risk assessment requirement — if a business is subject to the CCPA and engages in any of the six processing activities enumerated in § 7150(b), it must conduct and document a risk assessment.

Nonprofits, government agencies, and for-profit entities that do not meet the CCPA business thresholds are not subject to the risk assessment requirement even if they engage in the enumerated processing activities.

Timing: before initiating processing, or by December 31, 2027, for pre-existing processing

Under 11 Cal. Code Regs. § 7155(a)(1), a business must conduct and document a risk assessment before initiating any processing activity identified in § 7150(b). For processing activities that the business initiated before January 1, 2026 (the effective date of the regulations), and that continue after that date, the business must complete a compliant risk assessment by December 31, 2027 (§ 7155(b)). This two-year transition window applies only to pre-existing processing; any new processing initiated on or after January 1, 2026, that triggers § 7150(b) requires a documented assessment before the processing begins.

Relationship to other legal requirements: avoid duplication when possible

Section 7156(a) permits a business that has conducted and documented a risk assessment to comply with another law or regulation (for example, a data protection impact assessment under GDPR Article 35, a privacy impact assessment under PIPEDA, or a privacy threshold analysis under the federal E-Government Act and OMB Circular A-130) to use that existing assessment to satisfy the CCPA risk assessment requirement, provided that the existing assessment meets all of the content requirements in Article 10 of the CPPA regulations (11 Cal. Code Regs. §§ 7150–7157). If the existing assessment does not cover all required elements, the business must supplement it with the missing information (§ 7156(b)). A business may also conduct a single risk assessment for a comparable set of processing activities — that is, a set of similar processing activities that present similar risks to consumers' privacy (§ 7156(c)).

Contrast with GDPR Article 35 DPIAs

The California risk assessment framework differs from the EU GDPR's data protection impact assessment (DPIA) requirement under Article 35 in four key respects:

1. Triggers are enumerated, not risk-based. GDPR Article 35(1) requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons," evaluated contextually; Article 35(3) lists examples (systematic monitoring, large-scale special-category processing, automated decisionmaking with legal/similarly significant effects). California's § 7150(b) establishes six bright-line triggers; businesses do not conduct a threshold risk assessment to determine whether a DPIA-like assessment is needed — the triggers themselves define the requirement.

1. Timing is retrospective for pre-existing processing. GDPR Article 35 requires a DPIA prior to processing; California permits businesses to complete assessments for pre-2026 processing by December 31, 2027, two years after the effective date.

1. Submission is summary-only and on a fixed schedule. Under GDPR Article 35, the controller must produce the full DPIA to the supervisory authority upon request, but does not submit it proactively. Under California § 7157, businesses submit an annual summary certification to the CPPA (first submission due April 1, 2028, covering assessments conducted in 2026–2027) and must produce the full risk assessment report within 30 days if the CPPA or California Attorney General requests it during an investigation.

1. Consultation with the supervisory authority is not required. GDPR Article 36 requires prior consultation with the supervisory authority when a DPIA indicates high residual risk that the controller cannot mitigate. California has no equivalent consultation requirement; if the risk assessment concludes that risks outweigh benefits, § 7154 establishes the goal of restricting or prohibiting the processing, but the business makes that determination internally and documents the outcome in the risk assessment report.

Source: 11 Cal. Code Regs. § 7150 (effective Jan. 1, 2026) Source: CPPA Final Statement of Reasons — Cybersecurity Audit & Risk Assessment Regulations (July 24, 2025) Source: Cal. Civ. Code § 1798.185(a)(15)

California businesses subject to the CCPA risk assessment requirement do not submit the full risk assessment report to the California Privacy Protection Agency (CPPA) on a proactive basis. Instead, under 11 Cal. Code Regs. § 7157, effective January 1, 2026, businesses follow a summary-attestation filing schedule for periodic compliance certification and must produce the full risk assessment report only upon request by the CPPA or California Attorney General. This submission architecture differs from the EU GDPR Article 35 data protection impact assessment (DPIA) framework, under which controllers do not proactively submit DPIAs to supervisory authorities but must produce them immediately upon request; California adds a scheduled summary submission layer that provides the CPPA with compliance visibility without requiring businesses to disclose the substantive risk analysis in each assessment.

First submission deadline: April 1, 2028

The first summary submission deadline is April 1, 2028 (§ 7157(a)). By that date, every business subject to the risk assessment requirement under § 7150(b) must submit to the CPPA a summary covering all risk assessments the business conducted and documented from January 1, 2026 (the regulations' effective date) through the end of the reporting period preceding the April 1 deadline. The CPPA designed this initial window—27 months from the effective date to the first filing—to give businesses time to operationalize the risk assessment process before the first filing obligation.

The April 1, 2028 submission is not optional. Failure to submit by that deadline exposes the business to enforcement action by the CPPA or the California Attorney General under Cal. Civ. Code § 1798.199.90 (civil penalties up to $2,500 per violation, or $7,500 per intentional violation or violation involving minors' personal information).

Subsequent submissions: annual cycle

After the first submission, businesses must submit updated summary certifications to the CPPA annually, covering successive periods with no gap in the months covered by successive submissions (§ 7157(a)). The regulation does not specify a fixed annual deadline (e.g., April 1 of each year) beyond the first submission. The CPPA's Final Statement of Reasons (July 24, 2025) states the agency's intent that submissions align with the calendar year for administrative simplicity, which would mean subsequent filings due each April 1, but the regulation itself leaves the timing to the "annual" and "no gap" requirements without further detail. Practitioners should monitor CPPA guidance for clarification of the annual deadline after April 1, 2028.

Businesses that cease to meet the CCPA business thresholds under Cal. Civ. Code § 1798.140(d) (annual gross revenue below $25 million, processing fewer than 100,000 consumers/households annually, and deriving less than 50% of annual revenue from selling or sharing personal information) are no longer required to submit risk assessment summaries, but must retain completed risk assessment reports for three years under § 7155(c).

Contents of the summary submission: § 7157(b)–(c) attestation elements

The summary submission is not the full risk assessment report described in § 7152. Instead, § 7157(b) requires the business to submit:

(1) Business identification and reporting period. The business's legal name, a point of contact with contact information (name, title, email, telephone), and the time period covered by the submission, stated by month and year.

(2) Count of risk assessments conducted and updated. The total number of risk assessments the business conducted and documented during the reporting period, broken down by each processing activity identified in § 7150(b)—selling or sharing PI (§ 7150(b)(2)), processing sensitive PI outside the employment exceptions (§ 7150(b)(3)), using ADMT to make significant decisions (§ 7150(b)(4)), using ADMT for extensive profiling (§ 7150(b)(5)), training ADMT/AI for specified high-risk uses (§ 7150(b)(6)), or processing PI of known minors under 16 (§ 7150(b)(1)).

(3) Compliance with the risk-benefit balancing requirement. For each risk assessment, the business must state whether the risk assessment concluded that privacy risks to consumers outweighed the benefits of the processing (as required by § 7152(a)(9)), and if so, whether the business restricted or prohibited the processing. Section 7154 establishes the goal of the risk assessment as "restricting or prohibiting the processing if the risks to the privacy of consumers outweigh the benefits." If a business concludes risks outweigh benefits but proceeds anyway, that decision is documented in the summary submission and may prompt the CPPA or Attorney General to request the full risk assessment report to investigate compliance with the statutory requirement that processing be "reasonably necessary and proportionate" under Cal. Civ. Code § 1798.100(c).

(4) Executive attestation (§ 7157(c)). The summary submission must include a signed attestation from the highest-ranking executive responsible for oversight of the business's risk-assessment compliance. The attestation must certify:

• That the designated executive has reviewed, understood, and approved the risk assessments conducted and documented during the reporting period;
• That the business initiated any processing activity identified in § 7150(b) only after conducting and documenting a compliant risk assessment (or, for processing initiated before January 1, 2026, that the business completed a retroactive risk assessment by December 31, 2027, as permitted by § 7155(b)); and
• The executive's name, title, signature, and date of certification.

The regulations do not specify the executive's precise role title, leaving businesses discretion to designate the Chief Privacy Officer, General Counsel, Chief Compliance Officer, or CEO. The attestation creates accountability for compliance oversight but does not require the executive to have personally conducted the risk assessments.

What businesses do NOT submit: the full risk assessment report remains confidential unless requested

The § 7157 summary submission does not include the substantive risk assessment report created under § 7152, including the plain-language processing summary, categories of personal information, operational transparency elements (purposes, retention periods, third-party categories, cybersecurity program, applicable federal/state laws), benefit identification, privacy-risk identification, safeguards, or the detailed weighing analysis and outcome. These elements remain confidential business records that the business retains internally and produces only upon request under § 7157(e).

Production upon request: 30 calendar days under § 7157(e)

Section 7157(e) authorizes the CPPA or the California Attorney General to request the full risk assessment report at any time. The business must produce the requested report(s) within 30 calendar days of receiving the request. The request for production is not conditioned on the CPPA or Attorney General opening a formal investigation; the agencies may request reports as part of a sweep, preliminary inquiry, or enforcement investigation.

Once produced, the risk assessment report is treated as confidential commercial information under California Public Records Act exemptions (Cal. Gov. Code § 6254(k), trade secrets and confidential commercial or financial information), and the CPPA may not publicly disclose the report absent a court order or a determination that the public interest in disclosure outweighs the business's confidentiality interest. However, the CPPA may use the report as evidence in an enforcement proceeding, and the report may be introduced in administrative or civil litigation under seal.

Retention requirement: three years after cessation of processing (§ 7155(c))

Under § 7155(c), a business must retain each risk assessment report for three years after the business ceases the processing activity to which the report relates. This retention trigger differs from typical GDPR practice for DPIAs, which EDPB guidance recommends retaining as long as the processing continues plus the national statute of limitations for supervisory-authority enforcement (typically 3–5 years). California's three-year post-cessation retention rule means a business that conducts a risk assessment in January 2026 for a processing activity that continues through December 2030 must retain the assessment until December 2033.

For ongoing processing activities, the business must retain the most recent risk assessment report indefinitely until three years after processing ceases. If the business updates the risk assessment during the life of the processing (for example, after a material change), the business may destroy the superseded assessment once the updated assessment is complete, or may retain both; the three-year retention obligation applies to the current assessment for as long as processing continues.

The three-year retention period aligns with the CPPA's statute of limitations for administrative enforcement. Under Cal. Civ. Code § 1798.199.95(a), the CPPA may commence an administrative enforcement action within three years from the date the violation occurred or, for continuing violations, from the date the violation ceased. Retaining the risk assessment for three years after processing ceases ensures the business can produce the report if the CPPA's investigation reaches back to the end of the retention period.

Cross-reference: cybersecurity audit submission operates on a different schedule

Businesses subject to the cybersecurity audit requirement under 11 Cal. Code Regs. §§ 7120–7124 follow a different submission schedule tied to annual revenue. Cybersecurity audit certifications (not the full audit reports) are due April 1, 2027 (businesses with annual gross revenue ≥ $1 billion), April 1, 2029 ($50M–$1B), or April 1, 2030 (< $50M). The cybersecurity audit certification is a one-time filing after the first audit, with subsequent annual audits submitted to the business's board or highest-ranking executive but not to the CPPA unless requested. The risk assessment summary submission, by contrast, is annual and ongoing beginning April 1, 2028. A business subject to both requirements must track and comply with both submission schedules independently.

Effective date and transition for pre-2026 processing: December 31, 2027 backstop

For processing activities that a business initiated before January 1, 2026 and that continue after that date, § 7155(b) gives the business until December 31, 2027 to complete and document a compliant risk assessment. Those retroactive assessments are included in the first summary submission due April 1, 2028. The regulation does not address whether a business that ceased a pre-2026 processing activity before completing a retroactive assessment must still complete one; § 7155(b) applies the December 31, 2027 deadline to processing that "continues after" January 1, 2026, suggesting businesses need not retroactively assess already-ceased processing. However, the absence of a risk assessment for ceased processing may be cited by the CPPA or Attorney General as evidence of noncompliance with the statutory requirement that processing be "reasonably necessary and proportionate" under Cal. Civ. Code § 1798.100(c), which applied to all CCPA-covered businesses from January 1, 2023 (the CPRA's operative date for that provision).

Source: 11 Cal. Code Regs. § 7157 (effective Jan. 1, 2026) Source: CPPA Final Statement of Reasons — Cybersecurity Audit & Risk Assessment Regulations (July 24, 2025) Source: CPPA Announcement — Regulations Approved (September 23, 2025)

California businesses subject to the cybersecurity audit requirement under 11 Cal. Code Regs. § 7120(b) must conduct an annual audit that produces a cybersecurity audit report containing ten mandatory elements specified in § 7123(e), effective January 1, 2026. The regulations distinguish between the audit (the independent examination process the auditor performs) and the audit report (the written document the business creates, retains, and provides to executive management). The audit report is not proactively submitted to the California Privacy Protection Agency (CPPA) or the California Attorney General; instead, the business submits a one-time certification of completion by the applicable revenue-tier deadline (April 1, 2027, for businesses with $1 billion or more in annual gross revenue; April 1, 2029, for $50 million–$1 billion; April 1, 2030, for under $50 million). The CPPA or Attorney General may request the full audit report at any time during an investigation.

Unlike GDPR Article 30 records of processing activities (ROPA), which inventory all processing operations and must be produced to a supervisory authority upon request, California's cybersecurity audit focuses on security controls rather than comprehensive processing transparency. The audit assesses whether the business's cybersecurity program adequately protects personal information from unauthorized access, destruction, use, modification, or disclosure, and protects against unauthorized activity resulting in loss of availability (§ 7123(a)).

Scope of the cybersecurity audit: § 7123(a)–(b)

The cybersecurity audit must assess the business's cybersecurity program (defined in § 7001(k) as "the policies, procedures, and practices that protect personal information from unauthorized access, destruction, use, modification, or disclosure; and protect against unauthorized activity resulting in the loss of availability of personal information"). Section 7123(a) requires the audit to be appropriate to the business's size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementation—language that mirrors GDPR Article 32's "taking into account the state of the art, the costs of implementation" security standard but is applied here to the audit scope itself, not just to the security measures.

Under § 7123(b)(1), the cybersecurity audit must assess the business's information system as defined in § 7001(pp): "the resources organized for the processing of personal information, or that can provide access to personal information, including the use of a service provider or contractor." This express inclusion of service-provider and contractor processing means that if a business relies on third-party processors (for example, a cloud-services provider hosting personal information, a payroll vendor processing employee data, a marketing platform managing customer data), the cybersecurity audit must assess the security of those third-party systems to the extent they process personal information on behalf of the business. Section 7122(h)(1) requires service providers and contractors to make available to the auditor "all relevant information that the auditor requests to complete the business's cybersecurity audit," and § 7122(h)(2) prohibits them from misrepresenting any fact relevant to the audit.

Section 7123(b)(2) specifies that the audit must assess the components of a cybersecurity program that the auditor deems applicable to the business's information system. The regulations do not enumerate a fixed list of required security controls that every audit must cover. Instead, the auditor exercises professional judgment to determine which controls are applicable given the business's processing profile, the sensitivity of the personal information, the volume and scope of processing, and the risk environment. The CPPA's Final Statement of Reasons (July 24, 2025) states that this performance-based standard provides businesses with flexibility while ensuring thorough coverage of the security controls the auditor determines are necessary. Section 7123(b)(3) permits the auditor to assess additional components beyond those the auditor deems strictly applicable—for example, zero-trust architecture, deception technology, or advanced threat-hunting capabilities—if the business has implemented them or if the auditor believes they are relevant to a complete security assessment.

Required content of the cybersecurity audit report: § 7123(e)(1)–(10)

Every cybersecurity audit report must include ten elements under § 7123(e). These are mandatory documentation requirements, not optional:

(1) Articulation and explanation of effectiveness (§ 7123(e)(1)). The report must articulate and explain the effectiveness of each applicable component of the business's cybersecurity program that the auditor assessed. The CPPA modified this subsection in May 2025 to clarify that the audit report must do more than list security controls—the auditor must evaluate whether each control is effective in protecting personal information. For example, the report must not merely state "the business uses multi-factor authentication (MFA)"; it must explain whether the MFA implementation is effective (e.g., "MFA is enforced for all administrative accounts and covers 98% of employee access, but is not yet deployed for third-party vendor access to the CRM, creating a residual risk"). Subsection (e)(1) cross-references § 7123(a)–(b), meaning the effectiveness evaluation must be scoped to the components the auditor deemed applicable and any additional components the business or auditor decided to assess.

(2) Additional components and effectiveness (§ 7123(e)(2)). If the audit assessed any additional components beyond those the auditor deemed strictly applicable under § 7123(b)(2)—for example, if the business voluntarily implements advanced security controls not required for its processing profile—the audit report must identify and explain the effectiveness of those additional components. The CPPA added this subsection in April 2025 to ensure that when businesses go beyond baseline security, the audit captures and evaluates those enhancements. Subsection (e)(2) also requires the report to describe how the business implements and enforces compliance with the cybersecurity program components, incorporating a requirement originally in § 7123(b)(3). This means the report must explain not only that the business has a policy requiring encrypted data at rest, but also how the business enforces that policy—through technical controls (automated encryption in cloud storage), administrative controls (annual attestation by system owners), detective controls (quarterly scans for unencrypted data), and corrective controls (incident response when violations are detected).

(3) Identification and description of gaps or weaknesses (§ 7123(e)(3)). The audit report must identify and describe any gaps or weaknesses in the business's cybersecurity program that the auditor deemed to increase risk to consumers' personal information. This element parallels GDPR Article 35 DPIA's requirement to identify risks and evaluate their likelihood and severity, but is retrospective (assessing the current security posture) rather than prospective (assessing planned processing). The CPPA revised subsection (e)(3) in May 2025 to clarify that the reporting obligation covers gaps in any component the auditor assessed, including additional components. A "gap" is the absence of a security control the auditor deemed necessary; a "weakness" is a control that is present but ineffective or inadequately implemented. The Final Statement of Reasons emphasizes that auditors must exercise professional judgment in determining which gaps and weaknesses increase risk—not every finding must be reported, but those that materially affect the security of personal information must be documented.

(4) Recommendations for addressing gaps and weaknesses (§ 7123(e)(4)). For each gap or weakness identified in subsection (e)(3), the audit report must include the auditor's recommendations for addressing it. The CPPA removed earlier draft language requiring the business to document the resources it has committed or plans to commit to remediation; the final regulation requires only that the auditor recommend remediation, not that the business commit to or document a remediation plan. This modification was made in May 2025 "to simplify implementation at this time," per the Final Statement of Reasons. The auditor's recommendations need not be prescriptive (e.g., "implement Product X"); they may be principle-based (e.g., "deploy network segmentation to isolate sensitive personal information from general IT resources" or "enforce least-privilege access controls for database administrators").

(5) Status of prior gaps and weaknesses (§ 7123(e)(5)). If the business completed a prior cybersecurity audit, the current audit report must specifically address the status of any gaps or weaknesses identified in that prior audit. This creates an iterative improvement obligation: year-over-year audits track whether the business has remediated prior findings, partially remediated them, or left them unaddressed. For businesses completing their first audit under the regulations (April 1, 2027, for the largest businesses, April 1, 2029, or April 1, 2030, for smaller businesses), subsection (e)(5) does not apply because no prior audit exists. For subsequent annual audits, the auditor must identify each prior-year finding and report its current status—remediated, in progress, or still open. The regulations do not prohibit a business from proceeding with an open finding from year to year, but the fact of non-remediation is documented in each successive audit report and may be cited by the CPPA or Attorney General as evidence of inadequate security under Cal. Civ. Code § 1798.150 (private right of action for data breaches resulting from failure to implement reasonable security).

(6) Corrections or amendments to prior audits (§ 7123(e)(6)). The audit report must specifically identify any corrections or amendments to any prior cybersecurity audit. This subsection addresses the situation where the current auditor discovers that a prior audit contained an error (for example, a prior audit stated that encryption was enabled on a particular data store when in fact it was not, or a prior audit failed to identify a control gap that should have been reported). Subsection (e)(6) requires the current auditor to document the correction in the current report, creating an audit trail for the CPPA or Attorney General if they request historical audit reports during an investigation.

(7) Time period covered by the audit (§ 7123(e)(7)). The audit report must state the time period the audit covered. Under § 7121(a)(1)–(3), the first audit deadline for businesses with annual gross revenue of $1 billion or more is April 1, 2027; for $50 million–$1 billion, April 1, 2029; for under $50 million, April 1, 2030. Section 7121(b) establishes that after the first audit, the business must complete a cybersecurity audit annually, with no gap in the months covered by successive audits. The regulations do not fix a universal audit cycle (e.g., calendar year or fiscal year); businesses choose their audit period, document it in subsection (e)(7), and must repeat the audit annually on the same cycle. For example, a business with $2 billion in annual revenue must complete its first audit by April 1, 2027, covering a 12-month period ending no later than that date (e.g., January 1, 2026–December 31, 2026 if auditing on a calendar-year basis, or April 1, 2026–March 31, 2027 if auditing on a rolling 12-month basis). The second audit would cover the subsequent 12-month period, and so on annually.

(8) Highest-ranking auditor attestation (§ 7123(e)(8)). The audit report must include a signed and dated statement from the highest-ranking auditor certifying that:

• The auditor completed an independent review of the business's cybersecurity program and information system;
• The auditor exercised objective and impartial judgment on all issues within the scope of the audit;
• The auditor did not participate in activities that may compromise, or appear to compromise, the auditor's independence; and
• The information in the audit report is accurate and the auditor did not misrepresent any fact relevant to the audit.

The CPPA modified subsection (e)(8) in May 2025 to limit the attestation requirement to the highest-ranking auditor (previously the regulation required attestations from each auditor on the team) to simplify implementation. If the audit was performed by a single internal auditor, that individual signs. If the audit was performed by an external audit firm with a team, the lead engagement auditor signs. The attestation is personal accountability for the independence and accuracy of the audit.

(9) Auditor qualifications and hours (§ 7123(e)(9)). The audit report must include, for each auditor who participated in the audit, the auditor's name, affiliation, and relevant qualifications to complete the audit "in such detail as necessary to fully describe the nature of their qualifications," and the number of hours that auditor worked on the audit. Subsection (e)(9) does not specify minimum qualifications (e.g., CISSP, CISA, CISM certifications); the auditor and business determine what qualifications are "relevant" given the scope and complexity of the audit. However, the CPPA may scrutinize auditor qualifications if it requests the audit report during an investigation and finds that the auditor lacked the technical expertise to assess the business's processing (for example, an auditor with no cloud-security experience auditing a business whose entire information system is on AWS, Azure, or GCP). The hours-worked disclosure is a transparency mechanism to detect insufficient audit effort—a 10-hour audit of a business processing 500,000 consumers' sensitive personal information would raise a red flag.

(10) Responsible executives (§ 7123(e)(10)). The audit report must include the names and titles of no more than three individuals who are members of the business's executive management team with direct responsibility for the business's cybersecurity audit program. The CPPA added the "no more than three" cap in April 2025 "to provide flexibility for businesses that have many individuals responsible for their cybersecurity programs" (Final Statement of Reasons, p. 94). This subsection identifies accountability at the executive level but does not require a Data Protection Officer or equivalent designated role. A business may list its Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), and General Counsel, or its Chief Executive Officer (CEO) if cybersecurity governance rests at that level. The regulation does not require the listed executives to have signed or approved the audit report (unlike the auditor attestation in subsection (e)(8) or the risk-assessment executive attestation in § 7157(c)); subsection (e)(10) is a disclosure of who holds executive responsibility, not an executive certification.

Auditor independence requirements: § 7122

Section 7122 establishes mandatory independence standards that apply to every cybersecurity audit. The CCPA statutory mandate under Cal. Civ. Code § 1798.185(a)(15)(A) requires the CPPA to "establish a process to ensure that audits are independent." The regulations implement this through both structural and behavioral independence rules.

Internal or external auditor permitted; independence is the standard, not employment relationship (§ 7122(a)). The auditor may be internal (an employee of the business) or external (an independent third-party audit firm or consultant), but in either case must satisfy three independence criteria:

1. Objective and impartial judgment. The auditor must exercise objective and impartial judgment on all issues within the scope of the cybersecurity audit and must be free to make decisions and assessments without influence by the business being audited, including the business's owners, managers, or employees.

1. No participation in activities that compromise independence. The auditor must not participate in activities that may compromise, or appear to compromise, the auditor's independence. Section 7122(b) gives four examples of prohibited activities:

• Developing, implementing, or maintaining the business's cybersecurity program;
• Preparing the business's documents or participating in the business activities that the auditor may review in the current or subsequent cybersecurity audit;
• Having direct financial interest in the business being audited (not applicable to internal auditors who are employees, but applicable to external auditors); or
• Having a close personal relationship with an individual who has direct responsibility for the business's cybersecurity program or information system, where that relationship could reasonably be expected to compromise the auditor's objectivity.

The CPPA's examples are illustrative, not exhaustive ("for example"). An auditor who designed the business's incident-response plan in Year 1 cannot audit that same plan in Year 2 (the auditor would be auditing their own work). An external audit firm that also sells cybersecurity consulting services to the business—for example, deploying a SIEM solution and then auditing the adequacy of SIEM logging—creates a prohibited conflict under subsection (b).

1. Not subordinate to individuals responsible for cybersecurity. Under § 7122(d), if the auditor is an internal auditor (an employee of the business), the auditor must not be subordinate to any individual who has direct responsibility for the business's cybersecurity program or information system. This prevents a CISO from directing an internal audit team that reports to the CISO to audit the CISO's own security program. Internal auditors performing cybersecurity audits under the CCPA must report to a separate executive (for example, the Chief Audit Executive reporting to the Audit Committee of the board of directors, or a General Counsel or Chief Compliance Officer who does not own the cybersecurity function).

Reporting to executive management (§ 7122(e)). Once the cybersecurity audit report is complete, the business must provide the report to a member of the business's executive management team who has direct responsibility for the business's cybersecurity audit program under § 7122(e). Earlier drafts required reporting to the board of directors or governing body; the CPPA revised the final regulation to allow reporting to executive management to accommodate businesses (particularly smaller businesses and LLCs) that do not have a formal board structure. The executive who receives the report must have direct responsibility for the audit program, not merely for cybersecurity generally. For many businesses this will be the CISO or the Chief Risk Officer; for smaller businesses it may be the CEO or General Counsel.

The regulations do not require the business to proactively submit the cybersecurity audit report to the CPPA or Attorney General. Instead, under § 7124, the business must submit a certification of completion to the CPPA by the applicable deadline (April 1, 2027 / 2029 / 2030 depending on revenue tier). The certification must include the business's name, a point of contact, a statement that the business completed the audit, the time period covered by the audit, and an attestation signed by the executive listed in subsection (e)(10). The CPPA or Attorney General may request the full audit report at any time, and the business must produce it; the report is treated as confidential commercial information under California Public Records Act exemptions but may be used as evidence in enforcement proceedings.

Business cooperation and no misrepresentation (§ 7122(c), (h)). Section 7122(c) requires the business to disclose all facts relevant to the cybersecurity audit to the auditor and prohibits the business from misrepresenting any fact relevant to the audit. Section 7122(h)(1) requires service providers and contractors to make available to the auditor all relevant information the auditor requests, and § 7122(h)(2) prohibits service providers and contractors from misrepresenting any fact relevant to the audit. Misrepresentation or obstruction of the audit exposes the business to enforcement by the CPPA or Attorney General under Cal. Civ. Code § 1798.199.90 (civil penalties up to $2,500 per violation, or $7,500 per intentional violation or violation involving minors).

Retention: five years after completion (§ 7122(g)). Both the business and the auditor must retain all documents relevant to each cybersecurity audit for a minimum of five years after completion of the audit. This retention period is longer than the three-year retention required for risk assessment reports under § 7155(c) and reflects the CPPA's expectation that cybersecurity audits will be requested during enforcement investigations that may reach back several years. The five-year retention applies to the audit report itself and to all supporting documentation—audit workpapers, evidence collected, correspondence with the business, service-provider responses, penetration-testing reports, vulnerability-scan results, and any other materials the auditor reviewed or created during the audit.

Contrast with GDPR Article 35 DPIA and Article 30 ROPA

California's cybersecurity audit framework occupies a middle ground between GDPR's security obligation under Article 32 (requiring controllers and processors to implement appropriate technical and organizational measures, taking into account the state of the art and costs of implementation) and GDPR's accountability documentation under Articles 30 (ROPA) and 35 (DPIA).

• Unlike GDPR Article 30 ROPA, which requires a comprehensive inventory of all processing operations with details on purposes, categories of data, recipients, retention periods, and security measures, California's cybersecurity audit is security-focused and does not require a processing inventory. A business subject to both GDPR and CCPA must maintain a GDPR-compliant ROPA separately; the CCPA cybersecurity audit does not substitute for it.

• Unlike GDPR Article 35 DPIA, which is a prospective risk assessment required prior to high-risk processing and must evaluate necessity, proportionality, and risks to data subjects' rights and freedoms, California's cybersecurity audit is a retrospective security assessment of the business's current controls. The California risk assessment under §§ 7150–7157 is closer to a GDPR DPIA, but it covers privacy risks broadly, not just security risks.

• Like SOC 2 Type II or ISO 27001 certification audits, California's cybersecurity audit evaluates the effectiveness of security controls over a defined period. However, the CCPA does not require certification to a specific standard (SOC 2, ISO 27001, NIST Cybersecurity Framework, CIS Controls); the auditor determines which components are applicable and assesses them using professional judgment. Section 7124(b) permits a business that has completed a cybersecurity audit, assessment, or evaluation under another law or regulation to use that existing work to satisfy the CCPA requirement, provided that the existing audit meets all of the requirements in Article 9 of the CPPA regulations (§§ 7120–7124). If a business has a current SOC 2 Type II report, it may use that report if the SOC 2 scope covered all applicable components of the CCPA cybersecurity program requirements and the report includes the ten elements required by § 7123(e). Most SOC 2 reports will require supplementation to meet CCPA requirements.

Source: 11 Cal. Code Regs. §§ 7122–7123 (effective Jan. 1, 2026) Source: CPPA Final Statement of Reasons — Cybersecurity Audit & Risk Assessment Regulations (July 24, 2025) Source: Cal. Civ. Code § 1798.185(a)(15)(A)

California imposes an annual cybersecurity audit requirement on businesses whose processing of consumers' personal information presents "significant risk to consumers' security" under 11 Cal. Code Regs. Article 9 (§§ 7120–7124), effective January 1, 2026. This requirement is distinct from the risk assessment framework under Article 10 and from any data protection officer (DPO) or records-of-processing-activities (ROPA) mandate. Unlike the EU GDPR Article 30 ROPA, which requires all controllers and processors to inventory their processing activities, California's cybersecurity audit applies only to a narrow subset of CCPA-covered businesses and focuses on cybersecurity program effectiveness, not processing inventory.

The cybersecurity audit regulations implement Cal. Civ. Code § 1798.185(a)(15)(A), which authorizes the California Privacy Protection Agency (CPPA) to "establish a process to ensure that businesses complete annual cybersecurity audits and regular risk assessments" for processing presenting significant risk to consumers' security.

Trigger: businesses deriving 50% or more of annual revenue from selling or sharing personal information

Under 11 Cal. Code Regs. § 7120(b), a business's processing presents "significant risk to consumers' security" if the business meets the threshold in Cal. Civ. Code § 1798.140(d)(1)(C) in the preceding calendar year: deriving 50 percent or more of its annual revenues from selling or sharing consumers' personal information. This is the third—and narrowest—of the three CCPA business thresholds. The other two CCPA thresholds (annual gross revenues exceeding $25 million, or processing the personal information of 100,000 or more consumers or households annually) do not trigger the cybersecurity audit requirement by themselves.

The CPPA's Final Statement of Reasons (July 24, 2025) explains that the agency chose the 50% revenue threshold to target "businesses whose core business model relies on monetizing consumers' personal information through sale or sharing," which the CPPA determined presents heightened security risk because "businesses that derive substantial revenue from such processing have strong financial incentives to collect and maintain large volumes of personal information, creating concentrated data repositories that are attractive targets for malicious actors."

"Sell" and "share" carry their CCPA-defined meanings. "Sell" means making available, disclosing, releasing, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration (Cal. Civ. Code § 1798.140(ad)). "Share" means making available, disclosing, releasing, transferring, or otherwise communicating personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration (§ 1798.140(ahh)).

A business that meets the 50% revenue threshold for selling/sharing in calendar year 2025, for example, becomes subject to the cybersecurity audit requirement for the 2026 audit period, and the first audit deadline depends on the business's annual gross revenue tier (see Staggered deadlines below).

Auditor independence and qualifications — § 7122

Section 7122 establishes independence requirements for auditors that parallel financial-audit independence standards but are adapted to cybersecurity. Every business required to complete a cybersecurity audit must do so using a qualified, objective, independent professional (internal or external to the business) using procedures and standards accepted in the profession of auditing. Section 7122(a) lists examples of acceptable standards: NIST Cybersecurity Framework, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, ISO/IEC 27018, SOC 2, AICPA/CICA Generally Accepted Privacy Principles (GAPP), and Center for Internet Security (CIS) Controls. Use of one of these standards is not mandatory; they are illustrative, and a business may use other comparable frameworks provided the auditor follows procedures accepted in the auditing profession.

Independence requirements (§ 7122(b)):

The auditor—whether internal or external—must:

• Exercise objective and impartial judgment on all issues within the scope of the cybersecurity audit;
• Be free to make decisions and assessments without influence by the business being audited, including the business's owners, managers, or employees; and
• Not participate in activities that may compromise, or appear to compromise, the auditor's independence.

Section 7122(b)(1) provides concrete examples of prohibited activities: the auditor must not develop, implement, or maintain the business's cybersecurity program, nor prepare the business's documents or participate in the business activities that the auditor may review in the current or subsequent cybersecurity audit. This prohibition creates a functional separation analogous to the Sarbanes-Oxley Act § 201 prohibition on auditors providing certain non-audit services to audit clients.

An internal auditor may perform the cybersecurity audit provided that the internal auditor meets the independence criteria. Section 7122(c) clarifies that an internal auditor satisfies the independence requirement if the auditor: (1) is organizationally independent of the business functions responsible for cybersecurity (i.e., does not report to the CISO or IT security director within the reporting chain); (2) has no operational responsibilities for the cybersecurity program being audited; and (3) reports the audit findings to a member of the business's executive management team who does not have direct responsibility for the business's cybersecurity program, or to the board of directors or equivalent governing body.

For example, a Chief Audit Executive (CAE) reporting to the Audit Committee of the board, with no cybersecurity-implementation responsibilities, may lead the internal audit team conducting the cybersecurity audit. The CISO and the CISO's direct reports may not serve as the auditor, because they develop, implement, and maintain the cybersecurity program.

Scope of the audit and audit report — § 7123

Section 7123 defines what the audit must assess and what the business must document in the cybersecurity audit report. The business must create the report as part of the audit but does not submit the report to the CPPA proactively; instead, the business submits a certification of completion under § 7124, and the CPPA or California Attorney General may request the full audit report at any time.

Audit scope (§ 7123(a)–(d), performed by the auditor but not necessarily documented in the report):

The cybersecurity audit must assess the business's cybersecurity program—the policies, procedures, and practices that protect personal information from unauthorized access, destruction, use, modification, or disclosure, and that protect against unauthorized activity resulting in the loss of availability of personal information. The auditor must assess:

(a) Establishment, implementation, and maintenance of the cybersecurity program: whether the business has established a cybersecurity program, whether it has implemented that program, and whether it maintains the program over time;

(b) Adequacy and effectiveness: whether the cybersecurity program is reasonably designed to protect the security of personal information the business processes; whether the program is adequate in light of the volume and sensitivity of personal information the business processes and the risks posed by the business's processing activities; and whether the program is effective, meaning that it operates as the business designed it to operate;

(c) Compliance with applicable cybersecurity standards: whether the business's cybersecurity program complies with Cal. Civ. Code § 1798.150(a) (requiring reasonable security procedures and practices appropriate to the nature of the information to protect against unauthorized access, destruction, use, modification, or disclosure) and other federal or state laws requiring cybersecurity measures applicable to the business's processing activities; and

(d) Incident response and risk management: whether the business has established processes for identifying, assessing, and mitigating cybersecurity risks and responding to cybersecurity incidents (unauthorized occurrences on or conducted through a business's information systems that actually or potentially jeopardize the confidentiality, integrity, or availability of the business's information systems or the personal information they process).

Audit report contents (§ 7123(e), documented by the business and producible to CPPA/AG upon request):

The cybersecurity audit report that the business must create and retain for three years under § 7123(e) and (g) must include:

(1) Information system description: a description of the business's information system—the resources (network, hardware, and software) organized for the processing of personal information or that can provide access to personal information, including the use of service providers or contractors. The business must identify the policies, procedures, and practices that the cybersecurity audit assessed.

(2) Cybersecurity program leadership: identification of up to three job titles or roles of qualified individuals responsible for the business's cybersecurity program. The regulation caps this at three titles to avoid forcing businesses to disclose granular organizational details that could assist threat actors in social-engineering attacks.

(3) Applicable cybersecurity standards: identification of the cybersecurity audit standard(s) the auditor used (e.g., NIST CSF, ISO 27001, SOC 2), and identification of federal or state laws or regulations that require the business to implement cybersecurity measures applicable to the personal information the business processes.

(4) Testing performed: identification and description in detail of the testing the auditor performed, including penetration testing, tabletop exercises simulating cybersecurity incidents, review of logs and monitoring systems, and assessment of access controls, encryption, multi-factor authentication, and incident-response plans. Section 7123(e)(4) requires businesses to describe testing "in detail," which generated industry opposition during rulemaking on the grounds that detailed testing descriptions could serve as a roadmap for attackers. The CPPA retained the requirement, reasoning that the audit report is confidential (submitted only upon CPPA/AG request, not publicly disclosed) and that detailed documentation of testing is necessary for the CPPA to assess audit thoroughness.

(5) Findings: identification and description in detail of the auditor's findings, including gaps or deficiencies in the business's cybersecurity program that the auditor identified (e.g., absence of multi-factor authentication for privileged accounts, inadequate encryption of personal information in transit, failure to maintain current patches for operating systems, insufficient logging for security-event monitoring). The business must document the status of each gap or deficiency—whether it is remediated, in progress of remediation, or not yet remediated—and the timeline for completing remediation if remediation is in progress or planned.

(6) Recommendations: the auditor's recommendations for improving the business's cybersecurity program, including specific measures the business should implement to address identified gaps and deficiencies.

(7) Management response: the business's response to the auditor's findings and recommendations, including whether the business agrees or disagrees with each finding, the business's plan for addressing each finding, and the business's rationale if the business declines to implement a recommendation.

(8) Auditor certification: a certification signed by the highest-ranking auditor responsible for the cybersecurity audit, certifying that the auditor conducted the audit in accordance with procedures and standards accepted in the profession of auditing, that the auditor exercised objective and impartial judgment, and that the information in the audit report is accurate and complete to the best of the auditor's knowledge.

Timing requirements and staggered deadlines by revenue — § 7121

Section 7121 establishes a phased implementation schedule for the first cybersecurity audit, with deadlines staggered by the business's annual gross revenue to give smaller businesses more time to operationalize the requirement.

First audit deadlines:

• Businesses with annual gross revenue of $1 billion or more as of January 1, 2026: must complete the first cybersecurity audit and submit the certification of completion to the CPPA by April 1, 2027 (§ 7121(a)(1)).

• Businesses with annual gross revenue of $50 million or more but less than $1 billion: must complete the first audit and submit the certification by April 1, 2029 (§ 7121(a)(2)).

• Businesses with annual gross revenue of less than $50 million: must complete the first audit and submit the certification by April 1, 2030 (§ 7121(a)(3)).

The "annual gross revenue" threshold for determining which deadline applies is the business's revenue as of January 1, 2026—the effective date of the regulations. A business's revenue can fluctuate year-to-year; for purposes of the first-audit deadline, the business applies the January 1, 2026 revenue snapshot to determine whether it is subject to the 2027, 2029, or 2030 deadline.

Audit period and annual cycle (§ 7121(b)):

After the first audit, businesses must complete a cybersecurity audit annually. Each audit must cover a 12-month audit period, and the business must complete the audit and submit the certification of completion to the CPPA within four months after the end of the audit period.

Section 7121(b)(1) provides an illustrative example: "A business with annual gross revenue of $1 billion or more as of January 1, 2026, must complete a cybersecurity audit that covers the 12-month period from January 1, 2026, through December 31, 2026. The business must complete that audit and submit its certification of completion to the Agency no later than April 1, 2027. The business must then complete a second cybersecurity audit that covers the 12-month period from January 1, 2027, through December 31, 2027, and submit its certification of completion to the Agency no later than April 1, 2028."

A business may choose a different 12-month audit period aligned with its fiscal year, but once chosen, the period must remain consistent year-to-year unless the business obtains CPPA approval to change it.

Certification of completion — § 7124

Section 7124 specifies that businesses do not submit the full cybersecurity audit report to the CPPA on a proactive basis. Instead, the business must submit a certification of completion signed by a member of the business's executive management team who does not have direct responsibility for the business's cybersecurity program, or by a member of the business's board of directors or equivalent governing body.

This executive-certification requirement creates governance accountability. The executive certifying cannot be the CISO or IT Security Director—it must be someone outside the cybersecurity reporting chain (e.g., the CEO, CFO, General Counsel, or Chief Compliance Officer).

Certification contents (§ 7124(d)):

The certification must include:

(1) The business's legal name and contact information (name, title, email, and telephone number of the business's point of contact);

(2) A statement that the business has completed a cybersecurity audit in accordance with Article 9 of the CPPA regulations;

(3) The 12-month period covered by the audit, stated by month, day, and year;

(4) The date the business completed the audit; and

(5) The signature and title of the executive management team member or board member certifying completion, and the date of signature.

Production of the full audit report upon request:

Under § 7124(e), the CPPA or the California Attorney General may request the full cybersecurity audit report at any time. The business must produce the requested report within 30 calendar days of receiving the request. The report is treated as confidential commercial information under California Public Records Act exemptions (Cal. Gov. Code § 6254(k)), and the CPPA will not publicly disclose it absent a court order or a determination that the public interest in disclosure outweighs the business's confidentiality interest. However, the CPPA may use the report as evidence in an enforcement proceeding.

Retention: three years (§ 7123(g))

The business must retain the cybersecurity audit report for three years from the date the business submitted the certification of completion to the CPPA. This retention period parallels the CPPA's statute of limitations for administrative enforcement under Cal. Civ. Code § 1798.199.95(a) (three years from the date the violation occurred or, for continuing violations, from the date the violation ceased).

Leveraging existing audits (§ 7123(f)):

Section 7123(f) permits a business that has completed a cybersecurity audit, assessment, or evaluation to satisfy another legal requirement (for example, SOC 2 Type II for a SaaS vendor, ISO 27001 certification, or a HIPAA security risk assessment) to use that existing audit to satisfy the CCPA cybersecurity audit requirement, provided that the existing audit meets all of the requirements in Article 9. If the existing audit does not cover all required elements, the business must supplement it with the missing information. A business may also conduct a single cybersecurity audit for a comparable set of information systems or processing activities.

Cross-reference: distinct from risk assessment framework

The cybersecurity audit requirement under Article 9 is organizationally and substantively distinct from the risk assessment requirement under Article 10 (11 Cal. Code Regs. §§ 7150–7157). The audit assesses the effectiveness of the business's cybersecurity program—a retrospective evaluation of implemented controls. The risk assessment evaluates the benefits and privacy risks of specific processing activities—a prospective balancing test. Businesses subject to both requirements (those deriving 50%+ revenue from selling/sharing PI and engaging in processing activities enumerated in § 7150(b)) must complete both the annual cybersecurity audit and the required risk assessments, which operate on different submission schedules. Cybersecurity audit certifications are due April 1 each year (after the first staggered deadline); risk assessment summary certifications are due April 1, 2028 (covering assessments conducted from January 1, 2026 through the reporting period), and annually thereafter.

Enforcement and penalties

Failure to complete the required cybersecurity audit, failure to submit the certification of completion by the applicable deadline, or failure to produce the full audit report within 30 days of a CPPA or Attorney General request exposes the business to enforcement action under Cal. Civ. Code § 1798.199.90. Civil penalties are up to $2,500 per violation, or $7,500 per intentional violation or violation involving the personal information of consumers the business has actual knowledge are less than 16 years of age. Each month of noncompliance may constitute a separate violation.

Source: 11 Cal. Code Regs. §§ 7120–7124 (effective Jan. 1, 2026) Source: CPPA Final Statement of Reasons — Cybersecurity Audit & Risk Assessment Regulations (July 24, 2025) Source: Cal. Civ. Code § 1798.185(a)(15)(A)