California cybersecurity audits expand vendor risk

- California introduced a rule requiring certain businesses to complete annual cybersecurity audits, according to reporting.
- Attorneys warned the rule could affect how companies defend class-action litigation after data breaches.
- The development signals cybersecurity posture is becoming a formal part of vendor risk assessments for procurement. (minnesotastatewire.com)

California businesses that handle large volumes of personal data now face annual cybersecurity audits under rules the state finalized in 2025, with parts of the package taking effect on January 1, 2026. (cppa.ca.gov) The California Privacy Protection Agency board adopted the regulations on July 24, 2025, under the California Consumer Privacy Act. The rules require an annual audit for businesses whose data processing presents a “significant risk to consumers’ security.” (cppa.ca.gov)

That “significant risk” label reaches two main groups: companies that got at least 50% of prior-year revenue from selling or sharing Californians’ personal information, and companies with more than $25 million in annual gross revenue that processed data on at least 250,000 consumers or households, or sensitive data on at least 50,000 consumers. (natlawreview.com)

A cybersecurity audit is a documented yearly check of whether a company’s security program matches the risks created by the data it collects, uses, sells, shares, or keeps. California’s final text says the audit must evaluate the business’s safeguards, identify gaps, and describe plans to fix material weaknesses. (cppa.ca.gov)

The rule also pushes security into procurement. Lawyers tracking the regulation said companies that buy software, cloud storage, payroll tools, and other services are more likely to ask vendors for audit reports, security questionnaires, and contract promises before signing deals. (iapp.org)

That same paperwork could surface after a breach. Attorneys told the International Association of Privacy Professionals that plaintiffs in class actions may use audit findings to argue a company knew about security weaknesses, while defendants may try to use the same records to show they had a structured security program and remediation process. (iapp.org)

California has been moving toward this framework for years. The agency circulated draft cybersecurity audit language in September 2023, then carried the topic through formal rulemaking before the board’s 2025 vote. (cppa.ca.gov) The state also gave businesses extra time on the hardest pieces. The agency said the January 1, 2026 effective date did not mean immediate compliance for cybersecurity audits, risk assessments, and automated decisionmaking rules, which received additional implementation time. (cppa.ca.gov)

Tradeoffs remain unsettled. Legal analyses have said the audits may help define what California considers “reasonable” security under state law, but they also create a fresh record for regulators, litigants, and customers to scrutinize after an incident. (iapp.org) For companies that touch California data, the practical shift is already visible: cybersecurity is no longer just an information-technology function, but a compliance document that can shape vendor reviews, board oversight, and breach litigation. (jdsupra.com)
