California Cybersecurity Audits to Start This Year. How Compani…
Publish Date: 2026-05-10 10:54:00
Source Domain: www.pymnts.com
The California Privacy Protection Agency is preparing to begin cybersecurity audits of companies this year, signaling a major escalation in enforcement activity under California’s privacy regime even though formal audit certification deadlines do not begin until 2028, according to a new advisory from Arnold & Porter.
The alert warns companies not to treat the delayed certification timeline as a grace period. Instead, regulators expect organizations to already have cybersecurity audit practices and governance frameworks in place ahead of formal compliance deadlines.
The audits will be conducted by a newly created Audits Division within the California privacy agency and led by Chief Privacy Auditor Sabrina Boyson Ross, a former public policy executive at Meta. The division is responsible for examining companies’ privacy and cybersecurity practices, processing risk assessment attestations and overseeing cybersecurity audit certifications required under the state’s updated privacy rules.
California’s audit regime stems from the state’s landmark privacy laws, the California Consumer Privacy Act and the California Privacy Rights Act, which together created one of the broadest privacy enforcement systems in the U.S. Unlike sector-specific cybersecurity requirements in states such as New York, California’s rules potentially apply across industries to any qualifying business whose handling of personal information is deemed to present “significant risk” to consumers’ privacy or security.
Although the agency has not formally announced the first audit targets, the Arnold & Porter advisory says businesses should expect regulators to focus on areas already prioritized by the enforcement division. Those include failures to honor consumer privacy rights requests, shortcomings in privacy policy disclosures, and practices that impede consumers from exercising rights to access, delete, correct or opt out of data sharing and sales.
The advisory also points…