In advance of their December 8, 2023 meeting, the CPPA released additional revisions to the draft Cybersecurity Audit Regulations. For a more complete discussion of the draft Regulations, please see my prior post here. Aside from the surprise that they were not released on a Friday, there are three primary takeaways:

  • The size-of-business test has been refined to include suggested business sizes of $25 million, $50 million or $100 million, plus
    • yearly processing personal information of 250,000, 500,000 or 1,000,000 consumers or households; or
    • yearly processing sensitive personal information of 50,000, 100,000 or 200,000 consumers; or
    • yearly processing of 50,000, 100,000 or 200,000 consumers where the business has actual knowledge that the consumer is under 16.
  • The scope options in section 7123(b) have been slimmed down - maybe. Option I was removed. This was one of the items that listed specific types of harms to be assessed, and included economic, physical and psychological harm. Instead, a new (b) was added that does not include the specific items, but is broad enough to encompass them. The CPPA also explicitly left it open for revisions based on Board comments.
  • The CPPA did not materially modify the detailed safeguards listed in 7123(c) that must be assessed in written policies and procedures. If this subsection is not amended, the CCPA Cybersecurity Audit Regulation will be the most sweeping cybersecurity regulation in the country, and perhaps the world.

Stay tuned for more…