CCPA Proposed Rule Released in 2025: Cybersecurity Audits Mandatory Starting 2028
In May 2025, the California Privacy Protection Agency (CPPA) released a proposed update to the CCPA regulations. Among these, Article 9: Cybersecurity Audits introduces one of the most impactful requirements for businesses handling personal data—mandatory security audits starting as early as 2028.
This update signals a shift: privacy notices and consent forms are no longer enough. Companies must now establish internal accountability systems that can stand up to regulatory scrutiny.
What is the CPPA and how does it relate to the CCPA?
The California Consumer Privacy Act (CCPA) was enacted in 2018 and remains one of the most comprehensive privacy laws in the United States. It was later expanded by the California Privacy Rights Act (CPRA) in 2020.
To enforce these laws, the California Privacy Protection Agency (CPPA) was established as the first dedicated privacy regulatory body in the U.S. The CPPA has rulemaking and enforcement powers, including the ability to investigate and fine companies for non-compliance.
The 2025 proposed regulations, including Article 9, are not yet final, but they are expected to be adopted in a form close to the current draft. Businesses should not wait for formal adoption to start preparing.
What does Article 9 require?
Article 9 of the May 2025 proposed regulations focuses on cybersecurity audits. Companies meeting certain revenue thresholds must conduct periodic internal audits and report the results to executive management, along with a formal certification to the CPPA.
The deadlines are as follows:
Companies with $100 million or more in annual revenue: by April 2028
Companies with $50–100 million in annual revenue: by April 2029
Companies with under $50 million in annual revenue: by April 2030
The audits must assess the company’s practices against areas aligned with the NIST Cybersecurity Framework, such as encryption, access control, network monitoring, vulnerability scans, incident response, and employee training.
What should companies start preparing now?
Create a personal data map
You must be able to visually identify where personal information is stored, how it flows across systems, and who has access. This map will be essential for any audit or privacy impact assessment.
Establish a data retention schedule
Clearly define how long you retain personal data and how it is securely deleted when no longer needed. Acceptable disposal methods include shredding, erasure, or rendering the data unreadable.
Build your internal audit process
From access control to encryption policies, incident response plans, and executive reporting, your cybersecurity and compliance teams must coordinate to create a system that can withstand regulatory review.
Why should companies act now?
Although Article 9 is still in the proposed stage, the CPPA has a track record of finalizing rules in line with its drafts. Moreover, because Article 9 aligns with NIST standards, it is likely to influence future federal or state regulations as well.
Many companies are already budgeting for compliance in Q3 and Q4 of 2025. Delaying your preparation could mean higher costs, rushed implementation, or regulatory exposure down the line.
Summary and practical advice
The 2025 proposed CCPA regulations signal a new phase in privacy enforcement—one that goes beyond policy and into measurable, auditable security operations.
To prepare:
Map your data flows
Set up data retention and disposal policies
Build your cybersecurity audit framework
Even if your organization is not yet directly subject to Article 9, aligning with its expectations now puts you ahead of future requirements and demonstrates your privacy maturity to clients and regulators alike.
© LexSoy Legal LLC. All rights reserved.