
California Privacy Protection Agency Implements Mandatory Annual Cybersecurity Audit Rule for Businesses
The California Privacy Protection Agency adopted a new rule requiring certain businesses to conduct an annual cybersecurity audit, which went into effect on 1 January 2026. This regulation is the first of its kind among state data privacy laws in the U.S. and applies broadly to businesses subject to California's privacy framework. The rule mandates compliance efforts for affected companies, though specific technical requirements or thresholds for covered entities are not detailed in the notice. Its implementation may influence class litigation related to data breaches and cybersecurity failures. The requirement was initially adopted in 2025.