Skip to main content
Skip to navigation

Regulatory Policy

CPPA seeking comment on cybersecurity audit, risk assessment rule adds

By Adrianne Appel2023-02-13T19:00:00

California flag

The California Privacy Protection Agency (CPPA) is seeking comment on privacy rules requiring certain large businesses to conduct annual cybersecurity audits and risk assessments if the state believes they are placing consumer data at risk.

The California Privacy Rights Act (CPRA) mandated the agency write cybersecurity audit and risk assessment rules for businesses whose processing of consumer personal data presents “significant risk to consumers’ privacy or security,” according to the CPPA’s request for comments published Friday.

The agency also will write rules concerning use of automated decision-making technology by businesses regarding consumers’ opt-out rights and their access to data.

THIS IS MEMBERS-ONLY CONTENT

You are not logged in and do not have access to members-only content.

If you are already a registered user or a member, SIGN IN now.

Related articles

Premium
CPPA eyeing broad scope in early discussions around data risk assessments

2023-09-15T20:11:00Z By Adrianne Appel

Draft risk assessment regulations under the California Consumer Privacy Act are designed to prohibit businesses from handling consumer data if uncontrolled risks—to the security and privacy of the consumer, the public, or the business—outweigh the benefits.
News Brief
Latest CCPA sweep targets employee, applicant info protections

2023-07-17T14:37:00Z By Kyle Brasseur

The California Office of the Attorney General has turned its attention to the practices of large companies regarding the protection of the personal information of employees and job applicants as part of its latest investigative sweep under the California Consumer Privacy Act.
Opinion
Legacy of CCPA: A blueprint for prioritizing compliance

2023-03-02T14:00:00Z By Kyle Brasseur

Three years in, the promise of the California Consumer Privacy Act as a means of handing down eye-watering penalties against companies for data protection violations remains unfulfilled. And yet, the expanding U.S. data privacy legislation landscape is better for this.

More from Regulatory Policy

Article
New regulatory regimes for U.K. and EU ESG ratings firms could increase compliance costs

2025-11-28T17:04:00Z By Ruth Prickett

Environmental ratings are becoming big business as companies seek proof of sustainable and socially beneficial conduct. Firms that issue ratings on environmental, social and governance (ESG) performance are set to be regulated in the EU and U.K.
Article
FRC’s plans for more flexible enforcement gains support

2025-11-28T16:07:00Z By Neil Hodge

Plans to give the U.K.’s audit regulator more options to regulate firms for sloppy work have been largely well received by experts, who believe the current system is “inflexible,” “cumbersome,” and “slow.”
News Brief
FDIC eases leverage rules for banks, citing lower risk burdens

2025-11-26T19:20:00Z By Oscar Gonzalez

The U.S. Federal Deposit Insurance Corporation issued a final rule to change the leverage capital requirements for both large and community banks. The agency said the modification will ”reduce disincentives a banking organization may have to engage in lower-risk activities.”