As we previously covered in a post earlier this month, the California Privacy Protection Agency (“CPPA”) has published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). On September 8, the CPPA held a public board meeting that included discussion of select portions of the regulations.

Prior to the meeting, the board circulated copies of the draft regulations for risk assessments and cybersecurity audits with annotations indicating which provisions were under discussion and different options for each. The draft regulations are still far from final, as the board gave several notes on clarifying language and typos.

Key Takeaways from the Discussion of the Draft Risk Assessment Regulations

  • The board is strongly considering a provision that would require businesses to list the names and titles of the individuals who prepared and contributed to the risk assessment, including any external parties consulted and the “highest-ranking executive . . . responsible for oversight of the business’s risk-assessment compliance.”
    • The board thinks this information is necessary for its ability to request additional information from the most knowledgeable people in the business.
    • The board raised the idea of only requiring title, rather than name, but this would only go so far to protect the identities of privacy officers and other board members connected with the assessment.
  • The board is leaning against requiring businesses to renew their risk assessments every three years, and seems to favor instead an “as necessary” renewal process with a special requirement for businesses using automated decision-making technology for regulated activities, which will be outlined in a separate set of regulations yet to be drafted.

Key Takeaways from the Discussion of the Draft Cybersecurity Audit Regulations

  • The cyber audit discussion focused on potential scoping provisions. Three options were included for the board’s consideration. The board narrowed these options to either (1) a three-pronged approach with thresholds for processing of personal information, sensitive information, or minor data, or (2) a simple annual revenue requirement.
  • The board stated that it will consult with its economist advisors to determine an appropriate revenue threshold that would apply the requirement to businesses capable of bearing the costs of a cybersecurity audit.
  • The board also clarified that the regulations would apply only to “businesses” that meet the statutory thresholds for the application of CCPA regardless of whether they independently satisfy additional thresholds defined in the regulations.

The CPPA will post dates for future public meetings on its website.


Garrett is an associate in Baker McKenzie's North America Intellectual Property Group and is based in our San Francisco office. His practice focuses on helping clients build effective information governance programs, comply with privacy laws and regulations, and respond to cybersecurity incidents.


Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.