In a significant development for data privacy in the United States, the California Data Protection Agency (CDPA) has just released a draft of regulations concerning CPRA Risk Assessments and Cybersecurity Audits for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The release in August 2023 marks a crucial step forward in the ongoing efforts to strengthen consumer privacy and data security in California.


A Look at the CDPA’s Draft Regulations


The CDPA’s draft regulations on Risk Assessments and Cybersecurity Audits come at a time when data breaches and privacy violations are on the rise. These regulations aim to provide more explicit guidelines and procedures for organisations operating within California, ensuring they adhere to the robust privacy standards set forth by the CCPA and CPRA.


Key Highlights of the Draft Regulations:


  1. Risk Assessment Protocols: The draft regulations lay out detailed procedures for conducting comprehensive risk assessments. This includes assessing the potential harm to consumers in case of a data breach, evaluating the likelihood of such breaches, and identifying security vulnerabilities within an organization’s data handling processes.
  2. Cybersecurity Audits: Organizations will be required to conduct regular cybersecurity audits to assess the effectiveness of their data security measures. The CDPA draft regulations prescribe the frequency and scope of these audits, emphasizing the need for proactive risk mitigation.
  3. Consumer Notification: In the event of a data breach, organizations will be expected to promptly notify affected consumers. The draft regulations specify the information that must be included in such notifications, ensuring transparency and accountability.
  4. Record-Keeping: Organizations will need to maintain detailed records of their risk assessments, cybersecurity audits, and data breach responses. These records serve as evidence of compliance and are essential for regulatory oversight.
  5. Third-Party Assessments: The CDPA draft regulations also address the role of third-party assessors who may be engaged to evaluate an organization’s cybersecurity measures. These assessors must meet specific qualifications and adhere to recognized standards.


The Impact on Businesses


The release of these draft regulations reinforces California’s commitment to maintaining its position as a trailblazer in data protection and privacy rights. Businesses operating in the state will need to be diligent in understanding and implementing these regulations to avoid non-compliance penalties, which can be substantial.

However, these regulations also present an opportunity for organizations to enhance their data security and privacy practices. By proactively addressing potential risks and vulnerabilities, companies can not only meet regulatory requirements but also build trust with their customers.


Next Steps


The CDPA is now seeking public input and feedback on these draft regulations. Interested parties, including businesses, privacy advocates, and legal experts, are encouraged to review and provide comments to shape the final regulations.

The release of the draft regulations on Risk Assessments and Cybersecurity Audits for the CCPA/CPRA represents a significant milestone in the ongoing evolution of data protection in California. It underscores the state’s commitment to safeguarding consumer data and sets a high bar for organizations to meet in terms of cybersecurity and risk management. As the CDPA works towards finalizing these regulations, the broader privacy community will be watching closely, with an eye on the potential impacts and implications for data privacy practices nationwide.

Don’t wait for audits to knock on your door! As draft Risk Assessment and Cybersecurity Audit regulations loom, proactive companies are gearing up. Secure your data fortress, document meticulously, and instill a culture of compliance. Stay ahead of the game,