What happened
New analysis published on April 15 details the practical impact of California's CCPA cybersecurity audit rule that took effect January 1, 2026. Covered businesses must conduct annual audits across 18 technical and organisational components, and AI-driven automated decision-making now requires data privacy risk assessments before initiating significant-risk processing activities.
Why it matters
This is the first state-level cybersecurity audit mandate of general applicability in the US. The rule creates a compliance template likely to be replicated by other states, and the audit requirements specifically encompass AI-powered profiling and sensitive data processing.
Action needed
Determine whether your organisation meets the revenue thresholds (certifications are due April 1, 2028 for $100M+ businesses). Map AI systems performing profiling or automated decisions against the risk assessment requirements. Begin annual audit planning now.