During the Jan. 14 California Privacy Protection Agency public comment session, cybersecurity and industry witnesses raised technical and procedural objections to the CPPA's proposed cybersecurity‑audit and risk‑assessment regulations, asking the agency to align the rules with existing frameworks and to clarify several drafting ambiguities.
Olga Medina, representing the Business Software Alliance, told the agency that existing certifications and audits such as ISO 27001 and SOC 2 should be recognized as meeting the CPPA's audit requirement and that risk‑assessment materials submitted to the agency should be treated as confidential. "Companies already perform a host of audits to manage cyber risks," Medina said, and she recommended allowing those audits to satisfy the proposed requirements.
Several industry witnesses objected to board‑level attestation requirements. Ben Galenbeck of the California Chamber of Commerce said placing responsibility for detailed audit findings on boards "misses the mark," arguing boards are not risk‑management experts and that requiring director attestations departs from other frameworks. Other speakers, including business groups and cybersecurity consultants, asked the CPPA to limit the scope of annual audits so they focus on high‑risk systems rather than covering all of a company's processing simply because the company is large.
Cybersecurity consultant Rocio Bridal and another practitioner at the hearing urged a clearer distinction between compliance audits and program effectiveness assessments. Bridal recommended restructuring the rule so that an audit documents compliance against stated requirements while a separate assessment measures program effectiveness and identifies mitigation plans. She also suggested a sequenced process in which audits are followed by documented remediation plans and board reporting of completed evaluations, rather than folding remedial planning into the audit itself.
Speakers asked the CPPA to avoid duplicative reporting and to ensure that required submissions do not create new privacy or privilege risks. Several witnesses urged the agency to clarify terms, limit proactive submission requirements, and coordinate with other federal and state frameworks to reduce unnecessary burden and preserve security resources.