Likely no. While the CCPA provides for statutory damages if certain personal information is exposed in a data breach due to a business’s failure to have reasonable and appropriate security in place, the CPRA goes a step further. The CPRA requires the California government to issue regulations requiring businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit. The factors to be considered when determining whether processing poses a significant risk to the security of personal information include the size and complexity of the business and the nature and scope of the processing activities. Thus, it is possible that the regulations will not require all businesses to undergo a security audit, e.g., if they are not collecting or processing sensitive information.