California’s CCPA Cybersecurity Audit Rule Takes Effect: What Businesses Need to Know

Ropes & Gray LLP

The California Consumer Privacy Act (“CCPA”)1 has entered yet another new chapter – audits.

On January 1, 2026, the California Privacy Protection Agency (“CPPA”) regulations took effect, establishing comprehensive cybersecurity audit obligations for covered businesses – the first of its kind among state data privacy laws. The framework features staggered compliance dates, with obligations phasing in over time, and is poised to change how companies evaluate, document, and validate the effectiveness of their security programs under the CCPA.

These updates cap a multi-year rulemaking process that included significant engagement from both public and industry stakeholders. Although the regulations introduce several changes for businesses subject to the CCPA, one of the most significant is the requirement to conduct cybersecurity audits for any business whose processing activities present a “significant risk to consumers’ security.” Companies should promptly determine whether they are covered, align their audit methodologies to the rule’s criteria, and plan against the staged deadlines to ensure timely compliance.

These audit reports will almost certainly become key documents in regulatory investigations and in litigation following a data breach. Accordingly, the audit procedures should be designed with care, and a mock audit performed under the advice of counsel, so that there is adequate time to remediate any findings before the first formal audit report is issued.

Background

The California Privacy Rights Act (“CPRA”), adopted by a California ballot initiative in 2020, amended the CCPA and directed the CPPA to create rules governing privacy practices for certain businesses processing consumers’ personal information. On September 23, 2025, the California Office of Administrative Law approved the final regulations proposed by the CPPA on July 24, 2025, including new regulations for automated decision-making technology, privacy risk assessments, and cybersecurity audits.

Together, these regulations reflect a significant increase in the compliance obligations imposed on businesses under the CCPA. They also establish a reference point for what California regulators will consider “reasonable” security practices for protecting personal information – a standard that may influence the benchmark for U.S. privacy and cybersecurity obligations more broadly.

Who Is Covered?

The cybersecurity audit regulation applies to any business whose processing of consumers’ personal information presents a “significant risk” to consumers’ security. The regulation provides that a “significant risk” exists when either of the following conditions is met:

  1. The business derives 50% or more of its annual revenues from selling or sharing consumers’ personal information; or
  2. The business meets the CCPA’s annual gross revenue threshold (more than $25 million, adjusted for inflation; approximately $26 million after the most recent adjustment) and, in the preceding calendar year, processed either (a) the personal information of 250,000 or more consumers or households, or (b) the sensitive personal information of 50,000 or more consumers.

The Cybersecurity Audit Requirements: Key Takeaways

Covered businesses must conduct annual cybersecurity audits performed by an objective and independent professional auditor, obtain a written audit report meeting the regulation’s content requirements, and submit a written certification of completion to the CPPA by April 1 each year.

Audit Timing and Phase-In

The regulation introduces a staggered phase-in for the first certification submission based on the business’s annual gross revenue:

  • April 1, 2028, for businesses with over $100 million in revenue
  • April 1, 2029, for businesses with $50 million to $100 million in revenue
  • April 1, 2030, for businesses with less than $50 million in revenue

Auditor Qualifications

Audits must be performed by a qualified, objective, and independent professional auditor applying professional auditing standards to evaluate the business’s cybersecurity program and information systems. The independence requirement does not mandate an external auditing firm; an internal auditor is permitted, provided the auditor reports to the board of directors or governing body (or an equivalent executive with no direct responsibility for the cybersecurity program) rather than to the management being audited. In either case, the auditor must be able to exercise impartial judgment free from management’s influence, and audit findings cannot rely primarily on assertions or attestations by the business’s management without supporting evidence.

Audit Report: Required Scope and Content

The audit report must be a formal written work product with required elements.

First, it must describe the business’s information systems and the procedures it uses. This includes identification of the business’s policies, procedures, and practices the cybersecurity audit assessed, the criteria used in conducting the audit, and the specific evidence examined by the auditor to support audit findings.

Second, the auditor must identify the applicable components of the business’s cybersecurity program. The regulation lists 18 components potentially in scope for the audit, such as multifactor authentication, encryption of personal information, account management and access controls, vulnerability scanning, and security incident response policies. Not every component is required, however; the auditor determines which components are applicable to the business based on the size and nature of the business’s processing activities, and the report must explain why any listed component was deemed not applicable.

Third, the report must assess how the business protects consumers’ personal information through its cybersecurity program, including how effectively the business adheres to its own policies and procedures. It must identify any gaps or weaknesses and highlight any components that may increase the risk of unauthorized access, destruction, use, modification, or disclosure of consumers’ personal information. The report must also detail the business’s remediation plans for those gaps and any corrections or amendments to prior audit reports.

Fourth, if the business was required to provide data breach notifications to affected consumers or to regulators during the audit period, the report must indicate that such notifications were made and include a sample copy of each type of notification, where applicable.

Last, the report must list the auditor’s name, affiliation, and qualifications, identify the individuals responsible for the cybersecurity program at the business, and include a signed statement by the highest-ranking auditor certifying the review was independent, objective and impartial.

Annual Certification to the CPPA

The regulation does not require businesses to submit the complete audit report to the CPPA. Instead, by April 1 of each applicable year, businesses must submit a certification – signed by a member of executive management with responsibility for the business’s cybersecurity audit compliance – attesting that the cybersecurity audit has been completed.

Leveraging Existing Audits

Businesses may rely on an existing cybersecurity audit prepared for another purpose to fulfill this new requirement if, standing alone or with supplemental materials, the prior audit satisfies the regulation’s reporting criteria.

Document Retention Policies and Disclosure Risks

All audit reports and related documents must be retained for at least five years following submission of the certification, so companies should ensure that robust retention protocols preserve these materials for the full period.

Although only the certification of completion is required to be submitted, audits and all related documents should be prepared with an expectation of external scrutiny. The CPPA and the California Attorney General can subpoena audit reports, and potential plaintiffs in private class actions following data breaches are likely to target these documents during discovery.

Implications for Covered Businesses

Businesses processing California consumer data should conduct a scoping analysis to determine whether their processing presents a “significant risk” under the rule’s thresholds.

With an eye to looming phase-in dates, covered businesses should build a compliance plan that satisfies the regulation’s detailed documentation standards and prepare to select a qualified, independent auditor early to ensure compliance with deadlines.

Many companies may find it useful to start now so that they have time to do an initial mock audit and then remedy any issues so that the first formal audit report reflects a robust cybersecurity system.

Companies should also ensure they have robust document retention programs in place for all audit materials and be prepared to produce these documents in a CPPA enforcement action or other legal proceeding.

  1. Cal. Code Regs. tit. 11, §§ 7120–7124.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ropes & Gray LLP
