This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.
Across the series, we outline the core elements of the audit requirement, discuss practical considerations for designing and operating an audit program, and explore how these audits intersect with existing security frameworks, regulatory enforcement, and litigation risk. The goal is to help businesses operationalize CalPrivacy’s cybersecurity audit requirements in a practical way that accounts for existing obligations, constraints, and risk‑management processes, while also giving organizations an opportunity to “see around the corner” and avoid inadvertently increasing legal risk.
The series will proceed as follows:
- Part 2 – The How of CCPA Cyber Audits: Operationalizing the Requirements. How covered businesses can design and run a workable audit program in practice, including data-driven scoping around California personal information and sensitive information, structuring auditor independence, and core evidence and governance considerations.
- Part 3 – Where CCPA Cyber Audits Fit Within Existing Security Frameworks. How CalPrivacy audit requirements intersect with existing cybersecurity and risk frameworks (for example, the NIST Cybersecurity Framework) and other “reasonable security” obligations, and how organizations can leverage existing assessments to minimize duplication.
- Part 4 – Whose Name Is on the Line: Enforcement and Accountability. How CalPrivacy may use audit reports, certifications, and related materials in investigations and enforcement, and what the regime may mean for organizational governance and potential exposure for senior leadership.
- Part 5 – Why CCPA Audits Matter for Litigation. How audit reports and certifications are likely to surface in data breach and class action litigation, and ways to structure audit and documentation practices with that litigation risk in mind.
At the conclusion of the series, Troutman Pepper Locke plans to host a webinar on CalPrivacy’s cybersecurity audit. Registration information will be circulated at a later date.
I. Regulatory Background: CCPA, CalPrivacy, and Cybersecurity Audits
The CCPA, as amended by the California Privacy Rights Act (CPRA), is California’s comprehensive consumer privacy law. It grants California residents certain rights over their personal information and imposes obligations on regulated “businesses.”
The CPRA created CalPrivacy to serve as California’s dedicated privacy regulator. It is an independent enforcement and rulemaking body responsible for issuing regulations that interpret and operationalize the CCPA and for investigating potential violations.
With respect to cybersecurity audits, the CCPA directed CalPrivacy to issue regulations (1) requiring businesses whose processing of consumers’ personal information presents a “significant risk” to consumers’ privacy and security to perform a cybersecurity audit on an annual basis and (2) establishing a process to ensure that those audits are thorough and independent. In determining when processing of personal information may result in significant risk to consumers’ privacy and security, CalPrivacy was required to consider “the size and complexity of the business and the nature and scope of processing activities” — language that closely tracks similar phrases in cybersecurity frameworks describing factors businesses should weigh when designing and maintaining risk-based information security programs.
Pursuant to that mandate, CalPrivacy finalized a package of regulations addressing, among other things, the new cybersecurity audit requirements. Those regulations were approved by the Office of Administrative Law in September 2025 and became effective January 1, 2026.
II. Who Is Required to Complete CCPA Cybersecurity Audits?
To be subject to the CCPA’s cybersecurity audit requirement, an organization must:
- Meet the statutory definition of a “business” under the CCPA; and
- Engage in processing of personal information that the CCPA deems to present “significant risk” under its thresholds.
Accordingly, not every CCPA-covered business will be required to undergo an annual cybersecurity audit — only those that satisfy the “significant risk” criteria.
The “significant risk” analysis considers three factors: (1) the nature of the processing the business is engaged in; (2) the business’s annual revenue; and (3) the volume of personal and sensitive personal information processed. More specifically:
- If a business derives 50% or more of its annual revenue from selling or sharing personal information, that alone triggers the audit obligation — no other thresholds need to be met.
- The audit requirement also applies if the business had more than $26.625 million in annual gross revenue in the preceding calendar year and, during that same year, either (i) processed the personal information of 250,000 or more consumers or households, or (ii) processed the “sensitive personal information” (defined by the CCPA and modified in the regulations) of 50,000 or more consumers.
Although CalPrivacy frames these audits as targeting “significant risk” processing, the thresholds are likely to capture many businesses that do not see themselves as “high risk” from a breach or harm perspective. This includes companies that process even modest volumes of relatively low‑risk data, such as name, address, and other basic contact information. For example, the 250,000-consumer threshold represents less than 1% of California’s population (so it is not as high as it seems) and includes not just consumer data, but also business contacts and employees whose personal information is processed.
During the 45‑day comment period, stakeholders urged CalPrivacy to narrow the audit scope to align it more closely with actual risk of harm and statutory language, rather than relying on the mere processing of modest volumes of personal information (which is broadly defined under the CCPA), as the primary triggers. Stakeholders pointed to California’s data breach notification statute, which is limited to specific data elements that the legislature has deemed likely to cause harm if compromised. CalPrivacy responded that “the CCPA requires [CalPrivacy] to consider the size and complexity of the business, and the nature and scope of its processing activities, in determining whether a business’s processing of consumers’ personal information presents a significant risk to consumers’ security,” and that the thresholds appropriately reflect risk. While this language aligns with other security frameworks and the CCPA’s text, in practice, it treats selling/sharing or modest‑scale processing as a proxy for complexity and risk — even where the underlying data at issue (returning to the name and basic contact information example), if exposed, may not plausibly cause harm.
Practically, if CalPrivacy’s thresholds are met, a business must complete a thorough, independent cybersecurity audit. As a result, even businesses that have not traditionally viewed themselves as posing “significant risk” will need to assess carefully whether they fall within scope and be prepared to comply with the audit requirements.
The following decision table provides a high-level summary of when the CCPA’s cybersecurity audit requirement is triggered. It translates the statutory thresholds into a set of simple conditions, allowing businesses to compare their own characteristics (e.g., revenue, data volumes, and data use) against the criteria in each row. The table is intended as an overview only; key concepts such as “business,” “sell,” “share,” and “sensitive personal information” are defined terms under the CCPA and should be interpreted consistent with those definitions.
| Scenario No. | Business Characteristics | Cybersecurity Audit Obligation |
| --- | --- | --- |
| 1 | Entity does not meet the statutory definition of a “business” under the CCPA. | No audit requirement. |
| 2 | Entity is a CCPA “business” and derives 50% or more of its annual revenue from selling or sharing personal information. | Audit required. |
| 3 | Entity is a CCPA “business,” had more than $26.625 million in annual gross revenue in the preceding calendar year, and during that same year processed the personal information of 250,000 or more consumers or households. | Audit required. |
| 4 | Entity is a CCPA “business,” had more than $26.625 million in annual gross revenue in the preceding calendar year, and during that same year processed the sensitive personal information of 50,000 or more consumers. | Audit required. |
| 5 | Entity is a CCPA “business” but does not meet any of the thresholds described in Scenarios 2–4. | No audit requirement. |
III. My Business Is Covered – Now What?
Businesses that meet the regulatory thresholds for cybersecurity audits must conduct audits that evaluate the design and effectiveness of their cybersecurity programs. The regulations define cybersecurity programs as the policies, procedures, and practices that protect personal information from unauthorized access, destruction, use, modification, or disclosure, and protect against unauthorized activity that results in the loss of personal information. A key point, which was confirmed by CalPrivacy’s responses to comments submitted during the 45‑day comment period, is that the regulations do not mandate any specific security controls or technologies. Instead, they explain how businesses must conduct independent, thorough audits that assess how the program protects personal information against unauthorized access, use, alteration, disclosure, destruction, and loss of availability. The audit should also examine how the program operates in practice, including the business’s written policies and procedures and the enforcement of compliance with those requirements.
Scoping what must be included in a CCPA cybersecurity audit will be a complex exercise, and we will explore this in greater depth in Part 2. CalPrivacy has explicitly stated in its rulemaking comments that the CCPA’s existing exemptions remain in play for purposes of the cybersecurity audit, including exemptions for GLBA‑regulated data and FCRA data — meaning those categories of information generally fall outside the audit requirement. At the same time, some information that companies might not normally think of as part of their “cybersecurity program” will still have to be included in a CCPA cybersecurity audit because the CCPA applies to it — even in situations where other state privacy laws might not. This can include, for example, certain information about business contacts (like employees of customers or vendors) and employees, which organizations may not historically treat as part of their core cybersecurity program.
A. Initial and Annual Cybersecurity Audits
Businesses subject to the audit requirement must complete an initial cybersecurity audit. Earlier drafts of the regulations would have required all covered businesses to do so within two years of January 1, 2026, but in response to comments, CalPrivacy adopted a three‑year phased implementation schedule and simplified certification requirements. Now, larger businesses must certify first, with smaller entities following in later years.
Below is a breakdown of the three‑year phased schedule:
| Group | Threshold | Initial Audit Period | Initial Audit Report Due |
| --- | --- | --- | --- |
| 1 | If annual gross revenue for 2026 was more than $100 million as of January 1, 2027 | January 1, 2027 – January 1, 2028 | April 1, 2028 |
| 2 | If annual gross revenue for 2027 was between $50 million and $100 million as of January 1, 2028 | January 1, 2028 – January 1, 2029 | April 1, 2029 |
| 3 | If annual gross revenue for 2028 was less than $50 million as of January 1, 2029 | January 1, 2029 – January 1, 2030 | April 1, 2030 |

Each annual audit must cover the applicable 12‑month audit period, and the audit report for that period must be completed by April 1 of the following year.
B. Independence of the Auditor
Audits are to be conducted by a qualified, objective, independent professional using procedures and standards accepted in the auditing profession. Importantly, the auditor may be either internal or external to the business. However, even an internal auditor should be able to exercise objective and impartial judgment on issues within the scope of the audit, should be free from improper influence by the business being audited, and should not participate in the business activities that the auditor may be required to assess (i.e., a business’s auditor should not be “grading its own homework”).
C. Thoroughness and Evidence Requirements
The regulations also outline expectations regarding the thoroughness of the audit. For example, businesses are tasked with making information in their possession that is relevant to the audit available to the auditor and making a good‑faith effort to disclose relevant facts.
The regulations also clarify that audits should not depend solely on management assertions or attestations. Instead, audits should rely primarily on specific evidence, which may include documents and records, sampling and testing, interviews, and other corroborating materials.
D. Scope of the Cybersecurity Audit
The regulations identify 18 components of a cybersecurity program that may need to be evaluated, to the extent they are applicable to the business’s information systems. CalPrivacy has been explicit that these components are not prescriptive controls that every business must adopt. Rather, the audit must assess those components that are actually applicable to the particular business and its environment. This approach is significant because it continues to reflect a risk‑based model of cybersecurity, consistent with frameworks like NIST CSF and CIS 18: what is “reasonable” depends on factors such as the organization’s size, the nature and volume of the data it processes, the complexity of its systems, and the resources it has available. Importantly, a business may use a cybersecurity audit, assessment, or evaluation that it has prepared for another purpose, provided that it meets all the requirements of the regulations either on its own or through supplementation.
E. Executive Management Involvement
Reinforcing the theme that security is not just “security’s” problem, the regulations make clear that audits cannot live and die within compliance or technical teams. Audit reports are to be provided to a member of the business’s executive management team who has direct responsibility for the cybersecurity program, has sufficient knowledge of the audit, and is authorized to submit the certification. In line with the broader push for greater executive (and sometimes board‑level) involvement, the apparent aim is to ensure that senior leadership is informed about cybersecurity risks, program gaps, and remediation plans, and is positioned to make related resourcing and strategic decisions.
F. Retention of Audit Materials
Both the business and the auditor are to retain documents relevant to each cybersecurity audit for five years after the audit is completed. This retention requirement is designed to support potential future regulatory inquiries, enforcement actions, or follow‑on audits that may need to reference prior findings, methodologies, or remediation efforts.
G. Contents of the Cybersecurity Audit Report
The regulations specify in detail what the written cybersecurity audit report must contain. For example, the report should describe the business’s information systems and identify the components of the cybersecurity program that were evaluated. It should also identify and describe any gaps or weaknesses in the program, document the plans to address those issues, and note any corrections or amendments to prior cybersecurity audit reports.
The report should also identify up to three qualified individuals responsible for the business’s cybersecurity program. It should include the auditor’s name, affiliation, and relevant qualifications. In addition, the highest‑ranking auditor must sign a statement affirming that they completed an independent and thorough review in accordance with the regulatory requirements.
If the business issued any data breach notification letters during the relevant calendar year, the report should either attach those letters or provide a description of the notices. If the business was required to notify any California regulator of a breach, the report should include relevant information regarding that regulatory notice, as well.
H. Certificate of Completion
For each calendar year in which a business is required to conduct a cybersecurity audit, it must submit a written certification of completion to CalPrivacy confirming completion of the audit by April of the following year. That certification must be signed under penalty of perjury by a member of the executive management team who is directly responsible for cybersecurity‑audit compliance, has sufficient knowledge of the audit to provide accurate information, and has authority to submit the certification on the business’s behalf.
Importantly, the audit report itself is not automatically filed with CalPrivacy. CalPrivacy can, however, request or subpoena the report in connection with an investigation or enforcement action. As a result, businesses should operate on the assumption that their audit records, including the report, supporting evidence, and internal communications around the process, could later be scrutinized by regulators, or potentially become discoverable in litigation.
