New Cybersecurity Audit Regulations Under CCPA Take Effect

New Cybersecurity Audit Regulations Under CCPA: What Businesses Need to Know

On January 1, 2026, vital new regulations under the California Consumer Privacy Act (CCPA) came into force, instituting stringent cybersecurity audit requirements for businesses. Article 9 of the CCPA regulations now mandates annual comprehensive cybersecurity audits for certain businesses, with detailed reporting requirements. This regulation is crucial for addressing the escalating risks associated with consumer data vulnerabilities.

I. Scope and Applicability – Cal. Code Regs. Tit. 11, §7120

The new cybersecurity audit requirements specifically target businesses whose handling of consumers’ personal information poses a "significant risk to consumers’ security." A significant risk classification occurs if:

  1. The business generated 50% or more of its annual revenue from selling or sharing California consumers’ personal information in the preceding calendar year.
  2. The business had annual gross revenue exceeding $25 million, coupled with either:
    • Processing the personal information of 250,000 or more consumers or households.
    • Handling sensitive personal information of 50,000 or more consumers.

Businesses should evaluate their data processing activities carefully to confirm whether they fall under these requirements, which apply across consumer, employment, and business-to-business contexts.

II. When Audit Reports Are Due – Cal. Code Regs. Tit. 11, §7121

The deadlines for initial audit reports are staggered based on revenue levels. Businesses must submit their first report according to the following schedule:

  Annual Gross Revenue                          | Audit Report Due Date | Audit Period Covered
  ----------------------------------------------|-----------------------|-----------------------------
  Over $100 million (by Jan. 1, 2027)           | April 1, 2028         | Jan. 1, 2027 – Jan. 1, 2028
  $50 million – $100 million (by Jan. 1, 2028)  | April 1, 2029         | Jan. 1, 2028 – Jan. 1, 2029
  Less than $50 million (by Jan. 1, 2029)       | April 1, 2030         | Jan. 1, 2029 – Jan. 1, 2030

After April 1, 2030, businesses meeting the significant-risk criteria as of January 1 of any year must undertake a cybersecurity audit covering the subsequent 12 months, with reports due by April 1 of the following year. For example, a business identified as significant-risk as of January 1, 2035, must submit its audit report by April 1, 2036.

III. Requirements for Conducting the Audit – Cal. Code Regs. Tit. 11, §7122

Audits must be carried out by qualified professionals who possess cybersecurity expertise and adhere to established industry standards, which may include AICPA, PCAOB, ISACA, or ISO guidelines.

  • Independence: The auditor, whether internal or external, must maintain objectivity and impartial judgment. They must not be influenced by the business’s management or engage in activities that might undermine this independence.

  • Information Disclosure: The business is responsible for providing all relevant information and must not attempt to misrepresent facts.

  • Evidence-Based Findings: The audit findings should derive from tangible evidence, including documents, testing, and interviews, rather than mere assertions from management.

  • Report Delivery: Findings must be directed to an executive responsible for the cybersecurity program, and all audit documentation must be preserved for a minimum of five years.

IV. What The Audit Must Cover – Cal. Code Regs. Tit. 11, §7123(a)-(d)

The primary objective of the audit is to evaluate how effectively the cybersecurity program protects personal information from unauthorized access, modification, destruction, or disclosure. The audit must assess various components, such as:

  1. The appropriateness of the cybersecurity program relative to the business’s size, complexity, and scope of processing activities, measured against the current state of the art.
  2. How the cybersecurity program is implemented and enforced in practice.

Specific areas of evaluation may include:

  • Authentication Standards: Evaluation of multifactor authentication and password policies.
  • Encryption: Safeguards for personal information both at rest and in transit.
  • Access Controls: Management protocols for account access and permissions.
  • Data Inventory Management: Procedures for data classification and protection.
  • Secure Configuration: Ensuring up-to-date security practices and protocols.
  • Vulnerability Management: Regular scanning and testing for system vulnerabilities.
  • Incident Management: Preparedness and response capabilities for cybersecurity incidents.

Audits can go beyond these components as deemed appropriate.

V. What The Audit Must Include – Cal. Code Regs. Tit. 11, §7123(e)-(f)

The audit report must comprehensively include the following elements:

  1. A description of the information systems and assessed policies/procedures.
  2. An identification of key audit components, implementation details, and effectiveness assessments.
  3. A detailed account of gaps or weaknesses identified that could elevate risks.
  4. Documentation of the business’s planned remediation strategies.
  5. Any corrections or amendments to earlier audit reports.
  6. Specific identification of responsible qualified individuals for the cybersecurity program.
  7. Auditor’s credentials, including their name and affiliation.
  8. A signed certification from the auditor attesting to the independence of the audit.

Additionally, if applicable, the report must cite any consumer breach notifications issued.

It is also permissible for businesses to use existing cybersecurity audits that comply with Article 9, provided they fulfill all specified requirements.

VI. Annual Certification to CPPA – Cal. Code Regs. Tit. 11, §7124

Every business required to conduct an audit must submit a written certification to the California Privacy Protection Agency (CPPA) on an annual basis. The certification is due no later than April 1 following the audit year and must be completed by an executive with direct responsibility for cybersecurity compliance.

Key elements that must be included in the certification are:

  • Business contact details.
  • Confirmation of audit completion, including the period covered.
  • An attestation of compliance with CCPA regulations under penalty of perjury.

The certification is submitted electronically via the CPPA’s website.

Navigating the new cybersecurity audit landscape presents both challenges and opportunities for businesses. By understanding and preparing for these regulations, organizations can bolster their cybersecurity frameworks, enhance consumer trust, and mitigate the risks associated with handling personal information.