California's CCPA New Cybersecurity Audit Rules: Applicability Thresholds, Audit Scope, And Compliance Timelines

13 February 2026

Jana S. Farmer, Wilson Elser Moskowitz Edelman & Dicker LLP

On January 1, 2026, new California Consumer Privacy Act (CCPA) regulations went into effect, requiring, among other things, annual comprehensive cybersecurity audits and detailed reporting by businesses meeting specific thresholds of data processing. These requirements are laid out in Article 9 of the CCPA regulations, “Cybersecurity Audits.”1

This article outlines the thresholds of applicability for the cybersecurity audit regulations, what the timeframe for compliance is, how a cybersecurity audit must be conducted according to the regulations, what must be covered in a cybersecurity audit, annual certification requirements, and enforcement and penalties under the CCPA. 

I. Scope and Applicability – Cal. Code Regs. Tit. 11, §7120

The cybersecurity audit requirements are directed at businesses whose processing of consumers' personal information presents “significant risk to consumers' security.” “Significant risk to consumers' security” occurs if one of the following has happened:

1) In the preceding calendar year, the business derived 50 percent or more of its annual revenue from selling or sharing [California] consumers' personal information (per Cal Civil Code 1798.140(d)(1)(C))

2) In the preceding calendar year, the business had annual gross revenue over US$25 million and one of the following:

a) Processed the personal information of 250,000 or more consumers or households
 
b) Processed the sensitive personal information of 50,000 or more consumers

CCPA applies in consumer, employment, and business-to-business contexts, so it is important to assess the processing thresholds accurately across all three to confirm whether the cybersecurity audit requirement applies.

II. When Audit Reports Are Due – Cal. Code Regs. Tit. 11, §7121

Initial audit report deadlines are staggered by revenue. A business must complete its first cybersecurity audit report by the following schedule:

Annual Gross Revenue                                   Audit Report Due Date   Audit Period Covered
Over US$100 million (as of Jan. 1, 2027)               April 1, 2028           Jan. 1, 2027 – Jan. 1, 2028
US$50 million – US$100 million (as of Jan. 1, 2028)    April 1, 2029           Jan. 1, 2028 – Jan. 1, 2029
Less than US$50 million (as of Jan. 1, 2029)           April 1, 2030           Jan. 1, 2029 – Jan. 1, 2030

After April 1, 2030, if, on January 1 of any year, a business meets the significant-risk criteria for the preceding year, it must conduct a cybersecurity audit covering the next 12 months and complete its cybersecurity audit report for that period by April 1 of the following year. For example, a business that meets the criteria as of January 1, 2035 would have an audit period running from January 1, 2035 through January 1, 2036, and would have to complete the cybersecurity audit report by April 1, 2036.

III. Requirements for Conducting the Audit – Cal. Code Regs. Tit. 11, §7122

The audit must be conducted by a qualified professional with cybersecurity and audit knowledge and expertise, using industry standards (e.g., AICPA, PCAOB, ISACA, ISO). 

The auditor may be internal or external but must exercise objective, impartial judgment on all issues in the scope of the audit, be free from conflicts, and be uninfluenced by the business (including by the business's owners, managers, or employees). The auditor must not participate in activities that may compromise the auditor's independence. For example, the auditor must not participate in business activities that the auditor may assess in current or subsequent cybersecurity audits, including developing procedures, preparing the business's documents, making recommendations regarding the business's cybersecurity program (separate from articulating audit findings), or implementing or maintaining the business's cybersecurity program.

When using an internal auditor, the highest-ranking auditor must report directly to an executive who does not have direct responsibility for the cybersecurity program, and that executive must conduct the auditor's performance reviews and, if applicable, set compensation for the auditor.

The business must provide all relevant information requested, disclose all relevant facts in good faith, and not misrepresent relevant facts.

Audit findings cannot rely primarily on management assertions or attestations; they must be grounded in and rely primarily on specific evidence, such as documents, testing or sampling, and interviews.

The audit report must be provided to an executive with direct responsibility for the cybersecurity program. 

The business and auditor must retain all documents relevant to each audit for at least five years.

IV. What The Audit Must Cover – Cal. Code Regs. Tit. 11, §7123(a)-(d)

The audit's overall objective is to assess how the cybersecurity program protects personal information against unauthorized access, destruction, use, modification, or disclosure, and against unauthorized activity resulting in loss of availability of personal information.

The audit must assess: 

1) Whether the cybersecurity program (including its implementation, maintenance, and written documentation) is appropriate to the business's size, complexity, nature, and scope of processing activities, considering the state of the art and costs of implementation

2) How the business implements and enforces compliance with its program and the applicable components directly below

If applicable, the audit must also assess the following components:

1) Authentication (e.g., phishing-resistant multi-factor authentication) and password standards

2) Encryption of personal information at rest and in transit

3) Account management and access controls, including least privilege access management, privileged access management, monitoring of new accounts, and physical access controls

4) Inventory and management of personal information and the information system (e.g., data maps, data flows, and access methods), classification and tagging of personal information, hardware and software inventories, approval processes, allowlisting, and device controls

5) Secure configuration (e.g., updates/upgrades, cloud/on-prem security, default masking of sensitive personal information, patch management, change management)

6) Internal and external vulnerability scanning, penetration testing, and vulnerability disclosure/reporting programs

7) Audit log management (e.g., centralized storage, retention, monitoring)

8) Network monitoring and defenses (e.g., bot detection, Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), Data Loss Prevention (DLP))

9) Anti-virus/antimalware protections

10) Segmentation of an information system (e.g., via properly configured firewalls, routers, and switches)

11) Limitation and control of ports, services, protocols

12) Cybersecurity threat awareness and maintaining current knowledge

13) Cybersecurity education and training for all users with system access (e.g., onboarding, annual, and after a personal information security breach)

14) Secure development and code review/testing best practices

15) Oversight of service providers, contractors, and third parties (e.g., ensuring compliance with CCPA contract requirements)

16) Data retention schedules and secure disposal of personal information that is no longer required (by shredding, erasing, or otherwise modifying the personal information so that it is unreadable or undecipherable by any means)

17) Incident response management (e.g., documented incident response plan; testing of incident response capabilities; “security incident” broadly defined to include an occurrence actually or imminently jeopardizing confidentiality, integrity, or availability, and unauthorized activity)

18) Business continuity and disaster recovery (including data recovery and backups)

Audits may assess additional components beyond those listed where appropriate.

V. What The Audit Must Include – Cal. Code Regs. Tit. 11, §7123(e)-(f)

The audit report must include:

1) Description of the information system; identification of policies/procedures/practices assessed; criteria used for the audit; specific evidence examined to make decisions and assessments (e.g., documents reviewed, testing/sampling performed, interviews conducted), with an explanation for why the scope, criteria, and evidence justify the findings

2) Identification of applicable components discussed in section IV above and any additional components; description of implementation and enforcement of policies and procedures; explanation of effectiveness in preventing unauthorized access/use/disclosure/modification/destruction and availability loss

3) Detailed identification and description of the status of any gaps/weaknesses increasing risk of unauthorized access/destruction/use/disclosure/modification of consumers' personal information or risk of unauthorized activity resulting in loss of availability of personal information

4) Documentation of the business's plan and timeline to remediate identified gaps and weaknesses

5) Identification of any corrections or amendments to prior audit reports

6) Titles (up to three) of qualified individuals responsible for the cybersecurity program

7) Auditor's name, affiliation, relevant qualifications

8) A signed, dated certification by the highest-ranking auditor attesting to independent review, objectivity and impartiality, and evidence-based review uninfluenced by business management

9) If applicable, any sample or description of any consumer breach notifications provided to affected consumers under Civil Code 1798.82(a) (excluding any personal information)

10) If applicable, any sample or description of required breach notifications to agencies with privacy jurisdiction in California, including dates, incident details, and remediation measures

A business may use an existing cybersecurity audit/assessment prepared for another purpose if, on its own or with supplementation, it fully satisfies all requirements of Article 9. For example, an audit aligned to NIST Cybersecurity Framework 2.0 may be used if it meets every requirement above.

VI. Annual Certification to CPPA – Cal. Code Regs. Tit. 11, §7124

1) Each calendar year that a business is required to complete an audit, it must submit a written certification to the California Privacy Protection Agency (“CPPA”) that it completed the audit as required by Article 9.

2) Deadline: No later than April 1 following any year the business was required to complete an audit

3) The written certification must be completed by a member of the business's executive management team who is directly responsible for cybersecurity audit compliance, has sufficient knowledge of the audit to provide accurate information, and has authority to submit the certification.

4) The certification must be submitted via CPPA's website at https://cppa.ca.gov. It must include:

a. The business name and a contact person (including the contact's name, phone number, and email address)

b. A statement that the audit was completed

c. The audit period covered (by month and year)

d. An electronically signed attestation to the following statement: “I attest that I meet the requirements of California Code of Regulations, Title 11, section 7124, subsection (c), to submit this certification. Under penalty of perjury under the laws of the state of California, I hereby declare that the information contained within and submitted with this certification is true and correct and that the business has not made any attempt to influence the auditor's decisions or assessments regarding the cybersecurity audit.”

e. The signer's name, business title, and date of certification

Conclusion

California's Article 9 cybersecurity audit regime creates a comprehensive, evidence-driven audit obligation for businesses that cross defined risk thresholds, with staggered initial deadlines and annual cadence thereafter. To prepare, organizations should confirm whether they meet the “significant risk” criteria and align audit-ready controls across identity, encryption, access, inventories, configuration/patching/change management, vulnerability management, logging, monitoring, malware defenses, segmentation, secure development, third-party governance, data lifecycle, incident response, and continuity and recovery. They should also implement auditor independence structures and preserve audit workpapers and related materials for at least five years. Where available, leveraging existing audits aligned to recognized frameworks (e.g., NIST CSF 2.0) can accelerate compliance if all Article 9 elements are satisfied. Finally, businesses must track and meet the April 1 executive certification requirement to the CPPA for any year in which an audit is required.

Footnote

1. California Consumer Privacy Act (CCPA) Regulations, Article 9, Cybersecurity Audits, https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
