Compliance Guide · March 30, 2026 · 9 min read

CCPA Cybersecurity Audit Requirements 2026: What Businesses Need to Know


New Cybersecurity Audit Regulations Under the CCPA

On September 23, 2025, the California Office of Administrative Law approved final regulations that add significant new requirements under the CCPA: mandatory cybersecurity audits, automated decision-making technology (ADMT) risk assessments, and expanded consumer rights around algorithmic processing. These regulations took effect on January 1, 2026, and mark a major shift from the CCPA’s original focus on transparency and opt-out rights to deeper accountability and security obligations.

If your business processes personal information of California consumers, you need to understand whether these new requirements apply to you and what steps you must take. Use our Privacy Law Calculator to determine which state privacy laws apply to your business overall.

Who Must Conduct Cybersecurity Audits?

The cybersecurity audit requirement applies to businesses whose processing activities present “significant risk to consumers’ privacy.” The regulations define two categories of businesses that meet this threshold:

Category 1: Large-Scale Processors

Businesses that meet all three of the following criteria:

  • Annual gross revenue exceeding $25 million
  • Process personal data of 250,000 or more consumers, or sensitive personal information of 50,000 or more consumers
  • Processing presents significant risk to consumer privacy (as defined by the regulations)

Category 2: Data-Driven Revenue Businesses

Businesses that derive 50% or more of annual revenue from selling or sharing consumers’ personal information, regardless of their total revenue or processing volume.

Not sure if your business meets these thresholds? Our compliance calculator can help you assess your obligations across all state privacy laws, including California’s enhanced requirements.

What Must the Cybersecurity Audit Cover?

The audit must comprehensively assess how your cybersecurity program protects personal information. Specifically, auditors must evaluate:

  • Unauthorized access prevention — controls that prevent unauthorized access to personal information
  • Data integrity — protections against unauthorized destruction, use, or modification of personal data
  • Disclosure controls — safeguards against unauthorized disclosure of personal information
  • Availability protections — measures to prevent loss of availability of personal information
  • Program governance — organizational structure, policies, and procedures supporting the cybersecurity program

The audit must be conducted by a qualified, independent auditor who operates independently and relies on their own analyses. Companies cannot simply self-certify — the auditor must be external or have sufficient organizational independence.

Certification Submission Deadlines

One of the most important details is the tiered submission schedule for cybersecurity audit certifications to the California Privacy Protection Agency (CPPA). The deadlines are based on your business’s annual gross revenue:

Annual Gross Revenue        | Certification Deadline
Over $100 million           | April 1, 2028
$50 million – $100 million  | April 1, 2029
Under $50 million           | April 1, 2030

After the initial certification, audits must be conducted annually. Both the company and the auditor must retain all documents relevant to each audit for a minimum of five years.

ADMT Risk Assessments: The Other New Requirement

Alongside cybersecurity audits, the new regulations also require businesses that use automated decision-making technology (ADMT) to conduct risk assessments and provide consumers with expanded rights. Key requirements include:

  • Pre-use notice — consumers must be informed when ADMT is being used to make decisions that produce legal or similarly significant effects
  • Opt-out right — consumers can opt out of ADMT processing for significant decisions
  • Access to logic — consumers can request meaningful information about the logic used in ADMT decisions
  • Risk assessments — businesses must assess ADMT processing activities for risks to consumer privacy and submit assessments to the CPPA

For a broader look at how states handle automated decision-making, see our guide on automated decision-making and profiling under state privacy laws.

How to Prepare: A Practical Compliance Roadmap

Even though certification deadlines are in 2028–2030, businesses should start preparing now. Here is a practical roadmap:

Step 1: Determine Applicability (Now)

  • Calculate whether your business meets the revenue and processing volume thresholds
  • Inventory all personal information processing activities involving California consumers
  • Identify whether you use any ADMT for decisions with legal or significant effects

Step 2: Gap Assessment (Q2 2026)

  • Evaluate your existing cybersecurity program against the regulation’s requirements
  • Identify gaps in documentation, governance, technical controls, and incident response
  • Map your ADMT use cases and assess consumer-facing disclosure obligations

Step 3: Remediation and Program Building (Q3–Q4 2026)

  • Implement any missing technical controls identified in the gap assessment
  • Develop or update written information security policies
  • Establish audit governance procedures and select a qualified auditor
  • Build ADMT risk assessment processes and consumer-facing opt-out mechanisms

Step 4: Mock Audit (2027)

  • Conduct a preliminary internal or mock audit to identify remaining issues
  • Remediate findings before the formal audit
  • Document everything — the CPPA will expect thorough records

Step 5: Formal Audit and Certification (2028+)

  • Engage your independent auditor for the formal cybersecurity audit
  • Submit certification to the CPPA by your applicable deadline
  • Retain all audit documentation for at least five years

How This Connects to Existing CCPA Obligations

The cybersecurity audit requirements build on top of existing CCPA obligations. Businesses must still comply with all existing requirements including:

The new audit requirements add a security and accountability layer on top of these existing transparency obligations. For a complete compliance picture, use our California compliance checklist.

What Happens If You Don’t Comply?

The CPPA can enforce the cybersecurity audit regulations using its standard enforcement powers under the CCPA. As of 2026, penalties are:

  • $2,663 per unintentional violation
  • $7,988 per intentional violation or violation involving a minor

Given that cybersecurity audit failures could affect entire databases of consumer information, the per-violation penalty structure means fines could scale quickly. The CPPA has demonstrated its willingness to enforce aggressively in 2026, with the PlayOn $1.1M fine, Disney $2.75M settlement, and Ford $375K penalty all coming in the first quarter alone. See our penalties and fines guide for more on enforcement trends.

Frequently Asked Questions

Do small businesses need to conduct CCPA cybersecurity audits?

Only if they meet the threshold criteria. Most small businesses with less than $25 million in annual revenue and fewer than 250,000 consumer records will not be required to conduct audits. However, businesses that derive 50% or more of revenue from selling personal information are covered regardless of size.

Can we use an internal auditor?

The regulations require the auditor to operate independently. While the regulations do not explicitly prohibit internal audit functions, the auditor must have sufficient organizational independence and rely on their own analyses. Most businesses will likely engage external audit firms to ensure independence requirements are met.

How do the cybersecurity audit requirements interact with other state laws?

California’s cybersecurity audit requirement is currently the most prescriptive among US state privacy laws. However, several other states require risk assessments for high-risk processing. If you operate in multiple states, use our state comparison tool to understand overlapping requirements. A robust cybersecurity audit program for CCPA compliance will likely satisfy or exceed requirements in other states.

What frameworks can guide our cybersecurity audit?

The regulations do not mandate a specific framework, but established standards like NIST Cybersecurity Framework, ISO 27001, and SOC 2 provide strong foundations. The key is ensuring your program addresses all areas specified in the regulations: access controls, data integrity, disclosure safeguards, availability, and governance.

Last updated: March 30, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.