The Essential CA Privacy Update Series Part 3: Cybersecurity Audit Requirements

By: Joyce Kim & Lael Bellamy 

California law now requires certain businesses to complete annual cybersecurity audits and file an electronic certification of completion with the California Privacy Protection Agency (“CalPrivacy”). CalPrivacy’s final regulations took effect January 1, 2026, and the first audit period for the largest businesses begins January 1, 2027, so it’s important to start preparing now.

Here’s how to know if this applies to you and what you need to do.

Do the Cybersecurity Audit Requirements Apply to You?

WATCH OUT

The threshold requirements turn on whether your business processes personal or sensitive personal information, but these terms have specific legal meanings that are broader than you'd expect. "Personal information" includes online identifiers and IP addresses. "Sensitive personal information" includes precise geolocation, racial or ethnic origin, and government identifiers.

You need to conduct an annual cybersecurity audit and certification if you meet either of these thresholds in the preceding calendar year:

  • Your business had $26.625 million or more in annual gross revenue AND processed:

    • the personal information[1] of 250,000 or more consumers or households; or

    • the sensitive personal information of 50,000 or more consumers.

  • Your business derives 50% or more of its annual revenue from selling or sharing personal information.

Important Deadlines for Cybersecurity Audits and Annual Certification

WATCH OUT

The audit period for the largest businesses begins January 1, 2027, so teams should understand the requirements and begin preparing now.

Phase 1 — Largest Businesses

  • First annual certification due: April 1, 2028

  • Who: Businesses with 2026 annual gross revenue greater than $100M (measured as of January 1, 2027)

  • Audit period: January 1, 2027 – January 1, 2028

Phase 2 — Mid-Size Businesses

  • First annual certification due: April 1, 2029

  • Who: Businesses with 2027 annual gross revenue between $50M and $100M (measured as of January 1, 2028)

  • Audit period: January 1, 2028 – January 1, 2029

Phase 3 — Smaller Businesses

  • First annual certification due: April 1, 2030

  • Who: Businesses with 2028 annual gross revenue less than $50M

  • Audit period: January 1, 2029 – January 1, 2030

What You Need to Do

WATCH OUT

Existing security frameworks do NOT meet all of the CCPA cybersecurity audit requirements.

  • Use an objective, independent auditor. This may be someone internal or external to your business; however, internal auditors must have cybersecurity expertise and meet additional requirements, including:

    • “[T]he highest-ranking auditor must report directly to a member of the business’s executive management team who does not have direct responsibility for the business’s cybersecurity program. A member of the business’s executive management team who does not have direct responsibility for the business’s cybersecurity program must conduct the highest-ranking auditor’s performance evaluation, if any, and determine the auditor’s compensation.”[2]

    • “[T]he auditor must not participate in business activities that the auditor may assess in the current or subsequent cybersecurity audits, including developing procedures, preparing the business’s documents, making recommendations regarding the business’s cybersecurity program (separate from articulating audit findings), or implementing or maintaining the business’s cybersecurity program.”[3]

  • Base findings on actual evidence. The audit cannot rest on assertions or attestations by management.

  • Make sure your audit covers the required CCPA components alongside your standard cybersecurity framework. Required components include:

    • Titles of up to three qualified individuals running your cybersecurity program

    • Copies of any data breach notifications to consumers and/or agencies

    • Vendor management oversight ensuring contractual requirements for service providers, contractors, and third parties under sections 7051 and 7053 are met

    • Inventories of personal information, including data maps and flows, and hardware and software inventories

    • Secure configurations, such as masking sensitive information

    • Network monitoring and defenses (e.g., bot-detection, data-loss-prevention)

    • Segmentation of information systems

    • Cybersecurity awareness training tied to current threats

    • Multi-factor authentication and strong password practices

    • Encryption (in transit and at rest)

    • Restrictions on, and monitoring of, access controls

    • Other compliance and security configurations specific to your environment

What Does the Cybersecurity Audit Report Cover?

Your cybersecurity audit report must contain these elements:

  • Audit Scope and Methodology. Describe your information system, the evidence relied upon (documents, tests, interviews), and explain how that evidence supports the auditor’s findings.

  • Assessment of Controls. Show which components were assessed and how your cybersecurity policies are implemented. Explain how those controls actually work to prevent unauthorized access and data breaches.

  • Gaps and Weaknesses. Identify gaps and weaknesses, and document a remediation plan with specific timeframes.

  • Breach Notifications (if applicable). Attach sample notifications sent to consumers and regulators (with personal information removed). Include incident dates, details, and remediation measures.

  • Accountability and Certification. Submit a written certification from a member of your executive team attesting to the accuracy of the report. Provide auditor qualifications and the auditor’s signed certification confirming the audit was independent and evidence-based. Flag any corrections to previous reports.

Can You Leverage Established Cybersecurity Audit Frameworks?

Yes, BUT the Cybersecurity Audit contains additional requirements that are not found in any current cybersecurity framework, including NIST CSF 2.0. Make sure you understand the requirements and map your audit scope against the regulations to identify any gaps.

On that note, if your team uses the NIST Cybersecurity Framework, make sure you’re on the current version, CSF 2.0 (released February 2024), which added more robust governance requirements. Some teams are still working off the old version, so it’s worth confirming that your team is up to date.

Your Action Plan

  • Determine whether you meet the revenue or processing thresholds.

  • Understand the unique requirements of the cybersecurity audit, including identifying the titles of up to three qualified individuals responsible for the program.

  • Engage a qualified, independent auditor who meets the regulation’s independence criteria.

  • Ensure your audit covers all required cybersecurity framework components AND CCPA cybersecurity program components, and identifies gaps with a remediation timeline.

  • By April 1 of the applicable year, electronically file the certification of completion with CalPrivacy via CalPrivacy.ca.gov.

This is Part 3 in our series on California's new privacy regulations; click here to read Part 1 and Part 2.

[1]“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. See Cal. Civ. Code § 1798.140.

[2]See Cal. Code Regs. tit. 11, § 7122(a)(3) (Thoroughness and Independence of Cybersecurity Audits) (2025).

[3]See Cal. Code Regs. tit. 11, § 7122(a)(2) (Thoroughness and Independence of Cybersecurity Audits) (2025).

Originally published by InfoLawGroup LLP. This summary does not constitute legal advice.