Jan 8, 2026

CCPA Audit Readiness: The Requirements Are Here and the Clock Starts Now

CCPA privacy and cybersecurity audit reports start coming due for some high-revenue companies on April 1, 2028, but the clock is already ticking.


CCPA Audit Requirements Are Here

CCPA privacy and cybersecurity audit requirements have gone from likely to a done deal, and the clock is already running for in-scope organizations.

In July 2025, the California Privacy Protection Agency (CPPA) adopted detailed regulations that require certain CCPA-covered businesses to conduct annual, independent privacy and cybersecurity audits and certify compliance to the CPPA. The rules were approved by the Office of Administrative Law in September 2025 and come into effect January 1, 2026, with the first reports due as early as April 1, 2028 (depending on gross revenue).

If your organization is in scope, the time for dealing with it later has passed. Audit readiness means building a defensible privacy and security story now, not in January 2028. This story has to be supported by real evidence like tabletop exercise reports, decision logs, and implementation artifacts. Your board and the independent third party attesting to the accuracy of your report won't appreciate a last-minute, slapdash approach.

This article walks through:

  1. What the new CCPA cybersecurity audit rules require
  2. Who's in scope and when your first audit is due
  3. Why you might care even if you're not in scope of annual CPPA audit filings
  4. What does "audit-ready" look like in practice
  5. Where to go next (see our post 5-Step Practical Roadmap to CCPA Audit Readiness for additional guidance)

Remember, this article is for general information and education only. This is not legal advice. You should talk to your own counsel about how the law and rules apply to your specific facts.

What exactly is the new CCPA cybersecurity audit?

Under the new regulations, a cybersecurity audit is not just a “check the box” review of your practices. It is defined as a comprehensive evaluation of a business’s cybersecurity program. The audit must assess the program not superficially but on its ability to protect personal information from unauthorized access, destruction, use, modification, or disclosure, as well as from unauthorized activity resulting in the loss of availability of personal information. See § 7123 of Cal. Code Regs., tit. 11 for the full regulation on the scope, but understand that this evaluation is not cursory and not limited to your security controls. It looks at the entirety of an organization's privacy program.

Key features from the regulations and accompanying guidance include:

  • Annual Reporting: In-scope businesses subject to the audit requirement must complete an audit every year, with no gaps in coverage between audit periods.
  • Independence: Audits must be performed by a qualified, objective, independent professional using generally accepted auditing standards and free from improper influence by management. The professional can be internal or external, but if your audit is done internally, it cannot be done by any individual who reports to anyone with direct responsibility for the organization's cybersecurity program.
  • Thoroughness: You must assess the program as a whole, including specific technical and organizational controls (encryption, MFA, access controls, patching, logging, training, vendor oversight, etc.).  
  • Evidence‑Based: Audit findings can’t be based solely on management assertions. The report must identify the evidence examined (documents reviewed, testing performed, interviews conducted) and must describe any gaps or weaknesses and their remediation status in detail.
  • Report with Certification: Each audit must produce a written report.  For each year you’re subject to audits, you must submit a certification to the CPPA by April 1 that the audit was completed in accordance with the rules. A member of executive management signs the certification attesting to its accuracy under penalty of perjury. See this helpful article by the IAPP if you're concerned about who will be your "designated individual."
  • Retention: both the business and the auditor must keep the audit report and supporting documents for at least five years.  
If you're in scope, this requirement isn’t a one‑time project. It’s a new part of your annual privacy and security program management. Even if you're not in scope for an annual audit, understanding these requirements may be crucial, since the CPPA already has the right to audit you.

Who is in scope for the new CCPA audit requirement?

The audit requirement doesn’t apply to every business regulated by the CCPA. It applies when your processing of personal information presents a "significant risk" to consumers' security. The final regulations define that criterion using revenue and data-processing-volume thresholds.

You must conduct annual cybersecurity audits if:

  1. You are a business under the CCPA (for‑profit, doing business in CA, meeting the CCPA thresholds), and
  2. Your processing presents “significant risk,” which is deemed true if either:
    • You derive more than 50% of your annual revenue from selling or sharing consumers' personal information (e.g., you are a data broker); or
    • You had annual gross revenue above the CCPA revenue threshold (as of the writing of this article, $25.625M) in the prior year, and in that same year you processed: (1) personal information of 250,000 or more consumers or households, or (2) sensitive personal information of 50,000 or more consumers.

If that sounds like your ad‑tech stack, your consumer‑facing platform, or your high‑volume data product, you’re likely looking at needing a CCPA audit annually.

When is your first audit actually due?

The audit rules phase in over time, based on revenue. The effective date for the regulations is January 1, 2026, but the first cybersecurity audit reports aren't due until 2028, giving businesses some runway to inventory and mature their privacy program, cybersecurity practices, and documentation.

If you’re in the significant‑risk bucket, your first audit report and certification are due as follows: 

  • April 1, 2028 if your 2026 annual gross revenue is over $100 million
  • April 1, 2029 if your 2027 annual gross revenue is between $50 million and $100 million
  • April 1, 2030 if your 2028 annual gross revenue is under $50 million

Each audit covers the preceding calendar year (e.g., a report due April 1, 2028 covers roughly January 1 – December 31, 2027).

In parallel, businesses subject to privacy risk assessment rules (for things like selling/sharing data, processing sensitive PI, or using ADMT) must start conducting those assessments by January 1, 2026, with the first risk-assessment summary and attestation due April 1, 2028.  

What's the bottom line then? 2026–2027 are your build/document/test years. By the end of 2027, you want to be running like you’re already in an audit cycle.

CPPA audits already existed before now!

Separate from the new annual cybersecurity audit requirement, the CPPA has long had authority to conduct its own Agency audits of any business, service provider, or contractor “to ensure compliance with any provision of the CCPA.”

Key points about Agency audits include the following:  

  • The Agency may audit you to investigate possible violations, or based on significant risk or history of non-compliance.
  • Audits may be announced or unannounced.
  • Failure to cooperate can lead to subpoenas, warrants, and enforcement actions.

So even if you’re not technically required to do an annual cybersecurity audit, building a documented, evidence-backed privacy and security program is not only in your best interest but also your best defense for a surprise visit from the CPPA.

What does a CCPA audit actually look at?

The regulations and commentary to the new requirements make it clear that the annual audit requirement is not a quick penetration test. It's a program-level snapshot and evaluation of an organization's policies, procedures, and practices and encapsulates what the CPPA believes "reasonable security" looks like in practice.

A compliant audit and report must:

  1. Evaluate your full cybersecurity program, including:
    • Governance (roles, RACI, policies, risk management)
    • Technical controls (MFA, encryption, network security, logging, backups)
    • Organizational controls (training, vendor risk management, change management, development practices)
    • Incident response and business continuity
  2. Describe and assess specific controls, for example:
    • Access controls and identity management
    • Multi-factor authentication
    • Encryption (in transit and at rest)
    • Secure configuration baselines
    • Patch and vulnerability management
    • Logging, monitoring, and anomaly detection
    • Data inventory and classification
    • Employee and contractor training
    • Vendor/service provider security oversight
  3. Cite the evidence used to reach conclusions, such as:
    • Policies and procedures
    • System configuration and architecture diagrams
    • Logs, tickets, and monitoring output
    • Sampled test results (e.g., vulnerability scans, phishing exercises)
    • Interview notes with SMEs
    • Incident reports and tabletop exercise reports
  4. Identify gaps and weaknesses explicitly and describe:
    • What the gap is
    • Why it matters (what is the risk to consumers)
    • Current status (open/partially mitigated/closed)
    • Remediation plan and timeline

It might seem scary to throw open the cellar doors, but an audit that doesn't go into these details and punts (e.g., "We're generally aligned with industry best practices" but includes no specific artifacts or gap register) will not meet the standard required by the CPPA.

What does "audit-ready" look like in practice?

Being audit-ready is not about having a perfect privacy program. Perfection will never exist, so transparency, care, and diligence are what regulators are looking for. It's about being able to prove, quickly and coherently, what you actually do as an organization and that you put some thought behind your privacy decisions.

Governance & Program Documentation

The following documents are often the first thing an auditor will inspect, and they set the context for how your privacy program is operationalized. You will need to be able to provide the following on demand:

  • A current cybersecurity and privacy governance charter
  • RACI for key functions (CISO, CPO, Legal Team, Product, Engineering, IT, HR, IRT)
  • Your risk register with security/privacy risks, owners, and treatment plans
  • Version-controlled policy stack (security, privacy, incident response, acceptable use, BYOD, vendor risk, data retention, access management) with approval dates

Data Inventory, Mapping & Risk Assessments

Because the CCPA audits are keyed to significant-risk processing, you will need a defensible view of what you process, where, and why. Auditors look for consistency, so be sure that your assessments match what your systems and logs actually show. You will need to provide the following:

  • System-level data inventory (apps, services, databases, SaaS, logs)
  • Data flows (especially cross-border, third-party sharing, and automated decision making training flows)
  • Tagging of sensitive personal information and high-risk uses (children, precise geolocation, biometrics, health data)
  • Privacy risk assessments for in-scope processing (selling/sharing, sensitive personal information, automated decision making, etc.), completed and maintained per the separate risk-assessment rules

Core Cybersecurity Controls & Evidence

Review each control domain and consider how your organization traces policy to procedure to proof. Your audit report has to describe the following controls and how effective they are. Having pre-organized evidence dramatically reduces pain when it's time for the audit.

  • Identity & Access Management: user lifecycle, least privilege, privileged access monitoring
  • Multi-Factor Authentication: rollout coverage stats and exception rationale
  • Endpoint & Network Security: endpoint detection and response (EDR) deployment, segmentation, firewall and web application firewall (WAF) configurations
  • Encryption: where and how used; key management procedures
  • Vulnerability Management: scan schedules, aging reports, patch SLAs, exception tracking
  • Logging & Monitoring: log retention settings, SIEM rules/use-cases, alert handling playbooks
  • Backups & Recovery: backup cadence, storage, test restore results

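
Two of the bullets above ask for numbers rather than documents: MFA rollout coverage with exception rationale, and vulnerability aging against patch SLAs. The Python script below is an added example, not code from the original article or its author. It assumes hypothetical user and finding records constructed inline (in practice these would be exports from your identity provider and vulnerability scanner) and assumed patch-SLA values of 7, 30, 90 and 180 days by severity. It computes MFA coverage, flags unenrolled accounts whose exception has no documented rationale or has lapsed, and ages every open finding against the SLA for its severity, which is the kind of artifact an auditor can sample and re-perform rather than take on management's word.

```python
"""Added example: compute two audit evidence artifacts from constructed sample data.

MFA coverage with exception review, and vulnerability aging against patch SLAs.
The records below are constructed for illustration; real inputs would be exports
from your identity provider and vulnerability scanner.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class User:
    login: str
    privileged: bool
    mfa_enrolled: bool
    exception_reason: str = ""              # documented rationale, if any
    exception_expires: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    severity: str                           # "critical" | "high" | "medium" | "low"
    first_seen: date
    closed: Optional[date] = None


# Assumed patch SLAs in days by severity (example policy values, not from the article)
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def mfa_coverage(users, as_of):
    """Coverage statistics plus the exceptions an auditor would push back on."""
    enrolled = [u for u in users if u.mfa_enrolled]
    unenrolled = [u for u in users if not u.mfa_enrolled]
    undocumented = [u.login for u in unenrolled if not u.exception_reason]
    expired = [u.login for u in unenrolled
               if u.exception_reason and u.exception_expires is not None
               and u.exception_expires < as_of]
    return {
        "total": len(users),
        "enrolled": len(enrolled),
        "coverage_pct": round(100 * len(enrolled) / len(users), 1) if users else 0.0,
        "undocumented_exceptions": undocumented,   # no rationale on file
        "expired_exceptions": expired,             # rationale on file but past its review date
        "privileged_without_mfa": [u.login for u in unenrolled if u.privileged],
    }


def vuln_aging(findings, as_of, sla_days=PATCH_SLA_DAYS):
    """Age every finding still open at as_of and flag those past the SLA for their severity."""
    open_findings = [f for f in findings if f.closed is None or f.closed > as_of]
    buckets = {"0-30": 0, "31-90": 0, "90+": 0}
    breaches = []
    for f in open_findings:
        age = (as_of - f.first_seen).days
        if age <= 30:
            buckets["0-30"] += 1
        elif age <= 90:
            buckets["31-90"] += 1
        else:
            buckets["90+"] += 1
        if age > sla_days[f.severity]:
            breaches.append({"finding_id": f.finding_id, "host": f.host,
                             "severity": f.severity, "age_days": age,
                             "sla_days": sla_days[f.severity]})
    return {"open": len(open_findings), "aging_buckets": buckets, "sla_breaches": breaches}


# Constructed sample data. AS_OF is the last day of the 2027 audit period that the
# April 1, 2028 report covers for the largest-revenue tier.
AS_OF = date(2027, 12, 31)

SAMPLE_USERS = [
    User("alice", privileged=True, mfa_enrolled=True),
    User("bob", privileged=False, mfa_enrolled=True),
    User("svc-backup", privileged=True, mfa_enrolled=False,
         exception_reason="Non-interactive service account; key-based auth only",
         exception_expires=date(2028, 6, 30)),
    User("carol", privileged=False, mfa_enrolled=False),          # no rationale recorded
    User("dave", privileged=True, mfa_enrolled=False,
         exception_reason="Legacy VPN client", exception_expires=date(2027, 3, 31)),  # lapsed
]

SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "critical", date(2027, 12, 20)),   # 11 days open, SLA 7: breach
    Finding("F-002", "web-01", "high", date(2027, 12, 15)),       # 16 days open, SLA 30: fine
    Finding("F-003", "db-02", "medium", date(2027, 9, 1)),        # 121 days open, SLA 90: breach
    Finding("F-004", "db-02", "high", date(2027, 10, 1), closed=date(2027, 10, 20)),  # closed
]

if __name__ == "__main__":
    report = {"mfa": mfa_coverage(SAMPLE_USERS, AS_OF),
              "vulnerabilities": vuln_aging(SAMPLE_FINDINGS, AS_OF)}
    print(json.dumps(report, indent=2, default=str))
```

The point of the two exception lists is that an auditor does not just want to know coverage is 40% or 98%; they want to see that every gap has a written rationale with an owner and an expiry, and that lapsed exceptions are re-reviewed rather than silently carried forward. Likewise, the SLA breach list, regenerated on a schedule and filed with the scan output it came from, is the "aging report" the controls list refers to, and it doubles as the input to your gap register.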
Incident Response

Incident response is where auditors see whether your program works under pressure. At the end of the day, however, incident response matters for much more than audit preparation. Privacy incidents are always a matter of when, not if, and preparation is the single best way to mitigate the potential for loss, reputational damage, and liability. As you prepare for an audit you will want to curate the following evidence:

  • Current incident response plan and playbooks (legal playbook, scenario-specific response playbooks)
  • Decision matrix / regulator trigger matrix (including CCPA notification analysis)
  • Incident logs and post-incident reports from past events (even "near misses")
  • Tabletop exercise materials and reports, such as:
    • Scenario briefs and injects
    • Participant list and roles
    • Facilitation notes and chat transcripts
    • Feedback workshop summaries
    • After-action reports with wins, gaps, and remediation tasks

A brief note about why tabletops matter (because our founder is a total evangelist for privacy tabletop exercises): In the context of the CCPA, the audit rules require you to describe and evaluate the effectiveness of your security controls, not just their existence. A well-documented tabletop is a clean, easy-to-show way to demonstrate that your team can assemble quickly, that they know their roles, and that you run structured tests, capture lessons, and close the loop by making improvements. Those tabletop reports become core privacy evidence alongside your policies and logs.

Third-Party & Vendor Risk

The CCPA framework expects you to exercise reasonable and appropriate steps to ensure service providers and contractors use personal information consistently with your obligations. Vendors are an increasing source of risk in this interconnected world, and third party risk management impacts many areas of your privacy program, including incident response and DSR management. Given how much risk sits with vendors, auditors will pay close attention to:

  • Vendor inventory and tiering (especially processors with sensitive or ADMT-related data)
  • Standard contract and DPA templates that align with the CCPA (including security, subcontractor, audit, and deletion provisions)
  • Due diligence artifacts (security questionnaires, SOC 2 or ISO certificates, DPIAs, and follow-up actions)
  • Evidence of ongoing oversight (periodic reviews, contract enforcement, termination, and deprovisioning procedures)

Consumer Rights, Training, & Culture

Finally, you will need to show auditors that your program works for real people exercising their rights. The artifacts you provide here confirm that you're not just compliant on paper. The following artifacts show that your employees are handling requests properly:

  • DSR metrics (counts, SLAs, denial reasons; records of access, deletion, correction, opt-out, and limit-use requests)
  • DSR playbooks (how requests are authenticated, routed, and fulfilled)
  • Employee training (curricula, completion statistics, and targeted training for high-risk roles such as IRT, developers, marketing, sales, and HR)

A former software engineer turned privacy lawyer, Alia uses 15 years of legal experience to turn strategy into resilient operations.