New rules under the CPPA's regulations require qualifying businesses to hire an independent, qualified auditor to complete annual cybersecurity audits. As we've written about before, California's privacy regulator, the California Privacy Protection Agency (CPPA), created hard deadlines for these mandatory cybersecurity audits. The staggered rollout gives larger companies less time to prepare, so understanding where your business falls on the timeline matters today.
Who Must Comply? A business must complete an annual CPPA cybersecurity audit if, in the preceding calendar year, its processing of consumers’ personal information presents a “significant risk to consumers’ security” under 11 CCR § 7120.
A business’s processing presents such risk if either of the following applies: the business derived 50 percent or more of its annual revenue from selling or sharing consumers’ personal information, regardless of the number of consumers whose data it processed; or the business had annual gross revenue exceeding $25 million and, in that same preceding calendar year, either: (1) processed the personal information of 250,000 or more consumers or households, or (2) processed the sensitive personal information of 50,000 or more consumers.
When Is Your First Audit Due? The CPPA built a three-stage implementation timeline based on annual gross revenue:
- April 1, 2028: businesses with revenue exceeding $100 million. The audit should cover January 1, 2027 through January 1, 2028.
- April 1, 2029: businesses with revenue between $50 million and $100 million. The audit should cover January 1, 2028 through January 1, 2029.
- April 1, 2030: businesses with revenue under $50 million. The audit should cover January 1, 2029 through January 1, 2030.
Once its first deadline has passed, every qualifying business must complete an audit every year and submit its executive certification to the CPPA by April 1 of each year.
What Does the Audit Cover? An independent auditor will assess the entire cybersecurity program. The auditor examines areas such as multifactor authentication, encryption, access controls, network monitoring, incident response planning, employee training, and data disposal practices. The auditor must maintain full independence throughout the process, and findings cannot rest primarily on the management team's own assertions. The final report must document any gaps in the cybersecurity program and include the company’s plan to address them.
What Must You Submit? After each audit, an executive with direct responsibility for cybersecurity compliance must submit a written certification to the CPPA by April 1 and sign it under penalty of perjury.
Putting it into Practice: Businesses that meet one of the two thresholds and expect to exceed $100 million in revenue this year should begin planning now for a cybersecurity audit that will cover 2027 activities. That may mean taking steps this year to close gaps that the audit will review next year. Some companies already perform some form of cybersecurity audit, but it may run on a different calendar cycle or may not cover every area the CPPA expects. Companies should confirm now whether and when they fall within scope, agree on internal ownership and reporting lines, and start building an "audit-ready" compliance posture so they can meet the annual April 1 submission and executive certification requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.