
A new set of regulations under the California Consumer Privacy Act (CCPA), in effect since January 1, 2026, requires covered businesses to conduct annual cybersecurity audits and certify to the state that the audit was completed. The rules were adopted by the California Privacy Protection Agency (CPPA), the agency created by the California Privacy Rights Act (CPRA) of 2020, and are codified at Cal. Code Regs. tit. 11, §§ 7120–7124.
For midmarket and upper-SMB organizations that handle large volumes of personal information from California residents, whether customers, prospects, employees or partners, this is a real shift. The rule does not wait for a breach or a complaint: it tests whether your security program can stand up to a structured review against a defined set of controls.
SWK Technologies has put together this article to help your business better understand California’s new cybersecurity audit mandate — what it requires, which businesses are subject to it and what steps to take before first-year compliance deadlines arrive:
What the CCPA is and How the Audit Rule Changes It
The CCPA gives California residents clearly defined legal rights over their personal information, including the right to know what data a business collects, the right to have it deleted and the right to opt out of its sale or sharing. At the time of this writing, the law generally applies to for-profit businesses that meet at least one of three thresholds: (1) annual gross revenue above the inflation-adjusted $25 million baseline (raised to $26,625,000 as of 2025); (2) buying, selling or sharing the personal information of 100,000 or more California consumers or households in a year; or (3) deriving 50% or more of annual revenue from selling or sharing consumers’ personal information.
Until now, however, the CCPA’s cybersecurity requirements were stated only implicitly: businesses were obligated to implement “reasonable security” practices, and California Civil Code § 1798.150 gave consumers a private right of action when a failure to do so led to a breach. What counted as “reasonable” was historically decided after the fact, typically through FTC settlement agreements and state attorney general enforcement actions once a breach had already occurred.
The Audit Rule Defines “Reasonable Security” for the First Time
The CPPA Audit Rule codifies 18 specific cybersecurity control areas that an annual audit must evaluate. Taken together, these 18 components now function as California’s working blueprint for “reasonable” cybersecurity. Commentators expect regulators and courts to treat them as a key benchmark in breach investigations and enforcement, not only for businesses formally in scope of the audit rule.
Earlier CCPA rulemaking focused on consumer rights: opt-out mechanisms, privacy notices and data subject request processes. The new, cybersecurity-focused Audit Rule requires businesses to evaluate their own security posture against a defined framework, document the findings, produce a remediation plan and attest to a state agency under penalty of perjury that the process was completed. The rule was finalized alongside two companion rules, one on risk assessments for high-risk data processing and one on automated decision-making technology, as part of the CPPA’s broader program of implementing the CPRA’s data governance mandates.
How SMBs Will Be Affected by the CCPA Audit Rule
A business is subject to the 2026 Audit Rule if it meets the general CCPA applicability thresholds and its data processing presents a “significant risk” to consumer security, which the regulation defines through two separate tests. Under the first test, a CCPA-covered business is in scope if it meets the revenue threshold and at least one of the two volume thresholds: (1) annual gross revenue exceeding approximately $26.6 million; and either (2) having processed the personal information of 250,000 or more consumers or households in the prior calendar year, or (3) having processed the sensitive personal information (for example Social Security numbers or precise geolocation data) of 50,000 or more consumers in the prior calendar year.
Under the second test, any CCPA-covered business that derives 50% or more of its annual revenue from selling or sharing consumers’ personal information is in scope, regardless of its revenue size. Consumer, employee and business-to-business data all count toward the volume thresholds.
Compliance Deadlines by Revenue Tier
The initial compliance deadlines are phased in by revenue tier: the largest businesses must complete their first audit and certify first, while businesses under $50 million in revenue have until 2030. In each tier, the first certification is due to the CPPA by April 1 of the year following the end of the business’s first required audit period:
| Annual Revenue | First Audit Period | Certification Due |
|---|---|---|
| Over $100 million | Jan. 1, 2027 – Jan. 1, 2028 | April 1, 2028 |
| $50 million – $100 million | Jan. 1, 2028 – Jan. 1, 2029 | April 1, 2029 |
| Under $50 million | Jan. 1, 2029 – Jan. 1, 2030 | April 1, 2030 |
After the initial phase-in, annual audits and certifications are required each subsequent year. The rule also includes proportionality language that scales audit scope to the business’s size, complexity, and nature of data processing.
No Grace Period for Compliance
Although the phase-in period for businesses under $50 million in revenue is relatively generous, SMBs should not treat it as a grace period for their security program. The CPPA and the California Attorney General can require businesses to turn over their cybersecurity audit and risk assessment documentation in investigations or Agency audits. The regulations explicitly allow them to demand risk assessment reports at any time, with a 30-day deadline to produce them (§ 7157(e)), and they require audit documentation to be retained for five years.
Enforcement
The CPPA’s enforcement division described its current posture as “a new era of privacy enforcement” at the agency’s September 2025 board meeting. After the most recent inflation adjustment, CCPA penalties run up to $2,663 per violation, or up to $7,988 per intentional violation and per violation involving children’s data, and each affected consumer and each day of non-compliance can be treated as a separate violation. By the time the Audit Rule was finalized, the division reported that it was processing more than 150 consumer complaints per week and carrying hundreds of open investigations.
What Your Business Needs for CCPA Compliance after 2026
Satisfying the cybersecurity audit requirement involves four core elements: a qualified auditor, an evidence-based evaluation of the 18 control areas, a written audit report with remediation plan and an annual certification submitted to the CPPA. Here is a closer look at each:
Auditor Requirements
The CPPA chose to permit both internal and external auditors, rejecting proposals that would have mandated third-party assessors. Either option is valid, provided the auditor is an objective, independent professional who follows recognized standards such as those published by the AICPA, PCAOB, ISACA or ISO.
The independence requirements are spelled out in more detail for internal audits. To limit conflicts of interest, an internal auditor may report only to leaders who do not run the security program, and may not have designed, implemented or operated the controls being evaluated. External auditors are not subject to the internal reporting-line rule, but they must meet the same independence standard, and the business may not attempt to influence their findings; any compromise of the auditor’s independence undermines the audit under the rule.
The 18 Control Areas Under Evaluation
The audit must assess the business’s cybersecurity program across 18 enumerated components specified in § 7123. The auditor determines which apply given the business’s size and operations. The components span five functional areas:
- Authentication and access controls — phishing-resistant multi-factor authentication, strong password standards, least-privilege access, privileged account management, and physical access restrictions
- Data protection — encryption at rest and in transit, personal information inventories and data flow maps, hardware and software asset inventories, and data retention and secure disposal practices
- Infrastructure security — secure system configuration for cloud and on-premises environments, network segmentation, firewall and port controls, anti-malware, and patch and change management
- Detection and response — centralized audit log management and monitoring, intrusion detection and prevention, data loss prevention, vulnerability scanning and penetration testing, and incident response plans with regular testing
- Organizational controls — security education and training for all personnel, secure development practices, third-party and service provider oversight, and business continuity and disaster recovery planning
The auditor must evaluate implementation and effectiveness through document review, sampling, testing and interviews. The audit cannot rely primarily on executive management’s own assertions about the program.
The Audit Report
The audit report must identify which of the 18 components apply to the business, describe how each was assessed and provide evidence of implementation and effectiveness. Where gaps exist, the report must identify them specifically and include a remediation plan with timelines. The report must also document corrections made to findings from the prior audit cycle.
Additional required disclosures include the titles of up to three individuals responsible for the cybersecurity program, the auditor’s name, qualifications and signed independence certification, and — if applicable — samples of consumer breach notifications issued during the audit period. The full report and all supporting documentation must be retained for at least five years.
Annual Certification to the CPPA
Businesses do not need to submit their full audit reports to the CPPA. Instead, they file an annual written certification through the agency’s online portal by April 1 each year. The certification must be signed by a member of executive management who is directly responsible for cybersecurity audit compliance, has sufficient knowledge of the audit, and holds authority to make the submission. The executive certifies under penalty of perjury that the information is accurate and that no attempt was made to influence the auditor’s findings.
How Existing Security Frameworks Map to the New Audit Rule
Businesses already operating under NIST CSF 2.0, SOC 2 Type II, ISO 27001 or CIS Controls v8 are not starting from zero. Section 7123(f) of the regulation notes that an audit conducted under NIST CSF 2.0 would likely meet the CPPA’s requirements, provided all of the Article 9 requirements are satisfied, either by that audit on its own or through supplementation. The CPPA’s own impact analysis estimated that businesses with existing framework audits achieve roughly a 30% reduction in first-year compliance costs, based on public comments from participating organizations on the initial proposed rule.
Get Ready for California’s Cybersecurity Audit Standard
Your first step is getting a clear view of whether, when and how the CCPA cybersecurity Audit Rule is likely to apply to your business. SWK Technologies can help you review your current security controls against the new requirements and make sure you are prepared to demonstrate compliance before your deadline arrives.
Contact SWK here to get started on your cybersecurity review and ensure your security controls align with the new CCPA requirements.
