Understanding CCPA Cybersecurity Audits: Thresholds and Timelines | Sheppard, Mullin, Richter & Hampton LLP
https://www.jdsupra.com/legalnews/understanding-ccpa-cybersecurity-audits-2437044/
Publish Date: 2026-05-05 13:53:00
Source Domain: www.jdsupra.com
New rules under the CPPA’s regulations require qualifying businesses to hire an independent, qualified auditor to complete annual cybersecurity audits. As we’ve written about before, California’s privacy regulator, the California Privacy Protection Agency (CPPA), created hard deadlines for these mandatory cybersecurity audits. The staggered rollout gives larger companies less time to prepare, so understanding where your business falls on the timeline matters today.
Who Must Comply? A business must complete an annual CPPA cybersecurity audit if, in the preceding calendar year, its processing of consumers’ personal information presents a “significant risk to consumers’ security” under 11 CCR § 7120.
A business’s processing presents such a risk if either of the following applies:
- the business derived 50 percent or more of its annual revenue from selling or sharing consumers’ personal information, regardless of the number of consumers whose data it processed; or
- the business had annual gross revenue exceeding $25 million and, in that same preceding calendar year, either (1) processed the personal information of 250,000 or more consumers or households, or (2) processed the sensitive personal information of 50,000 or more consumers.
When Is Your First Audit Due? The CPPA built a three-staged implementation timeline based on annual revenue:
- April 1, 2028: businesses with revenue exceeding $100 million. The audit should cover January 1, 2027 through January 1, 2028.
- April 1, 2029: businesses with revenue between $50 million and $100 million. The audit should cover January 1, 2028 through January 1, 2029.
- April 1, 2030: businesses with revenue under $50 million. The audit should cover January 1, 2029 through January 1, 2030.
After 2030, every qualifying business must complete an annual audit and submit its report to the CPPA by April 1 of each year.
What Does the Audit Cover? An independent auditor will assess the entire cybersecurity program. The auditor…