Mandatory Audits: California CCPA’s New Cybersecurity Requirements and Phased Deadlines

An audit will be required for businesses whose processing activities present a "significant risk to consumers' security," meaning those that meet one of the following criteria:

  1. The business derived 50% or more of its annual revenue in the prior year from selling or sharing personal information; or
  2. The business is subject to the CCPA and, in the prior calendar year, either:
    • processed the personal information of 250,000 or more California consumers or households; or
    • processed the sensitive personal information of 50,000 or more California consumers.

The Phased Audit Timeline

Cybersecurity audits will be phased in starting in 2028, with the timing of your first required audit based on your business’s gross annual revenue:

Business Revenue              | Year Revenue is Assessed | Audit Due Date | Period Covered by Audit
Exceeded $100 million         | 2026                     | April 1, 2028  | Jan 1, 2027 – Jan 1, 2028
Between $50M and $100 million | 2027                     | April 1, 2029  | Jan 1, 2028 – Jan 1, 2029
Under $50 million             | 2028                     | April 1, 2030  | Jan 1, 2029 – Jan 1, 2030

Audits must be completed annually for as long as the business continues to meet the criteria.

Your Next Steps for Cybersecurity Compliance

Compliance requires advance planning. We recommend determining whether and when your business is likely to become subject to a cybersecurity audit, and preparing to retain a qualified cybersecurity professional by that time.

Furthermore, because auditors will rely on objective evidence rather than management assertions, consider conducting a cybersecurity dry-run audit now. A dry run a year or two in advance lets your business develop processes for gathering the necessary evidence, identify compliance gaps, and fix them sooner rather than later, so that you are prepared when the mandatory deadline arrives.

This material is provided for informational purposes only. It is not intended to constitute legal advice, nor does it create a client-lawyer relationship between ANR Law and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material.
