CCPA Cybersecurity Audit Requirements: Understanding Article 9 of the CalPrivacy Regulations

California's proposed CCPA cybersecurity audit regulations require certain businesses to conduct independent annual audits and executive certifications. This guide explains who is covered, what must be audited, and how to build a compliant cybersecurity governance program.

Share
CCPA Cybersecurity Audit Requirements: Understanding Article 9 of the CalPrivacy Regulations

Introduction

California continues to expand the operational obligations imposed on businesses under the California Consumer Privacy Act (CCPA). Among the most significant recent additions in the CalPrivacy’s implementing regulations is Article 9, which establishes mandatory cybersecurity audit requirements for certain businesses.

These requirements are not new in concept — they are grounded in Civil Code § 1798.185 (a)(14), which directs regulators to impose heightened oversight on businesses whose processing of personal information presents “significant risk” to consumers’ privacy or security. In particular, the statute calls for regulations requiring such businesses to conduct annual, independent cybersecurity audits, taking into account factors such as the size and complexity of the business and the nature and scope of its data processing activities.

Building on this statutory mandate, Article 9 of the CCPA regulations (Sections 7120–7124) requires organizations whose data processing activities present “significant risk to consumers’ security” to conduct regular independent cybersecurity audits and submit certifications of completion to the California Privacy Protection Agency (CalPrivacy).

The rules are extremely detailed. They do not simply require companies to maintain reasonable security practices. Instead, they require businesses to evaluate and document their entire cybersecurity program through periodic independent audits covering governance, technical controls, incident response, and vendor oversight.

In practice, these rules move California closer to the model used in sectors such as financial services, where formalized security audits and internal controls testing are already expected.

Practical Implications for Businesses

Article 9 significantly raises the bar for cybersecurity governance under the CCPA. For many organizations, compliance will require:

  • Formalizing cybersecurity programs
  • Documenting and operationalizing security controls
  • Implementing internal audit and governance functions
  • Engaging independent cybersecurity auditors
  • Developing robust evidence collection and documentation practices

The rules also signal a broader shift in privacy enforcement. Rather than relying solely on post-breach enforcement, regulators are increasingly requiring proactive governance mechanisms designed to prevent security failures before they occur.

Businesses that delay preparation may find themselves scrambling to build the operational infrastructure required to support a compliant cybersecurity audit, particularly given the level of rigor and documentation these rules demand.

When Do the Cybersecurity Audit Requirements Apply?

Article 9 does not apply to all CCPA-covered businesses. Instead, the obligation is triggered when a business’s processing activities present “significant risk to consumers’ security.”

Under Section 7120, this occurs when on January 1 of a particular year (the audit will cover the next 12 months) a business meets one of the following thresholds:

1. Businesses That Derive Significant Revenue From Selling or Sharing Personal Information

A business automatically falls within the audit requirement if it meets the CCPA threshold in Civil Code §1798.140(d)(1)© — meaning that 50% or more of its annual revenue comes from selling or sharing consumers’ personal information.

These businesses are presumed to present elevated security risks because large volumes of personal data are transferred to third parties.

2. Businesses Processing Large Volumes of Personal Information

A business must also conduct cybersecurity audits if it:

  • Meets the general CCPA applicability threshold in §1798.140(d)(1)(A) (annual revenue -as updated pursuant to 1798.185.(a)(5)- above $26,625,000), and
  • Processes large volumes of consumer data.

Specifically, this applies if the business processes:

  • Personal information of 250,000 or more consumers or households per year, or
  • Sensitive personal information of 50,000 or more consumers per year.

These thresholds ensure that large-scale data processing operations are subject to systematic security oversight.

When Must Businesses Complete Cybersecurity Audits?

Section 7121 introduces a phased compliance timeline based on business size.

Businesses With Over $100 Million in Annual Revenue for 2026

  • First audit report due: April 1, 2028
  • Audit period: January 1, 2027 — January 1, 2028

Businesses With Revenue Between $50M and $100M for 2026

  • First audit report due: April 1, 2029
  • Audit period: January 1, 2028 — January 1, 2029

Businesses With Revenue Below $50M for 2026

  • First audit report due: April 1, 2030
  • Audit period: January 1, 2029 — January 1, 2030

After April 1, 2030, businesses that meet the risk thresholds must conduct annual cybersecurity audits, covering each 12-month period.

Cybersecurity Audits Must Be Independent and Objective

One of the most important features of Article 9 is the requirement under Section 7122 that audits be conducted by a qualified and independent professional auditor using procedures and standards accepted in the profession (e.g. those provided by the American Institute of Certified Public Accountants, the Public Company Accountability Oversight Board, the Information Systems Audit and Control Association, or the International Organization for Standardization.)

The regulations allow either:

  • External auditors, or
  • Internal auditors

However, strict independence requirements apply.

The auditor must:

  • Have expertise in cybersecurity and cybersecurity auditing
  • Exercise objective and impartial judgment
  • Be free from influence by the business’s management
  • Avoid involvement in activities that would compromise independence

For example, auditors cannot design, implement, or maintain the cybersecurity program they are auditing.

If a company uses an internal auditor, additional governance safeguards apply:

  • The highest-ranking auditor must report to an executive not responsible for cybersecurity
  • That executive must control the auditor’s performance evaluation and compensation

This structure mirrors internal audit independence standards used in corporate governance frameworks.

What Must the Cybersecurity Audit Assess?

Section 7123 of the CCPA rules establishes the scope of the audit. At a high level, it requires auditors to evaluate the effectiveness of the business’s cybersecurity program in protecting personal information from:

  • Unauthorized access
  • Unauthorized use
  • Modification
  • Disclosure
  • Destruction
  • Loss of availability

The audit must also evaluate whether the cybersecurity program is:

  • Properly implemented
  • Documented
  • Maintained
  • Appropriate for the size, complexity, and processing activities of the business.

Each of the components of the audit is listed in Section 7123 (c) and discussed in the next section.

Required Components of the Cybersecurity Program

Article 9 does not treat cybersecurity as a high-level or abstract obligation. Instead, Section 7123 requires auditors to evaluate whether a business has implemented a comprehensive, operational cybersecurity program that is appropriately designed, documented, enforced, and continuously maintained.

At a baseline, the audit must assess whether the program effectively protects personal information against unauthorized access, use, disclosure, modification, destruction, and loss of availability, while also evaluating how well the program is implemented in practice — not just how it is written on paper.

Importantly, the regulations emphasize scalability and proportionality. The cybersecurity program must be appropriate to the business’s size, complexity, and processing activities, taking into account the state of the art and cost of implementation. This signals that regulators expect mature, risk-based programs — not one-size-fits-all controls.

Notably, the scope of the audit is not limited to the enumerated components. The regulations expressly allow auditors to assess additional elements of a cybersecurity program beyond those specifically listed, reinforcing that the framework is intended to be flexible and adaptive to evolving risks and technologies rather than a closed checklist. (Section 7123(d))

At the same time, the regulations provide flexibility in how businesses meet these requirements. A business may leverage an existing cybersecurity audit, assessment, or evaluation conducted for another purpose — such as one based on the NIST Cybersecurity Framework 2.0 — provided that it satisfies all requirements of Article 9, either on its own or through supplementation. This approach allows organizations to build on established security frameworks and prior audit efforts, rather than starting from scratch, while still ensuring that any gaps specific to the CCPA requirements are appropriately addressed. (Section 7123(f))

Below are the core components auditors must evaluate, along with practical implications for businesses:

Authentication Controls

Authentication is a foundational control area, and the rules go beyond generic requirements.

Businesses are expected to implement:

  • Multi-factor authentication (MFA) across personnel, contractors, and service providers — specifically including phishing-resistant MFA where feasible
  • Strong, unique passwords or passphrases, with minimum length requirements (eight characters in length at a minimum), prohibition on commonly used passwords, and no reuse across systems.
PRACTICE TIP: This reflects a clear regulatory expectation that multi-factor authentication is a baseline control, not an enhancement, and that password-only security is inherently inadequate. Organizations that continue to rely on legacy authentication models — particularly those lacking phishing-resistant MFA — will face significant difficulty demonstrating that their security program meets modern, “state of the art” standards during an audit.

Encryption

Personal information must be protected:

  • At rest
  • In transit
PRACTICE TIP: Encryption is treated as a baseline safeguard. The absence of encryption — especially for sensitive personal information — will be difficult to justify under a “state of the art” standard.

Account Management and Access Controls

The regulations impose detailed requirements around least-privilege access and lifecycle management.

Businesses must implement controls such as:

  • Restricting access to only what is necessary for job functions and revoking access promptly when no longer needed (including termination.) For example, an employee should only have access to the datasets required for their role — and that access must be removed or adjusted when responsibilities change or upon termination. This requirement also implies limiting service providers and third parties strictly to contractually defined purposes
  • Restricting and managing privileged accounts, including: (i) Limiting the number of privileged accounts and restricting them to only those with a defined business need; (ii) Constraining privileges to only the functions necessary to perform specific job duties; and (iii) Requiring that privileged access be used only when needed, rather than maintained as standing access. In practice, the regulations reflect a strong preference against standing administrative privileges, which are a common source of security breaches by requiring controls like just-in-time (JIT) accessand centralized privilege management. The rules push organizations toward a “zero standing privilege” (ZSP) model, where elevated access is tightly controlled, time-bound, and fully auditable.
  • Monitoring and tightly controlling the creation of all accounts — including employee, contractor, service provider, and privileged accounts — ensuring that access is authorized, appropriately scoped at issuance, and subject to ongoing oversight.
  • Enforcing physical access controls to safeguard personal information, including restricting facility and workspace access (e.g., badge systems), securing physical records and devices, and implementing practices such as clean desk policies to prevent unauthorized exposure.
PRACTICE TIP: The regulations make clear that “least privilege” is not a high-level concept — it is a granular, continuously enforced control framework that must operate across the full identity lifecycle and all user types, including employees, contractors, service providers, and third parties. In practice, this means implementing role-based access controls tied to defined business purposes, continuously monitoring and adjusting access as roles change, tightly governing account provisioning and deprovisioning, and enforcing strict controls over privileged access (including minimizing standing privileges and using just-in-time elevation). Organizations must also align access controls with contractual restrictions, maintain visibility into who has access to what data at all times, and integrate physical and logical access controls into a unified governance model. This is likely to be one of the most operationally demanding areas of compliance, requiring continuous identity governance and real-time oversight, rather than periodic or manual access reviews.

Data Inventory and System Mapping

Organizations must maintain a comprehensive and continuously updated view of their data and systems, including:

  • Detailed personal data inventories identifying what data is collected, where it resides, and who can access it
  • Data flow maps that trace how personal information is collected, used, shared, and transferred across systems and third parties
  • Classification and tagging frameworks that label data based on sensitivity and govern how it can be accessed, used, and disclosed
  • Complete hardware and software inventories, supported by allowlisting and formal approval processes to ensure that only authorized systems and applications can access or process personal information
  • Hardware and software approval controls, including processes to prevent the connection or use of unauthorized devices, systems, or applications within the business’s information environment
PRACTICE TIP: This requirement aligns closely with broader CCPA data governance obligations. In practice, companies cannot secure — or meaningfully govern — data they cannot locate, understand, or track. Effective compliance, therefore, depends on more than static data mapping; it requires a mature data governance framework that includes clear visibility into data lineage (how data moves and transforms across systems) and data provenance (where data originates and how it has been used over time).
This level of understanding is becoming more critical in the context of AI systems, where organizations must be able to trace training data sources, monitor downstream uses, and assess risks tied to data quality, bias, and unauthorized reuse. Without robust data lineage and provenance, businesses will struggle to validate AI outputs, respond to regulatory inquiries, or demonstrate accountability.
In practice, this is one area where many organizations lag behind. Building and maintaining accurate, real-time data inventories and flows across complex, distributed environments remains challenging — particularly given the limited maturity of tools that can operate effectively at scale across modern data ecosystems. As a result, companies often rely on incomplete or static documentation, which may fall short under audit scrutiny.

Secure Configuration and Patch Management

The audit must review whether the business has implemented and consistently maintains secure configuration and system management practices, including:

  • Software updates and upgrades, ensuring systems, applications, and dependencies are kept current to address known vulnerabilities and maintain security support
  • Security patch management, including the timely identification, prioritization, deployment, and verification of critical patches
  • Secure configuration of cloud and on-premises environments, ensuring systems are properly hardened and aligned with established security baselines
  • Masking of personal information, meaning the systematic obfuscation or redaction of sensitive data (e.g., replacing values with asterisks, tokens, or truncated formats) by default in applications to limit unnecessary exposure. The regulations specifically require masking for highly sensitive data elements identified in Civil Code § 1798.140(ae)(1)(A) and (B), such as Social Security numbers, driver’s license, state identification card, or passport numbers, and financial account or payment card information combined with access credentials. In practice, this requires organizations to ensure that such data is not fully displayed, logged, or accessible in plaintext unless strictly necessary for a defined business purpose. [Note: The rules available for download on the CalPrivacy website incorrectly cite to Civil Code § 1798.145(ae)(1)(A) and (B); the correct reference is § 1798.140(ae)(1)(A) and (B).]
  • Change management procedures, defined processes to review, approve, test, and document changes to systems or configurations to ensure that updates do not inadvertently weaken existing security controls
PRACTICE TIP: In practice, many organizations rely heavily on large service providers (e.g., AWS, Salesforce, and other cloud platforms) to host, manage, and process personal information — and, by extension, rely on the built-in security features of those platforms to support compliance. While these providers often offer robust security capabilities, reliance on a third-party platform is not, by itself, sufficient to meet regulatory requirements.
The regulations make clear that the business — not the service provider — remains accountable for the design, implementation, and enforcement of its cybersecurity program. This includes ensuring that security configurations are properly implemented, continuously maintained, and aligned with the business’s specific data processing activities and risk profile. Misconfigurations, overbroad access permissions, or failure to enable available security controls (e.g., encryption, logging, or segmentation) are common sources of breaches — and remain the responsibility of the business.
In addition, organizations must ensure that service providers operate within contractually defined limits, that their access is appropriately restricted, and that their activities are subject to ongoing oversight and audit. Ultimately, compliance requires a shared responsibility model: while service providers supply the infrastructure and tools, the business must actively configure, monitor, and govern those environments to ensure they meet regulatory expectations.

Vulnerability Testing

This includes:

  • Internal and external vulnerability scans
  • Penetration testing
  • Vulnerability disclosure programs
PRACTICE TIP: Internal and external vulnerability scans are critical tools for advancing a mature cybersecurity program, but they are not “set-and-forget” solutions. To be effective, they require sustained investment, operational bandwidth, and organizational buy-in over time. In practice, organizations often need to demonstrate tangible improvements and measurable risk reduction to leadership in order to justify continued investment and program expansion.
For this reason, it could be prudent to start with more limited or targeted scans, ensuring that the security team has the capacity to properly analyze, prioritize, and remediate findings before scaling to full-scope external assessments. Launching comprehensive scans without the resources to act on results can create a backlog, inefficiencies, and even increased risk visibility without mitigation.
There are also practical legal challenges around maintaining the confidentiality of vulnerability findings, particularly where reports may be discoverable in litigation or subject to regulatory scrutiny. This further underscores the importance of taking a deliberate, strategic approach — one that aligns with existing capabilities, leverages appropriate legal and governance structures (e.g., privilege where applicable), and incrementally builds toward a more mature and defensible vulnerability management program.

Audit-log Management

The regulations require businesses to implement robust audit-log management practices, including the centralized collection, storage, retention, and monitoring of logs across their information systems.

This includes:

  • Capturing logs that record key system and user activities, such as access to personal information, authentication events, configuration changes, and administrative actions
  • Maintaining centralized log storage to ensure consistency, integrity, and accessibility for monitoring and investigation
  • Establishing log retention policies that preserve records for a sufficient period to support security investigations, audits, and compliance obligations
  • Continuously monitoring and analyzing logs to detect suspicious or unauthorized activity, including anomalous access patterns or failed login attempts
PRACTICE TIP: Audit logs are a foundational element of any effective cybersecurity program. Without reliable logging, organizations lack visibility into how systems are used and whether controls are functioning as intended. In practice, logs are often underutilized or inconsistently maintained, limiting their value during incident response or audits.
The regulations signal a clear expectation that logging is not merely a technical feature, but a core governance and detection capability. Businesses should be able to demonstrate not only that logs are collected, but that they are actively reviewed, correlated, and used to identify and respond to security events in a timely manner.

Network Monitoring

Businesses must implement continuous network monitoring and defense capabilities designed to detect, analyze, and respond to unauthorized or anomalous activity across their systems.

Controls may include:

  • Intrusion detection and prevention systems (IDPS) to identify and block malicious activity, unauthorized access attempts, and exploitation of vulnerabilities
  • Bot detection and mitigation tools to identify automated threats, credential stuffing, and other abusive behaviors targeting systems and user accounts
  • Data loss prevention (DLP) technologies to monitor, detect, and prevent unauthorized access, use, or exfiltration of personal information
PRACTICE TIP: The regulations require organizations to move beyond passive defenses to active, real-time monitoring and threat detection. This means not just deploying tools, but ensuring they are properly configured, continuously maintained, and actively used to detect and respond to security incidents.

Antivirus and antimalware protections

Businesses must deploy and maintain antivirus and antimalware tools designed to detect, prevent, and remediate malicious software, including viruses, ransomware, spyware, and other threats. And, of course, these protections should be regularly updated, actively monitored, and applied across endpoints and systems to ensure ongoing defense against evolving threats.


Segmentation of Information Systems

Businesses must implement segmentation controls to separate systems, networks, and data environments in order to limit the spread of unauthorized access or malicious activity. This may include using firewalls, routers, switches, and network zoning techniques to isolate sensitive systems and personal information from less secure or publicly accessible environments.

PRACTICE TIP: Effective segmentation ensures that even if one part of the system is compromised, attackers cannot easily move laterally across the network. In practice, this is a critical safeguard for containing incidents and reducing overall risk exposure.

Limitation and control of ports, services, and protocols

Businesses must implement controls to restrict and manage the use of network ports, services, and communication protocols to only those that are necessary for legitimate business operations. This includes disabling or blocking unused ports and services

PRACTICE TIP: By reducing the number of open pathways into systems, organizations can significantly lower their attack surface and prevent unauthorized access or exploitation of vulnerabilities. In practice, this requires ongoing monitoring and configuration management to ensure that only approved and secure services are running across the environment.

Cybersecurity Awareness

Businesses must maintain ongoing cybersecurity awareness to ensure they can identify, understand, and respond to evolving threats. This includes staying informed about emerging vulnerabilities, attack techniques, and defensive measures relevant to their systems and data processing activities.

In practice, this requires organizations to:

  • Monitor threat intelligence sources and security advisories
  • Track developments in cybersecurity risks relevant to their industry and technology stack
  • Continuously evaluate and update security controls in response to new threats
PRACTICE TIP: Cybersecurity awareness is not limited to employee training — it reflects an organization’s ability to adapt its security posture in real time. Regulators expect businesses to demonstrate that their programs evolve alongside the threat landscape, rather than relying on static controls that may quickly become outdated.

Cybersecurity Education and Training

Businesses must implement a structured cybersecurity education and training program for all personnel with access to the organization’s information systems, including employees, contractors, and other authorized users.

This includes:

  • Initial training upon onboarding, covering core security policies, acceptable use, and threat awareness
  • Periodic (at least annual) refresher training to reinforce best practices and address evolving threats
  • Targeted training following security incidents, focusing on lessons learned and remediation of identified gaps.
PRACTICE TIP: Although the regulations do not explicitly require it, ideally training should go beyond the mandatory “online course” to become continuous, role-appropriate, and responsive to real-world risks. Organizations are expected not only to deliver training, but also to ensure it remains relevant and effective in addressing the changing threat landscape.

Secure Development Practices

Where applicable, auditors must assess whether the business has integrated security throughout the software development lifecycle (SDLC), rather than treating it as a post-development activity.

This includes:

  • Secure coding practices, such as adherence to established standards (e.g., OWASP) and the prevention of common vulnerabilities
  • Code review procedures, including peer reviews and security-focused reviews to identify flaws before deployment
  • Security testing processes, such as static and dynamic application security testing (SAST/DAST), dependency scanning, and pre-release validation

Vendor Oversight

Businesses must ensure that service providers, contractors, and third parties handle personal information in compliance with the CCPA and its implementing regulations. The rules explicitly require that these relationships be governed by contracts that meet the detailed requirements set forth in Sections 7051 (service providers and contractors)and 7053 (third parties).

At a high level:

Section 7051 (Service Providers and Contractors) requires contracts to:

  • Limit processing to specific, clearly defined business purposes
  • Prohibit selling, sharing, or using personal information outside the contractual scope
  • Require the service provider or contractor to provide the same level of privacy and security protection as the business
  • Obligate the provider to assist with compliance, including consumer requests, audits, and risk assessments
  • Grant the business audit and oversight rights, including the ability to monitor, test, and remediate non-compliance
  • Require notification if the provider can no longer meet its obligations

Section 7053 (Third Parties) imposes similar obligations, requiring:

  • Use of personal information only for limited and specified purposes
  • Compliance with CCPA requirements, including honoring opt-out rights and implementing appropriate security safeguards
  • Contractual rights for the business to monitor, audit, and remediate improper data use
  • Notification obligations if the third party cannot meet its compliance requirements
PRACTICE TIP: These requirements make clear that vendor oversight is not a passive, contractual exercise. Businesses must conduct ongoing due diligence, monitoring, and enforcement of vendor obligations. Entering into compliant contracts is the baseline, but it is insufficient — organizations must actively verify that service providers and third parties are operating within those constraints. Failure to do so may undermine the business’s ability to rely on statutory defenses and expose it to regulatory risk.

Data Retention and Disposal

Organizations must implement and enforce data retention and secure disposal processes to ensure that personal information is not retained longer than necessary for its disclosed purposes.

This includes:

  • Establishing defined retention schedules based on legal, regulatory, and business requirements
  • Regularly reviewing data holdings to identify information that is no longer needed
  • Securely disposing of personal information through methods such as shredding, erasing, or rendering data unreadable or undecipherable
PRACTICE TIP: Retaining data indefinitely increases risk. Effective retention and disposal practices are therefore a critical component of both privacy and security programs, helping to reduce the volume of data exposed in the event of a breach and demonstrating disciplined data governance.

Incident Response and Recovery

Auditors must assess whether the business has implemented and maintains effective incident response and recovery capabilities to detect, respond to, and recover from security incidents.

This includes reviewing:

  • A documented incident response plan, outlining procedures to identify, contain, investigate, and remediate security incidents
  • Incident response testing and exercises designed to validate the effectiveness of the plan and improve readiness over time
  • Business continuity and disaster recovery capabilities, including data backup, restoration processes, and the ability to maintain or quickly restore critical operations
PRACTICE TIP: The regulations take an expansive view of what constitutes a “security incident.” For these purposes, a security incident means “an occurrence that actually or imminently jeopardizes the confidentiality, integrity, or availability of the business’s information system or the personal information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of the business’s cybersecurity program; unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information is a security incident.” As a result, organizations must demonstrate not just preparedness on paper, but the ability to operationalize response and recovery in real-world scenarios, minimizing both the impact and duration of incidents.

Business Continuity and Disaster-Recovery Plans

Businesses must implement and maintain business continuity and disaster recovery (BC/DR) plans designed to ensure the ongoing availability of systems and the timely restoration of operations following a disruption or security incident.

The regulations do not specify further, but business continuity and disaster recovery typically includes:

  • Business continuity planning, which focuses on maintaining critical operations during and immediately after a disruption (e.g., through redundancy, failover systems, and alternative workflows)
  • Disaster recovery planning, which focuses on restoring systems, data, and infrastructure after an incident, including clearly defined recovery time objectives (RTOs) and recovery point objectives (RPOs)
  • Regular data backups, including secure storage, testing of backup integrity, and validation of restoration processes
  • Identification of critical systems and dependencies, ensuring that recovery efforts are prioritized based on business impact.
PRACTICE TIP: Security is not only about preventing incidents, but also about ensuring resilience and recoverability. Organizations should be able to demonstrate that they can maintain or quickly restore access to personal information and critical systems in the face of disruptions, whether caused by cyberattacks, system failures, or other events. In practice, this requires not only documented plans, but also testing, coordination across business and IT functions, and alignment with real-world operational priorities.

What Must the Cybersecurity Audit Report Include?

The final audit report must provide a comprehensive and well-supported account of the assessment, demonstrating not only the auditor’s findings but also the basis for those conclusions. (See Regs 7123(e))

At a minimum, the report must:

(1) Describe the business’s information system and identify:

  • The policies, procedures, and practices assessed
  • The audit criteria applied
  • The specific evidence reviewed, including documents, testing, and interviews
  • Why the selected criteria and evidence support the auditor’s conclusions

(2) Identify the cybersecurity components assessed (including those required under the regulations and any additional areas reviewed), and:

  • Explain how the business implements and enforces its cybersecurity program
  • Evaluate the effectiveness of those controls in protecting personal information and ensuring system availability

(3) Identify and describe in detail any gaps or weaknesses, including:

  • How those deficiencies increase the risk of unauthorized access, use, disclosure, modification, destruction, or loss of availability of personal information

(4) Document the business’s remediation plan, including:

  • Specific corrective actions
  • Timelines for addressing identified issues

In addition, the report must include:

  • Any corrections or amendments to prior audit reports
  • The titles of up to three individuals responsible for the cybersecurity program
  • The auditor’s name, affiliation, and qualifications
  • A signed certification of independence, confirming that the audit was conducted objectively and not based primarily on management representations

Finally, where applicable, the report must address prior security incidents by including:

(1) A sample or description of breach notifications provided to affected consumers

(2) Copies or descriptions of regulatory notifications, including:

  • The nature and timing of the incident
  • The activities that triggered notification obligations
  • Remediation measures taken in response

Certification to CalPrivacy

In addition to completing the audit, businesses must submit a formal certification of completion to CalPrivacy.

This certification requirement is detailed and prescriptive. Specifically:

(1) It must be submitted annually by April 1 following any year in which the business is required to complete a cybersecurity audit

(2) It must be completed by a member of the business’s executive management team who:

  • Is directly responsible for cybersecurity audit compliance
  • Has sufficient knowledge of the audit to provide accurate information
  • Has the authority to submit the certification on behalf of the business

The certification must be submitted through CalPrivacy’s website and include:

  • The business’s name and designated point of contact (including contact details)
  • A statement confirming that the cybersecurity audit has been completed
  • The time period covered by the audit
  • The name, title, and signature of the certifying executive, along with the date of submission

Critically, the certification must include an attestation under penalty of perjury stating that:

  • The certifying individual meets the regulatory requirements to submit the certification
  • The information provided is true and correct
  • The business did not attempt to influence the auditor’s decisions or assessments
PRACTICE TIP: This requirement elevates the audit from a technical exercise to an executive-level accountability mechanism. By requiring a formal certification under penalty of perjury, the regulations ensure that senior leadership is directly responsible for both the integrity of the audit process and the accuracy of the representations made to the CalPrivacy.

Conclusion

The CalPrivacy’s cybersecurity audit rules represent one of the most operationally demanding components of the CCPA regulatory framework. By requiring independent audits, detailed program assessments, and executive certifications, the regulations push organizations toward a more mature and accountable approach to data security.

For businesses that process large volumes of consumer data, these requirements are not merely a documentation exercise. They represent a fundamental shift toward continuous cybersecurity governance and oversight.

Organizations that begin preparing early — by strengthening internal security programs and aligning them with recognized audit frameworks — will be best positioned to meet these obligations when the rules take effect.