The CCPA Now Requires Annual Cybersecurity Audits
Cybersecurity Assessments | Privacy Assessments
Published: Oct 13, 2025
The California Consumer Privacy Act (CCPA) is reminiscent of Michael Myers, Freddy Krueger, or Ghostface: no matter how many times you think it is finished, it keeps coming back with more. While privacy professionals have been tracking the slow rulemaking process for some time, the newly approved regulations may have startled others, fittingly just in time for spooky season.
These regulations include several new requirements around risk assessments and consumers’ rights to access and opt out of the use of automated decision-making technology (ADMT), and they provide illustrative guidance on implementing requirements around notice, choice, and fulfillment of consumer requests. That said, most attention is focused on the new cybersecurity audit rules.
Businesses meeting certain thresholds as defined under the CCPA are now required to conduct annual audits of their cybersecurity program. In this article, we’ll provide background on how the regulations came to be, what’s now required of businesses, and insight into how Schellman can make your compliance efforts less spooky.
Rulemaking from the California Privacy Protection Agency
The CCPA, passed in 2018, was amended in 2020 by the California Privacy Rights Act (CPRA). The CPRA established the California Privacy Protection Agency, the first dedicated state privacy authority in the United States tasked with enforcing the CCPA, developing regulations, and educating consumers and businesses about their privacy rights and obligations.
The CPRA also introduced new requirements under the CCPA, including for businesses “whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security to... perform a cybersecurity audit on an annual basis.” However, the amendments did not spell out how this requirement should be implemented; responsibility for defining it was delegated to the California Privacy Protection Agency as part of its mandate to develop regulations.
The agency has been working since 2023 to define the scope of and establish the process for conducting the audit. Initial public notice of the proposed rulemaking was issued on November 22, 2024, with an invitation for public commentary extending through February 19, 2025. The regulations, approved by the agency on July 24, 2025 and subsequently by the Office of Administrative Law on September 22, 2025, are set to become effective on January 1, 2026.
Enforcement Trends and Compliance Expectations
California was the first US state to introduce a data breach notification law back in 2002, so it is unsurprising that the focus is on ensuring organizations proactively confirm the security of the information systems that process personal information. The California Privacy Protection Agency’s attention has also recently shifted toward proactive compliance, governance of the underlying infrastructure, and continuous rather than reactive improvement.
The enforcement actions from 2025 alone should be enough to make a compliance professional jump out of their skin. Tractor Supply, Honda, and Todd Snyder were all the subject of enforcement actions with similar themes: surface-level compliance measures coupled with weak contractual safeguards and ineffective implementation.
The evolution of technology demands more accountability for processing activities and more respect for consumers’ personal information. As operations become more advanced, fast-paced, and integrated, “reasonable” security becomes a moving target.
The In-Scope Audit Components
You may think the scope of these requirements seems familiar. Although the controls are not as prescriptive as those of ISO 27001, the regulation does list 18 potential components and subcomponents in scope for the audit, including but not limited to:
- Access and authentication, including multi-factor authentication that is resistant to phishing attacks and restrictions for privileged accounts;
- Personal information, hardware, and software inventories;
- Secure configurations, including software updates, securing on-prem and cloud-based environments, masking, patch management, and change management;
- Vulnerability scans, penetration tests, and vulnerability disclosure and reporting;
- Audit log management;
- Secure development and coding best practices;
- Retention and disposal of personal information;
- Cybersecurity awareness, education, and training; and
- Incident response.
However, it is ultimately the auditor who determines which components are or are not applicable to the business’s information system, based on the business’s size and complexity and the nature and scope of its processing activities, taking into account the state of the art and the cost of implementation.
Auditors will also be required to identify and describe in detail the status of any gaps or weaknesses in the applicable components, the business’s plan to address them, and the timeframe for resolving them.
The Threshold and Timing of Compliance
Notably, the cybersecurity audit is required only for businesses whose processing of personal information presents a significant risk to consumers’ security.
The California Privacy Protection Agency has defined “significant risk” as follows:
- The business derives 50% or more of its annual revenue from selling or sharing consumers’ personal information; OR
- The business had annual gross revenue of more than $26,625,000* in the preceding calendar year, and:
  - Processed the personal information of 250,000 or more consumers or households in the preceding calendar year; OR
  - Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.
*Please note: this amount is adjusted every other year to reflect increases in the Consumer Price Index, so monitor the agency’s updates for the current figure.
If your organization meets the above criteria, the deadline for completion of your first cybersecurity audit is dependent on your revenue, as outlined below:
Revenue Criteria | Cybersecurity Audit Deadline
---|---
 | April 1, 2028
 | April 1, 2029
 | April 1, 2030
 | Thereafter
Proactive Steps to Prepare for CCPA Cybersecurity Audits Now
While the first round of audit reports is not due for another two and a half years, organizations should not wait until 2027 or 2028 to evaluate the effectiveness of their controls.
Waiting until after January 1, 2028 to gauge the implementation of the cybersecurity program would place your organization in the three-month countdown before the report is due. If any gaps or weaknesses are identified at that point, your organization would have to scramble to draft and execute a remediation plan.
Combined with the rush of other businesses conducting their audits at the last minute, that scenario will strain the availability of audit firms: a recipe for professional panic. Luckily, you can prepare now, and we’re here to help!
At Schellman, we pride ourselves on helping our clients work towards their compliance goals and strengthening their security and privacy programs. We strongly believe that compliance does not belong on the back burner; like the California Privacy Protection Agency’s objectives, we aim to help our clients continuously and proactively improve their security posture to be in the best position to navigate emerging legislative requirements (all while calming fears).
Organizations should consider proactively conducting an independent assessment against the components in 2026, to provide confidence in the program before the review period begins on January 1, 2027. Organizations interested in a readiness assessment against the regulation can contact us today for more information on how Schellman can assist in navigating their complex security and privacy regulatory environment.
About Emily Heintz
Emily Heintz is a senior manager with Schellman based in New Orleans, Louisiana. She currently manages privacy assessments and certifications across the full suite of offerings, including CBPR / PRP, CCPA, GDPR, ISO 27701, and Microsoft DPRs. Prior to joining Schellman in 2020, Emily worked as a Project Manager on the U.S. Privacy team at a Fortune 1 retailer, focusing on designing controls to comply with the CCPA and conducting privacy reviews of emerging technology solutions. She is an active member of the International Association of Privacy Professionals (IAPP), is a Fellow of Information Privacy (FIP), holds both the CIPP/US and CIPM certifications, and has also obtained her CISSP.