California's Consumer Privacy Act (CCPA) governs how businesses collect, use, and share the personal information of California residents. As of January 1, 2026, its reach expanded significantly. Businesses that once satisfied CCPA with a privacy policy and opt-out link now face cybersecurity audit mandates, formal risk assessments, and automated decision-making rules that require real operational controls, not just documentation.
For audit and advisory firms, the practical challenge is clear: scoping which clients trigger the new requirements, standing up engagement workflows for cybersecurity audits with certification deadlines staggered from 2028 through 2030, and managing evidence across an expanding client base. This article covers who must comply, what the core requirements look like, and how the new cybersecurity audits work.
The California Privacy Protection Agency (CPPA) announced comprehensive regulations taking effect on January 1, 2026, expanding operational requirements and adding new workstreams like cybersecurity audits for certain businesses. The CPPA is testing whether programs work in practice, not just whether they exist on paper.
Enforcement patterns tell you where to focus your assessments. The CPPA has dedicated staff and a multi-million-dollar budget to sustain enforcement pressure. CPI-adjusted penalties now reach $2,663 per general violation and $7,988 for intentional violations or those involving minors. The agency has also signaled interest in coordinated enforcement with other privacy regulators, which matters for clients operating across state lines.
Recent enforcement actions show the CPPA is backing that capacity with action. In 2025, the agency penalized Tractor Supply $1.35 million and settled with American Honda Motor Co. for $632,500. The violations in those and other cases point to a clear enforcement focus:
These patterns confirm the CPPA's enforcement focus: whether controls actually function in production, not just whether documentation exists. Structure your assessments accordingly.
Figuring out whether a client is in scope isn't just a revenue question. Entity structure, subsidiary relationships, and vendor arrangements all factor in, so your coverage analysis needs to look at the full processing ecosystem, not just the business itself.
The CCPA statute applies to for-profit businesses that do business in California and meet any one of three thresholds:
Meeting a single threshold triggers full coverage. If your client clears the revenue bar alone, they can be in scope even with relatively modest data processing. The law counts unique identifiers such as cookies, device IDs, and IP addresses, so the 100,000-consumer threshold catches more businesses than many teams expect.
The statute extends to certain controlled entities that share consumers' personal information, regardless of common branding. If your client is part of a corporate family, you need to evaluate applicability at the entity level and at the group level.
Service providers and contractors pick up obligations through written contract requirements. In practice, you'll be looking for terms that restrict selling/sharing and limit processing to specified business purposes. You'll also want clauses covering assistance with consumer requests, deletion or return, breach notification, and written certification of compliance.
One point that catches some clients off guard: employment-related and B2B-related coverage is more limited and context-dependent than many teams assume. Nonprofits and government agencies generally fall outside CCPA scope. But the extraterritorial reach is broad. A business need not be located in California to be subject to the CCPA; it may be "doing business" in California if it conducts online transactions with California residents, has employees working there, or has other connections to the state.
The California DOJ outlines consumer rights to access, delete, correct, opt out of sale/sharing, limit uses of sensitive personal information, and be free from discrimination for exercising those rights. For practitioners, each right translates into testable controls across notices, request handling, and data governance.
Clients must maintain a Notice at Collection covering data categories and purposes, with links to the full privacy policy and opt-out mechanisms. Confirm the privacy policy is updated at least annually per CPPA regulations.
For clients that sell or share personal information, test whether opt-out mechanisms work in real user journeys, including honoring Global Privacy Control signals. Post-opt-out re-prompting controls often look clean in policy documents but break down in production, which is exactly what the CPPA tests for.
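To make the "real user journey" test concrete, here is an added example (not code from the article or from any product it mentions) that drives a two-step visit through a simulated request handler and reports where opt-out handling fails. The facts about GPC it relies on are from the GPC specification: browsers send the request header `Sec-GPC: 1`, and a site advertises support at `/.well-known/gpc.json` with a body like `{"gpc": true, "lastUpdate": "2026-01-01"}`. The handler functions, the cookie name `ccpa_opt_out`, the `Response` fields and the sample journey are assumptions constructed for the example; in a real engagement the handler would be replaced by actual HTTP requests against the client's site.

```python
"""Audit check: does a site honour Global Privacy Control across a journey?

Added example, not from the article. Real GPC facts: request header
`Sec-GPC: 1`; `/.well-known/gpc.json` returns {"gpc": true, "lastUpdate": ...}.
The cookie name, handler logic and journey below are constructed assumptions.
"""
import json
from dataclasses import dataclass, field

OPT_OUT_COOKIE = "ccpa_opt_out"  # assumed name of the persisted opt-out flag


@dataclass
class Response:
    set_cookies: dict = field(default_factory=dict)
    sale_share_tags_loaded: bool = False  # would third-party ad/analytics tags fire?
    prompted_for_consent: bool = False    # was a consent / opt-in banner shown?


def handle_request(headers: dict, cookies: dict) -> Response:
    """Hardened handler: treat `Sec-GPC: 1` as a valid opt-out of sale/sharing,
    persist it, suppress sale/share tags, and never re-prompt an opted-out user."""
    resp = Response()
    already_opted_out = cookies.get(OPT_OUT_COOKIE) == "1"
    gpc_signal = headers.get("Sec-GPC", "").strip() == "1"
    if gpc_signal and not already_opted_out:
        resp.set_cookies[OPT_OUT_COOKIE] = "1"
        already_opted_out = True
    resp.sale_share_tags_loaded = not already_opted_out
    # Only users with no opt-out state at all may be shown a prompt.
    resp.prompted_for_consent = not already_opted_out and not gpc_signal
    return resp


def handle_request_broken(headers: dict, cookies: dict) -> Response:
    """'Before' handler for contrast: ignores the GPC header entirely."""
    resp = Response()
    already_opted_out = cookies.get(OPT_OUT_COOKIE) == "1"
    resp.sale_share_tags_loaded = not already_opted_out
    resp.prompted_for_consent = not already_opted_out
    return resp


def audit_gpc_journey(handler) -> list:
    """Drive a first visit and a return visit (both with GPC on) through
    `handler`; return a list of findings, empty when controls behaved."""
    findings = []
    cookies = {}
    # Step 1: first visit, browser-level GPC enabled, no prior state.
    r1 = handler({"Sec-GPC": "1"}, cookies)
    if r1.sale_share_tags_loaded:
        findings.append("step1: sale/share tags loaded despite Sec-GPC: 1")
    if r1.set_cookies.get(OPT_OUT_COOKIE) != "1":
        findings.append("step1: GPC opt-out was not persisted")
    cookies.update(r1.set_cookies)
    # Step 2: return visit with whatever the site persisted; the post-opt-out
    # re-prompting failure the article describes shows up here.
    r2 = handler({"Sec-GPC": "1"}, cookies)
    if r2.prompted_for_consent:
        findings.append("step2: opted-out user was re-prompted")
    if r2.sale_share_tags_loaded:
        findings.append("step2: sale/share tags loaded after opt-out")
    return findings


def well_known_gpc_ok(body: str) -> bool:
    """Validate the body served at /.well-known/gpc.json: `gpc` must be the
    JSON boolean true and `lastUpdate` must be present."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("gpc") is True and "lastUpdate" in doc


if __name__ == "__main__":
    print("hardened:", audit_gpc_journey(handle_request))
    print("broken:  ", audit_gpc_journey(handle_request_broken))
    print("well-known ok:", well_known_gpc_ok('{"gpc": true, "lastUpdate": "2026-01-01"}'))
```

Each finding names the journey step and the control that failed, which maps directly onto a workpaper exception. The same two-step shape (first visit with the signal, then a return visit with persisted state) is what to reproduce with a real browser when testing the client's production site, since a handler that passes on the first visit can still re-prompt on the second.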
Verify that clients offer multiple request submission channels without dark patterns or unnecessary friction. You're looking for a documented workflow with testable controls: intake, identity verification, system-of-record queries, fulfillment within statutory timelines, escalation paths, and auditable logs. Beyond individual consumer requests, the 2026 regulations also add program-level work.
Risk assessment obligations are now in effect, with submissions due on a defined timeline: information about risk assessments conducted in 2026 and 2027 must be submitted to the CPPA by April 1, 2028, with subsequent years due by April 1 of the following year. Help clients complete assessments before they begin processing activities the regulations treat as presenting significant risk to consumers.
Automated decision-making technology (ADMT) obligations also apply from January 1, 2026, with specific rights and procedural requirements focused on ADMT used to make or facilitate significant decisions. Additional reporting milestones follow later. Both areas involve advisory work alongside compliance testing.
The cybersecurity audit requirement is one of the biggest new obligations in the 2026 regulations. Scoping and scheduling depend on whether a client triggers the requirement and where they fall in the staggered certification timeline.
Not every CCPA-covered business needs a cybersecurity audit. The requirement kicks in when a business meets the revenue threshold (approximately $26 million, CPI-adjusted) and at least one additional trigger under the CPPA's rulemaking:
Revenue threshold plus any one trigger means annual independent cybersecurity audits. Certification deadlines are staggered by revenue: $100 million and above must submit by April 1, 2028; $50-100 million by April 1, 2029; and below $50 million by April 1, 2030. The runway looks generous, but clients need documented cybersecurity programs in place well before your fieldwork starts.
The CPPA's cybersecurity audit rules span access control, data protection, system security, monitoring/detection, and governance. The practical step is turning that structure into a repeatable audit approach: standardized procedures mapped to the framework, with scope adjusted to the client's size, complexity, and processing activities.
The CPPA's rulemaking record recognizes alignment with NIST's Cybersecurity Framework as an acceptable way to help demonstrate reasonable security measures. If a client already operates a CSF-aligned program or holds existing certifications, you can often use that work as a baseline and test for CCPA-specific gaps.
You'll need to demonstrate cybersecurity and audit expertise and follow recognized professional standards. The CPPA's materials also address independence expectations designed to preserve objectivity, so plan early for independence considerations and required documentation.
Retention expectations deserve attention up front as well. The CPPA's meeting materials describe a five-year retention requirement for certain audit records.
Plan for an evidence-led audit. You'll typically rely on documents, technical testing, and interviews, not just management attestations, to support conclusions.
Businesses in scope must submit an annual cybersecurity audit certification to the CPPA, signed by an executive. They do not routinely submit the full audit report, but the CPPA and California Attorney General may request the underlying report during investigations. Service providers and contractors may also need to provide information your client needs for the audit, so set expectations in engagement letters about third-party cooperation and timing.
Given five-year retention requirements and the potential for regulatory requests, centralizing evidence collection in a single engagement platform helps reduce documentation gaps. Tools like Request Agent can validate uploaded evidence for relevance and audit-period currency as it arrives, keeping workpapers organized across multi-year audit cycles.
CCPA cybersecurity audits and privacy assessments involve layered evidence collection, controls testing across multiple requirement areas, and tight documentation requirements, which is exactly where manual processes break down at scale.
Fieldguide's engagement platform brings planning, evidence management, testing, and reporting into a single system, with AI that assists practitioners at specific workflow steps while practitioners maintain review and final judgment. For CCPA cybersecurity audits, the Testing Agent can analyze evidence against controls, execute testing, and produce exception or no-exception conclusions for practitioner review.
BerryDunn reported 30-50% efficiency gains and doubled engagement capacity using Fieldguide. As CCPA audit demand scales with staggered certification deadlines through 2030, that kind of capacity expansion matters. Request a demo to see how Fieldguide can help your firm get ahead of the curve.