California residents value their privacy—and so do regulators. The California Consumer Privacy Act (CCPA) gives individuals more control over their personal information while holding organizations accountable for how they process, protect, and manage that data.
Why it matters: Failing to comply with CCPA isn’t just a legal risk—it’s a trust risk. With evolving enforcement and a growing list of affected businesses, every organization collecting or sharing Californians’ personal information needs a scalable, auditable strategy for compliance.
What is CCPA, and who does it apply to?
The CCPA, originally passed in 2018 and significantly amended by the California Privacy Rights Act (CPRA), is California’s comprehensive consumer privacy law. It mandates that certain for-profit businesses handling Californians’ personal information (PI) implement “reasonable security procedures and practices” and offer transparency and control to individuals about how their data is collected, used, or sold.
To determine applicability, look at three key thresholds. A business must comply with CCPA if it:
- Has annual gross revenue over $25 million,
- Processes personal information of 100,000+ California residents or households, or
- Derives 50% or more of annual revenue from selling or sharing Californians’ personal information.
Nonprofit organizations and government entities are generally exempt.
The CCPA is administered by the California Privacy Protection Agency (CPPA), along with the California Attorney General. Enforcement responsibility—and expectations—increased significantly once new regulations took effect on January 1, 2026.
CCPA has evolved from consumer protection to security auditing
When first enacted, CCPA focused on consumer rights: the right to know what personal data is collected, request deletion, opt out of its sale, and avoid discrimination. While these rights remain central, the 2020 amendments introduced by the CPRA expanded the law’s scope to include:
- Creation of the CPPA as a dedicated privacy regulator,
- Enhanced rights around sensitive personal information,
- Most recently, mandated cybersecurity audits and risk assessments for high-risk entities.
This marked a shift from policy-based disclosures to operational accountability. As of 2026, CCPA requires certain businesses to conduct yearly cybersecurity audits when their data practices pose a “significant risk” to consumers.
Understanding the new cybersecurity audit requirements
Starting in 2028, subject businesses must submit an annual certification to the CPPA affirming that an independent cybersecurity audit has been completed. The audit is meant to ensure that your actual practice—not just your policies—effectively protects personal information.
If your business meets any of the following criteria, you may be required to complete these audits:
1. Revenue-based triggers:
You generate $25M+ in annual gross revenue and, in the prior year, processed PI from at least 250,000 consumers or sensitive PI from at least 50,000 consumers.
2. Data processing risk threshold:
50% or more of your revenue comes from selling or sharing consumer information.
These audits must be done by an independent and qualified professional. Independence means objective oversight—auditors can be internal only if strict controls separate them from control design and operations.
The audits use recognized professional standards (such as AICPA, PCAOB, ISACA, or ISO) and must rely on objective, testable evidence—not management say-so. Documentation must be detailed, specific, and retained for at least five years.
CCPA audit scope and key cybersecurity requirements
Audits under CCPA go beyond surface-level checklists. They assess how effectively your entire cybersecurity program protects the confidentiality, integrity, and availability of personal information.
Key control areas include:
- Multi-factor authentication (preferably phishing-resistant)
- Encryption at rest and in transit
- Role-based access control
- Asset inventory and system classification
- Secure system configuration
- Vulnerability and patch management
- Continuous logging and threat monitoring
- Security awareness training
- Incident response planning
- Disaster recovery and business continuity frameworks
- Vendor and third-party risk oversight
Auditors must describe your environment, the criteria applied, the specific evidence examined, and any identified gaps and remediation steps. While reports don’t get submitted to the CPPA by default, regulators may request them, and you must submit an annual certification of completion.
Common CCPA audit challenges
CCPA compliance is not a one-time exercise. Many businesses still treat it that way—and run into problems.
Scoping errors.
It’s not always obvious whether your organization must complete an annual audit. Determining if your processing poses “significant risk” means counting PI and sensitive PI correctly, applying thresholds, and monitoring annual volumes.
Misconceptions about certification.
There is no official “CCPA certification.” The law requires an independent audit each year with a formal certification of completion sent to regulators—backed by detailed work, not assumptions.
Weak evidence and management reliance.
Audits must involve documentation, testing, sampling, and walkthroughs. Relying solely on internal attestations doesn’t meet regulatory expectations.
Independence violations.
Internal auditors must be functionally and operationally independent. Using consultants who designed your controls as your auditor introduces serious conflicts—and makes the audit invalid.
Gaps in framework alignment.
You may have existing cybersecurity audits (like SOC 2 or ISO 27001), but they won’t fulfill the CCPA requirement unless your evidence addresses all required audit components. Partial overlap is not enough.
What the future of CCPA looks like in 2026 and beyond
The 2026 rule update formalized how regulators will oversee compliance using structured, risk-based audits. That means even though formal deadlines begin in 2028, businesses should be ready now.
Enforcement pressure will increase.
Audits shift CCPA from theoretical to mandatory. Once phased deadlines go live—starting in 2028 for large enterprises ($100M+ revenue)—we can expect regulators to scrutinize the quality, completeness, and independence of reports.
Reuse of work will become more strategic.
The CPPA allows organizations to reuse parts of other audit frameworks (like NIST CSF 2.0 or ISO 27701). But that reuse must fully align with CCPA’s required criteria—not just broadly overlap. Maintaining reusable, mapped controls will be essential.
Privacy and security will converge operationally.
CCPA now expects not just Consumer Services or Legal teams, but InfoSec and GRC leaders to actively participate in audit readiness. Privacy is no longer a policy—it’s a system that must function.
Technology will drive audit scalability.
Manual audit prep won’t scale. As new frameworks and deadlines take hold, automating evidence collection and aligning controls across privacy, security, and regulatory domains will become the industry norm.
How Thoropass helps you meet the CCPA audit challenge
Compliance shouldn’t slow you down. Thoropass streamlines your path to CCPA audit readiness by combining automation, expertise, and advisory support under one system of record.
Unified control mapping.
Our platform aligns your existing SOC 2, ISO 27701, or NIST CSF controls to CCPA requirements, so you can reuse existing work where appropriate—and identify gaps early.
Automated evidence collection.
Thoropass automatically pulls records from your key systems, reducing manual tasks and ensuring consistent, auditable logs. Our AI-assisted evidence prescreening flags missing or insufficient documentation before an auditor ever sees it.
Independent assessment expertise.
Thoropass is an AICPA-registered CPA firm. Our auditors are qualified, objective, and never grade their own work. You can count on transparency, independence, and audit standards that meet CCPA expectations.
Built-in support for privacy frameworks.
With multi-framework support, including ISO/IEC 27701 and NIST CSF 2.0, Thoropass helps you establish privacy-by-design programs that align with CCPA—while boosting audit coverage for other frameworks.
Scalable documentation and visibility.
Our dashboards give you real-time insight into compliance status, risk posture, evidence readiness, and overdue actions. That means proactive management, not last-minute fire drills.
Get ahead of CCPA—before the deadlines arrive
CCPA cybersecurity audits aren’t optional for high-risk processors—they’re mandatory. And with audit program deadlines already defined, planning late puts your organization at risk of noncompliance.
Thoropass helps you stay ready—with less guesswork, more automation, and expert guidance that aligns to the latest rules. CCPA is evolving. With Thoropass, your compliance program evolves with it.
Schedule a discovery session today.