Top 3 Things to Know About California’s New Cybersecurity Mandate

November 6, 2025


Key insights

The California Privacy Protection Agency (CPPA) now mandates annual cybersecurity audits for organizations meeting certain thresholds. This affects both California companies and those doing business in the state.


The CPPA also now requires privacy risk assessments for businesses engaged in high-risk processing activities, including handling sensitive personal information and targeted advertising to minors.


Organizations using automated decision-making technology such as AI or algorithms to make or influence significant decisions about consumers also face new compliance obligations.


Here are the top three things to know about California’s new cybersecurity mandate. The California Privacy Protection Agency (CPPA) has adopted regulations that introduce sweeping new cybersecurity requirements for businesses handling consumer data under the California Consumer Privacy Act (CCPA).

Whether you’re a California-based company or simply do business in the state, these CCPA compliance requirement changes will impact how you manage, secure, and report on personal information.

Here’s what you need to know and why you should start preparing now.

1. Annual California cybersecurity audits are now mandatory for many businesses

The CPPA mandates annual cybersecurity audits for organizations meeting certain thresholds. If your business processes the personal information of 250,000 or more California residents, or handles sensitive personal information for 50,000 or more individuals, you’re likely in scope.

Additionally, if 50% or more of your revenue comes from selling or sharing personal information, you must comply with new CCPA compliance requirements.

What does the cybersecurity audit involve?

The audit must be conducted by a qualified, independent internal or external auditor. It’s not just a checklist — auditors will review your cybersecurity program’s effectiveness across organizational areas:

  • Policy documentation
  • Technical controls
  • Incident response
  • Evidence of ongoing risk management

Results must be reported to senior leadership and a certification submitted annually to CPPA.

Key CCPA cybersecurity audit deadlines

  • Effective date: January 1, 2026
  • First certifications due: April 1, 2028 (for larger businesses), with phased deadlines through 2029 and 2030 for smaller organizations

Why act now?

Preparing for an audit takes time. You’ll need to inventory your data, assess your controls, and gather evidence that safeguards are working. Early action could mean fewer surprises and a smoother path to CCPA compliance, so you’ll want to start thinking about strategies to mitigate cyber threats.

2. Privacy risk assessments for high-risk data processing

The CPPA also requires privacy risk assessments for businesses engaged in high-risk processing activities. This includes handling sensitive personal information, targeted advertising to minors, and other activities that could pose significant data privacy risks to consumers.

What’s included in a privacy risk assessment?

You’ll need to document the purposes and necessity of your data processing, weigh the benefits against the risks to consumers, and outline mitigation strategies. The assessment must align with CPPA-specified contents and be ready for submission on the agency’s timetable.

Key privacy risk assessment deadlines

  • Effective date: January 1, 2026
  • Submission cadence: Begins April 1, 2028 for covered entities

Why is this important?

Risk assessments aren’t just paperwork — they’re a chance to identify gaps, strengthen your privacy posture, and demonstrate accountability. Regulators will expect concrete mitigations and evidence you’re actively managing data privacy risks.


3. Automated decision-making technology (ADMT) compliance

If your organization uses automated decision-making technology (ADMT), such as AI or algorithms, to make or influence significant decisions about consumers (including employment, credit, housing, or insurance), you’ll face new CCPA compliance obligations.

What’s required for ADMT compliance?

You must provide plain-language notices before using ADMT, offer meaningful information about the logic and impacts of these technologies, and allow consumers to opt out of ADMT in significant decisions (with some exceptions).

Key ADMT compliance deadline

  • Compliance: Required by January 1, 2027

Why does this matter?

Transparency and consumer control are at the heart of these CCPA compliance requirements. As AI and automation become more prevalent, regulators want individuals to understand — and influence — how decisions about them are made.

How should businesses prepare for California’s cybersecurity audit rules?

Assess applicability

Determine if your business meets the thresholds for cybersecurity audit requirements or data privacy risk assessments. Inventory your data, review your processing activities, and confirm whether you sell or share personal information.

Prepare evidence

Start gathering documentation now. Initial documentation may include:

  • Policy documents
  • Penetration test results
  • Vulnerability assessments
  • Incident response reports
  • Proof of data encryption

Establish a central repository for CCPA compliance evidence.

Align with leading frameworks

Consider mapping your cybersecurity program to leading frameworks like NIST Cybersecurity Framework 2.0 or CIS Controls v8.1. This not only helps with CCPA compliance but can help strengthen your overall security posture.

Engage leadership

Audit certifications must be signed by your board or highest-level executive. Inform your leadership of the CCPA compliance requirements.


The information contained herein is for informational purposes only, general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CLA) to the reader. Your use of the information does not create a client or any other contractual relationship between you and CLA. ©️2024 CliftonLarsonAllen LLP. For more information, visit godigital.CLAconnect.com. CLA (CliftonLarsonAllen LLP) is an independent network member of CLA Global. See CLAglobal.com/disclaimer.