May 1, 2026

Are You Ready — California Cybersecurity Audits Are Here!

Advisory

The California Privacy Protection Agency’s (CalPrivacy) Executive Director Tom Kemp recently stated that the agency’s new Audits Division will begin conducting audits assessing companies’ compliance with California data privacy laws this year.[1]

What Is the Role of the New Audits Division?

CalPrivacy was established in 2020 by the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).[2] The agency is responsible for implementing and enforcing both statutes.

The CPRA required CalPrivacy to “appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance” with the CCPA and CPRA.[3] Accordingly, in February 2026, CalPrivacy formed the new Audits Division, led by Chief Privacy Auditor Sabrina Boyson Ross.[4] Ross joined CalPrivacy after serving in senior privacy and policy leadership roles, most recently as the Director of Public Policy at Meta.[5]

The newly formed Audits Division, announced February 3, 2026, has been described by Executive Director Kemp as the “point folks” for cybersecurity audit certifications[6] and is responsible for developing and applying privacy compliance audit procedures and examining businesses’ practices for compliance gaps.[7] It will also be responsible for processing risk assessment attestations under Article 10 of the new CCPA regulations, as well as the cybersecurity audit certifications under Article 9.

When Should You Expect Audits To Start?

As directed by the CPRA, CalPrivacy created annual cybersecurity audit requirements[8] for “businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.”[9] Although these audit requirements formally took effect January 1, 2026, initial cybersecurity audit certifications are not due until 2028 to 2030, depending on the business’s annual gross revenue in the preceding year.[10]

While this statutory deadline may appear to afford organizations ample time to complete their first cybersecurity audits, Executive Director Kemp’s recent announcement of audits beginning this year indicates otherwise.

Kemp has acknowledged that although audit certifications will not be due until at least 2028, CalPrivacy expects that “by nature, people are just doing cybersecurity audits anyway” given that “other regimes and other regulations” impose similar requirements.[11]

Other states do have laws requiring cybersecurity audits. New York, for example, imposes cybersecurity program and audit-type obligations on financial services entities,[12] and a number of states have adopted insurance data security laws modeled on the National Association of Insurance Commissioners Model Law. However, California’s regulations uniquely extend cybersecurity audit certification obligations to any qualifying business across sectors.

In other words, do not treat this delayed certification deadline as a grace period: the Audits Division is here and expects your cybersecurity audit practices to be underway now.

What Will Be the Focus of These Audits?

CalPrivacy has not explicitly identified the initial focus of its audits, but Executive Director Kemp has stated that the division “may pre-announce a thematic audit in an area.”[13] Businesses can expect the division to focus on areas of recent concern to the Enforcement Division, including the frustration of consumers’ exercise of their CCPA rights — the rights to access, correct, delete, and opt out of the sale and sharing of personal data — and failure to comply with privacy policy requirements. In a recent panel discussion, representatives from the bipartisan Consortium of Privacy Regulators — including Michael Macko, Deputy Director of Enforcement for CalPrivacy, and Stacey Schesser, Supervising Deputy Attorney General for the California Department of Justice — cited other key priorities as including chatbot-related practices, surveillance pricing, the use of data in large language models, and practices surrounding sensitive data, including non-HIPAA-covered health data.[14]

Audits can be expected to include review of information about the business’s cybersecurity program, information systems, and use of service providers or contractors.[15] Auditors may also conduct interviews but will expect that facts relevant to the audit be based on more than attestations by business management.[16]

Could These Audits Lead to Enforcement Action?

The Audits Division will complement the Enforcement Division of CalPrivacy, and businesses should understand that violations discovered by the Audits Division could be referred to the Enforcement Division.[17]

Companies referred to the Enforcement Division for noncompliance could face significant fines. Recent enforcement actions included fines ranging from $345,178 to $1.35 million.[18] And these fines could get even higher. In the panel discussion referenced above, Deputy Director Macko commented that there may be a risk that fines under the CCPA could become the “cost of doing business,” hinting at CalPrivacy’s interest in increasing fines to ensure they maintain deterrent value.

Audits Are Here — How Should You Prepare?

With these audits imminent, companies should consider immediately doing the following:

Determine whether the cybersecurity audit regulations apply to your organization. For-profit businesses “doing business in California”[19] whose processing activities present a “significant risk to consumers’ privacy or security” are subject to the regulations.[20] Notably, the audit requirements are not limited to businesses based in California. A business presents a “significant risk” if, in the preceding calendar year, it met either of the following:

  • Generated annual gross revenue exceeding $25 million and either (1) processed the personal information of 250,000 consumers or households, or (2) processed the sensitive personal information of 50,000 or more consumers[21]
  • Derived 50% or more of its annual revenues from selling or sharing consumers’ personal information[22]

Structure readiness work for privilege protection. Cybersecurity audit documentation may be discoverable in data breach and other litigation and is not automatically covered by attorney-client privilege. Although the CCPA regulations require only that businesses submit an audit certification, not the underlying audit reports, those reports could nonetheless be subject to subpoenas from CalPrivacy or other regulators, either before or after certification. With those risks in mind, it is also important to recognize that early documentation could be instrumental in demonstrating commitment to strong cybersecurity policies; it will be useful in any pre-certification audits and can also serve as the basis for later CCPA-required audits.[23] Companies should consider engaging outside counsel to direct the initial readiness assessment and establish a privilege framework before generating documentation.

Confirm whether cybersecurity program ownership meets audit standards. Most companies subject to the regulations will already have a cybersecurity program with designated owners. The CCPA requires that such “qualified individuals” be identified in the audit report,[24] and companies should understand that auditors may assess whether those individuals have sufficient expertise and authority, and whether their roles, responsibilities, and reporting lines are formally documented. Companies should review their program governance against these criteria and close any gaps in documentation now.

Evaluate substantive program components. The CCPA regulations set out 18 cybersecurity program components[25] that the audit may assess depending on whether the auditor deems them “applicable to the business’s information system.” However, even components outside of those 18 could be assessed by an auditor.[26] Businesses should comprehensively evaluate their cybersecurity policies and controls against each component, identify gaps, and document the operation of effective controls.

Consider whether to engage an independent auditor. The CCPA regulations require businesses to retain a “qualified, objective, independent professional” auditor.[27] This could be an internal or external auditor so long as they are impartial and objective.[28] While a formal auditor is not necessarily required at this early stage, businesses might consider identifying potential auditors now to prepare for future audit requirements.

Coordinate readiness with Article 10 risk assessments. The cybersecurity audit certification required by Article 9 is distinct from the separate risk assessment obligation under Article 10,[29] which similarly requires businesses whose processing activities present a “significant risk to consumers’ privacy”[30] to conduct and document privacy risk assessments and to submit an annual attestation that the required assessments have been conducted.[31] As with the audit regime, CalPrivacy may request the underlying risk assessments on demand.[32] Although the triggers and deliverables differ, much of the underlying readiness work (mapping processing activities, identifying controls, and documenting rationales) supports both regimes, and companies should coordinate accordingly.

Organizations that have questions about conducting cybersecurity audits, or about the CCPA more generally, may contact any of the authors of this Advisory or their usual Arnold & Porter contact. Our Privacy, Cybersecurity & Data Strategy team would be pleased to assist with any questions about privacy compliance and enforcement.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. Allison Grande, Calif. Privacy Audits Starting This Year, Agency’s Head Says, LAW360 (Apr. 10, 2026).

  2. Cal. Civ. Code §§ 1798.100-1798.199.100.

  3. Id. § 1798.199.40(f).

  4. California Privacy Protection Agency Names Sabrina Boyson Ross as Chief Auditor and Forms New Audits Division, PRIVACY.CA.GOV (Feb. 3, 2026).

  5. Id.

  6. See The Privacy Advisor Podcast, California privacy enforcement in 2026: A discussion with CalPrivacy’s Tom Kemp, IAPP, at 00:22:50-00:25:06 (Feb. 6, 2026).

  7. California Privacy Protection Agency Names Sabrina Boyson Ross as Chief Auditor and Forms New Audits Division, supra note 5.

  8. Cal. Code Regs. tit. 11, art. 9 (2026) (hereinafter CCPA Regs.).

  9. Cal. Civ. Code § 1798.185(a)(14)(A).

  10. CCPA Regs. § 7121(a)(1)-(3).

  11. The Privacy Advisor Podcast, supra note 7, at 00:22:14-00:22:58, 00:23:11-00:24:00.

  12. See 23 NYCRR 500.

  13. Matt Fleischer-Black, CalPrivacy Director Discusses New Audits Division and Other 2026 Actions to Come, Cybersecurity L. Rep. (Mar. 4, 2026).

  14. See IAPP Global Summit 2026 Conference Agenda, IAPP.

  15. See CCPA Regs. § 7122(b) (requiring businesses to make such information available to auditors).

  16. See id. § 7122(d) (explaining that audits cannot “rely primarily on assertions or attestations by the business’s management”).

  17. Matt Fleischer-Black, supra note 14.

  18. See Nation’s Largest Rural Lifestyle Retailer to Pay $1.35M Over CCPA Violations, PRIVACY.CA.GOV (Feb. 3, 2026).

  19. Cal. Civ. Code § 1798.140(d)(1) (defining “business” under the CCPA).

  20. CCPA Regs. § 7120(a).

  21. Id. § 7120(a)(2).

  22. Id. § 7120(a)(1).

  23. See id. § 7123(f) (allowing businesses to utilize prior cybersecurity audits for purposes of certification, so long as they meet all requirements).

  24. Id. § 7123(e)(6).

  25. Those 18 components can be found in Article 9 of the CCPA regulations, section 7123(c)(1) through (c)(18).

  26. CCPA Regs. § 7123(d) (“Nothing in this section prohibits a cybersecurity audit from assessing components of a cybersecurity program that are not set forth in subsections (b) or (c).”).

  27. Id. § 7122(a).

  28. Id. § 7122(a)(2).

  29. CCPA Regs. art. 10.

  30. CCPA Regs. § 7150(a). Please note, however, that the definition of “significant risk” for risk assessment purposes is different from the definition for cybersecurity audits. See id. § 7150(b).

  31. See CCPA Regs. § 7157.

  32. Executive Director Kemp has stated that compliance for risk assessments, “actually begins now, January 1, 2026.” The Privacy Advisor Podcast, supra note 7, at 00:21:11-00:21:42.