CCPA Compliance: New Requirements in 2026 and Beyond

Published Jul 2, 2026
By Molly Grant and Linda Sample

California has raised the stakes for data privacy, layering new obligations onto the original California Consumer Privacy Act (CCPA) framework. The new CCPA compliance requirements signal a noticeable shift in how organizations protect and document consumer data. Reactive processes are no longer sufficient; organizations need to proactively manage their cybersecurity to mitigate potential exposures or vulnerabilities. Beginning January 1, 2026, three new compliance obligations apply to businesses subject to the CCPA, with deadlines phased in between 2026 and 2030, requiring organizations to consistently demonstrate compliance. As part two of the series, this article dives further into the upcoming changes to help organizations meet new standards and provides a practical timeline for preparing.

Key Takeaways

  • California’s updated CCPA regulations impose three new mandatory obligations: cybersecurity audits, AI governance for automated decision-making technology (ADMT), and formal risk assessments.
  • Organizations whose data processing activities pose significant risk to consumer security must complete annual independent cybersecurity audits covering 18 control categories.
  • Formal privacy risk assessments are required before initiating any new high-risk processing activity and must be documented and updated within 45 days of material changes.

Three New Key 2026 CCPA Regulatory Requirements

Recently, the CCPA introduced significant changes to enhance cybersecurity and better protect consumer data.

What Are the Cybersecurity Audit Requirements?

Article 9 of the CCPA introduces a formal, mandatory cybersecurity audit obligation for organizations whose data processing poses a significant risk to consumer security.

Steps to Prepare for a CCPA Cybersecurity Audit

1) Confirm whether you meet the cybersecurity audit threshold requirements. Note that this is in addition to meeting the general CCPA thresholds. The business:

  • Derives 50% or more annual revenue from selling or sharing consumers’ personal information.
  • Has annual global gross revenue over $26.625M AND processes information of 250,000 or more California consumers or households.
  • Has annual global gross revenue of $26.625M AND processes sensitive personal information of 50,000 or more California consumers.

2) Conduct a readiness assessment before the formal audit begins.

  • Assess your current state to identify gaps and assign remediation accountability.

3) Select a qualified, objective, and independent auditor, either internal or external.

  • Internal auditors are permitted but must report to executive management with no direct responsibility for the cybersecurity function.
  • Auditors should review the actual cybersecurity program and the supporting evidence.

4) Conduct the audit across all 18 control categories:

  • Authentication & multi-factor authentication
  • Encryption at rest and in transit
  • Account management & access controls
  • Inventory & management of personal information systems
  • Secure configuration of hardware & software
  • Vulnerability scans & penetration testing
  • Audit-log management
  • Network monitoring & defense
  • Antivirus & antimalware protections
  • Segmentation of information systems
  • Limitation & control of ports, services, & protocols
  • Cybersecurity awareness
  • Cybersecurity education & training
  • Secure development & coding best practices
  • Oversight of service providers, contractors, and third parties
  • Retention schedules & proper disposal of personal information
  • Incident response management
  • Business continuity & disaster recovery plans

5) Produce a comprehensive audit report that documents the controls assessed, evidence reviewed, gaps identified, and remediation plans. The report is delivered to executive leadership directly responsible for the cybersecurity program.

6) Submit the certification to the California Privacy Protection Agency (CPPA). This is a certification of completion, not the full report. It must be signed by a member of executive management who is responsible for the audit and has knowledge of the cybersecurity program.

7) Retain all audit documentation. Both the organization and auditor must retain all audit-related materials for a minimum of five years.

8) Know your submission deadlines based on annual gross revenue:

  • Over $100M: by April 1, 2028
  • $50M-$100M: by April 1, 2029
  • Under $50M: by April 1, 2030

Best Practices for a CCPA Cybersecurity Audit

  • Conduct a gap assessment of your current cybersecurity program against audited control categories
  • Involve key stakeholders (IT, HR, legal, and business leadership)
  • Identify and engage an independent auditor prior to the audit engagement
  • Remediate gaps before the formal audit begins

What Is Automated Decision-Making Technology (ADMT)?

ADMT is California’s first AI governance framework, which becomes effective January 1, 2027. It’s defined as any technology that processes personal information and uses computation to replace or substantially replace human decision-making when the technology is used for “significant decision-making” that results in the provision or denial of financial services, housing, employment, healthcare, or educational enrollment. The framework requires pre-use notices, opt-out rights, access to information, human oversight, and risk assessments. Human reviewers must have the actual authority to override automated outcomes.

Where to Start with ADMT

  1. Be proactive, even though the compliance deadline is January 1, 2027
  2. Identify all current uses of AI, algorithmic scoring, and automated profiling tools
  3. Determine whether any constitute “significant decisions” about consumers
  4. If so, design pre-use notices, opt-out mechanisms, and access workflows
  5. Create and verify human review processes
  6. Select reviewers that have the knowledge, experience, and authority to override ADMT outputs

What Triggers a Mandatory CCPA Risk Assessment?

Starting January 1, 2026, a formal risk assessment is required before initiating any new processing activity that poses a significant privacy risk, such as ad targeting, processing of sensitive data, or AI/ADMT use. The goal of the risk assessment is to determine whether the privacy risks of a processing activity are justified by its benefits to consumers, the organization, and the public. Assessments must be documented, updated within 45 days of material changes, and retained for a minimum of five years; the initial annual certified report is due to the CPPA by April 1, 2028.

When Is a Risk Assessment Required?

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using automated decision-making technology (ADMT)
  • Using personal information to train ADMT or biometric recognition technologies
  • Using automated processing to systematically observe and draw inferences about consumer personal characteristics, such as abilities, health, behavior, or location, when the consumer is acting in an employment, contracting, business, or education setting.
  • Using automated processing to infer consumer characteristics based on presence at a sensitive location

Best Practices When Conducting a Risk Assessment

  • Inventory all processing activities to identify which ones trigger assessment requirements
  • Build a formal assessment process documenting purpose, data types, retention practices, third-party flows, and safeguards
  • Engage legal counsel early, as executive attestations carry direct personal liability

CCPA 2026 Compliance Timeline

General Updated CCPA Regulation

  • January 1, 2026: Updated regulations became effective (notices, consent, privacy, etc.).

Risk Assessments

  • January 1, 2026: Businesses must begin conducting risk assessments before initiating high-risk processing activities.
  • December 31, 2027: Legacy processing deadline to complete risk assessments for covered processing activities that began before January 2026 and continue after that date.
  • April 1, 2028: First annual summary/attestation due to the CPPA covering applicable 2026 and 2027 activities.

ADMT

  • January 1, 2027: Includes pre-use notices, opt-out rights in covered cases, and access rights regarding automated decision-making.

Cybersecurity Audits

  • January 1, 2026: Audit rule framework becomes effective; submission deadlines are phased in by revenue tier.
  • April 1, 2028: First submission due for businesses with over $100 million in annual gross revenue.
  • April 1, 2029: First submission due for businesses with $50 million to $100 million in annual gross revenue.
  • April 1, 2030: First submission due for businesses with under $50 million in annual gross revenue.

How EisnerAmper Can Help

California's 2026 CCPA updates require proactive documentation, phased implementation, and technical knowledge across cybersecurity, risk advisory, and AI governance. With a focus on strategy, security, compliance, and AI, our cyber risk team combines regulatory knowledge with practical guidance to help your organization meet the new regulatory updates and prepare for what’s next. Contact us below to get started.

Molly Grant

Molly Grant is a Manager in the firm's Risk and Compliance Services (RCS) Group.


Start a conversation with Molly

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.