RatedWithAI

RatedWithAI

Accessibility scanner

AI PrivacyJuly 4, 2026

CCPA Cybersecurity Audit Requirements for AI Businesses 2026

Most CCPA-and-AI coverage focuses on the ADMT rules — notice, opt-out, access. But the CPPA finalized a separate regulation entirely: an annual cybersecurity audit requirement for businesses whose processing presents significant risk to consumer security. It has its own scope, its own auditor requirements, and its own phase-in schedule.

Annual
Cybersecurity audits required on a recurring yearly cadence once covered
Independent
Auditor must be qualified and objective, not self-certified internally
Phased
Compliance dates are staggered by annual gross revenue tier

Three Separate CPPA Regulations, Not One

When people say "California's new AI privacy rules," they're usually collapsing three distinct regulatory packages the CPPA adopted together into one thing. They're not the same requirement:

  • ADMT rules — pre-use notice, opt-out, and access rights for automated decision-making technology used in significant decisions.
  • Risk assessment rules — a documented, pre-processing risk analysis for activities that present significant risk to consumers.
  • Cybersecurity audit rules — an independent, recurring audit of the technical and organizational safeguards protecting personal information, for businesses whose processing presents significant risk to security specifically.

A business can be squarely in scope for the cybersecurity audit requirement without triggering ADMT obligations at all — the audit is about how well you protect the data, not about whether an algorithm made a decision about someone.

Who's Covered

Coverage turns on whether a business's processing of personal information presents significant risk to consumers' security — a test shaped by factors like the volume and sensitivity of data processed, and processing activities such as large-scale profiling or handling sensitive personal information. AI systems that ingest large training or inference datasets, run continuous behavioral profiling, or process biometric or health-adjacent data are precisely the kind of high-volume, high-sensitivity processing this threshold targets.

What the Audit Actually Has to Cover

  • Access controls and authentication, including for any AI training and inference pipelines
  • Encryption of personal information at rest and in transit
  • Vulnerability and patch management across systems that process personal information
  • Incident response planning and breach notification procedures
  • Vendor and service-provider security oversight, relevant for third-party model providers and data processors
  • Employee training and internal access-limitation controls

Phase-In: Don't Assume a Single Deadline

The CPPA staggered compliance dates by annual gross revenue, with the largest covered businesses on the hook first and smaller covered businesses given a longer runway before their first audit is due. Because the phase-in is revenue-tiered rather than uniform, businesses should confirm their specific compliance date against the regulation's revenue thresholds rather than assuming they have the same amount of time as a much larger competitor.

Compliance Checklist

Treat this as a distinct workstream from ADMT and risk-assessment compliance, not a subset of it.

Determine whether your processing meets the significant-risk-to-security thresholdStart here
Confirm your compliance deadline against your specific annual gross revenue tierEssential
Select a qualified, objective auditor independent of the function being auditedEssential
Map AI training, inference, and data pipelines into the audit scope, not just customer-facing systemsEssential
Review vendor and model-provider contracts for the security documentation the audit will requireEssential
Coordinate with your ADMT and risk-assessment workstreams so evidence isn't duplicated or missedOngoing

Security audits catch systems risk — not user-facing access barriers

A clean cybersecurity audit doesn't mean your site is usable by everyone. RatedWithAI scans your site for the accessibility issues that turn into complaints and lawsuits.

Scan Your Site for Free →

Frequently Asked Questions

Is the cybersecurity audit the same thing as the CCPA risk assessment?

No. They're separate regulations with separate triggers. The risk assessment documents the risks of a specific processing activity before you start it; the cybersecurity audit independently evaluates the safeguards protecting personal information on a recurring basis, regardless of which specific processing activities you've assessed.

Can we use our existing SOC 2 report to satisfy the CCPA audit?

Not directly. SOC 2 scope and criteria are negotiated between the business and its auditor for a specific customer-facing purpose, while the CPPA audit has a regulator-defined scope tied to CCPA's own risk categories. Some evidence may overlap, but the CCPA audit needs its own scoping and certification.

Does a small AI startup need to worry about this yet?

Only if the startup's processing independently meets the significant-risk-to-security threshold, which is more about data volume and sensitivity than company size. A startup processing large volumes of sensitive data through AI models can be in scope well before it reaches large-company revenue.

Who enforces the cybersecurity audit requirement?

The California Privacy Protection Agency (CPPA) oversees and enforces this regulation, separately from the California Attorney General's broader CCPA enforcement authority.

Related Guides