US CCPA Risk And Cyber Audits

Teams should treat Risk And Cyber Audits under the US CCPA as an operating workflow, not a generic privacy note: identify whether the business must do a risk assessment before selling or sharing personal information, processing sensitive personal information, using ADMT for a significant decision, or using personal information to train ADMT or AI; identify whether the business must do a cybersecurity audit because its processing presents significant risk to consumers' security; then assign legal, privacy, security, compliance, and executive owners who can approve the work and preserve evidence.

For cybersecurity audits, the first report deadlines in the regulations are April 1, 2028 for qualifying businesses with 2026 revenue above $100 million, April 1, 2029 for qualifying businesses with 2027 revenue between $50 million and $100 million, and April 1, 2030 for qualifying businesses with 2028 revenue below $50 million. For risk assessments, the regulations require the assessment before the processing starts, with older processing that continued into the effective period documented by no later than December 31, 2027.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notices, request logs, vendor terms, audit workpapers, approval trail, and submission records together so the team can show who made the decision, what triggered it, and when the report or certification was due.

For cybersecurity audits, the business and auditor must retain documents relevant to each audit for at least five years after completion, and the audit report must identify the systems assessed, the evidence reviewed, the gaps found, and the plan to address them. For risk assessments, the business must retain the assessment for as long as the processing continues or for five years after completion, whichever is later.

The common failure pattern is treating CCPA as one static notice instead of checking each trigger condition, deadline, and evidence requirement against current source material. Teams also create risk when they miss the specific owner for the audit or assessment, fail to preserve the required records, or assume a completed assessment can never need updating after a material change.

For cybersecurity audits, the audit has to be independent and objective, and the business must make relevant information available to the auditor. For risk assessments, the business must review and update them at least once every three years and within 45 calendar days after a material change that affects the processing or reduces the effectiveness of safeguards.