Intellectual Property Law
New CCPA Requirements for 2026
By John Pavolotsky
The new California Consumer Privacy Act Regulations (“CCPA Regulations”) went into effect on January 1, 2026. Pursuant to the CCPA Regulations, cybersecurity audits must be performed by a business that either (a) derives at least 50 percent of its annual revenues from selling or sharing consumers’ personal information (in effect, a data broker) or (b) (i) satisfies the annual revenue threshold (currently, $26.25 million) and (ii) processed the personal information of at least 250,000 consumers or households or processed the sensitive personal information of at least 50,000 consumers, in each case in the preceding calendar year. The audit must be performed by an audit professional using audit industry-accepted procedures and standards, such as ISO. If a business does not have a suitable auditor yet, it should consider engaging one as soon as possible.
