Privacy Podcast Episode One: A Practical Guide to the New CCPA Regulations

Key Takeaways

• New CCPA regulations effective January 1, 2026, introduce significant new obligations for businesses, including cybersecurity audits, risk assessments, and automated decision‑making technology (ADMT) requirements.
• Cybersecurity audits apply only to organizations whose processing presents a “significant risk” to consumers and roll out on a phased schedule through 2030.
• The regulations require detailed, evidence‑based audits — meaning businesses must prepare policies, logs, configurations, and documentation, not just attestations.
• New risk assessments are required for certain processing of sensitive personal information, ADMT, biometric data, and data sharing or selling activities.
• California’s new framework raises the compliance bar and will require companies to invest early, document thoroughly, and engage experienced auditors to avoid bottlenecks.
• Organizations should begin preparation now by reviewing data processing activities, identifying ADMT use, and assessing whether they will meet the newly defined thresholds.

Introduction

The California Consumer Privacy Act (CCPA) has evolved considerably since its original passage, and the latest wave of regulations — approved by the Office of Administrative Law on September 23, 2025, and effective January 1, 2026 — introduces some of the most sweeping changes to date. These updates reflect several years of engagement between the California Privacy Protection Agency (now rebranded as Cal Privacy) and a broad group of industry stakeholders.

In a recent Foley & Lardner LLP podcast, Steve Millendorf and Gabe Wild, both attorneys in the Technology Transactions, Cybersecurity, and Privacy Practice Group, walked through the regulations and their implications for businesses. Their discussion made one truth clear: these rules represent a significant operational uplift for many organizations, especially those processing large amounts of personal information or using automated decision‑making technologies.

Why the New CCPA Regulations Matter

California has long been at the forefront of privacy regulation in the United States. The latest expansion of the CCPA reflects the state’s continued commitment to consumer protection — particularly in an environment of increasing cybersecurity incidents, sophisticated data use practices, and rapid advancements in artificial intelligence.

The new rules focus on three major areas:

1. Cybersecurity audits
2. Privacy risk assessments
3. Automated decision‑making technology requirements

They also include clarifications to existing regulations and updated thresholds that determine which businesses fall within scope. While not every organization will be immediately impacted, the timelines are structured such that businesses must begin preparing now.

The New Cybersecurity Audit Requirements

Who Must Conduct Cybersecurity Audits?

Cybersecurity audits under the new Article 9 regulations apply only to businesses whose processing of personal information creates a “significant risk” to consumers’ security. The definition of significant risk varies across regulatory contexts, but for audits, businesses are included if they:

• Derive 50% or more of annual revenue from selling or sharing consumer personal information
  OR
• Meet the CCPA’s revenue threshold (currently $26.625 million) and process:
  • Personal information of 250,000 or more California consumers or households annually
  • OR sensitive personal information of 50,000 or more consumers annually

As Millendorf and Wild emphasized, these thresholds are intentionally high. Many businesses subject to the CCPA will never meet them. But for organizations that do, the requirements are extensive.

The Phased Timeline: What Businesses Need to Know

The timing for compliance is one of the most complex aspects of the regulations.

If annual revenue exceeds $100 million in 2026:

• Audit must cover calendar year 2027
• Certification due April 1, 2028

If annual revenue is between $50 million and $100 million in 2027:

• Audit must cover calendar year 2028
• Certification due April 1, 2029

If annual revenue is under $50 million in 2028:

• Audit must cover calendar year 2029
• Certification due April 1, 2030

After the initial cycle, audits recur annually, with each covering the prior calendar year.

Because audits must reflect a full year of activity, companies effectively have three months to complete and submit them — a timeline both attorneys described as exceedingly tight.

What Must the Cybersecurity Audit Include?

The required audit elements go far beyond checking whether a business has basic cybersecurity policies. Instead, the regulations reflect a comprehensive, highly technical, evidence‑based review.

Key categories include:

• Authentication protocols (including multi‑factor authentication)
• Encryption at rest and in transit
• Access controls and privilege management
• Secure configuration settings
• Internal and external vulnerability scanning
• Penetration testing
• Audit log management
• Network monitoring (including EDR and NDR tools)
• Secure coding practices
• Data retention and minimization policies
• Incident response plans

This approach reinforces a guiding principle: there is no privacy without security. Companies will need broad visibility across systems storing personal information — not just those used for narrowly defined privacy functions.

Internal vs. External Auditors 

Businesses may use internal auditors, but they must be:

• Qualified
• Objective
• Independent
• Not involved in day‑to‑day cybersecurity operations

As the podcast discussion noted, this requirement is difficult for many organizations. Internal cybersecurity staff typically manage the very systems being audited, creating unavoidable conflicts.

This means most businesses will rely on external cybersecurity auditors, who — due to the tight time window — are likely to be in exceptionally high demand. Companies should expect:

• Higher audit fees
• Scheduling bottlenecks
• Longer lead times
• Possible competition for qualified assessors

Millendorf and Wild compared the anticipated rush to tax season — except now organizations must complete both financial and cybersecurity audits at once.

Documentation Matters: Evidence, Not Promises

One of the most important takeaways from the conversation: auditors cannot rely on employee statements. They must verify compliance through evidence, meaning:

• Written policies
• Security logs
• System configurations
• Records of training
• Change management documentation
• Reports from scanning tools
• Incident response data

For companies with strong but undocumented cybersecurity practices, this may be the most significant lift. Without documentation, auditors cannot certify compliance.

Conclusion

The newly adopted CCPA regulations represent one of the most consequential expansions of privacy governance in the United States. For many companies, compliance will require substantial operational changes — especially for those using automated technologies or processing data at scale.

But preparation is achievable with early planning, disciplined documentation, and the right partners. By understanding the requirements now and taking proactive steps, businesses can reduce risk, streamline compliance, and prepare confidently for the new regulatory environment.

Interested in staying ahead of the latest privacy developments?

Listen to Foley’s Cybersecurity & Data Privacy Group podcast series, where our attorneys break down evolving regulations, emerging risks, and what they mean for your business.

Click to listen to the full podcast episode.

Click here to listen to Part Two of today’s episode OUT NOW!