Executive Summary
- What’s new: The CPPA’s regulations impose two new certification obligations on qualifying businesses — mandatory risk assessments and annual cybersecurity audits — each with distinct submission requirements.
- Why it matters: The risk assessment submission requires companies to describe their processing activities and categories of personal information, providing regulators with a structured inventory of sensitive data processing. Poorly framed characterizations may invite regulatory scrutiny, surface inconsistencies with public privacy disclosures or create exposure in litigation. Recent enforcement, including a settlement exceeding $12 million, signals that CCPA penalties now warrant board-level attention.
- What to do next: The 2028 submission deadline is not as distant as it appears. The requirement covers activities conducted in 2026 and 2027, and companies that wait risk having no time to remediate before they must disclose. Starting now gives companies time to identify and remediate issues before making regulator-facing submissions.
__________
Regulations from the California Privacy Protection Agency (CPPA) create two separate compliance workstreams: risk assessments and annual cybersecurity audits. Although the deadlines and submissions differ, both require planning now because the covered activity periods begin well before the first filings are due.
These submissions are not merely administrative. The risk assessment submission requires a company to describe its qualifying processing activities and the categories of personal information involved. Characterizations that are too granular, loosely worded or inconsistent with public-facing privacy disclosures may invite regulatory scrutiny or create litigation risk by supporting claims based on inconsistencies in the company’s public disclosures. The risk assessment report itself is subject to regulatory request. By contrast, the cybersecurity audit submissions consist of an attestation and certifying officer contact details. The underlying audit report is not submitted to the CPPA and, under the regulations, can be obtained only through compulsory process.
What’s Required: Two New Certification Obligations
1. Risk Assessments
Under Section 7150 of the regulations, a business must conduct a risk assessment before it engages in any of the following processing activities:
- Selling or sharing personal information;
- Processing sensitive personal information;
- Processing personal information for targeted advertising;
- Processing personal information to engage in profiling that presents certain enumerated risks (e.g., financial, physical, reputational or psychological harm);
- Processing the personal information of consumers known to be under 16; or
- Processing personal information to train automated decision-making technology (ADMT).
In practice, most companies of scale will trigger risk assessment requirements across multiple processing activities. Key submission requirements include:
- Certified summaries must be submitted directly to the CPPA, signed by a senior officer under penalty of perjury.
- Although the first submission deadline is 2028, the requirement covers assessments conducted in 2026 and 2027 — meaning the underlying work needs to start now.
- A single assessment can cover a comparable set of similar processing activities and be updated as they evolve, reducing the compliance burden over time.
- The risk assessment report is subject to regulatory request.
The certified summary requires a company to describe its “processing activities” and “categories of personal information” involved in each assessed activity. These descriptions appear deceptively simple. A description that is too granular, loosely worded or inconsistent with public-facing privacy disclosures can invite scrutiny or create ammunition for plaintiffs’ counsel. Careful thought must go into how each activity is characterized.
2. Cybersecurity Audits
Under § 7120 of the regulations, a business must complete an annual cybersecurity audit if its processing of consumers’ personal information “presents significant risk to consumers’ security.” The regulations specify that this threshold is met where a business:
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information; or
- Has annual gross revenue exceeding $25 million and processed the personal information of 250,000 or more consumers or households in the preceding calendar year.
While many companies already conduct cybersecurity audits as a matter of sound governance practice, the CPPA’s regulations impose prescriptive requirements as to scope, methodology and reporting that existing processes may not fully satisfy. Key points include:
- The audit must be conducted by a qualified, independent auditor meeting the regulations’ specific requirements.
- Unlike the risk assessment, only an attestation (and certifying officer contact details) must be submitted to the CPPA. The underlying audit report is not required to be turned over.
- The audit report must be retained, but unlike the risk assessment report, it cannot be requested by the CPPA under the regulations — it can only be obtained through a compulsory process.
- Identifying the appropriate senior officer to make the certification is itself a meaningful undertaking that requires advance planning and legal coordination.
- Companies with existing audit processes should assess whether those processes meet the regulations’ prescriptive requirements — and may be able to leverage existing work rather than start from scratch.
Unlike the risk assessment, the cybersecurity audit submission deadlines are phased based on the business’s gross revenue.¹ For the largest businesses, the first audit covers January 1, 2027, through January 1, 2028, meaning the substantive audit work must be underway now.
Enforcement Is Escalating and Exposure Is Not Limited to California
Recent enforcement shows that CCPA issues can create exposure across civil penalties, private litigation, multistate regulatory actions and mandated privacy program obligations. In May 2026, the California attorney general, in cooperation with the CPPA and several district attorneys, announced a settlement exceeding $12 million against a major U.S. company — the largest CCPA penalty ever and nearly five times the prior record — arising from the sale of consumers’ precise location and behavioral data in violation of CCPA’s data minimization and purpose limitation requirements, as well as the company’s own privacy notices.
The regulatory settlement was only part of the exposure. The same conduct triggered:
- A parallel class action — dozens of lawsuits consolidated into a single complaint in federal court — with key claims under the Federal Wiretap Act, the Stored Communications Act, the Fair Credit Reporting Act, invasion of privacy and unjust enrichment.
- Enforcement actions by regulators in multiple other states, in addition to a Federal Trade Commission (FTC) order.
- A requirement that the company build a formal privacy compliance program and submit regular assessments to regulators.
State regulators are operating as a coordinated consortium: California, Connecticut, New York and others are sharing investigative intelligence and running multistate sweeps. A compliance gap that triggers scrutiny in one jurisdiction increasingly produces parallel action in others.
How Outside Counsel Can Help
A three-phase approach is recommended: (1) scoping and privilege structure, (2) vendor coordination and gap remediation before finalization, and (3) careful drafting of regulator-facing submissions.
For the cybersecurity audit, early engagement of counsel allows coordination with technical vendors whose capacity is limited, ensuring the work proceeds under appropriate legal structure from the outset.
1. Privileged engagement. Outside counsel can structure the engagement to support applicable attorney-client privilege and work-product protections, recognizing that the availability of those protections will depend on the facts and governing law. For cybersecurity audits, early engagement also helps coordinate technical vendors, whose capacity may be limited, under an appropriate legal structure from the outset. This approach is designed to protect candid internal analysis — including gap identification — from becoming a roadmap for plaintiffs or regulators in subsequent proceedings, to the extent those protections apply.
- For the risk assessment, counsel conducts the substantive legal analysis directly under privilege.
- For the cybersecurity audit, counsel engages and manages the technical vendor under a structure designed to preserve applicable privilege and work-product protections. Where a company has an existing audit process, counsel assesses whether it meets the regulations’ requirements and structures the engagement to build on that work.
2. Gap remediation and report drafting. Once the assessment or audit is complete, counsel works with the company to identify and fix gaps before anything is submitted or retained as a final document.
- For the cybersecurity audit, counsel works directly with the vendor to revise the audit report to reflect remediated issues — so the final report accurately reflects the program as implemented, not as it existed before remediation.
- For the risk assessment, counsel drafts and revises the assessment document to the same standard.
- Both reports should withstand scrutiny — the risk assessment report is subject to regulatory request, while the cybersecurity audit report must be retained and can only be obtained through compulsory process.
3. Submission preparation. The certified submission is a separate document from the underlying report, and it requires its own care. For the risk assessment, counsel structures the submission to accurately present the company’s program without volunteering detail that invites unnecessary scrutiny. For the cybersecurity audit, counsel coordinates the attestation and ensures the certifying officer is appropriately identified and prepared.
Why Starting Now Creates Long-Term Efficiency
One underappreciated feature of the risk assessment regulations is that a single assessment can cover a comparable set of similar processing activities and be updated as those activities evolve. Companies that build a well-structured framework now:
- Do not need to start from scratch each time a processing activity is added or changes.
- Can treat the assessment as a living document that grows with the business, rather than a recurring compliance burden.
- Have meaningful runway to identify and remediate gaps before any submission is required — a critical advantage that disappears the closer companies get to the 2028 deadline.
Companies that begin early retain the ability to fix what they find before anything is submitted. Companies that wait may have no time to remediate before they must disclose. Proactive remediation is the single most significant factor in limiting enforcement exposure.
_______________
1 The submission deadlines for the cybersecurity audits are as follows:
- April 1, 2028, for businesses with more than $100 million in 2026 gross revenue.
- April 1, 2029, for businesses with $50 million to $100 million in 2027 gross revenue.
- April 1, 2030, for businesses with less than $50 million in 2028 gross revenue.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.