If your ecommerce business processes significant volumes of consumer data in California, a new regulation now on the books may soon require you to conduct — and formally certify — an annual cybersecurity audit. The requirement, finalized under the California Consumer Privacy Act (CCPA) and approved by the California Office of Administrative Law in September 2025, took effect on January 1, 2026, and represents one of the most prescriptive cybersecurity accountability measures any U.S. state has imposed to date.
We discuss what ecommerce leaders need to understand about the regulation, how it fits alongside existing cybersecurity practices, and what the compliance timeline looks like. Importantly, we explain why some ecommerce companies may need to take action today in order to position the company to comply with these new regulations, even though the first reporting deadline is not until April 2028.
Why This Regulation Exists
California has long been a frontrunner in consumer privacy law. The CCPA, as amended by the California Privacy Rights Act (CPRA), gave the California Privacy Protection Agency (CPPA) broad authority to develop regulations that protect consumers’ personal information. This cybersecurity audit requirement is the latest exercise of that authority.
The regulation’s purpose is straightforward: to ensure that businesses handling large quantities of personal information are not merely claiming to have adequate security — they are proving it through independent, structured audits. The CPPA has been clear that the intent is to move beyond self-assessment and toward verified, documented cybersecurity governance.
For ecommerce companies, which routinely collect payment data, browsing histories, purchase records, and other sensitive consumer information at scale, this regulation has particular relevance. The volume and sensitivity of data that flows through online storefronts places many ecommerce businesses squarely within the regulation’s scope.
Who Must Comply
Not every CCPA-covered business is subject to the cybersecurity audit requirement. The regulation applies only to businesses whose data processing presents a “significant risk” to consumer security. That threshold is met when a business either:
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information, or
- Has annual gross revenue exceeding approximately $26 million (adjusted for inflation) and, in the calendar year, processed the personal information of 250,000 or more consumers or households, or the sensitive personal information of 50,000 or more consumers or households.
For mid-size and large ecommerce companies operating in California, these thresholds are not difficult to reach. A retailer with a healthy customer database and annual revenue above $26 million could easily process personal information at the volumes described above.
What the Regulation Requires
At its core, the regulation requires covered businesses to conduct a comprehensive annual cybersecurity audit performed by an objective, independent professional auditor. The audit must evaluate whether the business maintains a cybersecurity program that is appropriate for the size and complexity of its operations and the nature of the data it processes.
The CPPA has defined 18 components that may fall within the scope of the audit:
- Authentication (including multifactor authentication)
- Encryption of personal information, both at rest and in transit
- Account management and access controls
- Inventory and management of personal information and information systems
- Secure configuration of hardware and software
- Vulnerability scanning, penetration testing, and vulnerability disclosure programs
- Audit-log management, including centralized storage, retention, and monitoring
- Network monitoring and defenses
- Antivirus and anti-malware protections
- Network segmentation
- Port and protocol control
- Threat awareness and intelligence
- Security education and training
- Secure software development practices
- Third-party oversight and vendor management
- Data retention and disposal
- Incident response
- Business continuity and disaster recovery
Not all 18 components will necessarily apply to every business. The auditor is responsible for determining which components are relevant based on the business’s size, complexity, and data processing activities, using a risk-based approach that accounts for the state of the art and the cost of implementation.
Once the audit is complete, the business must submit a written certification to the CPPA — signed under penalty of perjury by a member of executive management — attesting that the audit was conducted. While the full audit report does not need to be submitted proactively, all audit-related reports and documentation must be retained for five years. The CPPA or the California Attorney General can demand production of the full audit report at any time, with a 30-day deadline to produce it.
How This Differs from Existing Cybersecurity Audits
Many ecommerce businesses already invest in cybersecurity assessments. SOC 2 reports, NIST Cybersecurity Framework evaluations, PCI DSS compliance for payment card data, and ISO 27001 certifications are common across the industry. A natural question is whether these existing efforts satisfy the new CCPA requirement.
The short answer: they may help, but they likely won’t be sufficient on their own.
There are several important distinctions. First, the CCPA audit must cover the calendar year from January through December, which may not align with the timing of existing audit cycles tied to fiscal years or shorter assessment windows. Second, while frameworks like SOC 2 and NIST CSF 2.0 can serve as strong foundations and may overlap meaningfully with the 18 CCPA components, additional scope, controls, and reporting elements are typically needed to meet all of the CCPA’s expectations. Finally, the CCPA audit carries a unique accountability mechanism: executive certification under penalty of perjury. That personal attestation by a named executive elevates the stakes in a way that most voluntary or market-driven audit frameworks do not.
Penalties for Non-Compliance
The enforcement structure under the CCPA gives the regulation real teeth. The CPPA and the California Attorney General both have authority to investigate and penalize non-compliant businesses. Current penalty amounts, adjusted for inflation, are up to $2,663 per violation, or up to $7,988 per intentional violation or violations involving children’s data.
Critically, each affected consumer and each day of non-compliance can be treated as a separate violation. For ecommerce businesses processing data for hundreds of thousands of consumers, the math can escalate quickly. A business that fails to conduct and certify its audit could face penalties that compound rapidly across its entire affected consumer base.
Beyond financial penalties, the reputational risk of an enforcement action — particularly one involving a public finding that a company failed to conduct basic cybersecurity audits — could be damaging in a competitive ecommerce market where consumer trust is a key differentiator.
The Private Litigation Risk: Breach Lawsuits and the “Reasonable Security” Question
Regulatory penalties are only part of the picture. Under Section 1798.150 of the California Civil Code, the CCPA grants consumers a private right of action when their nonencrypted and nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of a business’s failure to implement and maintain “reasonable security procedures and practices.” In practical terms, this means that if a covered ecommerce business suffers a data breach, affected consumers can sue — individually or as a class — without waiting for regulators to act.
The statutory damages available under this provision range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. For an ecommerce company with hundreds of thousands of California customers, a single breach event could generate class action exposure in the tens or hundreds of millions of dollars. Courts consider factors including the nature and seriousness of the misconduct, the number of violations, the persistence and duration of the misconduct, and the defendant’s financial condition when setting statutory damage amounts within that range.
What makes the new cybersecurity audit requirement particularly consequential in this context is that it may effectively define what “reasonable security” looks like. California’s Attorney General has previously pointed to the Center for Internet Security’s Critical Security Controls as a baseline for reasonable security, and the 18 audit components in the new regulation map closely to recognized cybersecurity frameworks. A business that has conducted its CCPA cybersecurity audit, addressed identified gaps, and documented its remediation efforts will be in a much stronger position to defend against a private lawsuit claiming inadequate security. Conversely, a business that failed to conduct the audit — or conducted one that revealed significant weaknesses it never addressed — could find that its own audit documentation becomes a plaintiff’s most powerful exhibit.
It is also worth noting that the litigation landscape under Section 1798.150 continues to expand. Recent district court rulings have allowed proposed class actions to proceed even in scenarios beyond traditional data breaches, such as where businesses permitted third parties to collect consumer data through cookies and tracking technologies without adequate safeguards. For ecommerce businesses that rely heavily on third-party analytics, advertising pixels, and similar integrations, this broadening trend increases exposure.
The bottom line for ecommerce leaders: the cybersecurity audit is not just a regulatory compliance exercise. It is also a litigation risk management tool. Completing the audit thoroughly, remediating identified weaknesses, and retaining documentation for the required five years creates a defensible record that can be critical if a breach — and the inevitable lawsuit — occurs.
Timeline at a Glance
The compliance timeline is staggered by company revenue, giving businesses a phased runway to prepare:
| Revenue Tier | Audit Period | Certification Due |
|---|---|---|
| Over $100M (2026 revenue) | Jan 1, 2027 – Jan 1, 2028 | April 1, 2028 |
| $50M – $100M (2027 revenue) | Jan 1, 2028 – Jan 1, 2029 | April 1, 2029 |
| Under $50M (2028 revenue) | Jan 1, 2029 – Jan 1, 2030 | April 1, 2030 |
While the first certification deadlines may feel distant, the audit periods begin well before those dates. Businesses in the highest revenue tier, for example, must begin their first auditable period on January 1, 2027 — less than nine months from now. That means the cybersecurity programs, policies, and documentation that will be evaluated need to already be in place before that date.
What Ecommerce Businesses Should Do Now
Even if your first certification deadline is years away, the time to begin preparing is now. Start by evaluating whether your business meets the applicability thresholds. If it does, assess your current cybersecurity posture against the 18 components outlined in the regulation. Identify gaps between your existing audit practices (SOC 2, PCI DSS, NIST, etc.) and the CCPA’s specific requirements, particularly around calendar-year coverage, reporting transparency, and executive certification.
Engage with qualified auditors early. The pool of professionals experienced in conducting audits that meet the CCPA’s particular requirements is still developing, and early engagement will help ensure you’re not scrambling as deadlines approach.
Finally, recognize that this regulation signals a broader trend. California often sets the pace for other states, and similar cybersecurity audit mandates may follow elsewhere. Building a robust, auditable cybersecurity program today isn’t just about CCPA compliance — it’s a strategic investment in the long-term resilience and trustworthiness of your business.
Ecommerce Innovation Alliance provides members with analysis of litigation and regulatory developments affecting online commerce and digital marketing. This post is for informational purposes only and does not constitute legal advice.