Aeris & California Privacy Compliance
The CCPA is no longer just a privacy notice and consumer-request exercise. The CPRA amendments, and the regulations the California Privacy Protection Agency adopted under them, add cybersecurity audit and risk assessment obligations that will require many businesses to document how they protect California consumers’ personal information.
Aeris Secure helps organizations determine whether the new requirements apply, prepare for the audit, close gaps, and document compliance before the first deadlines arrive. Our California Privacy Compliance Assessment can be performed as a standalone engagement, but for many organizations the strongest approach is to include the work as part of a SOC 2+ report.
The Deadline Is Closer Than It Looks
California’s updated CCPA regulations take effect on January 1, 2026, with phased deadlines for the new cybersecurity audit requirement. Businesses that meet the applicability criteria should not wait until the report is due: each audit covers a preceding operating period, so the controls, evidence, and documentation must already be in place and producing evidence during that period, well before the year the report is due.
April 1, 2028
First audit report deadline for businesses with more than $100 million in annual gross revenue, based on the 2026 revenue measurement period.
April 1, 2029
First audit report deadline for businesses with $50 million to $100 million in annual gross revenue, based on the 2027 revenue measurement period.
April 1, 2030
First audit report deadline for remaining in-scope businesses, including covered businesses above the CCPA audit threshold but below $50 million, followed by an annual April 1 reporting cadence.
What the Assessment Covers
The CCPA cybersecurity audit assesses whether the business has established, implemented, and maintained an appropriate cybersecurity program for protecting personal information. The auditor determines the audit materials and applicable procedures, but the regulation names a clear set of program components that organizations should be ready to support with evidence.
- Applicability, scope, and audit-period readiness
- Cybersecurity program documentation, policies, and procedures
- Authentication, multi-factor authentication, and access controls
- Encryption, secure configuration, vulnerability management, and penetration testing
- Audit logging, monitoring, malware protections, segmentation, and network defenses
- Inventory and management of personal information and supporting systems
- Secure development practices and change management
- Service provider, contractor, and third-party oversight
- Retention, disposal, incident response, and business continuity
- Gap documentation, remediation planning, responsible owners, and audit report support
Why We Recommend SOC 2+
A standalone California Privacy Compliance Assessment can help satisfy a focused need, especially for organizations that are not pursuing broader assurance reporting. When a business already needs SOC 2, or expects customers, partners, or regulators to scrutinize the results, we strongly recommend completing the CCPA cybersecurity audit work as a SOC 2+ add-on.
SOC 2+ maps the CCPA/CPRA cybersecurity audit criteria into a recognized attestation reporting framework. This generally carries more weight than a standalone assessment because it gives the work more structure, produces an independent assurance package, and shows stakeholders not only that the assessment was performed but how each control was evaluated. Management-provided report sections that sit outside the auditor’s opinion can add helpful context, but they are not a substitute for having the additional criteria tested within the SOC 2+ engagement.
Readiness Consulting and Year-Round Compliance Support
Many organizations will need practical help before they are ready for a CCPA cybersecurity audit. Aeris can assist with applicability analysis, scoping, control drafting, policy and procedure development, readiness reviews, evidence preparation, and remediation planning.
For organizations starting with incomplete documentation, we can help translate the regulation into practical controls, policies, procedures, and evidence expectations that fit the business and can be tested during the assessment.
We also use a compliance management platform to keep the audit organized. Requirements are mapped to controls, evidence is tracked against the right obligations, open tasks are assigned and monitored, and remediation work stays visible from readiness through reporting.
The same approach supports year-round compliance. Instead of rebuilding the audit file once a year, organizations can maintain mapped requirements, reusable controls, evidence, and remediation status as laws, vendors, systems, and business processes change.
Prepare Before the Audit Period Starts
The first CCPA cybersecurity audit deadlines may look far away, but the audit periods begin earlier. Organizations that wait until the report is due may discover that policies, controls, evidence, and remediation history were not maintained in a way that supports a defensible audit. Aeris helps you get ahead of the requirement and build a compliance record that can stand up to review.
California Privacy Compliance Assessment Options
Choose the level of support that matches your audit deadline, current readiness, and reporting needs.
Readiness
- Applicability Review
- Scope & Deadline Planning
- Control Gap Assessment
- Policy & Procedure Review
- Remediation Roadmap
Standalone Assessment
- CCPA Audit Framework
- Evidence Request List
- Control & Evidence Review
- Findings Documentation
- Remediation Support
- Assessment Report Support
SOC 2+ Add-On
- CCPA Criteria Mapping
- SOC 2+ Reporting Strategy
- Audit Evidence Alignment
- Independent Assurance Support
- Management Context Support
- Ongoing Compliance Tracking
Need to know if this applies to you?
The new CCPA audit requirement has phased deadlines, but readiness needs to start before the audit period begins. We can help you determine scope, prepare evidence, and choose the right reporting path.
Get Started