CPPA Audits Division to Begin Assessing Compliance with CCPA in 2


California companies may have less time than they think to prepare for privacy audits. The California Privacy Protection Agency’s (CPPA) new Audits Division, created in February 2026, is expected to begin assessing companies’ compliance with the California Consumer Privacy Act (CCPA) this year, according to Executive Director Tom Kemp. This is a notable remark because—while the formal deadline to submit cybersecurity audit certifications does not begin until 2028 for some businesses—the CPPA expects companies to already be building and maintaining real audit-ready compliance programs.

So, what will these audits likely look at? The CPPA has not laid out a full roadmap, but recent comments suggest the CPPA may focus on practical problem areas that have already drawn enforcement attention. That includes whether consumers can actually exercise their rights to access, correct, delete, and opt out, whether privacy policies are accurate and complete, and how businesses handle newer risk areas like chatbots, large language models, surveillance pricing, and sensitive data. Auditors may also review a company’s cybersecurity program, internal governance, systems, and vendor relationships. If they find serious gaps, those issues could be referred for enforcement, where penalties have already reached six and seven figures.

The messaging is clear: if your organization does business in California or operates nationally, it’s time to stop treating audit obligations as a future paperwork exercise and start treating them as a present compliance priority. Companies should assess whether the rules apply to them, test whether their cybersecurity program is properly documented and owned by qualified personnel, and align their audit readiness work with California’s separate risk assessment requirements. These audits may be new, but the expectation to be prepared is already here.


