CCPA Privacy & Cybersecurity Assessment
Frequently Asked Questions
Answers for privacy officers, GCs, and CISOs about Law & Forensics' CCPA / CPRA privacy and cybersecurity assessment practice — including the CPPA's annual cybersecurity audit and risk assessment regulations. Contact us for a confidential consultation.
What CCPA/CPRA requires for cybersecurity, who is subject to the CPPA's new annual cybersecurity audit rule, and how to align CCPA obligations with HIPAA, GLBA, and state privacy laws.
What does CCPA / CPRA require for cybersecurity?
Cal. Civ. Code § 1798.100(e) requires businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information.
The CPRA amendments added explicit obligations for risk assessments and cybersecurity audits for businesses processing personal information that presents significant risk. Failure to maintain reasonable security is also the centerpiece of the CCPA's private right of action under § 1798.150 for breaches involving certain categories of personal information.
Who must conduct a CPPA-style annual cybersecurity audit?
Under the California Privacy Protection Agency's regulations, businesses whose processing presents "significant risk" — based on revenue thresholds and processing volume — must conduct annual cybersecurity audits and risk assessments.
The audit must be thorough and independent and must result in a written report covering 18 specified components — encryption, MFA, access controls, vulnerability management, incident response, and more. The audit can be performed by a qualified internal team functionally independent from security operations or by a qualified third party. We perform the third-party version.
What does Law & Forensics' CCPA assessment cover?
The full CCPA/CPRA security baseline plus the CPPA's specific cybersecurity-audit and risk-assessment components.
We map controls to NIST CSF 2.0 and CIS Controls v8, evaluate vendor and service-provider obligations under § 1798.140, review consumer-rights workflows for security implications (right to delete, right to know), and assess breach-readiness under California's notification statute (§ 1798.82). For multi-state clients we also map findings to other state privacy laws (Virginia, Colorado, Connecticut, Utah, Texas).
How do CCPA cybersecurity requirements affect private litigation exposure?
The CCPA private right of action allows California consumers to sue for $100–$750 per consumer per incident — without proof of actual damages — for breaches involving certain personal information caused by failure to maintain reasonable security.
This is the primary class-action driver for California breaches. A documented assessment that supports a "reasonable security" defense materially reduces litigation and settlement exposure. Where engaged under counsel, our assessment is structured as privileged work product.
What are CPRA "risk assessments," and how are they different from a security assessment?
CPRA risk assessments are privacy-impact-assessment-style documents required for processing that presents significant risk to consumers — particularly profiling, sensitive personal information, automated decision-making, and certain advertising activities.
They sit alongside the cybersecurity audit but address different questions — disproportionate impact, necessity, safeguards, and consumer rights. We typically perform both in parallel for clients subject to both requirements, sharing controls and evidence across the two work products.
How do you align CCPA obligations with HIPAA, GLBA, and other state privacy laws?
Through a unified privacy and cybersecurity control matrix that maps each obligation to a single set of controls and policies.
Most CCPA-covered businesses also face Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and Utah UCPA — each with overlapping but distinct requirements. For dual-regulated businesses (e.g., a healthcare SaaS subject to HIPAA and CCPA), we map HIPAA controls forward into CCPA, eliminating duplication.
