For most of its existence, the California Consumer Privacy Act has been enforced reactively. A consumer complaint, a journalist’s test of an opt-out link, or a sweep announcement triggered an investigation, and the matter played out as a negotiation with lawyers on both sides. That model is changing. In 2026, the California Privacy Protection Agency — which now brands itself CalPrivacy — expects to begin conducting proactive compliance audits through a newly created Audits Division. Some of those audits will be unannounced.
This is a structural shift, not a rhetorical one. The agency has hired a Chief Privacy Auditor, stood up a dedicated unit, and finalized the regulations that give auditors something concrete to test against. The amended CCPA regulations covering automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits took effect January 1, 2026. CalPrivacy’s leadership has stated publicly that businesses should expect audits this year. Companies that have treated CCPA compliance as a documentation exercise to be completed if and when someone asks are about to discover that the question is now being asked first, and answered by an auditor reviewing records rather than by counsel managing a dispute.
This article explains what the Audits Division is, what its authority covers, what an unannounced audit means in practice, what auditors will examine, how this track differs from the Attorney General’s enforcement model, and how to build an audit-ready posture before the knock comes.
What the Audits Division Is and Where Its Authority Comes From
The Audits Division is an operational unit inside CalPrivacy created to carry out the audit power the agency has held since its inception but rarely exercised. That power comes directly from statute. California Civil Code section 1798.199.65 authorizes the agency to audit a business’s compliance with the CCPA, and the implementing regulations describe when and how an audit may be conducted. Critically, the statute and regulations do not require the agency to first establish that a violation has occurred. An audit can be initiated as a compliance check, not only as the back end of an enforcement action.
In early 2026 the agency formalized this capability. It announced the Audits Division and named a Chief Privacy Auditor to lead it, signaling that audits would become a standing function rather than an occasional tool. CalPrivacy’s executive leadership has said directly that businesses should expect CCPA compliance audits in 2026 as the division builds out.
The regulatory basis for selecting audit targets is broad. Under the CCPA regulations, the agency may decide to audit when a business’s processing of personal information presents significant risk to consumer privacy or security, or where the history of a business’s noncompliance with the CCPA or other privacy laws warrants review. In plain terms, the more sensitive the data you handle, the more automated your decisions about consumers, and the worse your compliance track record, the higher your audit exposure. The audit can examine the practices of businesses, service providers, and contractors alike — the obligations and the scrutiny flow down the data chain.
What an Unannounced Audit Means in Practice
The phrase that has drawn the most attention is unannounced. CalPrivacy has indicated the Audits Division will use both announced and unannounced audits to check compliance.
An announced audit follows a familiar pattern. The agency sends notice, defines a scope, and requests documents on a timeline. The business assembles records, involves counsel, and responds in an orderly process. There is room to prepare.
An unannounced audit removes that preparation window. In practice it means the demand for records can arrive without advance warning, and the agency expects that the foundational compliance artifacts — the ones the regulations require a business to maintain on an ongoing basis — already exist and are current. You cannot draft a risk assessment in response to an audit notice if the regulation required you to have completed it months earlier. The unannounced audit is designed precisely to test whether compliance is a maintained operational state or a document produced on demand.
This is why the maintenance and retention requirements in the regulations matter so much. The regulations require businesses to retain risk assessments and to be able to produce them, and to keep the records that demonstrate cybersecurity audits and ADMT compliance. An unannounced audit converts those retention obligations from background paperwork into the first thing an auditor verifies. If the artifact is missing, late, or unsigned, the gap is visible immediately and cannot be papered over.
What Auditors Will Examine
The finalized regulations give auditors a concrete checklist. Expect scrutiny in four areas in particular.
Risk Assessments with Executive Certification
Businesses whose processing presents significant risk to consumers’ privacy — including selling or sharing personal information, processing sensitive personal information, using personal information to train ADMT, and certain profiling — must conduct and document risk assessments before initiating that processing. The regulation specifies what each assessment must contain: the categories of personal information, the purpose, the benefits, the negative impacts, and the safeguards adopted to address them.
The part that elevates audit risk is the certification and attestation requirement. The risk-assessment framework requires senior leadership accountability — an executive must certify that the assessment was conducted and is accurate. That signature converts a compliance document into a statement of personal and organizational accountability. An auditor will look not only for the assessment itself but for the executive sign-off, the date, and whether the assessment was completed before the high-risk processing began. We cover the personal-liability dimension of this in detail in our analysis of the CCPA risk-assessment executive attestation requirement.
Cybersecurity Audit Requirements
The regulations require certain businesses — those whose processing presents significant risk to security, defined by thresholds tied to revenue and the volume and sensitivity of personal information processed — to complete an annual cybersecurity audit. The audit must be independent, must assess and document the business’s cybersecurity program against enumerated components (authentication, encryption, access controls, vendor oversight, incident response, and more), and must identify gaps and remediation.
Compliance is phased in by business size, but the obligation is now live, and the regulation requires a written certification of completion. An auditor from the Audits Division will want to see that the cybersecurity audit was performed, that it was genuinely independent, that it covered the required components, and that identified deficiencies were tracked to resolution. A thin, self-serving audit that asserts everything is fine will not satisfy the independence and rigor the regulation demands.
ADMT Notices and Consumer Rights
The ADMT rules impose obligations on businesses that use automated decisionmaking technology to make significant decisions about consumers — decisions affecting financial services, housing, employment, education, healthcare, and similar areas. Businesses must provide a pre-use notice explaining the use of ADMT, must offer consumers the ability to opt out of certain ADMT uses, and must honor a right to access information about how the technology was used to make a decision about them.
Auditors will test whether ADMT notices exist, whether they are clear and complete, whether opt-out mechanisms actually function, and whether access requests are honored within the required timeframes. Because ADMT use is one of the explicit triggers for a risk assessment, an ADMT deployment without a corresponding documented assessment is a compound exposure.
Data-Broker Registration and Delete Act Compliance
Separately from the core CCPA regulations, California’s Delete Act (the data broker provisions) requires data brokers to register with CalPrivacy annually and, beginning with the rollout of the DROP (Delete Request and Opt-out Platform), to honor deletion requests submitted through that centralized mechanism. The agency has already pursued enforcement against brokers that failed to register, and registration status is trivially easy for an auditor to verify against the public registry.
If your business meets the definition of a data broker, expect the audit to confirm registration, fee payment, and readiness to process DROP requests. Failure to register is among the most clear-cut and least defensible findings an auditor can make.
How the Audits Division Differs From the Attorney General’s Enforcement Track
California is unusual in having two authorities that enforce its consumer privacy law: the Attorney General and CalPrivacy. Understanding the difference matters for how you prepare.
The Attorney General’s track is classic enforcement. It investigates suspected violations, often through public sweeps focused on a theme — opt-out signals, mobile apps, employee and job-applicant data — and resolves matters through settlements and civil penalties. Recent settlements have reached into the millions of dollars and have emphasized that defective opt-out mechanisms and Global Privacy Control failures are treated as serious violations. This is adversarial, complaint- or theory-driven, and oriented toward penalties.
The Audits Division’s track is different in posture. An audit is not, by itself, an accusation. It is a proactive examination of whether your compliance program functions as the regulations require. The trigger is risk and history rather than a specific alleged violation. The output is findings about your program’s adequacy. That said, the tracks are connected: audit findings can surface conduct that leads to enforcement, and the agency’s Enforcement Division can act on what an audit reveals. The practical distinction is that the audit tests the existence and quality of your compliance infrastructure — your assessments, your cybersecurity audit, your notices, your records — whereas an enforcement action tests a specific behavior. A business can have clean opt-out plumbing and still fail an audit because it never documented its risk assessments or never obtained executive certification.
The two-track reality means a defensible website and a working opt-out are necessary but not sufficient. The audit asks for the paperwork behind the practice, and that paperwork must be complete, current, and signed.
Audit-Readiness Checklist
Build the following before an audit notice — announced or not — arrives.
- Inventory your high-risk processing. Identify every activity that triggers a risk-assessment obligation: selling or sharing personal information, processing sensitive personal information, using data to train ADMT, and qualifying profiling. Map each to a data flow.
- Complete and retain risk assessments. For each triggering activity, produce a written assessment containing the required elements, and confirm it was completed before processing began. Maintain a retention system that can produce any assessment on demand.
- Obtain and date executive certification. Ensure the required senior-leadership attestation is signed and dated for every risk assessment. Treat the signature as a controlled, accountable act, not a formality. See our executive attestation analysis for the liability implications.
- Determine whether you owe a cybersecurity audit. Apply the revenue and data-volume thresholds. If you qualify, commission an independent audit covering all enumerated components, track remediation of findings, and retain the written certification of completion.
- Verify your ADMT compliance. Confirm pre-use notices exist and are clear, opt-out mechanisms function, and access requests are honored on time. Cross-check that every ADMT use has a corresponding documented risk assessment.
- Confirm data-broker registration. If you are a data broker, verify current registration with CalPrivacy, fee payment, and operational readiness for DROP deletion requests.
- Test consumer-rights operations end to end. Submit your own access, deletion, correction, and opt-out requests. Confirm Global Privacy Control signals are honored automatically. Keep logs that prove timeliness.
- Validate service-provider and contractor contracts. Ensure downstream agreements contain the required CCPA terms and that vendors can demonstrate their own compliance, since auditors can examine the chain.
- Centralize your evidence. Maintain a single, current repository of assessments, certifications, audit reports, notices, contracts, and request logs so any document can be produced quickly — the difference between a clean unannounced audit and a damaging one.
- Assign an audit response owner. Designate who receives an audit demand, who coordinates the response, and how counsel is engaged, so an unannounced request does not cause an internal scramble.
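The two checklist items about consumer-rights testing and request logs can be backed by a small verification script. The following is an added example written for this article; it is not code from CalPrivacy, the article's author, or any real compliance platform. It checks two things a practitioner would want to prove before an auditor asks: that a Global Privacy Control signal (the `Sec-GPC: 1` request header defined by the GPC specification) is honored automatically, and that every logged consumer request was answered inside the statutory window. The 45-day figure is the CCPA response deadline in Cal. Civ. Code 1798.130(a)(2); the log format, the preference-record keys, and the sample rows are constructed assumptions.

```python
# Added example for the checklist items above (test consumer-rights
# operations end to end; keep logs that prove timeliness). It is not
# code from CalPrivacy or from the article. The request-log format,
# the preference-record keys, and the sample data are constructed.
from datetime import date

# CCPA requires a response to a verifiable consumer request within 45
# days of receipt (Cal. Civ. Code 1798.130(a)(2)); the window is a
# parameter so an extended deadline can be checked the same way.
RESPONSE_WINDOW_DAYS = 45


def gpc_signalled(headers):
    """True when the request carries a valid Global Privacy Control signal.

    The GPC specification uses the `Sec-GPC` request header and defines
    "1" as the only value meaning "opt me out"; header names are
    case-insensitive, and any other value is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(headers, prefs):
    """Honor GPC automatically: the opt-out takes effect without a click.

    `prefs` is a constructed preference record; the key names are
    assumptions, not a real platform's schema.
    """
    updated = dict(prefs)
    if gpc_signalled(headers):
        updated["sale_sharing_opt_out"] = True
        updated["opt_out_source"] = "gpc"
    return updated


# Constructed request log (not real data): id,type,received,completed.
# An empty `completed` field means the request is still open.
SAMPLE_LOG = """\
req-001,access,2026-01-05,2026-02-10
req-002,deletion,2026-01-10,2026-03-02
req-003,opt-out,2026-02-01,2026-02-03
req-004,correction,2026-01-20,
"""


def check_timeliness(log_text, today_iso, window_days=RESPONSE_WINDOW_DAYS):
    """Return (id, type, days_elapsed, status) for every request that was
    completed after the window ("late") or is still open past it
    ("overdue"). Requests answered inside the window are not reported."""
    today = date.fromisoformat(today_iso)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rid, rtype, received, completed = line.split(",")
        start = date.fromisoformat(received)
        end = date.fromisoformat(completed) if completed else today
        elapsed = (end - start).days
        if elapsed > window_days:
            status = "late" if completed else "overdue"
            findings.append((rid, rtype, elapsed, status))
    return findings


if __name__ == "__main__":
    print(apply_gpc({"Sec-GPC": "1"}, {"sale_sharing_opt_out": False}))
    for finding in check_timeliness(SAMPLE_LOG, "2026-03-15"):
        print(finding)
```

Run against the constructed log with a review date of 2026-03-15, the script reports req-002 as late (51 days to completion) and req-004 as overdue (54 days and still open); the other two rows fall inside the window and are silent. Pointing `check_timeliness` at a real export of the request log, on a schedule, gives the timeliness evidence the checklist asks for, and `gpc_signalled` is the same logic a web tier should apply on every request, which is why it is worth testing with a `Sec-GPC: 1` header from an outside client rather than trusting a banner.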
Conclusion
The arrival of the Audits Division marks the moment California privacy compliance stops being something a business can defer until challenged. With the ADMT, risk-assessment, and cybersecurity-audit regulations live since January 1, 2026, and with CalPrivacy stating plainly that audits should be expected in 2026, the relevant question is no longer whether your privacy program would survive scrutiny in principle. It is whether the documents that prove it exist today, are current, and are signed.
Unannounced audits reward businesses that treat compliance as a maintained operational state and expose those that treat it as a document to be produced on request. The work — inventorying high-risk processing, completing and certifying risk assessments, commissioning independent cybersecurity audits, operationalizing ADMT notices and consumer rights, and confirming data-broker obligations — cannot be compressed into the window after a notice arrives, because for unannounced audits there is no such window. Build the posture now, while the choice of timing is still yours.
This article is provided for informational purposes only and does not constitute legal advice.