As 2025 came to a close, the California Privacy Protection Agency (CalPrivacy) finalized its California Consumer Privacy Act (CCPA) Regulations. The Regulations refine and expand on the obligations in the CCPA, and together they define the privacy rules for in-scope businesses.
For a long time now, privacy pros have been preaching the importance of organizations having a good understanding of what personal information they process and how, and California’s newly approved Regulations show us that CalPrivacy agrees.
The cybersecurity audit obligation
Within the Regulations is an obligation for in-scope businesses to conduct annual cybersecurity audits and submit a report on them to CalPrivacy. The audit must assess implementation and maintenance of the business’s cybersecurity program, how the program is enforced, and certain specified elements of a data protection program that the auditor “deems applicable.”
The elements outlined in the regulations include authentication measures, encryption, account management and access tools, and “[i]nventory and management of personal information and the business’s information system.”
More specifically, “Personal information inventories (e.g., maps and flows identifying where personal information is stored, and how it can be accessed) and the classification and tagging of personal information (e.g., how personal information is tagged and how those tags are used to control the use and disclosure of personal information)[.]”
“Deems applicable” … What does that mean?
So, let’s talk about the word “applicable.” CalPrivacy didn’t use “necessary” or “essential” when it wrote these Regulations; it used applicable, which, according to Merriam-Webster, is synonymous with “appropriate,” “useful,” and “practical.”
So, when is a personal information inventory “applicable”? If you are a company that meets the scoping thresholds for cybersecurity audits, a data inventory is going to be useful, appropriate, and practical—i.e., applicable. Take it from us, we’ve been doing this for a long time.
Compliance Thresholds for CCPA Cybersecurity Audit Requirement
- Derive 50% or more of annual revenue from “selling” or “sharing” Californians’ personal information (as defined in CCPA);
- Process the personal information of 250,000 or more Californians in a calendar year and have annual gross revenues of at least $25.625 million; or
- Process the sensitive personal information of 50,000 or more Californians in a calendar year and have annual gross revenues of at least $2.625 million.
What does this mean for businesses?
Some businesses may be in great shape for a data inventory obligation—after all, it’s not the first time we’ve seen it. The EU General Data Protection Regulation (GDPR) requires controllers and processors to maintain ROPAs, or records of processing activities (Article 30), as do many GDPR-copycat laws. The Minnesota Consumer Digital and Data Privacy Act has a data inventory obligation for controllers (Section 325M16, Sub.2(c)).
On its face, the data inventory obligation in the CCPA Regulations isn’t as extensive as, say, ROPAs; however, the systems-based inventory used by many cybersecurity teams doesn’t give you what you need to comply with aspects of the CCPA like privacy rights and accurate disclosures.
Rounding out compliance means combining these system inventories and data maps and extending them to include information required for complying with privacy requirements:
- Where did the data come from? Identifying all collection points – web forms, third-party integrations, employee systems, customer interactions – allows you to draft accurate privacy notices that reflect your real-life practices and respond to individual rights requests asking “what information do you have about me?”
- What is the purpose for which we collected it? Documenting business purposes for each data category ensures your privacy notice accurately discloses how you use personal information and establishes the lawful basis required by privacy laws.
- How are we using it? Assessing data flows across marketing, analytics, customer service, and other business functions lets you spot privacy risks during impact assessments and ensures your disclosures match reality; inaccurate statements can violate unfair and deceptive trade practice laws, as well as privacy regulations.
- What permissions do we have to use it? Understanding your legal basis – consent, contract, legitimate interest – and retention periods determines your obligations around data minimization, storage limitation, and honoring deletion requests without disrupting operations or violating other legal requirements.
- With what third parties and vendors are we sharing it? Tracking which vendors receive personal information enables you to maintain required data processing agreements, accurately disclose sharing practices in your privacy notice, respond to consumer questions about data sharing, and manage third-party privacy risks that could expose your business to enforcement.
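The five questions above map naturally onto a record per data flow, and once the inventory is structured that way it can be checked mechanically rather than by re-reading a spreadsheet. The script below is an added example, not Red Clover’s template and not anything from the CCPA Regulations; the field names, the “data processing agreement” flag on each recipient, and the sample records are assumptions constructed for illustration. It flags flows that leave one of the five questions unanswered or that share data with a vendor lacking an agreement, lists the vendors that would have to be notified to honor a deletion request for a data category, and rolls the inventory up into the category-to-purposes table a privacy notice is built from.

```python
"""Minimal data-inventory gap checker (added example; field names and sample data are constructed)."""
from dataclasses import dataclass, field
from typing import Optional

# One required answer per question in the post: source, purpose, use (business function),
# permission (legal basis + retention). Recipients are checked separately below.
REQUIRED_FIELDS = ("data_category", "source", "purpose",
                   "business_function", "legal_basis", "retention_days")


@dataclass
class Recipient:
    name: str
    dpa_in_place: bool  # assumed flag: is a data processing agreement signed with this vendor?


@dataclass
class InventoryRecord:
    data_category: str
    source: str              # where the data came from (web form, SDK, integration, ...)
    purpose: str             # why it was collected
    business_function: str   # how it is used (marketing, analytics, customer service, ...)
    legal_basis: str         # consent, contract, legitimate interest, ...
    retention_days: Optional[int]
    recipients: list = field(default_factory=list)  # third parties / vendors it is shared with
    sensitive: bool = False


def find_gaps(records):
    """Return {data_category: [issue, ...]} for flows missing a required answer
    or shared with a recipient that has no processing agreement on file."""
    gaps = {}
    for r in records:
        issues = []
        for name in REQUIRED_FIELDS:
            value = getattr(r, name)
            if value is None or value == "":
                issues.append(f"missing {name}")
        for rcpt in r.recipients:
            if not rcpt.dpa_in_place:
                issues.append(f"recipient {rcpt.name} has no data processing agreement")
        if issues:
            gaps.setdefault(r.data_category, []).extend(issues)
    return gaps


def deletion_fanout(records, category):
    """Vendors that must be told about a deletion request for `category` (deduplicated, sorted)."""
    names = {rc.name for r in records if r.data_category == category for rc in r.recipients}
    return sorted(names)


def disclosure_summary(records):
    """Category -> sorted list of purposes: the raw material for an accurate privacy-notice table."""
    out = {}
    for r in records:
        out.setdefault(r.data_category, set()).add(r.purpose)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample inventory: one clean flow, one with two gaps, one missing its legal basis.
SAMPLE_INVENTORY = [
    InventoryRecord("email_address", "web signup form", "account creation", "customer service",
                    "contract", 730, [Recipient("MailVendor", True)]),
    InventoryRecord("email_address", "newsletter form", "marketing", "marketing",
                    "consent", None, [Recipient("AdNetwork", False)]),
    InventoryRecord("precise_geolocation", "mobile app SDK", "store locator", "analytics",
                    "", 30, sensitive=True),
]

if __name__ == "__main__":
    for category, issues in find_gaps(SAMPLE_INVENTORY).items():
        for issue in issues:
            print(f"{category}: {issue}")
    print("deletion fan-out for email_address:", deletion_fanout(SAMPLE_INVENTORY, "email_address"))
    print("disclosure summary:", disclosure_summary(SAMPLE_INVENTORY))
```

Run against a real inventory export, the gap list is the work queue for the interviews with business units, and the disclosure summary is the thing to diff against the current privacy notice before an audit.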
While California’s new requirements focus on cybersecurity audits, building a comprehensive data inventory on the foundations of privacy best practices means you don’t have to scramble every time a new regulation drops. Instead, you’ll be better positioned for whatever comes next, whether that’s California’s audit requirement, Minnesota’s explicit inventory mandate, or the next state privacy law on the horizon.
Does this sound overwhelming? Red Clover has tools and guidance to help you get your inventory process off the ground.
Red Clover data inventory resources
- Data Inventory Roadmap: An easy-to-understand guide to help you understand what personal data your business handles, how it’s used, where it’s stored, and how it moves through your systems and vendors.
- Data Inventory Template: An Excel workbook where you can document and maintain information on your business’s data flows.
Need more help?
California’s cybersecurity audit requirement gives privacy and security teams an excellent opportunity to stop working in parallel and start working together.
When these teams collaborate on data inventory…
- Both teams work from one shared source instead of maintaining conflicting documentation that requires reconciliation
- Organizations can respond faster to regulator questions and reduce the risk of inaccurate statements in privacy notices or audit reports
- Business units get interviewed once instead of answering the same questions separately for security and privacy teams
Our downloadable resources will get you started, but understanding your systems may take more expertise and bandwidth than you have in-house. If that’s the case, give us a call. Send us an email.