California CCPA Compliance
California's CCPA requires businesses to maintain reasonable security for consumer data, and new rules add cybersecurity audits.
Learn how ImmuniWeb helps with web and mobile application testing and with the security obligations the CCPA places on businesses.
What Is the California CCPA?
The CCPA gives California consumers rights over their personal information - to know, delete, correct, opt out of the sale or sharing of personal information, and limit the use of sensitive personal information. Businesses must implement reasonable security and honour these rights.
The California Privacy Rights Act (CPRA) created the California Privacy Protection Agency (CPPA) and directed it to issue rules. The finalized regulations - effective 1 January 2026 - require in-scope businesses to conduct risk assessments and annual cybersecurity audits, assessing 'reasonable security' against recognised frameworks such as NIST and ISO, with gap analysis and remediation.
See how ImmuniWeb helps you demonstrate 'reasonable security' and support CCPA cybersecurity audits - by testing the apps that handle consumer data.
Who Must Comply with CCPA?
The CCPA applies to for-profit businesses that meet at least one of these thresholds:
- Revenue - annual gross revenue over $25 million; or
- Large volumes of personal information - buying, selling or sharing the PI of 100,000+ consumers or households; or
- Data-driven revenue - deriving 50% or more of annual revenue from selling or sharing PI.
In-scope businesses running web and mobile applications that handle consumer data must secure and test them.
Key CCPA Requirements for Application Security
The following obligations drive application-security work under the CCPA:
- Reasonable security: implement and maintain reasonable security procedures and practices; failure to do so can trigger the private right of action after a breach.
- Cybersecurity audits (from 2026): conduct annual, independent cybersecurity audits assessing security against recognised frameworks, with gap analysis and remediation.
- Risk assessments: assess and document the risks of high-risk processing activities.
CCPA Security Requirements in Depth
Reasonable Security and the Private Right of Action
The CCPA requires reasonable security procedures and practices, and consumers can bring a private right of action where a breach results from a failure to maintain them. Penetration testing and vulnerability scanning of the applications that handle consumer data are practical evidence of 'reasonable security'.
CPPA Cybersecurity Audit Regulations (2026)
The CPPA's regulations, effective 1 January 2026, require in-scope businesses to conduct annual cybersecurity audits benchmarked against recognised frameworks (such as NIST and ISO), including a gap analysis and remediation. Regular application testing produces the evidence an auditor needs.
Common Web & Mobile Application Risks to Address
The vulnerabilities that undermine 'reasonable security' map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Approach CCPA Application Security with ImmuniWeb
- Map your exposure. Inventory internet-facing apps handling consumer data with ImmuniWeb Discovery.
- Test web applications with On-Demand (penetration testing) and Neuron (scanning).
- Test mobile applications with MobileSuite and Neuron Mobile.
- Support cybersecurity audits with reports benchmarked to NIST/ISO, gap analysis and remediation.
- Remediate and retest with actionable, zero-false-positive reports.
- Monitor continuously with ImmuniWeb Continuous and ImmuniWeb Discovery.
How ImmuniWeb Helps You Achieve CCPA Compliance
ImmuniWeb helps businesses demonstrate 'reasonable security' and produce the evidence the CPPA's cybersecurity-audit regime expects.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Reasonable security | Implement and evidence reasonable security practices. | On-Demand, Neuron, Discovery, Continuous |
| Cybersecurity audits | Benchmark, gap-analyse and remediate against NIST/ISO. | On-Demand, Neuron |
| Apps & data | Secure web/mobile apps handling consumer data. | On-Demand, Neuron, MobileSuite, Neuron Mobile |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface - together evidencing reasonable security and supporting cybersecurity audits.
CCPA vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing supports all of them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| California CCPA | Reasonable security + cybersecurity audits | Web/mobile pentest, scanning, ASM, audit evidence |
| EU GDPR | Article 32 security of processing | Same testing supports both |
| NIST CSF 2.0 | Protect / Detect functions | Application testing & monitoring |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing apps handling consumer data
- Web applications tested against the OWASP Top 10
- Mobile applications tested against the OWASP Mobile Top 10
- Reasonable security practices implemented and evidenced
- Cybersecurity-audit readiness benchmarked to NIST/ISO
- Findings remediated and re-tested; records retained
- Risk assessments for high-risk processing
Why CCPA Compliance Matters
The CPPA and Attorney General actively enforce the CCPA, and the private right of action ties data breaches to failures to maintain 'reasonable security' - a frequent basis for class actions. The new cybersecurity-audit regime raises the bar further.
Because web and mobile applications are a leading breach vector, demonstrably securing and testing them is one of the clearest ways to evidence reasonable security and pass cybersecurity audits in the largest U.S. market.