
February 19, 2026

Is Your Insurance Company Exempt from CCPA? New Audit Rules Might Say No

The California Privacy Protection Agency (Agency) Board adopted finalized rules on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT).

The regulations (1) updated existing CCPA regulations; (2) implemented requirements for certain businesses to conduct risk assessments and complete annual cybersecurity audits; (3) implemented consumers’ rights to access and opt out of businesses’ use of ADMT; and (4) clarified when insurance companies must comply with the CCPA.

The most significant requirement is to conduct cybersecurity audits for any business whose processing activities present “significant risk to consumers’ privacy.” The regulations became effective on January 1, 2026. 

Does CCPA Apply to Insurance Carriers? The Data-Level Exemption

Requirements apply only to data not already covered by insurance-specific privacy laws. Insurance carriers often assume they are fully exempt due to the Gramm-Leach-Bliley Act (GLBA) or the California Insurance Information and Privacy Protection Act (IIPPA). Examples of data covered by insurance-specific privacy laws include claims data, underwriting files, and policyholder information. However, the new regulations clarify that this is a data-level exemption, not an entity-level one: the exemption follows the data, not the carrier.

You may be subject to the cybersecurity audit if you handle:

  • Employee/HR data: Information on California employees, job applicants, and contractors is not exempt under GLBA/IIPPA and is fully subject to CCPA
  • Marketing data: Data collected from website visitors (via cookies/pixels) who are browsing but have not yet applied for a policy
  • B2B data: Contact information for vendor representatives or business partners

The regulation defines “significant risk” (and thus mandatory audits) if you meet the standard CCPA revenue threshold (>$25M gross revenue) AND meet one of the following criteria regarding your CCPA-covered (non-GLBA) data:

  • Volume threshold: You processed the personal information of 250,000+ consumers/households in the preceding year (e.g., 250k unique website visitors tracked for marketing)
  • Sensitive data threshold: You processed the sensitive personal information of 50,000+ consumers (e.g., 50k job applicants/employees, or marketing data that infers sensitive traits)
  • Revenue from data: You derive 50% or more of your revenue from selling or sharing personal information

Jurisdictional “Nexus” Test

  • Physical presence: Do you have offices, employees, or exclusive agents in CA? This could even be having one remote employee working from home in California.
  • Economic activity: Do you actively market to California residents or write policies for risks located in California?
  • Licensure: Are you licensed by the California Department of Insurance?

Revenue

  • Is your gross annual revenue over $25,000,000? (not just California revenue)

Identify Data Subject to CCPA

  • Which of your data is exempt (GLBA or insurance-specific privacy laws) and which is non-exempt? Examples of non-exempt data include website visitor data (marketing cookies), employee/HR records, job applicant data, and B2B vendor contacts.

“Significant Risk” Thresholds

  • Does your non-exempt data meet one of the following thresholds:
    • Volume: Processed personal information of 250,000+ consumers in the preceding calendar year (unique website visitors in California where you collected cookies/IP addresses)
    • Sensitivity: Processed sensitive personal information of 50,000+ consumers; “sensitive” includes precise geolocation, social security numbers (for HR), or sexual orientation/health info (if collected outside of a policy application)
    • Revenue: You derive 50% or more of your annual revenue from selling or sharing personal information.
  • If Yes, you must submit a cybersecurity audit report annually.

ADMT Trap

  • Do you use ADMT for “significant decisions” on non-exempt data?
  • If Yes, you must conduct a risk assessment and potentially a cybersecurity audit if the tool poses a high risk to consumers. Risk assessments must meet specific criteria and be documented in a formal report. The risk assessment must be completed before initiating the processing activity and at least once every three years, or within 45 days of a material change relating to the processing activity.

2026 Cybersecurity Audit Requirements: Scope and Controls

The cybersecurity audit must assess how the business’s cybersecurity program: protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information. The audit must address the following, if applicable:

  1. Authentication
  2. Encryption
  3. Account management and access controls: Specifically limiting access to the privileges and access to personal information that is necessary for the specific business purposes
  4. Inventory and management of personal information and the business’s information system
  5. Secure configuration of hardware and software
  6. Internal and external vulnerability scans, penetration testing and vulnerability disclosure and reporting
  7. Audit log management, including the centralized storage, retention and monitoring of logs
  8. Network monitoring and defenses
  9. Antivirus and antimalware protections
  10. Segmentation of an information system (e.g., via properly configured firewalls, routers, switches)
  11. Limitation and control of ports, services and protocols
  12. Cybersecurity awareness
  13. Cybersecurity education and training 
  14. Secure development and coding best practices, including code reviews and testing
  15. Oversight of service providers, contractors and third parties
  16. Retention schedules and proper disposal of personal information no longer required to be retained
  17. How the business manages its responses to security incidents
  18. Business continuity and disaster recovery plans, including data recovery capabilities and backups

Audit Reporting Standards: Gaps, Weaknesses, and Certification

The regulation includes detailed requirements for inclusion in the audit report, including a description of the business’s information system. The report must identify (A) the policies, procedures, and practices that the cybersecurity audit assessed; (B) the criteria used for the cybersecurity audit; and (C) the specific evidence examined to make decisions and assessments, such as documents reviewed, sampling and testing performed, and interviews conducted.

The report must identify in detail the status of any gaps or weaknesses in the policies and procedures that the auditor deemed to increase the risk of unauthorized access, destruction, use, modification, or disclosure of consumers’ personal information, or to increase the risk of unauthorized activity resulting in the loss of availability of personal information. It must also disclose management’s plans to address any gaps and weaknesses.

The report is signed and dated by the highest-ranking auditor, who certifies that they completed an independent review of the business’s cybersecurity program and information system, exercised objective and impartial judgment on all issues within the scope of the cybersecurity audit, and did not rely primarily on assertions or attestations by the business’s management.

Businesses may utilize a cybersecurity audit or evaluation prepared for another purpose, if it meets the requirements of the regulation.

Key Deadlines: CCPA Audit Submission and Compliance Dates

Businesses have 24 months to complete their first cybersecurity audit and must submit their certification of completion to the Agency by April 1, 2028. The first audit must cover the period January 1, 2027 through January 1, 2028. Cybersecurity audits must then be performed each year, covering the full 12-month period.

Cybersecurity audits must be performed by a qualified, objective and independent professional auditor, applying professional auditing standards to evaluate the company’s cybersecurity program. The auditor may be internal or external to the business but must exercise objective and impartial judgment and ensure that their activities do not compromise independence.

Automated Decision-Making Technology Requirements

A business that uses ADMT for a significant decision prior to January 1, 2027, must be in compliance with the requirements of the regulation no later than January 1, 2027. A business that uses ADMT on or after January 1, 2027, must be in compliance with the requirements of the regulation any time it is using ADMT for a significant decision. 

Businesses must provide:

  • Pre-use notice
  • Right to opt out of ADMT, or a method to appeal the decision to a human reviewer with the authority to overturn the decision
  • Right to access ADMT, which includes an explanation of how the ADMT is used to make the decision, or how the decision will be made if the consumer opts out

CCPA Readiness & Cybersecurity Audit Services for Insurance

Johnson Lambert supports CCPA regulation readiness and compliance through the following services:

  • Readiness Assessment and Gap Analysis: We will assess your current data governance, privacy and cybersecurity policies to identify where they fall short of the new mandates. The deliverable is a detailed roadmap for compliance.
  • SOC 2 + Privacy: A SOC 2 including the privacy criteria will provide a single report to partners or regulators proving that you have controls in place and operating throughout the year to protect consumer privacy.
  • Cybersecurity Audit Pre-Assessment and Annual Audit: A pre-assessment will identify gaps in control design and operation to meet the requirements of the CCPA. This will prepare your team for the official audit that will cover the full year of 2027.
  • Data Mapping and Inventory: Our team will trace how personal information enters your organization, where it is stored, and with whom it is shared. This data inventory will be required to respond to consumer requests within the 45-day statutory limit.
  • Third-Party Risk Management: Evaluate vendor management processes to ensure alignment with the required contractual updates and the necessary security and privacy controls.

Contact the Johnson Lambert team to identify the path that best suits your insurance company’s needs.

Kim Mobley, Partner
