California's privacy laws are the most consequential data protection regulations in the United States, and they carry real enforcement teeth. The California Consumer Privacy Act (CCPA), amended and expanded by the California Privacy Rights Act (CPRA), requires covered businesses to implement "reasonable security procedures and practices" to protect the personal information of California residents. That obligation is legally binding, the California Privacy Protection Agency (CPPA) is actively enforcing it, and the private right of action for breach victims means litigation exposure compounds every lapse.
What "reasonable security" actually means in practice is where most businesses get stuck. The statute does not define it. Courts and regulators have spent years filling in the gaps, and the picture that has emerged is clear: basic controls are not optional, known vulnerabilities that testing would have surfaced are treated as negligence, and penetration testing is one of the most direct ways to demonstrate that your security program is active rather than performative.
This guide covers what CCPA and CPRA require, how the California Attorney General and the CPPA have interpreted and enforced those requirements, how penetration testing fits into a compliance-oriented security program, the overlap with SOC 2, and what the specific risk picture looks like for entertainment, media, and streaming companies operating in and around Los Angeles.
What "Reasonable Security" Means Under CCPA and CPRA
Section 1798.150 of the CCPA creates a private right of action for consumers whose "nonencrypted and nonredacted personal information" is subject to unauthorized access, exfiltration, theft, or disclosure as a result of the business's failure to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information." Section 1798.100(e), added by the CPRA, restates the same duty as an affirmative obligation on every business that collects personal information. That is the entire security requirement in the statute. No framework citation. No prescriptive control list. Just the word "reasonable."
The CPRA added further weight to the security obligation by establishing the CPPA, authorizing it to require annual cybersecurity audits and risk assessments for businesses engaged in high-risk processing, and explicitly linking enforcement to the adequacy of security practices at the time of a breach or violation.
The California AG's 2016 Data Breach Report
The most authoritative public definition of "reasonable security" under California law comes from the former Attorney General's 2016 Data Breach Report. That report stated directly: "The 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."
The CIS Controls (now in version 8, reorganized into 18 control groups) provide the de facto baseline. If your organization is not implementing the CIS Controls that apply to your environment, you are, by the AG's own analysis, failing to maintain reasonable security under California law. Businesses subject to the CCPA should be able to map their security program against CIS Controls and document where each control is implemented.
How Courts Have Interpreted the Standard
CCPA litigation has given courts the opportunity to interpret "reasonable security" in context. Several patterns have emerged from early decisions and settlements:
- Industry comparison matters. Courts look at what comparable businesses do. If your sector has established security norms, falling below them is evidence of unreasonable security.
- Data sensitivity scales the bar. The more sensitive the personal information you hold, the more robust your security must be. Financial data, health information, precise geolocation, and biometric data require stronger controls than email addresses.
- Known and discoverable vulnerabilities receive no mercy. If a vulnerability existed that routine testing would have identified, courts treat the failure to discover and remediate it as a failure of reasonable security. "We did not know" is not a defense when testing would have produced knowledge.
- Cost is not an excuse for basic controls. The cost-benefit defense for security measures fails when the controls at issue are widely adopted, inexpensive, and well-documented. Encryption, MFA, and regular security testing are not exotic measures.
The practical consequence: Reasonable security is not a fixed checklist you complete once. It is measured against what the industry considers standard at the time a breach or violation occurs. If you are not actively testing your controls, remediating findings, and keeping pace with evolving threats, you are almost certainly below the bar. Regulators and plaintiffs' attorneys understand this standard well.
The AG's Enforcement History: What Has Actually Been Penalized
The California Attorney General's CCPA enforcement actions since 2020 reveal a consistent set of targets. Understanding where enforcement attention has concentrated helps compliance teams prioritize their work.
Failure to Honor Consumer Rights
The AG's first wave of enforcement letters targeted businesses that failed to provide the required "Do Not Sell My Personal Information" link, did not respond to consumer requests within the statutory 45-day window, or collected consumer data without disclosing required categories and purposes. These are the operational mechanics of CCPA compliance and the easiest failures for regulators to identify.
Inadequate Security Practices Tied to Breaches
Where a breach triggers investigation, the AG and now the CPPA look specifically at whether the business maintained reasonable security. Enforcement actions in this category have focused on:
- Unencrypted personal information. The CCPA private right of action only covers "nonencrypted and nonredacted" data. Businesses that stored personal information in plaintext, or that transmitted it over unencrypted channels, face the strongest exposure in both private litigation and regulatory action.
- Unpatched systems. Several investigations surfaced that breached systems were running software with known, publicly disclosed vulnerabilities. Vulnerability management is a core CIS Control requirement, and neglecting it is treated as a per se failure of reasonable security.
- Absence of security testing. The CPPA's draft cybersecurity audit regulations and enforcement guidance have explicitly referenced the expectation of regular, independent security testing. Businesses that cannot demonstrate a testing history are vulnerable to the argument that they were willfully ignorant of security gaps.
- Weak access controls. Credential-based breaches where the attackers exploited the absence of MFA, excessive user privileges, or shared administrative credentials have featured in multiple enforcement narratives.
CPPA Enforcement and the New Regulatory Landscape
The CPPA began exercising enforcement authority in 2023, and its posture has been more aggressive than the AG's office. The agency has made clear through public statements and proposed regulations that it views cybersecurity audits and risk assessments as core compliance requirements for businesses engaged in processing that presents "significant risk" to consumer privacy. The CPPA has also signaled that enforcement will not be limited to large companies. Any business meeting the CCPA thresholds is subject to the same standard.
Administrative fines reach $2,500 per violation and $7,500 per intentional violation or violation involving a consumer under 16 (both figures are periodically adjusted for inflation by the CPPA). Violations are counted per consumer and per incident, so a breach affecting tens of thousands of California residents produces substantial exposure. This is separate from the private right of action, which allows statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, on top of any regulatory fines.
How Penetration Testing Demonstrates CCPA Compliance
Penetration testing is one of the most defensible security activities a covered business can undertake, precisely because it generates documented evidence that your controls were actively validated by an independent party. The compliance value operates on several levels.
Testing Satisfies the "Reasonable" Requirement
A business that conducts regular penetration testing and remediates findings can credibly argue that it was actively working to identify and address security risks. A business that has no testing history cannot make that argument. Courts and regulators treat the absence of testing as evidence that the business was not taking its security obligations seriously, regardless of what its written policies say.
The CIS Controls framework referenced by the AG includes CIS Control 18 (Penetration Testing). In version 8 its safeguards are assigned to Implementation Groups 2 and 3, the groups intended for organizations that hold sensitive data at scale, so document which Implementation Group you have placed yourself in and why. A business that can point to a testing program aligned with CIS Control 18 is directly addressing the standard the AG has identified as the baseline for reasonable security.
Testing Creates a Defensible Record
In breach litigation and regulatory investigations, your lawyers and compliance team will need to reconstruct your security posture at the time of the incident. A history of annual or more frequent penetration tests, with written reports, documented findings, and remediation evidence, provides that record. It is significantly more persuasive than a stack of policies and a verbal assertion that security was taken seriously.
The pentest report also does something that policies cannot: it proves that your controls were tested under realistic attack conditions. A policy that says "we encrypt all data" is less valuable than a pentest report confirming that an independent expert could not find an unencrypted data pathway.
Testing Surfaces Vulnerabilities Before Attackers Do
The "reasonable security" standard includes an obligation to know about discoverable vulnerabilities. A business that discovers and remediates a vulnerability through penetration testing is in a very different legal position than one that discovers the same vulnerability because an attacker exploited it and California residents' data was exposed. The former demonstrates proactive security. The latter demonstrates negligence.
What a CCPA-Focused Pentest Should Cover
A penetration test scoped for CCPA compliance should specifically address:
- Systems and databases that store personal information, including primary databases, data warehouses, backup systems, and caches where consumer data may reside.
- Consumer-facing web applications and APIs that collect personal information, process consumer rights requests, or handle opt-out and deletion workflows.
- Access control implementation, including testing for privilege escalation, lateral movement, and whether least-privilege policies are enforced in practice.
- Authentication mechanisms, with specific attention to whether MFA is properly enforced and cannot be bypassed through alternative access paths.
- Encryption in transit and at rest, verifying that no personal information flows or rests in plaintext and that key management is properly implemented.
- Third-party integrations that receive or process personal information, including ad-tech platforms, analytics tools, and data vendors.
- Consumer rights workflows, testing that access request, deletion, and opt-out processes cannot be exploited or bypassed by unauthorized parties.
CCPA/CPRA and SOC 2: Where the Frameworks Overlap
Many California businesses pursuing CCPA or CPRA compliance are simultaneously working toward SOC 2 attestation. The two frameworks address different questions but share substantial technical common ground, and a well-designed compliance program can satisfy both without duplicating work.
CCPA / CPRA
A California state law creating enforceable consumer rights over personal information and requiring covered businesses to implement reasonable security. Enforcement through the CPPA and private right of action for breach victims. Focused on personal information of California residents. No formal certification mechanism.
SOC 2
An auditing framework evaluating a service organization's controls against the AICPA Trust Services Criteria. Covers security, availability, processing integrity, confidentiality, and privacy. Results in an attestation report from a licensed CPA firm. Market-driven requirement for enterprise sales, particularly in B2B SaaS.
Shared Technical Ground
The controls that satisfy SOC 2's Security criterion directly address the "reasonable security" standard under CCPA. Both frameworks require:
- Encryption of data at rest and in transit
- Access controls enforcing least privilege
- Multi-factor authentication for systems handling sensitive data
- Vulnerability management including regular scanning and patching
- Penetration testing to validate control effectiveness
- Logging and monitoring of access to personal and sensitive data
- Incident response procedures with defined notification workflows
- Vendor security assessments and contractual data protection requirements
A business that has achieved SOC 2 Type II attestation has, in effect, documented and validated a security program that satisfies the core technical requirements of CCPA's "reasonable security" standard. The SOC 2 report becomes an exhibit in your CCPA compliance posture.
Where They Diverge
SOC 2 does not address the consumer rights mechanics that are specific to CCPA: the "Do Not Sell or Share" opt-out infrastructure, the 45-day response window for consumer requests, deletion propagation to third-party service providers, or the "Limit the Use of My Sensitive Personal Information" link. SOC 2's Privacy criterion addresses some data governance requirements, but it is not calibrated to California law's specific consumer rights obligations.
The practical approach is to build your security program once against the CIS Controls baseline, pursue SOC 2 attestation for B2B sales purposes, and add the CCPA-specific consumer rights infrastructure and privacy notice requirements as a separate compliance workstream. You get the most out of your security investment when the same controls serve multiple compliance purposes rather than treating each framework as a separate project.
Learn more about our CCPA/CPRA compliance support services and how we structure assessments to satisfy both regulatory and audit requirements.
Entertainment, Media, and Streaming Companies in Los Angeles
Los Angeles is home to one of the highest concentrations of entertainment and media companies in the world, and the CCPA/CPRA exposure for companies in this sector is particularly acute. The reasons are structural: entertainment and media businesses collect high volumes of consumer data, including sensitive behavioral and demographic information, across platforms that are specifically designed to maximize engagement and personalization.
Why the Risk Profile Is Elevated
Streaming and On-Demand Platforms
Streaming platforms collect precise viewing histories, device identifiers, payment information, and behavioral data used for recommendation algorithms. The CPRA's "sensitive personal information" category captures some of this data, particularly financial account details and inferences drawn from content consumption that could reveal religious beliefs, political orientation, or other protected characteristics. Platforms that share this data with advertising technology vendors are engaged in "sharing" under the CPRA's definition, triggering opt-out obligations regardless of whether money changes hands.
Studios and Production Companies
Major studios and production companies maintain large datasets of talent, crew, and contractor personal information, including Social Security numbers, financial account details for payroll, and health information collected for production insurance purposes. This is sensitive personal information under the CPRA, and the security obligations that attach to it are more demanding than those for general personal information. A breach of a talent database carries both regulatory exposure and substantial reputational risk.
Gaming and Interactive Entertainment
Gaming companies operating in California collect account data, in-app purchase histories, device and location data, and in many cases biometric information if games use facial or voice recognition features. The CPRA's protections for children's data (those under 16) are particularly relevant for gaming companies, where violations involving minors carry the elevated $7,500 per violation penalty and have attracted specific CPPA enforcement attention.
Talent Agencies and Management Companies
Talent agencies maintain sensitive personal information about clients that spans financial details, contact information, health data relevant to production eligibility, and sometimes immigration status. These are small to mid-sized organizations that often operate without mature security programs, and they are subject to the same CCPA thresholds as larger companies if their revenue or data processing volume meets the statutory tests.
Common Security Gaps in the Entertainment Sector
In assessments of entertainment and media companies, recurring security gaps include:
- Legacy production management systems that store talent and crew data in databases that predate modern encryption standards and have not been updated to enforce encryption at rest.
- Ad-tech integration sprawl. Streaming and digital media companies routinely integrate dozens of advertising and analytics vendors. Each integration is a potential data sharing relationship under the CPRA and a potential attack surface. Very few companies have a complete inventory of what consumer data flows to which vendors.
- Inadequate separation between production and consumer systems. Companies that manage both production operations and consumer-facing platforms often have insufficient network segmentation between the two environments, creating attack paths that move from less-sensitive production infrastructure to consumer data stores.
- Weak authentication on content delivery infrastructure. High-value intellectual property and the consumer data that surrounds it often share infrastructure with administrative access controlled by single-factor authentication and shared credentials.
- Insufficient vendor security scrutiny. Entertainment companies work with a large ecosystem of production vendors, post-production houses, and distribution partners, many of which receive sensitive data with minimal security requirements attached.
Our Los Angeles penetration testing team works specifically with entertainment, media, and streaming companies to address these gaps. We understand the architecture patterns common to this sector and scope assessments to cover the specific attack surfaces that carry the highest CCPA exposure.
Practical Steps Toward CCPA/CPRA Security Compliance
Building a security program that genuinely satisfies the CCPA's "reasonable security" standard requires more than a policy library. The following steps address the technical and operational foundations that regulators and courts have consistently referenced.
Step 1: Build a Data Inventory
You cannot protect what you have not mapped. A comprehensive data inventory is the foundation for every CCPA/CPRA technical requirement. It needs to document:
- Every category of personal information you collect and from which sources
- Where that information is stored, including primary databases, analytics systems, log files, caches, and backup media
- Every third party that receives consumer personal information, including the mechanism of transfer
- Which data elements qualify as "sensitive personal information" under the CPRA
- Retention periods for each data category and the process for deletion when those periods expire
Step 2: Implement and Verify Encryption
The CCPA's private right of action exempts encrypted data from consumer breach claims, which makes encryption one of the highest-leverage controls you can implement for CCPA purposes. In practice this means:
- AES-256 encryption at rest for all databases and file storage containing personal information
- TLS 1.2 or higher for all data in transit, including internal service-to-service communication
- Field-level encryption for sensitive personal information such as SSNs, financial account numbers, and biometric data
Encryption policy is not the same as encryption implementation, and encryption at rest protects nothing if the keys, or the service accounts that can call the key management service, sit on the same compromised host as the data. A penetration test will verify whether your encryption is actually enforced, whether the keys are reachable from a foothold, and whether there are pathways to plaintext data (logs, caches, exports, backups) that your policies do not address.
Step 3: Enforce Access Controls
Access control failures are among the most common targets in CCPA enforcement investigations. Least-privilege policies must be implemented in practice, not just documented. This requires:
- Role-based access control mapped to actual job functions, with documented justification for each role's permissions
- Multi-factor authentication enforced on all accounts that access personal information, including administrative and database access
- Quarterly access reviews with documented evidence of revocation for role changes and departures
- Separation of privileged access from everyday user accounts
- Automated deprovisioning integrated with HR offboarding processes
Step 4: Conduct Annual Penetration Testing
Annual penetration testing by a qualified, independent third party is the most direct way to satisfy the CIS Control 18 requirement and the CPPA's implicit expectation of regular security validation. The testing scope should cover systems that store or process personal information, consumer-facing applications and APIs, and the network paths between them. Findings must be documented, triaged by severity, and remediated within defined timelines. Retesting should confirm remediation before the finding is closed.
For businesses subject to CPPA's cybersecurity audit requirement, the annual pentest is a core component of that audit. Having a pentest report from a recognized security firm is substantially better evidence of reasonable security than an internally conducted assessment.
Step 5: Build Consumer Rights Infrastructure
The consumer rights granted by CCPA and CPRA require engineering work, not just policy. Access requests, deletion requests, correction requests, and opt-out requests must be fulfilled within the statutory timelines. This requires:
- Automated or semi-automated workflows that can query all data stores where a consumer's personal information exists
- Deletion processes that propagate across primary databases, analytics systems, backups, and third-party service providers
- Global Privacy Control (GPC) signal detection and honoring as a valid opt-out mechanism
- A "Limit the Use of My Sensitive Personal Information" option for consumers whose sensitive data is processed beyond core service delivery
- Audit logging of all consumer rights requests and the responses provided
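The GPC item in the list above is the one piece of consumer rights infrastructure with a precise wire-level definition, so here is an added example (not code from the original page or from any vendor) of how a request handler should detect the signal, record the opt-out, and gate downstream sharing on it. It assumes HTTP headers arrive as a plain dict and that consumer state lives in an in-memory record; the sample requests, the consumer ID and the well-known `lastUpdate` value are constructed for illustration.

```python
"""Honoring the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out.

Added example, not code from the original page or from any named vendor.
Assumptions: HTTP headers arrive as a plain dict (name -> value) and
consumer state lives in an in-memory record; both are stand-ins constructed
here so the module runs offline.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import json

# GPC is carried as the request header "Sec-GPC: 1". The specification
# defines only the value "1"; anything else is not a signal.
GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers: dict) -> bool:
    """True only if a Sec-GPC header is present with the exact value "1".

    Header names are matched case-insensitively; values such as "true",
    "yes" or "0" are deliberately ignored rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerRecord:
    consumer_id: str
    opted_out_of_sale_sharing: bool = False
    audit_log: list = field(default_factory=list)


def apply_opt_out_signal(record: ConsumerRecord, headers: dict,
                         now: Optional[datetime] = None) -> bool:
    """Apply a GPC signal as a valid opt-out request. Returns True if state changed.

    Two edge cases matter:
      * the call is idempotent, so repeat page loads do not flood the audit log;
      * absence of the signal is NOT a request to opt back in, so an earlier
        opt-out is never silently reversed by a later request without it.
    """
    if not gpc_signal_present(headers):
        return False
    if record.opted_out_of_sale_sharing:
        return False
    record.opted_out_of_sale_sharing = True
    ts = (now or datetime.now(timezone.utc)).isoformat()
    record.audit_log.append({
        "consumer_id": record.consumer_id,
        "action": "opt_out_sale_sharing",
        "source": "gpc_header",
        "timestamp": ts,
    })
    return True


def may_share_with_vendor(record: ConsumerRecord) -> bool:
    """Gate every ad-tech/analytics hand-off on the stored preference."""
    return not record.opted_out_of_sale_sharing


def gpc_well_known(last_update: str) -> str:
    """Body for /.well-known/gpc.json, which advertises that the site honors GPC.

    last_update is an ISO 8601 date string; the value is chosen by the caller.
    """
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample traffic for a single consumer (not real requests).
SAMPLE_REQUESTS = [
    {"User-Agent": "demo", "Sec-GPC": "1"},      # signalling browser
    {"User-Agent": "demo", "Sec-GPC": "1"},      # same browser, next page
    {"User-Agent": "demo"},                      # another device, no signal
    {"User-Agent": "demo", "Sec-GPC": "true"},   # malformed, must be ignored
]


def run_sample() -> dict:
    """Replay SAMPLE_REQUESTS against one record and summarise the outcome."""
    record = ConsumerRecord("consumer-123")
    changes = [apply_opt_out_signal(record, h) for h in SAMPLE_REQUESTS]
    return {
        "changed": changes,
        "opted_out": record.opted_out_of_sale_sharing,
        "audit_entries": len(record.audit_log),
        "share_allowed": may_share_with_vendor(record),
    }


if __name__ == "__main__":
    print(run_sample())
```

Two details are deliberate: only the exact value `1` counts as a signal, and the absence of the header never reverts an earlier opt-out, because a consumer who opted out from one browser has not opted back in by using another. Every hand-off to an ad-tech or analytics vendor should go through the `may_share_with_vendor` gate against stored state rather than re-reading the header at the edge, which is also what gives you the audit trail the last list item asks for.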
Step 6: Document Everything
In enforcement proceedings and litigation, documentation is your defense. Maintain records of your data inventory, security policies, penetration test reports and remediation evidence, access reviews, incident response activities, and consumer rights request fulfillment. The businesses that fare best in CPPA investigations are those that can demonstrate an active, documented security program, not just a set of policies that were written once and never revisited.
Starting point for compliance teams: If you are beginning this process, prioritize encryption implementation, access control documentation, and commissioning a penetration test. These three areas address the most common sources of enforcement exposure and provide the technical foundation that supports every other compliance requirement. Consumer rights infrastructure and the data inventory can be built in parallel but should be complete before you begin substantive marketing to California residents at scale.
Working with a California-Based Security Partner
CCPA and CPRA compliance is not a one-time certification exercise. It is an ongoing security obligation that requires regular testing, continuous monitoring, and documented remediation. Working with a security partner that understands California's regulatory environment, the CPPA's enforcement priorities, and the specific risk profiles of California industries is an advantage that shows up both in the quality of your security program and in how your posture is received by regulators if something goes wrong.
Lorikeet Security works with companies across California, with particular focus on the Los Angeles entertainment, media, and technology sectors and the San Francisco Bay Area's enterprise software and fintech ecosystem. Our penetration testing engagements are structured to produce reports that serve both your security team's remediation needs and your legal team's compliance documentation requirements.
If you are in Los Angeles and need CCPA-aligned security testing, visit our Los Angeles penetration testing page for more information about our local team and engagement process. For Bay Area companies, our San Francisco office serves the full range of California privacy compliance use cases.
You can also review our full security services catalog or go directly to start a testing engagement if you already know what your program needs.
CCPA Compliance Starts with Knowing What You Have
Our penetration testing engagements are scoped to cover the systems and controls that California regulators look at when a breach occurs. Reports are structured for both technical remediation and legal compliance review. We work with entertainment, media, technology, and professional services companies across Los Angeles and San Francisco.