California has finalized new regulations under the California Consumer Privacy Act that address cybersecurity audits, risk assessments, and Automated Decision-Making Technology (ADMT). The California Privacy Protection Agency began rulemaking in November 2024 and set an effective date of Jan. 1, 2026 for the rules generally. Businesses that use ADMT to make significant decisions must comply with ADMT-specific requirements beginning Jan. 1, 2027. The rulemaking drew extensive feedback from tech companies, advocacy groups, and government leaders; concerns that an overly broad ADMT definition would hinder innovation prompted the final regulations to narrow the scope.
The regulations define ADMT as any technology that processes personal information and uses computation to replace or substantially replace human decisionmaking. “Significant decision” is limited to outcomes such as the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, and healthcare services. The rules expressly exclude tools such as firewalls, anti-malware, calculators, databases, and spreadsheets when they do not replace human decisionmaking. When businesses plan to use ADMT for a significant decision they must notify consumers before or at the time of collection and explain, in clear and simple terms, why the technology is being used.
Consumers gain rights to access information about and opt out of ADMT used for significant decisions, though businesses may avoid an opt-out obligation by providing an appeals process to a human reviewer with authority to overturn decisions. The rules require businesses to perform documented risk assessments for ADMT used in significant decisions or specific training purposes and to record the types of personal information processed and the system’s logic. The CPPA expects the regulations to evolve as technology and business practices change. Businesses subject to the CCPA should inventory technologies, establish processes for consumer requests, and consider cross-jurisdictional strategies that align with the European Union’s Artificial Intelligence Act and the Colorado Artificial Intelligence Act.
