California Privacy Protection Agency Finalizes Automated Decision-making Technology Regulations

Posted by: CMR, November 12, 2025

On Sept. 23, 2025, the California Privacy Protection Agency (Agency) finalized its regulations under the California Consumer Privacy Act (CCPA) regarding the use of automated decision-making technology (ADMT) by businesses that operate in California. Employers covered by the CCPA who rely on ADMT tools for employment decisions must now perform thorough risk assessments, issue advance notices before using those tools and honor opt-out and access rights where there is no meaningful human involvement in the decision.

These new rules go into effect Jan. 1, 2026.

Background

The CCPA originally set a July 1, 2020, deadline for the Agency to issue rules governing access, notice, opt-out rights and risk assessments related to automated decision-making technologies. However, due to the complexity of these issues, the rulemaking process took significantly longer than expected. The final regulations weren’t released until after the initial set of CCPA rules was adopted in 2023.

Regulation Overview

The new ADMT regulations apply to personal information belonging to California residents and to businesses that either:

    • Operate in California with gross annual revenues over $26,625,000; or
    • Process large volumes of personal data.

Certain entities are exempt, including:

    • Small businesses;
    • Nonprofits; and
    • Employers that do not have applicants, employees or independent contractors in California.

ADMT refers to any technology that processes personal information and uses computation to replace or substantially replace human decision-making. This includes profiling tools and systems that generate outputs used to make decisions without human involvement. It does not include tools such as web hosting, domain registration, networking, caching, website loading, data storage, firewalls, anti-virus or anti-malware software, spam or robocall filters, spell checkers, calculators, databases or spreadsheets, provided they do not replace human decision-making.

These rules apply when businesses use ADMT to make “significant decisions” about a California consumer. A significant decision is one that results in the provision or denial of services such as financial products, housing, education, employment, contracting opportunities, compensation or health care.

For employers, “significant decisions” include employment-related outcomes such as hiring, work assignments, pay, bonuses, promotions, demotions, suspensions and terminations. Employers can avoid triggering ADMT requirements by ensuring that meaningful human involvement is present in these decisions. To qualify, the human reviewer must:

    1. Understand how to interpret and apply the ADMT output;
    2. Review and analyze the output along with any other relevant information; and
    3. Have the authority to make or change the decision based on that analysis.

Businesses using ADMT for significant decisions before Jan. 1, 2027, must comply with these rules no later than that date. Any business using ADMT on or after Jan. 1, 2027, must comply at the time the technology is used.

An employer’s decision to use ADMT should be based on a careful assessment of compliance obligations, decision volume and frequency, the feasibility of meaningful human involvement, the risk of discrimination or error and the overall cost and operational impact, especially in high-volume scenarios like ranking thousands of applicants, where human oversight may be difficult to scale.

Risk Assessments

A business must conduct a risk assessment before initiating any processing of consumers’ personal information that presents a significant risk to consumers’ privacy. Each of the following processing activities presents a significant risk to consumers’ privacy:

    • Selling or sharing personal information.
    • Processing consumers’ sensitive personal information. Processing employees’ sensitive personal information solely to administer compensation, determine and store employment authorization, manage benefits, provide reasonable accommodations as required by law or report wages does not require a risk assessment; any other processing of consumers’ sensitive personal information does.
    • Using ADMT for a significant decision concerning a consumer.
    • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location or movements, based upon systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee or independent contractor for the business.
    • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior or movements, based upon that consumer’s presence in a sensitive location. “Infer or extrapolate” does not include a business using a consumer’s personal information solely to deliver goods to or provide transportation for that consumer at a sensitive location.
    • Processing the personal information of consumers, which the business intends to use to train an ADMT for a significant decision concerning a consumer; or train a facial-recognition, emotion-recognition or other technology that verifies a consumer’s identity or conducts physical or biological identification or profiling of a consumer. For purposes of this paragraph, “intends to use” means the business is using, plans to use, permits others to use, plans to permit others to use, is advertising or marketing the use of or plans to advertise or market the use of.

Risk Assessment Requirements

Businesses must conduct risk assessments to determine whether the risks to consumers’ privacy from the processing of that personal information outweigh the benefits to the consumer, the business, other stakeholders and the public from that same processing. The risk assessment must:

    1. Clearly state the specific reason for processing personal information; generic terms like “improve services” are not allowed.
    2. Identify and record the specific types of personal information to be processed, including any sensitive categories. It must also ensure that only the minimum amount of personal data necessary to fulfill the stated processing purpose is included.
    3. Document key operational details of the processing, including how personal information will be collected, used, disclosed, retained and sourced; the criteria for retention; how the business interacts with consumers and the purpose of those interactions; the estimated number of affected individuals; any planned or existing disclosures and how they’re delivered; and third parties receiving the data and the reasons for sharing. If ADMT is used, also describe the technology’s logic, its limitations and how its output informs significant decisions.
    4. Identify specific, measurable benefits of processing personal information for the business, consumers, stakeholders or the public. Vague terms like “improving our service” are not permitted.
    5. Identify potential privacy harms to consumers and their causes. These may include unauthorized access or loss of data, discrimination, reduced control over personal information, coerced consent, economic disadvantage, physical or reputational harm and emotional or psychological distress.
    6. Identify and document safeguards the business will implement to address privacy risks. These may include technical controls (e.g., encryption, access management, system monitoring), privacy-enhancing technologies (e.g., differential privacy, federated learning), consultation with external experts on emerging risks and internal policies and training to ensure ADMT functions properly and avoids unlawful discrimination.
    7. Identify and document in the risk assessment report whether the business will initiate the processing that is subject to the risk assessment.
    8. Identify and document in the risk assessment report the individuals who provided information for the risk assessment, except for legal counsel who provided legal advice.
    9. Identify and document in the risk assessment report the date the assessment was reviewed and approved, and the names and positions of the individuals who reviewed or approved it, except for legal counsel who provided legal advice. The assessment must be reviewed and approved by an individual with the authority to decide whether the business will initiate the processing that is subject to the risk assessment.

Timing Requirements for Risk Assessments

Businesses must conduct and document a risk assessment before starting any processing activity that presents a significant risk to consumer privacy. Risk assessments must be reviewed and updated at least once every three years to ensure accuracy.

If a material change occurs, such as a new purpose, expanded data use or increased privacy risks, the assessment must be updated as soon as feasible and no later than 45 days after the change.

Businesses must retain their risk assessments, including original and updated versions, for as long as the processing continues or for five years after the completion of the risk assessment, whichever is later.

Submission of Risk Assessments to the Agency

Businesses must submit the following information to the CPPA:

    1. Business name and contact details (name, phone, email);
    2. Reporting period (month and year);
    3. Total number of risk assessments conducted or updated, broken down by each processing activity;
    4. Whether each assessment involved processing personal or sensitive data categories;
    5. A signed attestation stating: “I attest that the business has conducted a risk assessment for the processing activities set forth in section 7150(b) during the time period covered by this submission, and that I meet the requirements of section 7157(c). Under penalty of perjury under California law, I declare that the submitted information is true and correct;” and
    6. Name, title and certification date of the executive submitting the attestation.

The signer must be a member of executive management with direct responsibility for risk assessment compliance, possess sufficient knowledge of the assessments and have the authority to submit the information. This information must be submitted through the CPPA website. If requested by the CPPA or the attorney general, businesses must provide full risk assessment reports within 30 calendar days.

For processing activities that commenced before the effective date of these regulations and continue after that date, businesses must complete a compliant risk assessment by Dec. 31, 2027, and follow the submission requirements for risk assessments conducted in 2026 and 2027. For risk assessments conducted in 2026 and 2027, the business must submit the required information to the Agency by April 1, 2028.

The Agency may challenge an employer’s conclusion that the benefits of using ADMT outweigh the privacy risks. If the employer fails to implement safeguards or follow documented procedures, the Agency may assert a violation of obligations to maintain “reasonable security procedures” and engage in “reasonably necessary and proportionate” data processing. Even when employers meet these standards, they must still account for the added cost and operational burden of compliance when deciding whether to use ADMT for significant employment decisions.

Pre-use Notice Requirements

Businesses using automated decision-making tools must inform California residents before processing their personal data. This notice must clearly explain:

    • The intended use of ADMT;
    • Individuals’ rights to opt out and request access; and
    • How to exercise those rights.

The notice should be delivered in the same format as the business’s primary interaction with the individual and must appear before or at the time personal data is collected or repurposed for ADMT.

The notice must include:

    • A specific, plain-language explanation of how ADMT will be used;
    • Instructions for opting out or appealing decisions, including any applicable exceptions;
    • Details on how individuals can access information about ADMT related to them;
    • A statement that retaliation for exercising privacy rights is prohibited; and
    • A summary of how ADMT functions, what data influences its output, how decisions are made and what alternative processes apply if someone opts out.

A single, combined notice may be used to cover multiple ADMT tools or purposes, as long as it includes all required information. This applies whether one tool serves several functions, multiple tools serve one function or tools are used systematically for recurring decisions.

To reduce administrative burden, employers may consolidate pre-use notices with other required notices, such as the notice at collection, provided the combined notice includes all required ADMT disclosures. This flexibility allows businesses to streamline compliance while still meeting transparency obligations.

Right to Opt-Out

Businesses must allow consumers to opt out of the use of ADMT for significant decisions, unless specific exceptions apply.

Opt-out is not required if:

    • The business offers a human appeal process where a qualified reviewer can overturn the ADMT decision;
    • ADMT is used solely for evaluating performance in hiring, admissions or acceptance decisions and does not unlawfully discriminate; or
    • ADMT is used only for assigning work or compensation and does not unlawfully discriminate.

Essentially, businesses can use ADMT for hiring decisions without offering an opt-out, as long as the tool is used only to evaluate performance potential and operates fairly without discrimination.

For promotions, demotions, suspensions or terminations, employers may also deny opt-out requests if they offer a meaningful appeal process. To qualify, the human reviewer must:

    • Know how to interpret the ADMT’s output;
    • Analyze it alongside other relevant information; and
    • Have the authority to change the decision based on that analysis.

The reviewer must also consider any information provided by the individual in support of their appeal. The appeal process must be easy to use, clearly explained and comply with applicable notice, timing and verification requirements.

Right to Access

California residents have the right to request details about how ADMT was used to make significant decisions about them. In response, businesses must provide:

    • The specific purpose for using ADMT with respect to the individual;
    • A plain-language explanation of the ADMT’s logic and how it processed personal data;
    • The output generated by the ADMT; and
    • How that output influenced the final decision.

Businesses are not required to disclose trade secrets or information that could compromise security, fraud prevention or safety.

Employer Takeaway

Employers subject to the CCPA must now evaluate and document how they use automated decision-making tools in employment decisions. They must conduct risk assessments, provide pre-use notices and offer opt-out or appeal rights when using automated decision-making tools for significant employment decisions. Employers must also be prepared to explain how their ADMT systems work, what data they rely on and how those systems influence employment decisions, especially when responding to access or appeal requests.

Article Published By: Zywave, Inc.

Author: CMR