In November 2024, the California Privacy Protection Agency voted to proceed with outlining new rules and regulations regarding automated decision-making technology (ADMT), issuing Circular 2024-06. The proposal was one of the first of its kind drafted. We covered this back in January 2025; now that California Privacy Protection Agency (CPPA) regulations have been finalized, we are sharing details on how ADMT is defined in the final text, who it applies to, and a high-level overview of compliance obligations for applicable businesses.
A quick overview
From 2020 to 2023, multiple rounds of rulemaking expanded CCPA obligations. Following this, Circular 2024-06 set the framework for the next steps in 2025. On September 23, 2025, the CPPA finalized regulations for using automated decision-making technology in cybersecurity audits and risk assessments.
The new regulations address cybersecurity measures and risk assessments, with a focus on regulating AI and automated decision-making technology. This includes AI‑driven tools used for:
- Hiring and promotion screening
- Employee monitoring and productivity scoring
- Fraud detection
- Eligibility determinations
- Consumer profiling
How the CPPA defines ADMT
According to the updated regulations, “Automated decision-making technology, or ADMT, means any technology that processes personal information and uses computation to replace human decision making or substantially replace human decision making.”
What qualifies as “substantially replacing human decision making”
“Substantially replacing human decision making” is defined as technology that makes decisions without human involvement. The CPPA does not rule out using technology altogether, but sets specific guidelines to help businesses understand when and how technology can be used to assist in decision-making and when it crosses into a territory that lacks sufficient intervention. Human review and involvement require:
- A comprehensive understanding of how to interpret and use outputs to make decisions
- Reviewing and analyzing the output and relevant information that is relevant to making or overriding decisions
- Authorized personnel analyzing the output and relevant information
Compliance with legal obligations also involves using an opt‑out mechanism that is clearly communicated and easy to use, conducting cybersecurity audits, providing an appeal mechanism, and providing access to explanations and a list of detailed rights for consumers.
Who it applies to
The finalized regulations generally apply to for-profit organizations conducting business in California that meet the following thresholds:
- Annual gross revenue exceeding US $25 million
- Buying, selling, or sharing personal information of 100,000 or more California consumers or households
- Deriving 50% or more of annual revenue from selling or sharing personal information
The updated regulations became effective as of January 1, 2026. Starting on January 1, 2027, ADMT‑specific requirements will become enforceable.
Compliance obligations overview
The finalized regulations address cybersecurity audits and risk assessments related to businesses using ADMT. Businesses that use ADMT for a business use-case scenario are required to:
- Provide clear notices explaining the purpose ADMT will be used for and the data involved before decisions based on ADMT are made.
- Offer consumers an opt‑out from ADMT decisions under most circumstances.
- Enable access and explanation of rights, including the logic used and how ADMT outputs affect decisions.
- Provide an appeal mechanism with meaningful human review and defined response timelines.
Along with detailed regulations that help businesses understand how ADMT can be used to inform decision-making, the finalized regulations define key consumer rights and definitions. For more information about these recent regulations, including detailed responsibilities for applicable businesses and consumer rights, take a closer look here.
Setting the groundwork for potential future regulations in other states
California’s latest regulations represent one of the most comprehensive state‑level frameworks governing automated decision‑making in the United States. As adopting AI and automated tools to assist with roles becomes more common, California’s framework may pave the way for other states considering similar regulations. Additionally, this may also apply to employers that operate across state lines.
Verified Credentials will attempt to provide updates on revisions and new laws that affect employers as more information becomes available.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
