California regulators unanimously approved a sweeping set of new regulations mandating significant changes for businesses subject to the California Consumer Privacy Act (CCPA). These rules focus heavily on the use of Automated Decision-Making Technology (ADMT) and impose new obligations regarding pre-use notices and consumer opt-out rights.Businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.
What Qualifies as ADMT?
The regulations define ADMT broadly: any technology that processes personal information and uses computation to replace, or substantially replace, human decision making. This definition captures a massive range of tools commonly used by businesses, including resume screeners, scheduling software, productivity monitoring applications, and systems used to influence hiring, promotion, or discipline. Crucially, the “substantially replace” language means businesses cannot simply rely on a nominal human review to avoid compliance obligations.
For employers is it important to note that this new definition and additional rules augument the earlier ADMT regulations finalized by the California Civil Rights Department (CRD), which apply only in the employment context to prevent discrimination.
The Focus on “Significant Decisions”
The CPPA’s rules are triggered only when ADMT is used to make a “significant decision”. A significant decision is one that results in the provision or denial of key services, including:
- Financial or lending services (e.g., extension of credit, checking accounts).
- Housing.
- Education enrollment opportunities (e.g., admission, suspension, or expulsion).
- Employment or independent contracting opportunities, compensation, and workplace discipline.
- Healthcare services.
The Mandate for Pre-Use Notice
Before deploying any ADMT for a significant decision, businesses must issue a clear and accessible pre-use notice to all affected individuals, including job applicants and employees. This notice is detailed and must explain several key factors:
- The purpose for which the ADMT is being used.
- How to opt out of the ADMT’s use, or how to appeal the ADMT decision to a human reviewer if an opt-out is not permitted.
- The consumer’s right to access relevant ADMT data and how to exercise that right.
- A description of the non-retaliation rights under the CCPA.
- An explanation of how the ADMT works and how the significant decision would be made if the consumer opts out.
Your Next Steps for ADMT Compliance
Businesses currently using ADMT for significant decisions have until January 1, 2027, to issue compliant notices. For any new deployment on or after that date, the notice must be provided before the technology is used.
We strongly recommend businesses begin the process of identifying all ADMTs used across the entire organization now. Given that these notices must be customized to address the particular constituent and the ADMT used, they are not “plug-and-play” documents.
Continue your compliance planning with our guide on CCPA Risk Assessments and CCPA Cybersecurity Audits.
This material is provided for informational purposes only. It is not intended to constitute legal advice, nor does it create a client-lawyer relationship between ANR Law and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material.
