California’s Automated Decisionmaking Technology Regulations: Seven Steps for Employers

Effective January 1, 2027, many California employers must comply with a challenging and detailed set of new requirements before using automated decisionmaking technology (ADMT) for certain employment actions (“Covered ADMT”). These requirements include documented risk assessments, pre-use notices, changes to privacy policies, vendor provisions, and compliance with rights to opt out and obtain more information about the use of the Covered ADMT. Practical compliance will entail new administrative processes and coordination with other legal requirements. To meet this deadline, California employers should start preparing now. Below, we discuss seven key steps for employers in complying with California ADMT regulations.

Since 2023, the California Consumer Privacy Act (CCPA) has required for-profit employers with more than $25 million in annual gross revenues that do business in California (“California Employers”) to implement comprehensive privacy programs to protect the personal information of California job applicants, employees, or independent contractors. In late 2025, California approved a new set of regulations implementing the CCPA. These regulations include detailed rules on the use of ADMT to “replace human decisionmaking or substantially replace human decisionmaking” on certain employment decisions.¹ Given the high probability that Colorado’s artificial intelligence law will be amended, California’s ADMT regulations likely will impose the most comprehensive set of rules on the use of ADMT, including artificial intelligence, in the United States.

1. Determine Whether the ADMT Requirements Apply

Given the pervasive use of automated tools across modern workplaces, identifying which automated processes fall under the ADMT regulations may initially seem overwhelming. A useful first step is to evaluate processes for each of the seven types of employment-related “significant decisions” identified in the regulations—hiring; allocation of work; compensation; promotion; demotion; suspension; and termination—to determine whether the company uses ADMT to replace, or substantially replace, human decisionmaking in these areas.²

This threshold inquiry is critical. The regulatory framework is not triggered by every use of technology, but rather by systems used to make “significant decisions” about California residents. Accordingly, California Employers should carefully analyze how each tool operates in practice, including the decision at issue, the degree of human involvement, and whether decision-makers can meaningfully review or override those outputs.

California Employers can then evaluate whether and the extent to which the ADMT regulations apply, looking both at the scope of the regulations and the CCPA’s exemptions. For example, the CCPA applies only with respect to the personal information of California residents. ADMT used to make decisions about residents of other states doesn’t fall under the CCPA. In addition, the CCPA exempts certain categories of personal information, for example, information subject to the Health Insurance Portability and Accountability Act (HIPAA) and, generally, data collected as part of the background check process. 

2. Evaluate Whether to Reconfigure Processes or Technology to Limit Application of the ADMT Regulations

Given the operational and compliance burdens associated with the ADMT regulations, employers may want to consider modifying their practices to avoid the requirements. Crucially, the ADMT regulations do not apply if the company interjects adequate human review into the decisionmaking process. For the human review to be adequate, the regulations require that the reviewer (a) know how to interpret the ADMT’s outputs, (b) analyze the ADMT’s output and any other information relevant to the decision, and (c) have the authority to make or change the decision based on that analysis. In practice, this may require both policies and procedures to ensure adequate human review, and training for the reviewers. 

Other steps can reduce the requirements applicable to the use of Covered ADMT. For example, California Employers need not provide California residents with the option to opt out of Covered ADMT for hiring if the employer uses the Covered ADMT solely to assess the applicant’s ability to perform at work and ensures that the Covered ADMT works properly and does not unlawfully discriminate.³ 

In short, employers should approach this analysis as a cost-benefit exercise by weighing the cost of steps to avoid ADMT requirements against the costs of compliance with the ADMT regulations. In many cases, modest adjustments to governance and system design can significantly reduce regulatory exposure while preserving the efficiencies that motivated adoption of the technology.

3. Conduct Robust Vendor Due Diligence and Contract Negotiation

If a vendor providing ADMT tools has not yet been engaged, the California Employer should vet the vendor and the ADMT tool to determine whether the company can use the tool in compliance with the ADMT regulations. This review should extend beyond the ADMT framework to encompass other applicable laws, including privacy, data security, anti-discrimination, and broader employment law obligations. In particular, California Employers should evaluate the tool’s design, inputs, outputs, and validation processes, including any evidence of bias testing or disparate impact analysis, to ensure the system can be lawfully used in practice. 

California Employers should also negotiate contractual provisions that both satisfy regulatory requirements and meaningfully allocate risk. In addition to including provisions required by the CCPA regulations in the contracting process, California Employers should address compliance representations, cooperation obligations (e.g., support for risk assessments and regulatory inquiries), data usage and retention limitations, audit rights, and indemnification for regulatory or litigation exposure arising from the vendor’s technology.

Where a vendor relationship is already in place and there is little room to renegotiate or choose another vendor, California Employers should nonetheless proactively engage with the vendor to mitigate compliance risk. For example, vendors may be able to provide risk assessment templates, technical documentation, or prior audit reports, including bias audits. The vendor also may offer configuration options that could help the company reduce compliance burdens. For example, the tool might enable human review, thereby avoiding application of the ADMT regulations. Configuration options also might facilitate responding to requests from California residents to exercise their rights to opt out and access information about ADMT decisions.

4. Conduct the Risk Assessment

If the ADMT regulations apply, the company must conduct a risk assessment to determine whether the risks to privacy of using the ADMT outweigh the benefits to the individual, the business, other stakeholders, and the public. For new uses of Covered ADMT, the risk assessment must be completed before the company uses the ADMT. The process also must include employees whose job duties relate to the processing. This means that, for the use of ADMT for employment purposes, HR staff likely must participate in the risk assessment. The risk assessment itself must be documented, cover at least six enumerated topics, and be reviewed and approved by at least one participant in the decision to use the Covered ADMT. Given this burdensome process, California Employers should give themselves substantial lead time to complete the risk assessment. We discuss the risk assessment process in greater detail in our companion article, California Risk Assessments: Seven Steps for Employers | Littler.⁴

5. Assess and Operationalize Responding to Data Rights

If, after completing the risk assessment, a California Employer decides to proceed with the Covered ADMT, the employer should evaluate whether its use of ADMT is subject to the opt-out provisions. The statute provides two sets of exceptions. One applies when the California Employer offers an appeal process conducted by a human reviewer with the authority to overturn the decision. The remaining exceptions apply to hiring, compensation, and work assignment decisions, but only when the ADMT is used solely for one of these decisions and the ADMT is effective and nondiscriminatory.

If no exception applies, California Employers should operationalize their response to requests to opt out, access information about ADMT, and obtain a human review. In practice, employers should consider designating a point of contact to monitor and track these requests, developing written procedures for intake and timely response, and establishing an escalation path to legal or compliance teams when complex or sensitive issues arise. A tracking process can help ensure responses are completed within statutory deadlines. 

In addition, companies might periodically review the flow of requests to determine whether to reallocate resources. Thus far, California Employers generally have received few requests to exercise CCPA rights in the employment context, but it is hard to predict how the new ADMT-specific rights may change the volume of requests. The company’s legal department might start by responding to requests on a case-by-case basis. If the volume of requests turns out to be overwhelming, the company could implement procedures and train compliance or HR personnel to handle at least common or straightforward fact patterns.

6. Draft or Revise Notices

The next step is drafting the pre-use notice. The regulations require a pre‑use notice that explains to California residents how the technology will be used and what rights they have with respect to it. California Employers will have to gather substantial information about how the technology works and how the company plans to use the technology to correctly comply with this notice requirement.

The pre‑use notice must provide an easy to understand explanation of how the ADMT works in practice, including the categories of personal information it relies upon, the type of output it generates (e.g., scores, predictions, recommendations), how that output factors into a decision, and how decisions will be made if an individual opts out of ADMT. 

In addition, the notice must explain the individual’s right to opt out of ADMT and how to exercise that right. The regulations require offering at least two methods for submitting opt‑out requests. If the California Employer relies on one of the narrow statutory exceptions to the opt‑out requirement, the notice must identify which exception applies. Likewise, if the California Employer uses the “human appeal” exception, the notice must explain the individual’s right to appeal the decision and provide instructions on how to submit the appeal.⁵

The pre-use notice must also describe the individual’s right to access information about how ADMT will be used with respect to them, how to submit an access request, and that the California Employer may not retaliate for exercising any CCPA right.

As with the CCPA’s notice at collection, the pre‑use notice should be provided before the California Employer begins processing any personal information using ADMT. Employers may incorporate the pre‑use notice into existing notices at collection or privacy policies and may consolidate disclosures for multiple ADMT uses. If the company maintains the privacy policy separate from the pre-use notice, the privacy policy should be updated to include basic details about the use of Covered ADMT.

7. Review, Evaluation, and Retention

Risk assessments must be reviewed at least once every three years and updated within 45 calendar days of any material change to the processing activity. In practice, California Employers should consider monitoring the ADMT process on an ongoing basis. Even if the ADMT remains unchanged, the workforce population does not. Roles shift, hiring patterns evolve, and employee demographics fluctuate, all of which may impact the output by introducing unintended bias or disparate impact. Regular monitoring helps ensure the ADMT continues to operate as intended and remains aligned with the purposes the company initially disclosed. 

Finally, the California Employer should ensure it retains inputs, outputs, and information about how the ADMT works in accordance with legal considerations. Depending on the employment decision at issue, multiple California and federal laws may require retention of these records for statutory periods. In particular, the new automated-decision system regulations under California’s Fair Employment and Housing Act will generally require retention of inputs to, and outputs from, Covered ADMT for four years.⁶ Although FEHA’s definition of covered automated-decision systems differs in some regards from the CCPA’s definition of Covered ADMT, the two definitions largely overlap. 

Conclusion

California’s ADMT regulations will require employers to take a more deliberate, documented, and transparent approach to the use of automated tools in employment decisions. With compliance obligations spanning risk assessments, vendor management, privacy disclosures, and individual rights processes, preparation will demand early coordination across legal, HR, privacy, and technical teams. Employers that begin evaluating their technologies and practices now will be better positioned to mitigate risk, maintain operational flexibility, and meet the January 1, 2027, compliance deadline with confidence.

For more about the CCPA, please see our webpage www.littler.com/ccpa