California’s Long-Awaited Final Regulations on Automated Decisionmaking Create New Compliance Challenges for Employers

After a lengthy rulemaking process, the California Privacy Protection Agency (the “Agency”) has finalized regulations under the California Consumer Privacy Act (CCPA) governing the use of automated decisionmaking technologies. These new rules—set to take effect on January 1, 2026—impose the most stringent requirements in the United States on employers’ use of artificial intelligence and other automated tools in employment decisionmaking.¹ 

Employers subject to the CCPA who use automated decisionmaking technology (ADMT) for employment-related decisions, without meaningful human involvement, must now conduct detailed risk assessments, provide pre-use notices, and honor certain opt-out and access rights. Given the complexity and operational burden of these requirements, employers should begin preparing now to evaluate their use of these technologies and implement compliance frameworks. 

Background

The CCPA required the Agency to adopt regulations addressing access, notice, and opt-out rights for automated decisionmaking technology, as well as risk assessments for high-risk processing of personal information on or before July 1, 2020.² Due to the complexity of the topic, these regulations were delayed well beyond the initial deadline and follow the first round of CCPA regulations approved in 2023. 

As with other CCPA provisions, the new regulations apply only to the personal information of California residents and generally only to businesses that (a) do business in California and (b) either have gross annual revenues exceeding $26.6 million or process large volumes of personal data.³ Small employers, non-profit organizations, and employers that do not have applicants, employees, or independent contractors in California need not comply with the CCPA or its regulations.

Scope of the Regulations

The regulations apply to ADMT used to make “significant decisions” about California residents. Of relevance to employers, “significant decisions” include decisions that result in the provision or denial of employment or independent contracting, including hiring, assignment of work, compensation, promotion and demotion, and termination.⁴ The regulations define ADMT broadly as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.”⁵ This explicitly includes so-called profiling technologies: technologies that “analyze or predict” such human characteristics as “intelligence, ability, aptitude, performance at work, …[or] reliability ….”⁶ 

This expansive definition potentially distinguishes the CCPA regulations from artificial intelligence laws like New York City’s Local Law 144 or the EU AI Act, which focus on systems that infer or learn. Even simple rule-based tools—such as an algorithm that screens out applicants lacking a certification—may fall within the scope of the regulations.  

However, employers can remove such technologies (as well as more sophisticated AI technologies that infer or learn) from the ADMT regulations entirely by ensuring that employment decisions are made with meaningful human involvement. For the human involvement to be adequate, the regulations require that the decisionmaker (a) knows how to interpret the ADMT’s outputs, (b) analyzes the ADMT’s output and any other information relevant to the decision, and (c) has the authority to make or change the decision based on that analysis. 

While the required degree of human involvement may not be practical in some situations, such as when AI technology ranks thousands of online job applicants for only a few available positions, meaningful human review of AI outputs could be feasible, for example, when a manager uses outputs to evaluate the performance of individual employees. Consequently, before rolling out AI tools to evaluate applicants or employees, employers should consider weighing the burden of meaningful human involvement against the cost of compliance with the ADMT regulations. 

Risk Assessments

Employers must conduct a risk assessment before using ADMT to make a significant decision.⁷ The risk assessment must evaluate whether the privacy risks of the ADMT outweigh its benefits to the consumer, the business, and other stakeholders. If the risks outweigh the benefits, the employer may not proceed with its use unless it can take steps to sufficiently mitigate the risks.

The risk assessment must cover seven factors, including the purposes for using the ADMT, how the ADMT’s logic works, possible negative impacts, planned safeguards, and policies and procedures to limit the negative impacts. The risk assessment must, at minimum, be reviewed and approved by someone with the authority to decide whether or not the business will move forward with using the proposed ADMT. The company must update the risk assessment every three years or when there is a material change in the ADMT used to make significant decisions. 

Importantly, this is not a purely internal exercise. Employers must:

• Document the assessment;
• Obtain a written attestation from a company executive;
• Submit information regarding the assessment to the CPPA; and
• Provide an unabridged copy of the risk assessment to the Agency within 30 days upon request.

These requirements raise the stakes for compliance. The Agency may disagree with the employer’s assessment that the benefits of the ADMT outweigh the risks. In addition, if an employer fails to follow its own safeguards or procedures, the Agency may take the position that the employer has violated the Agency’s mandates for “reasonable security procedures” and “reasonably necessary and proportionate” data processing.⁸ Even in best-case scenarios, employers will have to factor in the additional cost and effort of compliance when determining whether to use ADMT to make significant hiring or employment-related decisions.

Pre-Use Notice Requirements

At or before collecting personal information for use in ADMT to make significant decisions, employers must provide a pre-use notice to California residents.⁹ This notice must explain:

• The specific purpose of the ADMT;
• How the ADMT makes the significant decision;
• Categories of personal information that affect the output;
• The type of output; and
• How that output would be used to make a significant decision. 

The notice must also inform individuals of their rights to access information about the ADMT, opt out, and appeal decisions. The notice must describe how to exercise these rights and that the employer will not retaliate against individuals for doing so.

The pre-use notice adds to the many other notices now required by the CCPA, including the notice at data collection, the privacy policy, a notice about sales and sharing of personal data, among others. Moreover, the regulations stipulate that the company must provide the required information about purposes, output, etc. for each separate set of significant decisions made by the ADMT.

However, the regulations also explain that a company can consolidate information about different uses and types of ADMT into one pre-use notice, as long as that notice includes the information for each ADMT used to make a significant decision. In addition, neither the regulations nor the CCPA itself prohibits an employer from further consolidating by including the pre-use notice in other notices, for example, a pre-use notice about the use of ADMT for hiring in a notice at collection for applicants. This may reduce some of the administrative burden on employers of tracking and updating multiple notices.

Right to Opt Out

The final regulations significantly narrow the right to opt out of ADMT to make a significant decision compared to earlier drafts. Although the regulations confer on California residents the right to opt out of an employer’s use of ADMT to make a significant decision about the individual, the right is subject to two sets of broad exceptions.¹⁰

Hiring, assignment, and compensation decisions: 

First, employers may deny opt-out requests for these decisions if the ADMT is used solely for a hiring, assignment of work, or compensation decision and the employer ensures that the ADMT works for its intended purpose and does not discriminate. 

Post-decision human review exception:

Second, for other decisions—such as promotion, demotion, suspension, or termination—the opt-out right does not apply if the employer offers a meaningful appeal process involving a human reviewer. The human review must satisfy the same three factors for human involvement that remove the use of technology from the regulations’ definition of ADMT. The human reviewer must (a) know how to interpret the ADMT’s outputs, (b) analyze the ADMT’s output, and (c) have the authority to make a decision based on that analysis. In addition, the human reviewer must consider the information provided by the California resident in support of the appeal. In essence, the opt-out right does not apply if the California resident has the option to require the employer to reconsider the decision without ADMT.

Right to Access

California residents have a right to obtain information about how the ADMT made a significant decision about the individual.¹¹ In response to a request for access from an individual who has been subject to a significant decision by ADMT, the business must provide, in plain language:

• The specific purpose for which ADMT was used with respect to this individual;
• A description of the ADMT’s logic that clearly explains how the ADMT processed personal information to generate the output;
• The output; and
• How the business used this output with respect to this individual. 

The regulations note that, in responding to such requests, the business need not disclose trade secrets or information that would compromise security, fraud prevention, or human safety.

Comparison to California’s Automated Decision Systems in the Workplace

In a parallel development at the legislative level, California’s governor is expected to sign Senate Bill (SB) 7 (titled “Automated Decision Systems in the Workplace”) within days. This law generally would be less burdensome than the ADMT regulations, but it would apply more broadly. Like the ADMT regulations, SB 7 requires a detailed notice to workers about the employer’s use of automated decision systems (ADS) to make employment decisions. In contrast to the ADMT regulations, SB 7 also requires that employers provide a separate notice to workers if the employer makes certain adverse decisions based on ADS. SB 7 does not provide a right to opt out. Instead, it prohibits employers from making discipline, termination, or deactivation decisions based solely on ADS. SB 7 also lacks the detailed risk assessment requirements of the new regulations. However, SB 7 applies to all California employers, as opposed to the limited scope of the CCPA.

Key Takeaways for Employers

The CCPA’s ADMT regulations represent a major shift in how employers must approach the use of automated tools in employment decisions. To prepare for the January 1, 2026, effective date, employers should consider:

• Inventorying all automated technologies used in employment decisions;
• Assessing applicability of the CCPA and these regulations;
• Conducting risk assessments and developing policies and procedures;
• Drafting compliant pre-use notices; and
• Establishing processes to comply with rights requests.