As of January 1, 2026, the California Privacy Protection Agency's final regulations on Automated Decision-Making Technology (ADMT) are in force. Businesses that use ADMT to make significant decisions affecting California residents have until January 1, 2027 to comply — including deploying a pre-use notice, honoring opt-out requests through at least two methods, and completing a formal risk assessment. The clock is running.
Your HR platform auto-ranks job applicants. Your lending tool scores creditworthiness. Your insurance underwriting model classifies risk. Under CPRA's new ADMT rules, using any of these systems for a "significant decision" without giving affected California residents advance notice and an opt-out path is a violation — not a future risk, but a present one.
Key Takeaways
- ADMT compliance under CPRA applies to any business using automated decision-making in employment, lending, housing, healthcare, or education decisions affecting California residents — the January 1, 2027 deadline is firm.
- Businesses must provide a pre-use notice describing how the ADMT works, what personal information it uses, what decisions it outputs, and what happens if the consumer opts out before using the system.
- An exception exists if the business offers a genuine human-review alternative — but the reviewer must have actual authority to override the ADMT output, not serve as a formality.
What the CPPA's Final ADMT Rules Actually Cover
The California Privacy Protection Agency adopted the final ADMT regulations on September 22, 2025. They became effective January 1, 2026. This is distinct from the general CCPA/CPRA statute, which has been in force since 2020 — the new regulations layer specific ADMT-related rights and obligations on top of the existing framework.
One scope boundary matters before diving into the requirements: the regulations apply when a business uses ADMT to substantially replace human decision-making, not when ADMT merely facilitates or assists it. The CPPA narrowed this from an earlier draft that used "substantially facilitate" — meaning a business whose ADMT informs a human decision without replacing it may fall outside the regulation's scope. If a human genuinely reviews and decides independently, the opt-out and notice obligations may not apply. The human-review exception below explains what "genuinely" requires.
Three categories of requirement apply:
1. Pre-use notice. Before using ADMT to make a significant decision about a California consumer, businesses must provide a notice that covers what the ADMT is and how it works, what categories of personal information affect its outputs, what outputs it generates, how those outputs feed into the decision, what the alternative decision-making process looks like if the consumer opts out, and a statement that the business will not retaliate against consumers who exercise their rights.
This notice can be incorporated into the CCPA notice at collection — it does not have to be a standalone popup. For businesses using multiple ADMT systems, the notice can be consolidated across them for a single or related set of purposes.
2. Opt-out right. Businesses must give California consumers the ability to opt out of ADMT being used in significant decisions. At least two opt-out methods must be available, and at least one must match the primary channel through which the business interacts with the consumer. If the consumer usually interacts via the business's mobile app, one opt-out method must be accessible through the app.
Businesses must also confirm to consumers that their opt-out has been processed. This confirmation requirement applies whether the opt-out came through a banner, a link, or a Global Privacy Control (GPC) signal. The confirmation cannot be delayed — the CPPA's 2026 regulations make clear that silence does not equal compliance.
3. Right to access. Consumers may request information about the business's use of ADMT in decisions that affected them. This access right overlaps with existing CCPA access rights but specifically covers ADMT outputs and their role in specific decisions.
What "Significant Decision" Means
The regulations define significant decisions as those affecting employment or hiring, financial services and lending, housing, education enrollment, and healthcare. Advertising — even personalized or behavioral advertising — is explicitly excluded from the ADMT significant decision framework.
This scope matters for how businesses should approach their ADMT inventory. A recommendation algorithm for product pages is not covered. An AI tool that ranks job applicants, scores a mortgage application, determines insurance premium tiers, or recommends a treatment protocol is covered. The distinction is not about the sophistication of the algorithm but about what decision the output feeds into.
The Human-Review Alternative
Businesses can avoid the opt-out obligation for ADMT in significant decisions if they offer an alternative decision-making process that is genuinely human-led. The regulations specify three requirements for this alternative to qualify:
- The human reviewer must understand how to interpret the ADMT's output — not just receive it as a number or score without context.
- The reviewer must analyze the output alongside other relevant information about the individual.
- The reviewer must have the actual authority to make or modify the final decision based on their analysis.
The third requirement is the one that most existing processes fail. A compliance step in which a human sees an ADMT output and rubber-stamps it without authority to disagree does not satisfy this exception. Behavioral indicators that a review process fails the third prong include:
- Override rates at or near zero across a statistically significant sample of reviews
- Average review times under 60 seconds per case (insufficient for genuine analysis)
- Reviewer agreement rates with ADMT output above 99%
- Reviewers who lack organizational authority to reach a different outcome than the system produces
- No documentation of supplementary information consulted alongside the ADMT output
If your compliance audit surfaces any of these patterns, the human-review exception is unavailable regardless of what your process documentation says.
ADMT Risk Assessments: 2027 Deadlines and What They Must Cover
The ADMT regulations are paired with a mandatory risk assessment obligation. Businesses that use ADMT for significant decisions must complete a risk assessment that evaluates potential negative impacts on consumers, including discrimination, economic harm, reputational harm, and interference with consumers' ability to make informed choices.
Initial risk assessments must be completed by December 31, 2027. Businesses must then submit an attestation to the CPPA — confirming assessments were completed and providing a summary — by April 1, 2028. Risk assessments must be reviewed at least every three years, and updated within 45 days of any material change to the ADMT or the purposes for which it is used. The attestation is submitted under penalty of perjury by an authorized executive — individual officer-level exposure, not just a corporate compliance checkbox.
The CPPA has made clear it will enforce these obligations. In September 2025, it issued its largest-ever administrative penalty: a $1.35 million settlement against Tractor Supply Company for CCPA violations including defective opt-out mechanisms and inadequate privacy notices. ADMT-specific enforcement actions are coming: CPPA Deputy Director of Enforcement Michael Macko stated at the September 2025 Board meeting that the agency receives 150 consumer complaints per week and has hundreds of open investigations running simultaneously. Individual violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation, with no statutory cap on aggregate exposure.
| Requirement | Deadline |
|---|---|
| ADMT pre-use notice and opt-out in place | January 1, 2027 |
| Initial risk assessments completed | December 31, 2027 |
| Risk assessment attestation submitted to CPPA | April 1, 2028 |
| Cybersecurity audit certification (deadline staggered by revenue tier through April 2030) | April 1, 2028–2030 |
What Changed in the 2026 CCPA Regulations Beyond ADMT
The same regulatory package that finalized ADMT rules also introduced two other changes affecting consent infrastructure.
Closing a popup is not consent. Under the 2026 regulations, navigating away from or closing a consent request popup — without explicitly clicking an accept button — does not constitute consent. Businesses that have been treating banner close/dismiss actions as implicit agreement to data collection must update their consent logic.
Symmetric opt-out steps. The number of steps required to opt out must be no greater than the number of steps required to opt in. If a consumer can opt in with two clicks, opt-out must be achievable in two clicks or fewer. This rule applies to cookie consent interfaces, ADMT opt-out flows, and any other consent toggle the business presents.
These changes apply to all CCPA-covered businesses from January 1, 2026 — not January 2027. If your consent banner relies on close-to-accept behavior or makes opting out significantly harder than opting in, you are already in violation.
Secure Privacy's Cookie & Consent Solution handles the opt-out signal infrastructure, confirmation dispatch, and consent logging that the 2026 CCPA regulations require — across the 55+ privacy laws its platform covers, including CCPA and CPRA. Businesses can configure opt-out channels per device type, ensuring the mobile app opt-out requirement is met alongside web-based mechanisms.
Frequently Asked Questions
Does the ADMT opt-out rule apply to all businesses using AI tools in California?
Only businesses that are subject to the CCPA and use ADMT to make significant decisions affecting California residents. The CCPA applies to for-profit businesses operating in California that meet at least one of three thresholds: annual gross revenue over $25 million, buy or sell personal information of 100,000 or more California consumers annually, or derive 50% or more of annual revenue from selling California consumers' personal information.
If we already have a DPIA process, does that satisfy the risk assessment requirement?
Not automatically. The CPPA risk assessment has specific content requirements and must address ADMT-specific impacts including discrimination and interference with consumer autonomy. A GDPR-style DPIA may cover overlapping territory but must be adapted to match the CPPA's required scope. Businesses should map their existing DPIA outputs against the CPPA's risk assessment criteria and document where gaps exist.
Can we satisfy the pre-use notice requirement by updating our privacy policy?
The pre-use notice can be incorporated into the CCPA notice at collection, which is separate from the privacy policy. A blanket privacy policy reference that buries ADMT use in general language does not satisfy the specificity requirement — the notice must describe the specific ADMT, its inputs, outputs, and the alternative decision-making process available.
Does the opt-out right apply to ADMT used internally — for example, in employee scheduling or performance evaluation?
Yes, if the decisions qualify as significant decisions under the regulations. Employee scheduling is a grey area, but performance evaluation and promotion decisions clearly fall within "employment" significant decisions. HR teams should treat any ADMT system that feeds into performance ratings, promotion recommendations, or termination decisions as covered.
What constitutes a "material change" that triggers a new risk assessment?
The regulations require new assessments when the business makes material changes to its ADMT or the purposes for which it is used. Examples of material changes include switching to a new model, significantly expanding the scope of inputs, applying the ADMT to new decision contexts, or integrating the system with a new data source that changes its outputs.
What are the penalties for ADMT violations under the CCPA?
Individual violations carry $2,500 per unintentional violation and $7,500 per intentional violation under Civil Code 1798.155. There is no statutory aggregate cap, which means a systematic failure — such as a defective opt-out mechanism that affects thousands of consumers — can produce liability in the millions. The CPPA issued its largest-ever fine of $1.35 million against Tractor Supply Company in September 2025 for CCPA violations including broken opt-out infrastructure and inadequate privacy notices. ADMT-specific enforcement actions have not yet been issued, but CPPA Deputy Director of Enforcement Michael Macko stated at the September 2025 Board meeting that the agency receives 150 consumer complaints per week and has hundreds of open investigations running simultaneously — most targets do not know they are under investigation until formal notice arrives.
What happens if we receive an opt-out request before January 1, 2027?
Businesses are not legally required to honor ADMT opt-out requests before the January 2027 deadline under the ADMT-specific regulations. However, other opt-out rights under CCPA — including the right to opt out of the sale or sharing of personal information — apply now. Businesses should treat any consumer expressing concerns about ADMT before the deadline as a customer relations matter and prepare infrastructure to honor the opt-out formally from January 1, 2027.
For enterprise teams building the ADMT compliance program, Secure Privacy's Privacy & AI Governance Platform provides the risk assessment workflow, ADMT registry, and documentation trail that the CPPA's January 2027 and December 2027 milestones require.




