California AI Privacy Laws: Regulating Automated Decision-Making Technology

California’s privacy regime continues to evolve as businesses increasingly use artificial intelligence and algorithmic tools to make decisions about individuals using their data. In 2025, the California Privacy Protection Agency (CPPA) adopted, and the Office of Administrative Law approved, new regulations setting forth requirements for the use of Automated Decision-Making Technology (ADMT) by certain covered entities, as well as new privacy risk assessment and cybersecurity audit obligations. These new regulations supplement the existing California Consumer Privacy Act (CCPA), as previously expanded by the California Privacy Rights Act (CPRA), and took effect on January 1, 2026, with ADMT requirements phased in beginning January 1, 2027.

For-profit businesses operating in California that are covered by these new regulations will now be subject to rules demanding heightened transparency, increased protection of consumer rights and better risk-management practices when using artificial intelligence to make significant decisions about individuals. These regulations reflect California’s broader effort to ensure that AI-driven decisions are explainable, reviewable, and accountable.

What Is Automated Decision-Making Technology (ADMT)?

Automated Decision-Making Technology (ADMT) generally refers to systems that process personal information and use computation (including algorithms, artificial intelligence, or machine learning) to replace human decision-making or to substantially replace human decision-making. A business replaces human decision-making when it uses the output received from a technology or tool to make a decision without human involvement. ADMT may be implicated when AI tools are used in areas such as:

  • Employment or hiring decisions
  • Housing or tenant screening
  • Healthcare determinations
  • Financial services and credit decisions

When these technologies process personal information to make “significant decisions” (including decisions relating to financial or lending services, housing, education, employment or healthcare and excluding decisions relating to consumer advertising), additional obligations under California privacy law may apply.

New Consumer Rights When Businesses Use AI

The CPPA’s final regulations addressing ADMT, risk assessments and cybersecurity audits became effective January 1, 2026. Businesses that use ADMT to make significant decisions (like those referenced above) must comply with the ADMT requirements set forth within the new regulations beginning January 1, 2027. California residents will gain several new protections when it comes to covered businesses utilizing ADMT, including:

  • Advance notice (“Pre-use Notice”) when a business uses ADMT to make a significant decision;
  • The right to opt out of a business’s use of ADMT to make significant decisions (subject to certain limited exceptions);
  • The right to access information about a business’s use of ADMT with respect to the consumer (in plain language, and subject to trade secret and security limitations); and
  • In certain circumstances, the ability to appeal a significant decision to a human reviewer with authority to change the outcome.

In addition to the new protections outlined above, existing CCPA/CPRA rights (including access, deletion and correction rights) continue to apply to personal information used by ADMT systems.

These measures are intended to increase transparency and give consumers more control over how AI technologies affect decisions that impact their lives.

Compliance Requirements for Businesses Using AI

Businesses subject to the CCPA and CPRA that use ADMT in their decision-making should evaluate whether their use triggers compliance with these requirements and, if so, implement appropriate compliance measures. Key focus areas include:

  • Conducting privacy risk assessments for certain higher-risk processing, including using (or training) ADMT for significant decisions, as required by the regulations;
  • Aligning data collection, use and retention with stated purposes and limiting the collection, use and retention of personal information to what is reasonably necessary and proportionate in light of such purposes;
  • Strengthening cybersecurity protections and, for certain businesses whose processing presents significant risks, completing annual cybersecurity audits;
  • Updating privacy policies, notices at collection and consumer-request processes to accurately describe ADMT-related practices and rights; and
  • Documenting and managing the categories of personal information used to develop, train or deploy ADMT systems, including through vendor diligence and contractual controls.

Companies that rely on AI tools when hiring employees, when screening tenants, in connection with financial services or when making other significant decisions should begin reviewing internal systems and third-party platforms now to ensure that they are prepared to meet these obligations ahead of the January 1, 2027 compliance date.

Expanded Definition of Personal Information in AI Systems

Recent legislative updates have broadened how California privacy law defines personal information in the context of artificial intelligence. For example:

  • California Assembly Bill 1008 (AB 1008) clarifies that “personal information” can exist in various formats, including “[a]bstract digital formats” such as “artificial intelligence systems that are capable of outputting personal information”.
  • California Senate Bill 1223 (SB 1223) adds “neural data” to the definition of “sensitive personal information” and defines neural data as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system that is not inferred from nonneural information.”

Which Businesses Must Comply With the CCPA?

The CCPA generally applies to for-profit businesses that do business in California, collect personal information from California residents and meet one or more of the following thresholds:

  • Generates annual gross revenue over $26,625,000 (as CPI-adjusted effective January 1, 2025);
  • Buys, sells, or shares personal information of 100,000 or more California consumers or households; and/or
  • Derives 50% or more of annual revenue from selling or sharing personal information.

Many companies (particularly those with significant online retail or e-commerce platforms) may fall within these thresholds due to the volume of consumer data collected through their websites, apps and digital services.

Preparing for California’s AI Privacy Regulations

With AI regulations continuing to evolve, businesses should begin evaluating how artificial intelligence tools are used within their operations, and determining whether any of these tools qualify as ADMT (particularly those tools used to make significant decisions).

Proactively addressing these requirements through updated disclosures, consumer-rights workflows, risk assessments and governance can help reduce regulatory risk while supporting responsible and transparent use of artificial intelligence.

Copyright ©2026 Fauver, Large, Archbald & Spray, LLP. All rights reserved.