Golden Gate Legal Review · Independent Commentary on Law & Policy
May 21, 2026 · Technology & Intellectual Property

California’s New Rules for Automated Decisions Take Effect

The CPPA's finalized CCPA rules on automated decisionmaking technology took effect in January 2026, with notice, opt-out, and explanation duties phasing in by 2027.

California has finalized the first comprehensive American rules governing how businesses may use software to make consequential decisions about people. On 23 September 2025 the Office of Administrative Law approved a long-debated rulemaking package from the California Privacy Protection Agency, and those rules became effective on 1 January 2026. The package adds three obligations to the California Consumer Privacy Act: cybersecurity audits, privacy risk assessments, and a regime for what the agency calls automated decisionmaking technology, or ADMT. The ADMT provisions are the most novel, because they reach directly into the algorithmic and machine-learning systems that increasingly stand between a person and a job, a loan, an apartment, or a course of medical treatment. With the substantive ADMT duties phasing in by 1 January 2027, the rules give businesses a finite runway to inventory their automated systems and decide when to step back from machine-driven judgment.

What the rules actually cover

The regulations define ADMT as technology that processes personal information and uses computation to replace or substantially replace human decisionmaking. That phrasing is deliberately functional rather than tied to any particular technique. It captures a credit-scoring model, an automated resume screener, and a large-language-model assistant alike, so long as the system is doing the deciding rather than merely informing a human who decides. The agency narrowed the concept during the rulemaking: tools that merely assist a human reviewer who retains genuine authority generally fall outside the core ADMT obligations, a line that will invite argument over how much human involvement counts as real.

The obligations attach when ADMT is used to make a “significant decision.” The rules enumerate the categories: decisions providing or denying financial or lending services, housing, education enrollment or opportunities, employment or independent-contracting opportunities or compensation, and healthcare services. Conspicuously absent is behavioral advertising, which earlier drafts had swept in and which drew sustained business objection. The final scope therefore tracks the domains where an erroneous or opaque automated call carries the heaviest personal consequences, and leaves advertising largely outside this rulebook.

The consumer rights the rules create

For covered uses, the regulations build out a familiar triad of privacy rights, recast for the algorithmic context. A business must give a pre-use notice when it deploys ADMT for a significant decision, describing in plain terms that automated technology will be used. Consumers gain a right to opt out of that processing, subject to enumerated exceptions. And consumers gain an access right that is more demanding than the CCPA’s general access right: a business must be able to explain the logic of the ADMT and how its outputs are used in reaching the decision. That explanation duty is where the rules press hardest against modern machine-learning practice, because the “logic” of a complex model is rarely reducible to a clean, human-legible rationale.

Where the opt-out can be withheld

The opt-out is not absolute. A business may decline to offer it where it instead provides a meaningful human appeal of an automated decision, or where the ADMT is genuinely necessary to a hiring, admissions, or work-allocation process and does not discriminate on protected characteristics. The practical effect is a choice architecture: a covered business must build either an exit (opt-out) or a check (human appeal), but it cannot run a fully closed automated loop on significant decisions without one of them.

A staggered, multi-year runway

Although the rules took effect on 1 January 2026, their teeth arrive on a deliberate schedule. The substantive ADMT duties—notice, opt-out, access, and appeal—phase in with a compliance date of 1 January 2027, giving businesses roughly a year to map their automated systems against the “significant decision” categories and stand up the required consumer-facing mechanisms. Risk assessments must be conducted for covered high-risk processing, with attestations and summaries due to the agency by April 2028. Cybersecurity audit obligations stagger by revenue, with the largest businesses (over 100 million dollars in revenue) facing the earliest April 2028 deadline and smaller firms following in 2029 and 2030. The architecture rewards early inventory work: a business that has already catalogued where it uses ADMT will find each later deadline a documentation exercise rather than a scramble.

Why this rulemaking matters beyond California

No federal statute squarely governs automated decisionmaking, and Congress has not enacted a general AI-governance law. That vacuum gives California’s rules outsized reach. A national lender, employer, or health-services company rarely segregates its decision systems by state, so the path of least resistance is often to apply the California baseline everywhere. For comparison, the European Union’s General Data Protection Regulation has long restricted solely automated decisions with legal or similarly significant effects; California’s approach is narrower in its triggers but more prescriptive operationally, particularly the duty to explain the logic behind an automated decision.

The open questions heading into 2027

Several ambiguities will be litigated or clarified before the obligations bite. The first is the human-involvement line: how much review, by whom, and at what stage converts an automated system into a merely assistive one outside the core duties. The second is the explanation standard—whether a description of a model’s inputs and purpose satisfies the access right, or whether regulators will demand a decision-specific rationale that current architectures cannot readily produce. The third is enforcement posture: the agency has signaled phased compliance, but it retains audit and enforcement authority, and how aggressively it polices the first wave of ADMT disclosures will shape industry practice more than the text alone. None of these is settled as of mid-2026. What is settled is the direction of travel: significant decisions made by machine now carry disclosure, exit, and explanation duties in the largest state economy in the country, and businesses that wait until 2027 to begin will have started late.

This publication offers commentary and analysis on legal developments and does not provide legal advice. Readers tracking the implementation timeline may find related coverage useful through the publication’s ongoing commentary and its case tracker; the privacy questions raised by these rules sit alongside longer-running debates over employee privacy in increasingly monitored workplaces.

Questions readers ask

When did the CCPA’s ADMT regulations take effect?

The full regulatory package—covering ADMT, risk assessments, and cybersecurity audits—became effective on 1 January 2026 after the Office of Administrative Law approved it on 23 September 2025. The substantive ADMT duties carry a later compliance date of 1 January 2027.

What is “automated decisionmaking technology” under the rules?

It is defined as technology that processes personal information and uses computation to replace or substantially replace human decisionmaking. The definition is function-based, so it can reach scoring models, automated screeners, and AI assistants alike, provided the system is effectively making the decision.

Which decisions trigger the ADMT obligations?

Only “significant decisions”—those providing or denying financial or lending services, housing, education enrollment or opportunities, employment or independent-contracting opportunities or compensation, and healthcare services. Behavioral advertising, included in earlier drafts, was left out of the final scope.

Do consumers have a right to opt out of automated decisions?

Generally yes, for covered significant decisions, subject to exceptions. A business may decline to offer an opt-out where it instead provides a meaningful human appeal, or where the ADMT is necessary to a non-discriminatory hiring, admissions, or work-allocation process.

What does the “access” right require a business to disclose?

The business must be able to explain the logic of the ADMT and how its outputs are used in the decision. This explanation duty is more demanding than the CCPA’s general access right and presses against the opacity of complex machine-learning models.

Is behavioral advertising covered?

Not under these significant-decision rules. Advertising was a focus of earlier drafts but does not fall within the enumerated significant-decision categories in the finalized regulations.

When must businesses comply with the ADMT requirements?

The ADMT-specific duties—notice, opt-out, access, and appeal—phase in with a compliance date of 1 January 2027, giving businesses time after the 1 January 2026 effective date to build the required mechanisms.

What about cybersecurity audits and risk assessments?

Risk assessments for high-risk processing must be conducted, with attestations due to the agency by April 2028. Cybersecurity audit deadlines stagger by revenue: April 2028 for the largest businesses, then 2029 and 2030 for smaller firms.

Is there a federal law that does the same thing?

No general federal statute squarely governs automated decisionmaking, and Congress has not enacted a comprehensive AI-governance law. That gap is part of why California’s rules are likely to influence national compliance practice.

How does this compare to European law?

The EU’s GDPR restricts solely automated decisions with legal or similarly significant effects. California’s rules are narrower in their triggers but more prescriptive operationally, especially the requirement to explain the logic behind an automated decision.

What remains unresolved as the 2027 deadline approaches?

As of mid-2026, key questions remain open: how much human involvement removes a system from the core duties, what level of explanation satisfies the access right, and how aggressively the agency will enforce the first wave of ADMT disclosures.

Diane M. Calloway

Contributing Editor · Constitutional Law

Diane M. Calloway writes on the Fourth Amendment, digital privacy, and appellate procedure. A former appellate clerk, she follows how courts apply older search-and-seizure doctrine to new surveillance technology.