California Automated Decision-Making Technologies (CPPA Regulations)
California's ADMT regulations require risk assessments, cybersecurity audits, and consumer protections for automated decision-making technologies. Applies to ALL California businesses using AI for consequential decisions. Compliance deadline: January 1, 2027.
California's ADMT (Automated Decision-Making Technology) regulations, enforced by the California Privacy Protection Agency (CPPA), represent one of the most comprehensive state-level frameworks for regulating AI systems used in consequential decisions about consumers. Effective January 1, 2027, these regulations apply to virtually all California businesses using automated systems to make or substantially assist in decisions that have legal or similarly significant effects on consumers.
The scope is deliberately broad. ADMTs include systems used in housing decisions, credit and financial services, education and employment, healthcare access, insurance underwriting, and access to public accommodations and government services. This expansive definition means that businesses across nearly every sector must evaluate whether their AI systems fall under ADMT requirements.
Key compliance obligations include conducting regular risk assessments to identify potential harms to consumers and groups, implementing cybersecurity controls aligned with the NIST Cybersecurity Framework, providing pre-use notices to consumers about ADMT usage, establishing opt-out mechanisms and alternative decision-making processes, maintaining detailed documentation of data sources and decision logic, and implementing human review and appeal procedures for automated decisions.
Both regulations address AI in employment decisions but with different emphases and timelines. NYC Local Law 144 is narrowly focused on bias audits for hiring tools and is already in effect. California's ADMT regulations are broader, covering all automated employment decisions (not just hiring) and requiring comprehensive risk management rather than just statistical bias testing.
For employers operating in both jurisdictions: NYC compliance is immediately required. California's January 2027 deadline may seem distant, but the comprehensive nature of ADMT requirements means preparation should begin now. However, NYC Local Law 144 creates the foundation organizations that achieve NYC compliance will find many processes transfer to California ADMT requirements.
Start with NYC AEDT ComplianceThe core of ADMT compliance is the annual risk assessment. Unlike simple bias audits, these assessments must comprehensively evaluate potential harms across multiple dimensions: discriminatory impacts on protected groups, privacy violations and data security risks, accuracy and reliability concerns, transparency and explainability limitations, and potential for manipulation or coercion.
Organizations must document not just the assessment results but also the mitigation strategies implemented to address identified risks. This documentation serves multiple purposes: demonstrating due diligence to regulators, providing a roadmap for continuous improvement, and creating a defensible record in case of complaints or investigations. The CPPA has indicated it will scrutinize not just whether assessments occurred but whether they were conducted with genuine rigor and led to meaningful risk mitigation actions.
The cybersecurity component deserves particular attention. ADMTs must implement security controls appropriate to the sensitivity of the data processed and decisions made. The CPPA explicitly requires alignment with NIST Cybersecurity Framework standards, meaning organizations need technical security assessments alongside their algorithmic bias evaluations.
ADMT regulations significantly expand consumer rights around automated decision-making. Businesses must provide clear, timely notice before using ADMTs to make decisions about individuals. These notices must explain what type of automated system is being used, what data is being processed, how the system influences the decision, and how individuals can exercise their rights including opting out or requesting human review.
The opt-out requirement is particularly significant. Organizations must provide a meaningful alternative to automated decision-making, not just a nominal "opt-out" that effectively forces consumers to accept automated processing. This might mean maintaining parallel human-driven processes or ensuring human decision-makers can meaningfully override or modify automated recommendations.
Appeal and correction mechanisms are also mandatory. When an ADMT makes an adverse decision, affected individuals must have a clear path to contest the decision, understand the factors that influenced it, and correct any inaccurate data. This right to explanation and appeal transforms AI systems from "black boxes" into accountable decision-making tools, fundamentally changing how organizations must design and deploy these systems.
While California's ADMT regulations don't take effect until 2027, employers hiring in New York City face immediate compliance obligations under Local Law 144. Book a 15-minute consultation to discuss our full compliance package.