This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
California's CPRA now has a dedicated set of rules for Automated Decision-Making Technology, and they go well beyond what most businesses already do to comply with general CCPA/CPRA privacy obligations. If an AI tool your business uses makes or substantially replaces a human decision about hiring, pricing, credit, housing, or similar significant outcomes, these newer rules apply on top of your existing privacy compliance, not instead of it.
In short: California's ADMT regulations, finalised and in force as of January 1, 2026, apply to technology that processes personal information and uses computation to replace or substantially replace human decision-making for a "significant decision": finances, housing, education, employment, or health care. Risk assessment obligations began January 1, 2026. Full ADMT compliance, including pre-use notice and consumer opt-out, is required from April 1, 2027.
The plain-English answer
An existing CCPA/CPRA privacy policy, the general kind covering data collection and consumer rights, doesn't automatically satisfy the ADMT-specific requirements. ADMT rules apply specifically where a technology processes personal information and uses computation to replace or substantially replace a human decision that significantly affects someone, and the obligations, a risk assessment, a pre-use notice, and a consumer opt-out, are distinct requirements on top of general privacy compliance, not covered by it automatically.
Why this matters for your business
A 30-person California retailer using AI for hiring decisions and personalised pricing sits squarely in ADMT territory, employment decisions are explicitly named as a "significant decision" category, and depending on how personalised the pricing gets, that can qualify too. This is exactly the kind of business that assumes existing privacy compliance already covers newer AI-specific tools, because the tools were adopted incrementally and nobody re-checked the compliance picture against each new use.
The phased deadlines make this a live, active issue, not a distant future date. Risk assessment obligations for covered processing activities are already in force as of January 1, 2026, and for activities that began before that date and continue afterward, the assessment has to be completed by the end of 2027 at the latest, meaning the clock is already running for a business currently using ADMT-qualifying tools.
What the CPRA's ADMT rules actually require
The California Privacy Protection Agency's regulations, adopted July 2025 and in force since January 1, 2026, define ADMT as technology that processes personal information and uses computation to replace or substantially replace human decision-making. "Significant decisions" specifically covers outcomes affecting finances, housing, education, employment, or health care, notably excluding advertising, which is treated differently under the same regulations.
The compliance timeline has two distinct phases. From January 1, 2026, businesses subject to risk assessment requirements must have those assessments under way or completed for covered processing. From April 1, 2027, the fuller set of ADMT obligations kicks in for businesses using ADMT to make significant decisions: conducting a risk assessment specifically for that use, providing consumers a pre-use notice about the ADMT use, offering an opt-out option (subject to certain exceptions), and allowing consumers to request access to information about how the ADMT was used regarding them.
What this looks like in practice
Picture the operations director working through the business's actual AI tool use against these rules. The AI hiring screening tool clearly qualifies, employment decisions are explicitly named. The personalised pricing tool needs a closer look, if it's meaningfully adjusting prices for individual customers based on their data rather than broad segment-level promotions, it likely qualifies too; if it's closer to standard promotional targeting, it may sit outside the definition, worth a specific check rather than a guess in either direction.
Rather than wait for the April 2027 deadline to arrive, the operations director starts the risk assessment now, since the obligation for covered processing already applies as of January 2026, and builds the pre-use notice and opt-out mechanism into the hiring process ahead of the fuller deadline, giving the business real lead time rather than a scramble in early 2027.
What you can do about it
A practical starting point for any California business using AI for a significant decision:
- Check whether each AI tool your business uses processes personal information to replace or substantially replace a human decision about finances, housing, education, employment, or health care.
- Start the risk assessment now for any qualifying tool, this obligation is already active as of January 2026 for covered processing.
- Build the pre-use notice and consumer opt-out mechanism ahead of the April 2027 deadline, not in the final weeks.
- Set up a process for handling consumer access requests about ADMT use, this is a new, specific right distinct from general CCPA data-access requests.
- Revisit the assessment whenever you adopt a new AI tool or materially change how an existing one works.
If your AI hiring tool specifically is in scope, also check our guide on EEOC guidance on AI hiring and adverse impact, since ADMT and Title VII obligations apply independently of each other.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Try our free AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Does ADMT apply to AI-driven advertising and marketing personalisation?
Generally no, the regulations specifically exclude advertising from the "significant decision" categories that trigger ADMT obligations. Focus your assessment on finance, housing, education, employment, and health care decisions specifically.
Does our existing CCPA privacy policy already cover ADMT disclosure?
Not automatically. ADMT requires a specific pre-use notice about the automated decision-making itself, distinct from a general privacy policy's data-practices disclosure. Check your notice specifically addresses ADMT use, not just general data collection.
Is there an exception if a human reviews the AI's recommendation before the final decision?
It depends on whether that review is genuinely meaningful, similar in spirit to how other jurisdictions treat human review, a token approval of whatever the AI recommended is unlikely to take the process outside "substantially replacing" human decision-making. Get specific advice if you're relying on a human-review step to change your ADMT status.
What happens if we miss the April 2027 deadline?
Non-compliance exposes the business to CCPA/CPRA enforcement generally, which carries per-violation penalties. Starting the risk assessment and notice process well ahead of the deadline, rather than at the last minute, is the practical way to avoid both the compliance gap and the scramble.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Using AI specifically for hiring decisions in California?
Check the EEOC guidance too