New California Regulations Regarding Employer Use of Automated Decision-Making Technology: Compliance Required by January 1, 2027

Note: Federal artificial intelligence policy is evolving. President Trump’s December 11, 2025, Executive Order Ensuring a National Policy Framework for Artificial Intelligence could affect state-level approaches to artificial intelligence, including the California regulations discussed below. We are monitoring this Executive Order closely, including any challenges to it, and have covered the Executive Order here. In addition, our Trump Executive Order Tracker helps clients stay up to date with all executive orders issued by the Trump administration.

As has been widely reported, California has been at the forefront of seeking to regulate employer use of artificial intelligence-based tools. Employers may already be aware that recent amendments to the California Code of Regulations extend the Fair Employment and Housing Act’s anti-discrimination protections to employment decisions made using “automated decision-making systems,” including artificial intelligence and algorithm-based tools. These amendments took effect on October 1, 2025.

Soon, new California privacy regulations regarding artificial intelligence will further define employer obligations in this domain. Beginning January 1, 2026, California businesses that collect personal information must comply with California Consumer Privacy Act (CCPA) regulations regarding the use of Automated Decision-Making Technology (ADMT) for “significant decisions.” Businesses already using ADMT have until January 1, 2027, to fully implement these measures, while businesses that adopt ADMT after January 1, 2027, must be fully compliant prior to implementation.

What is ADMT?

The new CCPA regulations define ADMT as “any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making.”

What Are “Significant Decisions?”

“Significant decisions” include determinations that impact:

• Financial services or lending,
• Housing,
• Education enrollment or opportunities,
• Employment or independent contracting, including decisions that affect compensation, hiring, allocation or assignment of work, promotion or demotion, suspension, and termination, or
• Health care services.

Key Compliance Requirements

Businesses using ADMT for significant decisions must implement the following measures:

Pre-Use Notices

Before collecting personal information for ADMT’s use, businesses must post clear notices to consumers that include:

• The purpose of the business’s ADMT use,
• The consumer’s right to opt out and how to exercise this right,
• The consumer’s right to access certain information about the business’s ADMT,
• A description of how the ADMT works, what data influences its outputs, and how its outputs are used to make a significant decision,
• An alternative decision-making process if the consumer opts out of the use of ADMT, and
• A statement prohibiting retaliation against a consumer for exercising his or her right to access this information.

Opt-out Rights

Consumers must have the option to opt out of ADMT used for significant decisions, subject to narrow exceptions. Businesses must offer at least two opt-out methods and ensure these opt-out processes are simple and not hidden behind generic banners.

Right to Access ADMT Information

Upon request, businesses must provide:

• The purpose of their ADMT use,
• Information about the logic of the ADMT, which may include “the parameters that generated the outputs as well as the specific output with respect to the consumer,”
• How outputs were used in decision-making, and/or
• Plans for future use of outputs.
• Businesses may withhold information that would reveal trade secrets and information that would compromise the security of the business’s systems, enable fraud, or endanger the “physical safety of natural persons.”

Risk Assessments

Businesses must conduct risk assessments for ADMT used in significant decisions. Risk assessments must determine “whether the risks to consumers’ privacy from the processing of personal information outweigh the benefits to the consumer, the business, other stakeholders, and the public from that same processing.” At least once every three years, businesses must review and update their risk assessments as necessary. If a business makes a “material change relating to the processing activity,” it must update its risk assessment “as soon as feasibly possible, but no later than 45 calendar days from the date of the material change.”

Enforcement

The California Privacy Protection Agency and the Attorney General are authorized to enforce the new ADMT regulations and may request copies of risk assessments during audits or investigations. The new regulations do not provide a private right of action for violations of their ADMT provisions. Noncompliance can result in fines of up to $2,500 per violation and $7,500 per intentional violation, creating substantial exposure for businesses that fail to implement required notices, opt-out mechanisms, access rights, or risk assessments.

Need Guidance?

Our team is available to advise on practical steps for compliance with these new regulations. We invite you to reach out to us if you have any questions or would like to discuss how these changes may impact your business.