The California Consumer Privacy Act (CCPA) Regulations were approved at the end of 2025, and they include new obligations for companies that use automated decision-making technologies (ADMT) for significant decisions.
These obligations will require in-scope businesses to modify policies and practices and review contracts with third parties, contractors, and service providers. But first, let’s make sure we all understand what we’re talking about.
Key Definitions:
- Automated Decision-Making Technology (ADMT): Any technology that processes personal information and uses computation to replace or substantially replace human decision making.
- Substantially Replace: Use of the technology’s output to make a decision without human involvement.
- Significant Decision: A decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. Does not include advertising.
- Profiling: Automated processing of personal information to evaluate an individual’s personal aspects, especially to analyze or predict things like intelligence, ability, aptitude, performance at work, economic situation, health, mental health, preferences, interests, reliability, predispositions, behavior, location, or movements.
Examples of ADMT for Significant Decisions:
Here are some examples we came up with of situations in which businesses may find themselves using ADMT for significant decision-making.
Note: These examples are all predicated on the absence of any human intervention in the decision-making process.
- Hiring Practices: A business records job interviews, then uses emotion-recognition technology to decide who to hire.
- Credit Approval: Using an algorithm to create risk scores for consumers to determine whether they are eligible for a loan.
- Access to Healthcare: A health technology company (non-HIPAA-covered entity) uses an AI system to approve or deny an individual’s request for treatment.
- Student Admissions: A learning institution uses an AI tool to scan applications and automatically decide who receives an admission offer or scholarship.
The regulations include some explicit exceptions, including web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam- and robocall-filtering, spellchecking, calculators, databases, and spreadsheets, provided that they do not replace human decision making.
Businesses that process personal information in the ways described above and fall under the scope of CCPA have new obligations under the CCPA Regulations. Now is the time to update your privacy program to ensure compliance going forward.
Pre-Use Notice
Businesses must provide consumers with notice prior to collecting personal information for use in ADMT. The notices must include:
- The specific purpose for which ADMT will be used;
- The consumer’s right to opt-out of ADMT, and how to exercise it;
- The consumer’s right to access information about ADMT use;
- A description of how the ADMT works, what types of personal information affect its outputs, what outputs it generates, and how those outputs are used in the decision;
- The alternative decision-making process if the consumer opts out (discussed below); and
- A statement that retaliation for exercising rights is prohibited.
The pre-use notice can be incorporated into a standard privacy notice, but it must be provided to individuals anytime their information may be used by ADMT.
Next steps for businesses: Review and revise privacy notices, including candidate and employee notices, to ensure they comply with these new obligations.
Opt-Outs
Businesses must give consumers the ability to opt out of the use of ADMT for significant decisions unless an exemption applies. They must provide two methods to opt out, one of which should be in the form in which the business primarily communicates with the consumer.
To avoid the need to provide this opt-out, businesses can implement an appeals process that involves human review with the authority to overturn the decision. There are other opt-out exemptions related to hiring, admissions, and work allocation decisions, but they are specific to assessing performance and include stipulations like the ability to show there’s no unlawful discrimination and that the ADMT works for its intended purpose.
Next steps for businesses: Determine your approach. Decide whether to implement an opt-out mechanism or an appeals process if no other exemption applies to your ADMT use.
Access
Businesses must respond to consumers’ requests to access information about use of ADMT. They must provide plain-language explanations of:
- The specific purpose of ADMT use
- Information about the logic of the ADMT, such as the parameters affecting its output
- The outcome of the decision and how the output was used
- Plans for any future use of the output in Significant Decisions
Next steps for businesses: Review and update privacy rights policies, procedures, automations, and response templates and scripts.
Privacy Risk Assessments
Businesses that use ADMT for significant decision making must conduct privacy risk assessments prior to the processing.
Assessments must include:
- Specific purpose for processing consumers’ personal information
- Categories of PI to be processed, including the minimum necessary to achieve the purpose
- Method for collection, use, disclosure, retention and source of PI
- Method of interacting with individuals whose PI it processes, including purpose of the interaction
- Approximate number of consumers involved
- Notice provided to the consumers and method for notification
- Names or categories of recipients of the PI
- Where ADMT is involved:
  - Logic including assumptions and limitations
  - Output and how it will use the output to make decisions
- Benefits to consumers, stakeholders, the business and others
- Negative impacts to consumers’ privacy
- Safeguards to mitigate negative impacts
- Whether processing will go forward based on assessment
- Individuals that provided information for the assessment (except legal counsel)
- Date and names of approvals (except legal counsel)
Most companies will have some version of a privacy risk assessment process already. The challenge can be understanding what you have and updating it to reflect specific ADMT requirements. Red Clover Advisors’ Privacy Impact Assessment services are designed to help clients identify areas for review, create custom assessment templates, and execute them. We also help develop the kinds of policies and procedures your team needs to keep assessments current as your ADMT use changes and your reporting obligations grow.
For additional background on risk assessments, the Privacy Risk Assessment Business Guide and A Guide to Privacy Impact Assessments are good starting points.
Next steps for businesses: Review existing privacy risk assessment procedures, technologies, and templates to reflect ADMT assessment obligations.
Upcoming Reporting Obligation
It’s important that businesses keep records of privacy risk assessments. Beginning in 2028, businesses will need to submit a report to the CPPA annually on how many assessments were conducted, the outcome, and more.
Next steps for businesses: Prepare for reporting obligations by determining and documenting your approach.
Conclusion
Most of the obligations above become effective Jan. 1, 2027, but the obligation to conduct privacy risk assessments is in effect now. Businesses should be conducting privacy risk assessments on all high-risk processing activities and start preparing for future obligations today.
| Obligation | Effective date |
| --- | --- |
| Privacy risk assessments | Jan. 1, 2026 |
| Pre-use notice | Jan. 1, 2027 |
| Opt-Outs | Jan. 1, 2027 |
| Access | Jan. 1, 2027 |
| Risk assessment reports | April 1, 2028 |
To comply with the above requirements, businesses must:
- Revise privacy notices to incorporate new disclosures for ADMT
- Revise privacy rights policies and procedures
- Review access report templates to ensure ADMT is accounted for
- Consider instituting an appeals process that provides an exemption for opting out of ADMT
- Update opt-out mechanisms to include ADMT uses
- Revise privacy risk assessment policy, procedures and templates to incorporate information related to ADMT
- Prepare for risk reporting obligations by documenting your approach
And don’t forget about training! Any time a business changes its privacy practices, employees need to be made aware and training needs to be updated. Think about where ADMT is or will be most utilized in your organization and make sure those teams understand these new obligations. Work with them to create systems and processes that integrate with existing workflows so new compliance steps you put in place are used and effective.
Need more help?
The new ADMT rules require operational decisions across various business teams, including privacy, security, legal, HR, product, and IT. Getting teams onboard early helps companies tighten internal processes before regulators start asking questions.
When companies approach ADMT requirements strategically:
- Teams document where Automated Decision-Making Technology (ADMT) is being used to process personal information instead of relying on assumptions
- Privacy notices, opt-outs, and access processes are built together
- Privacy risk assessments are updated to include specific ADMT requirements
- Companies are better prepared to meet reporting obligations that stand up to regulator review
At Red Clover, we understand that navigating the new ADMT requirements in the CCPA regulations can be overwhelming. It might take more expertise and bandwidth than you have in-house. If that’s the case, give us a call or reach out here.
