Table of Contents >> Show >> Hide
- What Happened and Why It Matters
- Why People Are Calling These the “AI Rules” (and Why the Fine Print Matters)
- ADMT Rules: What Businesses Must Actually Do
- Risk Assessments: California’s Privacy “Show Your Work” Requirement
- Cybersecurity Audits: Privacy Compliance Meets Security Program Discipline
- What Businesses Should Do in 2026
- 1) Build an ADMT Decision Inventory
- 2) Separate “AI Buzzword” Uses from Regulated ADMT Uses
- 3) Draft Pre-use Notices and Appeal Flows Now
- 4) Create a Risk Assessment Template That Matches California’s Required Content
- 5) Align Privacy and Security Governance Calendars
- 6) Review Vendor Contracts and Technical Documentation
- Examples: How This Plays Out in Real Life
- Extended Practical Experiences From the Field (Added 500+ Words)
- Conclusion
California just did what privacy teams have been waiting for (and, let’s be honest, quietly dreading with a color-coded spreadsheet): the California Privacy Protection Agency (CPPA) finalized major CCPA regulations covering automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits.
If your organization handles consumer data at scale, uses AI-driven tools in hiring, lending, healthcare, or other high-impact decisions, or has a security program that already keeps your CISO awake at 2 a.m., these rules matter. A lot. They don’t just add theory. They add concrete obligations, timelines, documentation requirements, and governance expectations.
In this guide, we’ll break down what changed, what the final rules actually require, why the “AI rules” headline is both useful and slightly misleading, and what businesses should do now to avoid a last-minute compliance fire drill.
What Happened and Why It Matters
The CPPA finalized a rule package that updates CCPA regulations and adds detailed requirements for three closely related areas: automated decisionmaking technology (ADMT), privacy risk assessments, and cybersecurity audits. The package is a major step in turning broad CPRA/CCPA concepts into operational rules that companies can actually be audited against.
The big headline: California now has one of the most detailed state-level privacy compliance frameworks in the U.S. for organizations using automated systems in significant decisions and for businesses whose data processing presents elevated privacy or security risk.
Translation: if your company says, “We don’t do AI, we just use a vendor platform that scores applicants / detects fraud / prioritizes cases / ranks users,” you should not assume you’re out of scope. The rules are built around how automated decisionmaking is used, not whether someone in marketing called it “AI.”
Why People Are Calling These the “AI Rules” (and Why the Fine Print Matters)
The shorthand “California AI rules” is catchy, but the final regulations focus on ADMT for significant decisions and related privacy risk and security governancenot every AI or machine learning use case under the sun.
That distinction matters because the final framework is narrower than many businesses feared during earlier drafts. The rules zero in on situations where automated tools can materially affect people’s lives, such as decisions involving:
- Financial or lending services
- Housing
- Education enrollment or opportunities
- Employment or independent contracting opportunities or compensation
- Healthcare services
The final regulations also make clear that advertising is not a “significant decision” for this ADMT article. That does not mean adtech gets a free pass under the CCPA generallybut it does mean the ADMT-specific notice/opt-out/access requirements are not automatically triggered just because a business uses automation in advertising.
ADMT Rules: What Businesses Must Actually Do
1) Provide a Pre-use Notice
If a business uses ADMT to make a significant decision about a consumer, it must provide a Pre-use Notice. This notice must be delivered prominently at or before the point when the business collects personal information for that ADMT use (or before later repurposing already-collected data for such use).
The notice cannot be vague. “We use technology to improve your experience” will not cut it. The final rules expect plain-language descriptions of:
- The specific purpose of the ADMT use
- The consumer’s right to opt out (or, if an exception applies, the specific exception)
- The consumer’s right to access ADMT-related information
- How the system works at a plain-language level (including inputs, outputs, and decision process context)
- What happens if the consumer opts out (the alternative process), unless an exception applies
Good news for overloaded privacy teams: businesses can use a layered notice or hyperlink for some of the additional explanatory content, and they may use consolidated notices for systematic uses of the same ADMT. So yes, you can avoid printing a new notice every 11 minutes.
2) Offer an ADMT Opt-Out (with Important Exceptions)
As a baseline rule, consumers must be able to opt out of the use of ADMT for significant decisions. Businesses also need at least two designated methods for submitting opt-out requests, and at least one method must reflect how the business primarily interacts with the consumer.
One practical detail many teams will miss on first read: the rules say cookie banners or cookie controls are not, by themselves, an acceptable ADMT opt-out method. In other words, your cookie platform is not automatically your ADMT compliance plan.
The final rules include key exceptions, including a path where a business may rely on a human appeal process instead of offering opt-out for a significant decision. But this exception comes with real conditions:
- A human reviewer must have authority to overturn the decision
- The reviewer must be able to interpret and analyze the ADMT output
- The consumer must be able to provide information to support the appeal
- The appeal process must be easy to use and require minimal steps
There are also limited exceptions for certain hiring/admissions and work-allocation/compensation uses, but only if the ADMT is used solely for specified purposes, works for that purpose, and does not unlawfully discriminate based on protected characteristics.
3) Respond to a Consumer’s Request to Access ADMT Information
The final rules create a detailed right to access ADMT information. When a consumer makes a valid request, a business generally must provide plain-language explanations about:
- The specific purpose for which ADMT was used for that consumer
- The logic of the ADMT (enough for the consumer to understand how their information was processed)
- The outcome of the decisionmaking process and how the ADMT output was used
- Instructions for exercising other CCPA rights
Businesses do not have to disclose trade secrets, and they may withhold information that would compromise security or fraud-prevention capabilities. That balance is important: consumers get meaningful transparency, but the rules do not require companies to hand out the blueprint to their anti-fraud systems.
4) ADMT Compliance Deadline
The ADMT article has a critical implementation date: businesses using ADMT for significant decisions before January 1, 2027, must comply by January 1, 2027. If a business begins using ADMT for significant decisions on or after that date, compliance is required whenever it is using ADMT for those decisions.
Risk Assessments: California’s Privacy “Show Your Work” Requirement
The risk assessment rules are a big deal because they force businesses to move from “we considered privacy” to “please document exactly how you considered privacy, what the risks were, what the benefits were, and who approved it.”
When a Risk Assessment Is Required
Businesses must conduct a risk assessment before initiating certain processing activities that present significant risk to consumers’ privacy. The final rules identify categories that trigger this requirement, including:
- Selling or sharing personal information
- Processing sensitive personal information (with some narrow employee-related exceptions)
- Using ADMT for a significant decision concerning a consumer
- Certain automated profiling/inference in employment or educational contexts
- Certain automated inference based on a consumer’s presence in a sensitive location
- Processing personal information to train certain ADMT or identity/biometric-related technologies
That last category is especially important for AI governance teams. If personal information is being used to train tools for significant decisions or certain identity/profiling technologies, California is signaling: “Document the privacy tradeoffs now, not after launch.”
What Must Be in the Risk Assessment
The rules are detailed. A compliant assessment is not a one-page memo with “Risk: medium” and a thumbs-up emoji. Businesses must document specific purposes, categories of personal information, operational elements, retention, disclosures, third-party recipients, benefits, negative privacy impacts, and mitigation measures.
For ADMT-related processing, businesses must also identify the logic of the ADMT (including assumptions/limitations) and how outputs are used to make significant decisions.
The framework also explicitly contemplates stakeholder involvement. Internal employees participating in the processing activity should be involved, and businesses may include outside experts, service providers, consumer representatives, or bias-mitigation specialists. That’s a clear nudge toward multidisciplinary governance instead of “legal handles it alone.”
Updates, Retention, and Submission to the Agency
Risk assessments are not “one and done.” The final rules require businesses to review and update them at least every three years, and sooner when there is a material change (with tight timing expectations for updates).
The CPPA also created a submission framework. Businesses generally submit specified summary information (not necessarily the entire assessment in every case) on a schedule, including a transition rule for assessments conducted in 2026 and 2027. The Agency or California Attorney General can also request full risk assessment reports, and businesses must be ready to produce them quickly.
Practical takeaway: privacy assessments are now part of your evidence file. If your program is mature, this is manageable. If your program is a collection of meeting notes, “v2_final_FINAL,” and good intentions, it’s time to upgrade.
Cybersecurity Audits: Privacy Compliance Meets Security Program Discipline
The cybersecurity audit rules may be the most operationally heavy part of the package, especially for larger businesses. These are not generic “be reasonable” statements. They describe who is covered, what an audit should evaluate, who can perform it, what evidence should support findings, and what must be certified to the CPPA.
Who Is Covered
A business presents “significant risk to consumers’ security” (and therefore must complete a cybersecurity audit) if it meets certain CCPA thresholds tied to scale and data practices. The rules include businesses that meet the CCPA’s percentage-of-revenue threshold tied to selling/sharing personal information, and businesses meeting the revenue threshold plus high-volume processing thresholds for personal information or sensitive personal information.
In plain English: if you are large and data-intensive, California expects a documented cybersecurity audit processnot just a policy binder and a hopeful Slack message.
What the Audit Must Look Like
The audit must be performed by a qualified, objective, independent professional (internal or external), using accepted auditing procedures and standards. The rules reference professional standards bodies and frameworks, and even allow businesses to leverage audits prepared for other purposes if they meet California’s requirements (for example, by supplementing an existing framework-based audit).
The final rules also emphasize evidence quality:
- Findings cannot rely primarily on management assertions or attestations
- Auditors should rely on actual evidence (documents, testing, interviews, sampling)
- Relevant audit documents must be retained for at least five years
That is a strong signal that performative compliance won’t age well here.
Phased Deadlines and Annual Certification
The cybersecurity audit deadlines are phased based on revenue size, with first audit report deadlines landing in 2028, 2029, and 2030 for different tiers. Businesses that fall into scope should map these dates now because audit readiness, vendor coordination, and internal evidence collection take time.
There is also an annual certification of completion requirement submitted to the CPPA by a qualified member of executive management. The certification includes an attestation under penalty of perjury and additional specifics about the audit period and completion status. That executive signature will likely become the moment when privacy, security, and legal teams stop debating and start finalizing.
What Businesses Should Do in 2026
If you want a practical roadmap, start here. This is the part where compliance becomes a project plan.
1) Build an ADMT Decision Inventory
Identify where automated tools are used in decisions affecting consumers, applicants, students, patients, workers, or contractors. Include vendor tools, internal models, scoring systems, ranking engines, and “assistive” software that may still influence significant decisions.
2) Separate “AI Buzzword” Uses from Regulated ADMT Uses
Not every AI tool triggers the ADMT rules, but some low-drama tools absolutely can. A résumé screener may be in scope; a spell-check tool probably isn’t. Classify based on decision impact, not product marketing language.
3) Draft Pre-use Notices and Appeal Flows Now
Don’t wait until late 2026. The notice content requirements are detailed, and the human-appeal exception requires actual operational design, training, and authoritynot just a sentence in a privacy policy.
4) Create a Risk Assessment Template That Matches California’s Required Content
If you already do assessments for Colorado, Connecticut, or internal AI governance, greatreuse them where possible. But make sure the California-specific fields, attestations, and documentation expectations are covered.
5) Align Privacy and Security Governance Calendars
These rules connect privacy and cybersecurity more tightly than many organizations are used to. Your privacy office, security team, legal group, procurement, and internal audit function should share timelines, ownership, and evidence standards.
6) Review Vendor Contracts and Technical Documentation
If a vendor provides ADMT, businesses still need enough information to meet notice, access, and risk assessment obligations. “Vendor says it’s proprietary” may be true, but it is not a complete compliance strategy.
Examples: How This Plays Out in Real Life
Example 1: Hiring Platform. A company uses software to rank applicants and recommend interview candidates. If the tool is used for hiring decisions, it may trigger ADMT requirements for significant decisions, including pre-use notice, opt-out or qualifying exception, and access rights. The same company may also need a risk assessment for the ADMT use.
Example 2: Consumer Lending. A lender uses an automated scoring model to approve or deny loans. This is classic significant-decision territory. Expect ADMT obligations, and depending on scale/data practices, potentially broader risk assessment and cybersecurity audit implications.
Example 3: Large Digital Platform with Extensive Sensitive Data. Even if the company is not using ADMT for all major decisions, processing sensitive personal information at scale and meeting threshold criteria can still trigger risk assessment and cybersecurity audit duties.
Extended Practical Experiences From the Field (Added 500+ Words)
One of the most common experiences teams report when preparing for rules like these is the sudden realization that the company’s “AI inventory” and its “actual automated decision inventory” are two very different documents. The AI inventory usually lists shiny tools: chat assistants, internal productivity bots, summarization features, and maybe a pilot recommendation engine. The automated decision inventory, on the other hand, is where the real compliance work starts. That document tends to uncover the systems that quietly affect outcomes: fraud scoring thresholds, queue-prioritization logic, applicant ranking tools, claim-triage models, and vendor products that no one internally thought to label as ADMT. This gap is normal, but it can be expensive if discovered too late.
Another recurring experience is that privacy, legal, and security teams often begin with different definitions of “good enough documentation.” Privacy teams may want clear consumer-facing explanations. Security teams may want technical precision and evidence trails. Legal teams may want language that can survive regulator scrutiny without oversharing trade secrets. The CPPA framework effectively forces these teams into the same room. In practice, the organizations that move fastest are not necessarily the ones with the biggest budgetsthey are the ones that agree early on templates, approval workflows, and who owns each deliverable.
A third real-world pattern: human appeal processes sound simple until you try to operationalize them. Many businesses initially say, “We’ll just let people appeal to a human.” Then they discover the rule-level questions: Who is the human reviewer? Do they actually have authority to overturn the decision? Are they trained to interpret the system output? How do they document the review? What is the timeline? How can the consumer submit supporting information? Once those questions appear, organizations often realize they need process design, training, and case management supportnot just policy text.
Companies also commonly underestimate how long it takes to build plain-language notices that are both accurate and understandable. Technical teams may describe a model in a way that makes sense to engineers but not to consumers. Legal teams may overcorrect and write something so abstract that it fails the spirit of the notice requirements. The most effective teams run a practical translation exercise: first write the technically correct version, then rewrite it for an average reader, then test whether both versions say the same thing. It’s not glamorous, but it prevents the dreaded “compliant but incomprehensible” notice.
Finally, there is the executive-signature effect. Once a certification requires an executive attestation, cross-functional alignment tends to improve very quickly. Issues that sat unresolved for monthssuch as whether an audit can rely on a vendor report, whether a risk assessment template is complete, or whether evidence retention is centralizedsuddenly get owners and deadlines. That is not cynicism; it is governance reality. The best experience companies can create for themselves over the next cycle is to treat these rules as a program-building opportunity, not just a legal obligation. Teams that do this usually end up with clearer data flows, better vendor oversight, stronger security evidence, and fewer internal surprises. And in privacy compliance, fewer surprises is basically a luxury product.
Conclusion
The CPPA’s final CCPA rules on ADMT, risk assessments, and cybersecurity audits move California privacy law into a more operational, testable era. For businesses, the message is clear: map your automated decision uses, document risk tradeoffs before launch, strengthen your security audit evidence, and build real consumer-facing processesnot just policy statements.
If your organization starts now, these rules are manageable. If you wait until the deadline is close, they become a very expensive group project. And nobody wants a last-minute group project with legal, security, HR, engineering, and procurement all at once.
