EU Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Analysis

California's CCPA rules on automated decisionmaking technology: the privacy route to AI accountability

Adopted 2026-06-29 · ≈ 3 min read · Dirk Baaijen

California's privacy regulator finalised binding CCPA rules on automated decisionmaking technology (ADMT), risk assessments and cybersecurity audits. In force since 1 January 2026, they reach AI-driven decisions through privacy law, not an AI act, with phased duties from 2027.

While the United States still has no federal AI statute, the most consequential American rules on automated decision-making in 2026 did not come from an "AI act" at all. They came from a privacy regulator. On 1 January 2026 California's amended CCPA regulations took effect, adding binding obligations on automated decisionmaking technology (ADMT), risk assessments and cybersecurity audits. The California Privacy Protection Agency (CPPA) Board adopted the text on 24 July 2025; the Office of Administrative Law approved and filed it on 22 September 2025, with an effective date of 1 January 2026.

This is a different regulatory route from the one California took with its Frontier AI Act (SB 53), which targets a handful of large model developers, and from the wave of dedicated state AI statutes mapped in AI legislation in the US. Here the lever is consumer privacy: any business already in scope of the CCPA that uses computation to make decisions about people inherits a new layer of duties.

What counts as ADMT, and which decisions are covered

The regulations define ADMT in § 7001 as "any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking." "Technology" expressly includes software derived from machine learning, statistics, other data-processing techniques or artificial intelligence. A system "substantially replaces" human decision-making where the business uses its output to make a decision without meaningful human involvement — a human reviewer who merely rubber-stamps the output does not take it out of scope.

The obligations bite only where ADMT is used for a "significant decision", defined in § 7001 as a decision that results in the provision or denial of financial or lending services, housing, education enrolment or opportunities, employment or independent-contracting opportunities or compensation, or healthcare services. Advertising and most routine personalisation fall outside that list — a deliberate narrowing from the agency's broader earlier drafts.

Three pillars, phased compliance

The regulations stack three obligations with staggered deadlines, so the effective date of 1 January 2026 understates when the duties actually bite:

  • ADMT consumer rights — from 1 January 2027. A business that uses ADMT for a significant decision before 1 January 2027 must be compliant no later than that date; ADMT deployed afterwards must comply before first use. Consumers get a pre-use notice, a right to opt out (subject to exceptions such as security, fraud prevention or where a human appeal is offered), and a right to access information about how the business used ADMT — including the logic and how the output was used in the decision.

  • Risk assessments — duty from 1 January 2026, first filing 1 April 2028. Businesses whose processing presents significant risk (including using ADMT for significant decisions, and certain profiling) must conduct and document a risk assessment. For processing conducted in 2026 and 2027, an attestation and summary must be submitted to the CPPA by 1 April 2028.

  • Cybersecurity audits — first reports 1 April 2028 to 2030. Under § 7121, the deadline for a business's first independent audit report is tiered by revenue: 1 April 2028 for businesses with 2026 gross revenue above $100 million, 1 April 2029 for those between $50 million and $100 million, and 1 April 2030 below $50 million.

Why this matters beyond California

For an international audience the significance is comparative. California reaches AI-driven decisions through the same instrument the EU uses in the GDPR: data-protection law. The ADMT opt-out, pre-use notice and access rights echo the logic of GDPR Article 22 on automated individual decision-making and the transparency rights in Articles 13–15 — though California builds an opt-out model rather than the GDPR's qualified prohibition, and ties the duties to a closed list of "significant decisions". The risk-assessment obligation is a domestic cousin of the data-protection impact assessment and of the conformity and risk-management duties under the EU AI Act, while staying firmly within privacy law. For multinationals, the practical effect is that an ADMT system deployed for hiring, credit or healthcare access may have to satisfy both GDPR-style automated-decision rules in Europe and California's CCPA regime — converging requirements reached by two different legal routes.

Because California is not an EU jurisdiction and these rules sit outside any EU AI-Act regime, they carry no EU regime label; this entry is analytical context, not a compliance instruction.

Sources

  1. https://cppa.ca.gov/regulations/ccpa_updates.html
    CPPA regulations on CCPA updates, cybersecurity audits, risk assessments, ADMT and insurance; OAL-approved 22 Sept 2025, effective 1 Jan 2026.
  2. https://cppa.ca.gov/announcements/2025/20250923.html
    CPPA announcement (23 Sept 2025): regulations effective 1 January 2026; ADMT requirements apply to significant decisions from 1 January 2027.
  3. https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_mod_txt_pro_reg.pdf
    Regulation text: § 7001 defines ADMT and "significant decision"; ADMT compliance by 1 Jan 2027; § 7121 phases first audit reports to 1 Apr 2028/29/30.
