EveryAILaw.com

California CCPA ADMT Regulations

Jurisdiction:
California
 enacted
Effective:
Jan 1, 2027
Authority:
California Privacy Protection Agency
 Official text Verified Apr 27, 2026

Obligations Covered

Transparency & Disclosure Explainability Risk Assessment

Provisions (2)

Consumer Transparency for ADMT #

Obligation:
Transparency
 enacted
Effective:
Jan 1, 2027
Risk tier:
all
Scope:
deployers

Requirements

RequirementDetails
Pre-use noticeConspicuous notice before ADMT use describing purpose, how it works, outputs, and available consumer rights (§ 7220)
Opt-out rightConsumers may opt out of ADMT in significant decisions; opt-out link required in pre-use notice (§ 7221)
Access rightConsumers may request information about the business's use of ADMT with respect to them (§ 7222)
Appeal mechanismConsumers may appeal ADMT-based decisions affecting them
No retaliationBusiness may not retaliate against consumer for exercising ADMT rights

Penalties

ViolationFine
Per violation$2,500 standard; $7,500 intentional

ADMT Risk Assessment #

Obligation:
Risk Assessment
 enacted
Effective:
Jan 1, 2027
Risk tier:
high-risk
Scope:
deployers

Requirements

RequirementDetails
Pre-processing assessmentRisk assessment required before initiating high-risk processing including ADMT for significant decisions (§ 7150–7152)
Human oversight evaluationMust evaluate adequacy of human oversight in risk assessment (§ 7152)
Triennial reviewReview and update every 3 years, or within 45 days of a material change (§ 7155(a)(2)–(3))
RetentionRetain assessments for duration of processing or 5 years after completion, whichever is later (§ 7155(c))
Submission to CPPAAttestation submitted to CPPA on CPPA request; first general submission April 1, 2028 for 2026–2027 assessments (§ 7157)
Pre-2026 activitiesBusinesses with processing initiated before 2026 must complete risk assessment by December 31, 2027 (§ 7155(b))

Penalties

ViolationFine
Per violation$2,500 standard; $7,500 intentional