What California’s ADMT Rules Actually Mean for Hiring Decisions in 2026


On 22 September 2025, the California Office of Administrative Law approved the final regulations issued by the California Privacy Protection Agency on automated decision-making technology, privacy risk assessments, and cybersecurity audits under the California Consumer Privacy Act. The regulations had been five years in the making, going back to the original CCPA mandate that the CPPA adopt rules on access, notice, opt-out rights for automated decisionmaking, and risk assessments for high-risk processing. The CPPA published the proposed rules for public comment, revised them several times in response to industry pushback, and unanimously approved the final version on 24 July 2025. The OAL completed administrative review two months later.

The rules took effect on 1 January 2026. Full ADMT compliance — pre-use notices, opt-out mechanisms, access and appeal rights — is required by 1 January 2027 for businesses already using the technology for significant decisions, and before first use for any new deployment after that date. Initial risk assessments for processing already underway must be completed by 31 December 2027. The first annual summary report to the CPPA is due 1 April 2028. Cybersecurity audit submissions phase in by company size between 2028 and 2030.

For HR, BGV, and workforce decision-making, these are the most operationally consequential automated-decisionmaking rules issued by any US jurisdiction. The EU AI Act has broader reach, but its employment provisions sit inside a complex multi-tier system. The Colorado AI Act, which had been the leading US state framework, has been substantially scaled back. The federal landscape under the current administration has rolled back the prior EEOC AI guidance. California’s ADMT regulations are now, effectively, the operative US compliance standard for automated employment decisions. Every employer of meaningful scale that hires in California — which is to say, most large US employers — sits squarely inside the regulatory perimeter.

This is a landscape view of what the rules actually require, where the compliance scope extends further than most teams have assumed, and how the parallel litigation environment reshapes the operational stakes.

The Definition Is the Point

The single most important thing about the ADMT regulations is the definition the CPPA adopted in the final rules. The earlier drafts had referenced artificial intelligence directly. The final regulations removed every reference to AI and replaced them with a functional definition:

ADMT is “any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making.”

A decision is “substantially” replaced by ADMT if the output is used to make the decision without meaningful human review. Meaningful human review, in turn, requires three things: the human reviewer must understand how to interpret the technology’s output, the human must consider the output alongside other relevant information, and the human must have the authority to change the decision.

The regulation explicitly excludes purely technical tools — web hosting, spell-checkers, calculators, anti-virus software — provided they do not replace human decision-making.

The functional definition is the part that catches most HR teams off-guard. The instinct, when scoping for ADMT compliance, is to inventory the AI tools — the AI resume screener, the AI assessment platform, the AI interview analysis vendor. That inventory is necessary but not sufficient. The regulation captures every automated step in the hiring process that replaces human judgment for a significant decision, regardless of whether the underlying technology is AI, machine learning, statistical scoring, or a simple deterministic rule.

A keyword filter in the applicant tracking system that auto-rejects resumes missing certain terms is ADMT. Pass-fail logic embedded in the BGV vendor’s scoring engine, where “fail” reports route directly to automated rejection notices, is ADMT. A compensation tool that calculates offer amounts based on candidate-supplied data without human review is ADMT. A schedule-routing algorithm that assigns shifts based on automated optimisation rather than human judgment is ADMT when applied to compensation or work assignment.

The compliance perimeter is wider than most companies’ initial inventories. The first operational task of an ADMT programme is to find the systems that are ADMT in the regulation’s sense but that nobody on the team currently thinks of as ADMT.

What Counts as a Significant Decision in Employment

The regulation applies only to ADMT used to make “significant decisions” about consumers. For employment, the regulation defines this category to include decisions that affect:

Hiring — recruitment, application screening, candidate scoring, advance/reject decisions.

Compensation — offer amounts, pay decisions, bonus and equity allocation.

Allocation or assignment of work — shift assignments, project allocation, opportunity distribution.

Promotion — advancement decisions, succession identification, role expansion.

Demotion, suspension, or termination — adverse employment actions of all categories.

What is notable in the final regulations, compared to earlier drafts, is what was removed from the significant decision list. The original draft included workplace profiling and education profiling as covered categories. The final rules pared this back. Profiling and inference activities that do not lead to one of the enumerated employment decisions are not, by themselves, significant decisions for ADMT purposes — though they may still trigger the separate risk assessment requirement, which applies to inference about employees and applicants regardless of whether a significant decision follows.

For BGV specifically, the relevant question is whether the automated scoring or flagging in the verification workflow feeds into one of the enumerated decisions. In most operational architectures, it does — pass-fail outcomes route directly to hire/no-hire decisions. The BGV automation is therefore in scope, both for the employer using the BGV report and for the vendor providing the scoring layer.

The Four Required Capabilities

For ADMT used in significant decisions, the regulations require four operational capabilities by the 1 January 2027 deadline:

Pre-use notice. Before using ADMT to make a significant decision, the business must provide a notice that states the specific purpose for using the ADMT and explains how the individual can exercise their rights under the regulation. The notice has to appear where the workflow begins — at or before data collection for the ADMT purpose, or before previously collected data is repurposed for ADMT use. For hiring, this typically means the notice appears at the point of application or on the career site.

Opt-out right. Consumers have the right to opt out of having ADMT used for significant decisions about them. The regulation includes a narrow but operationally important exception for employment hiring: an employer need not provide opt-out if the ADMT is used solely to assess the applicant’s ability to perform at work and the employer ensures the ADMT works properly and does not unlawfully discriminate. This exception is the major operational decision point for HR teams. Many employers will choose to design their ADMT use into this exception rather than build opt-out infrastructure. Doing so requires that the employer can credibly support both conditions: the technology is genuinely focused on job performance assessment, and the employer has bias testing and accuracy evaluation documentation to support the non-discrimination claim. Workplace ADMT used for purposes beyond performance assessment — culture-fit scoring, personality profiling, sentiment analysis — generally does not qualify for the exception and requires full opt-out.

Access right. Consumers can request information about the business’s use of ADMT, including the logic of the technology (the parameters that generated the outputs as well as the specific output with respect to the consumer) and how the output is used in decision-making. Trade secrets and information that would compromise system security or enable fraud can be withheld, but the carve-out is not a general escape hatch — the regulator has signalled that businesses will need to provide meaningful explanation under the access right, not just generic descriptions.

Appeal process. For ADMT decisions that significantly affect the consumer, the regulation requires an appeal mechanism with qualified human review and defined timelines. The appeal must be reviewed by a human decisionmaker who can change the decision, and the process must be operationally distinct from the original ADMT decision.

For each of these capabilities, the obligation is not just documentary. The regulator has been clear, including through active enforcement testing of opt-out mechanisms throughout 2025 and 2026, that the capabilities have to operate in practice. A notice that is buried in a privacy policy, an opt-out link that doesn’t work, an access response that says nothing meaningful, or an appeal process that rubber-stamps the original decision will not satisfy the regulation.

The Risk Assessment Requirement

In parallel with the ADMT capabilities, the rules require risk assessments before a business engages in any of several categories of high-risk processing — selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, using automated processing to infer attributes about job or education applicants, students, employees, or contractors, automated processing in sensitive locations, or training ADMT for any of these uses.

The risk assessment is more demanding than the typical privacy impact assessment most companies have run under GDPR or earlier US privacy regimes. It must:

Evaluate whether the privacy risks of the processing outweigh the benefits to the consumer, the business, other stakeholders, and the public. If the risks outweigh the benefits, the business may not proceed unless the risks can be sufficiently mitigated.

Cover seven specific factors: the purposes of the processing, the types of personal information processed, the specific processing operations, the logic of the ADMT, the foreseeable negative impacts, the planned safeguards, and the policies and procedures to limit the negative impacts.

Be approved by an executive responsible for the processing activity. The approval is not pro forma — the executive is signing off that the benefits outweigh the risks, with personal accountability for the assessment.

Be reviewed at least every three years, or within 45 calendar days of any material change to the processing activity.

Be retained for five years.

For risk assessments conducted in 2026 and 2027, businesses must submit summary information — not the full assessment — to the CPPA by 1 April 2028. The CPPA may also request the unabridged assessment with thirty days’ notice during enforcement or audit. The submission has to identify a designated contact, the time period covered, the number of assessments conducted, an indication of the CCPA personal information involved, an attestation, and the identity of the submitting individual — who must be a member of executive management.

The combination of the ADMT capabilities and the risk assessment requirement is what makes the regulation operationally serious. The capabilities create candidate-facing infrastructure. The risk assessment creates internal accountability and regulator-facing documentation. Together they form a framework that survives audit only if the underlying work has actually been done.

The Hiring Opt-Out Exception, In Practice

The narrow opt-out exception for employment hiring is the single most consequential operational decision in the regulation, because it determines whether the employer needs to build full opt-out infrastructure or can design around it. The exception applies when ADMT is used solely to assess an applicant’s ability to perform at work, and the employer ensures the ADMT works properly and does not unlawfully discriminate.

In practice, qualifying for the exception requires three things:

The use case has to be genuinely focused on job performance assessment. ADMT that evaluates candidates against the technical requirements of the role, the skill profile needed for the work, or the demonstrated competencies of similar high-performers can qualify. ADMT that scores cultural fit, personality compatibility with the team, communication style, or other dimensions not directly tied to job performance generally does not.

The employer has to have documentation that the technology works properly. This means accuracy evaluation, calibration testing, and performance validation against the use case. Vendor marketing materials are not sufficient evidence. The employer needs to be able to show that the technology actually does what it claims to do, in the deployment context.

The employer has to have documentation that the technology does not unlawfully discriminate. This means bias testing, disparate impact analysis, and ongoing monitoring of outcomes by protected characteristic. The standard implied by “ensures” is more demanding than “has tested once.”

Many employers will choose to design their ADMT use into this exception. The compliance overhead is significantly lower than building opt-out infrastructure that operates reliably across hundreds of thousands of applications. But the documentation burden for the exception is real, and it intersects with the parallel litigation environment in important ways.

The Mobley v. Workday Backdrop

The ADMT regulations sit on top of a litigation environment that has shifted significantly in 2025 and 2026. Mobley v. Workday — the federal class action in the Northern District of California alleging that Workday’s AI-driven applicant recommendation system violates Title VII, the ADEA, and the ADA — has progressed through several pivotal rulings.

In May 2025, Judge Rita Lin granted preliminary collective certification on the ADEA claim, allowing potentially “hundreds of millions” of applicants to be notified and opt in to the case. The opt-in window closed in March 2026. In March 2026, the court rejected Workday’s argument that the ADEA does not cover job applicants, allowing the case to proceed into discovery on the substantive claims. The discovery phase will, for the first time, force a court to examine the actual logic of an AI hiring tool to determine whether it functions as a “neutral aid” to employer decisions or as the decisionmaker itself.

The vendor liability theory — that Workday qualifies as an “agent” of its client employers, and is therefore directly liable for discriminatory outcomes — is the most operationally important part of the case. If the theory prevails, AI vendors face direct exposure for discriminatory outputs, not just contractual exposure to their employer clients. The employer-vendor liability architecture for AI hiring tools changes fundamentally.

In January 2026, a parallel class action was filed against Eightfold AI under the Fair Credit Reporting Act, alleging that Eightfold operated as a consumer reporting agency by collecting and scoring applicant data from unverified third-party sources without consent. The case attacks the process rather than the outcome — and if it succeeds, places AI hiring vendors squarely inside the consumer reporting agency regulatory framework.

For California employers, the ADMT regulations and the Mobley/Eightfold cases together create a compounding compliance and litigation environment. The regulations require risk assessments documenting that the ADMT works properly and does not discriminate. The cases create the precedent that those documents will be scrutinised in discovery if litigation follows. The cleanest defensive posture is one in which the ADMT-related documentation can withstand both regulator and litigation review — which means it has to be substantive rather than performative.

Penalties and Enforcement

Noncompliance penalties under the ADMT regulations run to $2,500 per violation and $7,500 per intentional violation. On their face these numbers look modest. In practice they multiply quickly — a violation per applicant, per use of ADMT, per missing capability — and the per-applicant arithmetic for a large employer can produce significant aggregate exposure even at the lower civil tier.

More consequential than the direct civil penalties is the documentation regime the regulation creates. The risk assessment is signed by an executive. The annual report to the CPPA is signed by an executive. The cybersecurity audit (for businesses subject to that layer) is independently conducted and submitted with executive certification. The combination of executive attestation requirements and regulator-accessible documentation creates the kind of compliance infrastructure that supports enforcement in a sustained way over time. The CPPA has built the institutional capacity for active enforcement, and has signalled that ADMT will be a 2027-2028 enforcement priority.

The Operational Inflection Point

For California employers in 2026, the ADMT regulations represent the first true compliance test for automated employment decision-making in the United States. The framework is more demanding than the patchwork of earlier state and local rules — the NYC bias audit requirement, the Illinois AI Video Interview Act, the Colorado AI Act’s narrowing scope. The compliance burden is substantial, but the alternative — operating outside the regulation in a state where the agency has built sustained enforcement capacity, while the parallel litigation environment exposes every AI hiring decision to discovery scrutiny — is not workable.

The right posture for 2026 is to treat the ADMT regulations as the structural baseline for how automated hiring decisions are designed, documented, and operated. That posture serves California compliance, defends against parallel litigation, and produces the kind of operational documentation that will be required as other US states and the EU continue to build their own automated decisionmaking frameworks. The companies that build to that standard now will be in a materially better position than the companies that try to retrofit after enforcement begins.

The deadline is January 2027. The work that fits comfortably in twelve months does not fit at all in six. The right time to start is now.


AMS Inform provides background verification and workforce screening services across 160+ countries. For California employers and multinationals scoping their ADMT compliance work — particularly where the BGV process itself contains automated decisioning elements within the regulatory perimeter — visit AMSinform.com to start a conversation.
