CCPA's New ADMT Rules: What California's Automated Decision-Making Regulations Mean for AI SaaS in 2026
CPRA gave Californians a right to opt out of automated decision-making years ago — but it was abstract until the CPPA finalized the detailed ADMT regulations. Now there are concrete duties: pre-use notice, an opt-out, an access right, and documented risk assessments. If your AI decides things about people, this is the rulebook.
What Counts as ADMT
The CPPA defines ADMT as technology that processes personal information and uses computation to replace or substantially replace human decision-making. The "substantially replace" language matters: a rubber-stamp human who simply approves whatever the AI outputs does not save you. If the human isn't meaningfully reviewing, interpreting, and able to override the AI, the system is ADMT.
The obligations attach when ADMT is used to make a significant decision — one that affects access to, or the cost/terms of, financial or lending services, housing, insurance, education enrollment or opportunity, criminal-justice outcomes, employment or independent-contracting opportunities, or healthcare services.
The Three Consumer Rights You Must Build For
Pre-Use Notice
NoticeBefore you use ADMT to make a significant decision, you must give the consumer a plain-language notice: that ADMT will be used, the purpose, how it works at a high level, and how to exercise their opt-out and access rights. This is a UX and copy obligation — it has to appear at the right moment in the flow, not buried in a privacy policy.
Right to Opt Out
Opt-outConsumers can opt out of the ADMT processing for significant decisions. There are narrow exceptions — for example, where you offer a meaningful human-appeal alternative, or where the ADMT is necessary for security/fraud prevention or to provide the requested service. If you rely on an exception, you must document it and still provide the appeal pathway where required.
Right to Access / Explanation
AccessConsumers can ask how ADMT was used in a decision about them. You must give a meaningful explanation: the logic involved, the role the output played, and the parameters that drove the result — in plain language, not a model dump. Build the logging now; you can't reconstruct an explanation for a decision you didn't record.
Risk Assessments: The Part Engineering Teams Miss
Beyond consumer-facing rights, the regulations require a documented risk assessment before processing that poses significant risk to privacy — including certain ADMT uses and processing of sensitive personal information. The assessment must identify the purpose, the categories of data, the benefits, the negative impacts, and the safeguards that reduce those impacts. You must retain it and be able to provide information to the CPPA on request.
Practically, this means a cross-functional artifact — product, legal, and engineering — produced before launch, not a compliance afterthought. Teams that ship AI features fast tend to skip this entirely; it's an enforcement-ready gap.
Does This Apply to Your Product? A Quick Triage
Does your AI screen, rank, or score job applicants or contractors?
CriticalEmployment is a covered significant-decision domain. Resume-screening AI, interview-scoring, and candidate-ranking tools used on California applicants trigger ADMT notice, opt-out, and access obligations — and risk-assessment duties.
Does your AI make or drive lending, credit, or insurance decisions?
CriticalFinancial/lending and insurance are covered. AI underwriting, automated credit decisions, and risk-scoring that affects terms or access are in scope. A human who merely confirms the AI's output likely does not remove you from ADMT.
Does your AI affect housing, education, or healthcare access?
HighTenant screening, admissions/enrollment tools, and AI that gates healthcare services are covered domains. Verify whether a human is genuinely in the loop or just rubber-stamping.
Is there a meaningful human reviewer who can override the AI?
MediumIf a qualified human actually reviews, interprets, and can overturn the AI's output as part of the decision, you may fall outside 'substantially replace' — but document the human role. A reviewer who approves 100% of outputs in seconds is evidence of rubber-stamping, not human review.
Your 2026 ADMT Compliance Checklist
- Inventory every AI feature that influences a significant decision about California residents.
- Classify the human role for each — meaningful review vs. rubber-stamp — and document it.
- Build pre-use notice into the relevant flows, in plain language and at the right moment.
- Implement an opt-out (or a documented exception plus human-appeal path).
- Log decision inputs/outputs so you can honor access/explanation requests later.
- Complete and retain risk assessments before launching covered processing.
- Update your privacy policy to reflect ADMT use, rights, and contact pathways.
As with the rest of CCPA, getting California right puts you most of the way toward compliance with the wave of other state AI/privacy laws (Colorado's AI Act, Texas's TRAIGA, and similar frameworks) that borrow California's structure.
See where your AI product is exposed
RatedWithAI helps SaaS teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
Is a recommendation engine ADMT?
It depends on what the recommendation decides. A product-recommendation widget generally isn't a 'significant decision.' But an AI that recommends whether to approve a loan, hire a candidate, or grant housing — and is acted on without meaningful human override — is ADMT for a significant decision and triggers the full obligations.
Can I avoid the rules by keeping a human in the loop?
Only if the human role is genuine. The regulations target ADMT that 'replaces or substantially replaces' human decision-making. A human who meaningfully reviews and can override the AI may take you outside scope — but you must document that role, and a reviewer who approves everything instantly is not meaningful review.
We use a third-party AI vendor for screening — who's responsible?
You, as the business making the decision about your consumers, carry the CCPA obligations. Your vendor is typically a service provider. You need contractual terms restricting their data use and you must still provide notice, opt-out, and access to your consumers. You can't outsource the legal responsibility along with the model.
What are the penalties for getting ADMT wrong?
ADMT obligations are enforced under CCPA/CPRA by the CPPA and the California AG: $2,500 per unintentional violation and $7,500 per intentional violation, assessed per affected consumer. A non-compliant automated-screening feature applied to thousands of California applicants scales quickly.