If your business uses software to help screen job applicants, approve tenants, score loan applications, or evaluate employees, that software now comes with a compliance obligation. California’s rules on Automated Decisionmaking Technology (ADMT) were finalized in late 2025 and took effect this year, with full compliance required by January 1, 2027.
They’re among the most detailed AI governance rules anywhere in the United States, and most Southern California business leaders we talk to still haven’t heard of them. That’s a problem. The businesses that prepare during 2026 will glide through this. The ones that wait for the deadline will scramble.
One scoping note up front: these rules live inside the CCPA, so they apply to for-profit companies that meet the CCPA’s thresholds. Roughly speaking, that means over $25 million in annual revenue, or handling the personal information of large numbers of California residents. If you’re near those lines, or growing toward them, read on.
Here’s what you actually need to know, minus the legal jargon.
The Short Version
If a computer makes an important decision about a person, and no human meaningfully reviews it, California now requires you to tell that person, give them a way out (an opt-out, or in some cases an appeal to a human), and explain how the decision was made.
That’s the whole regulation in one sentence. Everything else is detail. But the details determine whether you’re on the hook, so let’s walk through them.
What Counts as “ADMT”? (It’s Broader Than You Think)
ADMT is any technology that processes personal information and uses computation to replace, or substantially replace, human decisionmaking.
Notice what’s missing from that definition: the words “artificial intelligence.” The rule doesn’t care whether a tool is marketed as AI. It cares about one thing: is a computer effectively making the call?
| Tool | Likely ADMT? | Why |
| AI resume screener that auto-rejects candidates | ✅ Yes | Software makes the hiring decision |
| Tenant-screening software that scores applicants | ✅ Yes | Score drives approval/denial |
| Automated loan or credit decisioning | ✅ Yes | Financial decision without human review |
| Productivity software whose flags drive discipline or termination | ✅ Yes | Employment decision, if managers act on flags without real review |
| A spreadsheet you use to organize applicant info | ❌ No | A human still decides |
| Your firewall or spam filter | ❌ No | Explicitly excluded; no decisions about people |
| Ad targeting and marketing profiles | ❌ No | Advertising is not a “significant decision” |
The key phrase is “substantially replace.” If your team just rubber-stamps whatever the software says, that counts as the computer deciding. More on that below, because it’s your biggest lever.
When Do the Rules Kick In? Only for “Significant Decisions”
You’re only covered when ADMT is used to make a significant decision, meaning one that results in providing or denying:
- Employment: hiring, pay, promotion, demotion, suspension, termination, or how work gets assigned
- Financial or lending services: loans, credit, financing terms
- Housing: tenant approvals, rental decisions
- Healthcare services
- Education: enrollment and opportunities
If your automated tools only touch marketing, inventory, routing, or internal analytics, breathe easy. If they touch any of the five categories above, keep reading.
If You’re Covered, Here’s Your To-Do List
Businesses using ADMT for significant decisions must provide three things.
1. A Pre-Use Notice. Before you collect someone’s information for an automated decision, or before you repurpose information you already have, you must tell them in plain language that ADMT is being used, how it works, what information feeds it, and what their rights are. This applies to job candidates and employees, not just customers.
2. A Way to Opt Out. Consumers get the right to opt out of automated decisionmaking, with only narrow exceptions. You’ll need two or more designated opt-out methods, at least one matching how you normally interact with people (a clearly labeled link, an email address, a paper form). No account creation, no extra hoops, and you must confirm the opt-out was processed.
One notable exception: a business can skip offering the opt-out if it instead gives people a way to appeal the decision to a human reviewer who has the authority to overturn it. Either way, a real human path has to exist.
3. Access and Explanation. People can ask how the ADMT reached its conclusion about them: what logic it used and how the output shaped the decision.
Behind the scenes, you’ll also need documented risk assessments before deploying covered systems, with updates required no later than 45 days after any material change, plus a certification submitted to the state and signed by a named member of your executive team. And because the CCPA requires your service providers to assist with these obligations, it’s smart to revisit vendor contracts so that cooperation is spelled out.
The Timeline Business Leaders Should Circle
| Date | What Happens |
| Now (2026) | Risk assessment obligations are already in effect for high-risk data processing. New ADMT deployments may need an assessment before launch, not later. |
| January 1, 2027 | Full ADMT compliance required for any system already in use. Anything deployed after this date must comply from day one. |
| April 1, 2028 | First risk-assessment summaries due to the California Privacy Protection Agency. |
Don’t be fooled by “2027.” If you’re rolling out a new AI hiring tool or automated approval workflow this year, the risk-assessment clock may already be ticking. And material changes to an existing system trigger an updated assessment within 45 days.
The Escape Hatch: Meaningful Human Review
Here’s the part most coverage buries: these rules don’t apply if a qualified human genuinely reviews the decision.
But California defined “genuinely” with teeth. The human reviewer must:
- Understand how to interpret the tool’s output
- Actually review the output alongside other relevant information
- Have real authority to change or override the decision
A manager who clicks “approve” on whatever the software recommends doesn’t count. If nobody can override the model, there is no human involvement, and you’re fully in scope.
This gives every business a strategic choice.
Option A: Build the full compliance program with notices, opt-outs, appeals, and risk assessments.
Option B: Redesign your workflow so a trained human makes the final call, and stay outside the rules entirely.
For many small and mid-sized businesses, Option B is faster and cheaper. But it has to be real human review, documented and defensible rather than a checkbox.
Why This Matters Even If You Think You’re Too Small
Three reasons this belongs on your 2026 planning agenda:
- You probably use ADMT and don’t know it. Applicant tracking systems, tenant-screening services, credit tools, and employee-monitoring software often ship with automated scoring turned on by default. The vendor won’t flag your compliance exposure. That’s on you.
- Employers face a parallel rule. Separate California civil rights regulations (under FEHA) generally require keeping the inputs and outputs of automated decision tools used in employment for four years. HR is in the crosshairs from two directions.
- This won’t stay in California. California’s privacy rules have a habit of becoming the national template. Building good AI governance now is an investment, not a tax.
How Crimson IT Has Led the Charge on AI Governance
We’ve been helping Southern California businesses adopt AI the right way, with the guardrails in first rather than bolted on after. For ADMT readiness, that looks like:
- An ADMT inventory cataloging every tool in your environment that scores, ranks, screens, or profiles people, including the ones buried inside software you already own
- Scope analysis to determine which tools touch “significant decisions” and which don’t
- Workflow design that builds meaningful human review into decision processes so you can stay outside the rules where it makes sense
- Risk assessment support with documentation that satisfies regulators and holds up if the CPPA ever comes asking
- Vendor contract review to make sure your software providers are contractually obligated to help you comply
The businesses that treat this as a January 2027 problem will spend Q4 2026 in a panic. The ones that spend a few weeks on it now will have a competitive answer when a candidate, tenant, or customer asks: “Did a computer decide this?”
Not sure whether your tools count as ADMT? Let’s find out together. Contact Crimson IT for a complimentary AI governance assessment.
Crimson IT provides managed IT services, cybersecurity, and AI enablement to businesses across Southern California. This article is for general information and isn’t legal advice. For questions about your specific compliance obligations, consult a qualified attorney.
Sources: California Privacy Protection Agency, approved regulations text and rulemaking materials (cppa.ca.gov/regulations/ccpa_updates.html) and the CPPA’s September 23, 2025 announcement of the finalized regulations.





