CCPA/CPRA AI Compliance: Automated Decision-Making and AI Profiling Requirements

What Is ADMT Under CCPA/CPRA?

The California Privacy Rights Act (effective January 1, 2023, enforced July 1, 2023) substantially expanded CCPA's scope for AI and automated systems. CPRA Section 1798.185(a)(16) directed the California Privacy Protection Agency (CPPA) to issue regulations governing "automated decision-making technology" — a term broadly defined to capture any computational system that processes personal information to make or inform decisions with legal or similarly significant effects on consumers.

The CPPA's proposed ADMT regulations define this technology as:

CPPA Definition — Automated Decision-Making Technology

  Core definition: Any system, software, or process — including one derived from machine-learning, statistics, or other data-processing or AI techniques — that processes personal information and uses computation as whole or part of a system to make or execute a decision, or to facilitate human decision-making, that has a legal or similarly significant effect.
  Includes: LLM-based recommendation systems, AI scoring models, generative AI used for consumer-facing decisions, NLP systems that classify consumer data to route or prioritize service delivery.
  "Significant effect": Decisions affecting access to or denial of financial services, housing, healthcare, education, employment, or goods and services. Also includes decisions that result in different prices, terms, or quality of service.
  Profiling scope: Any automated processing to evaluate natural persons' characteristics: economic situation, health, preferences, interests, reliability, behavior, location, or movements.

This definition captures a substantial portion of modern AI deployments. Organizations that believed their AI systems were outside CCPA's scope because they were not "selling" data often discover that ADMT obligations apply because their AI systems analyze and make decisions about California consumers using personal information.

Broader Than You Think

ADMT regulations apply even when the AI is used to "facilitate human decision-making" — not only fully automated decisions. If a human reviews an AI-generated recommendation before acting, the underlying AI system is still subject to ADMT obligations if its output materially influences a significant decision about a consumer. Replacing a fully automated system with human-in-the-loop AI does not avoid ADMT compliance requirements.

Consumer Rights for AI Decisions

CPRA and the CPPA's proposed ADMT regulations create a suite of consumer rights specifically applicable to AI-driven decisions. These rights create new operational requirements that go far beyond standard privacy notice-and-choice mechanisms.

Right to Opt Out (CPRA § 1798.185(a)(16)(A))
Consumers may opt out of the use of ADMT for significant decisions. Businesses must provide a clear opt-out mechanism and honor requests within 15 business days. Businesses cannot penalize consumers for opting out.

Right to Access Logic (CPPA Proposed Rules)
Consumers may request a plain-language explanation of the logic involved in ADMT, the categories of data used, and the expected accuracy and potential discriminatory impact of the system.

Right to Human Review (CPPA Proposed Rules)
For significant decisions, consumers may request human review of an automated decision. Businesses must provide a meaningful review by a qualified person — not just a rubber-stamp of the AI output.

Right to Know About AI (CCPA § 1798.100)
Consumers have a right to know that a business collects and uses personal information, including for AI training and inference. Privacy notices must describe AI use if it processes consumer personal information.

Pre-Deployment Risk Assessment Requirements

The CPPA's proposed ADMT regulations introduce a significant new requirement: businesses must conduct documented risk assessments before deploying ADMT for significant decisions. This obligation is substantively similar to Data Protection Impact Assessments (DPIAs) under GDPR, but with AI-specific content requirements.

Risk Assessment Content Requirements

A compliant ADMT risk assessment must document:

  • Purpose and description: The specific use case, the decisions it makes or informs, and the population of consumers affected.
  • Training data characterization: The sources, types, and representativeness of data used to train or configure the AI system, including any known biases or limitations.
  • Expected performance and accuracy: Documented testing results, including accuracy metrics, false positive/negative rates, and performance differences across demographic groups.
  • Potential for discriminatory impact: Analysis of whether the system's outputs may produce disparate impact on protected classes under California's civil rights laws.
  • Safeguards and controls: Technical and organizational measures implemented to prevent unauthorized use, inaccurate outputs, and discriminatory outcomes.
  • Consumer rights mechanisms: How the business implements opt-out, access, and human review rights for this specific ADMT application.

Risk Assessment Retention and Disclosure

The CPPA has authority to request ADMT risk assessments as part of investigations. Businesses should retain completed risk assessments for the duration of the ADMT deployment plus a minimum of five years after decommissioning. Risk assessments must be updated when the AI system is materially changed — model updates, new training data, or significant changes in use case scope all trigger a re-assessment obligation.

Privacy Notice Requirements for AI

CCPA/CPRA require businesses to disclose data practices in their privacy notices. For AI systems, this creates specific disclosure obligations that most current privacy notices do not satisfy.

What AI-Related Privacy Notices Must Include

A CCPA/CPRA-compliant privacy notice for a business using AI must address:

  • Categories of personal information used in AI systems
    Basis: § 1798.100(a), § 1798.130(a)(5)
    Typical gap: Privacy notices list data categories but do not disclose that these are fed into AI models.
  • Business purposes for AI/ADMT use
    Basis: § 1798.130(a)(5)(B)
    Typical gap: Generic "analytics" or "service improvement" language does not satisfy the specificity requirement.
  • Opt-out mechanism for ADMT profiling
    Basis: CPPA proposed ADMT rules
    Typical gap: Many businesses lack a distinct ADMT opt-out separate from the general opt-out of sale.
  • Right to human review notice
    Basis: CPPA proposed ADMT rules
    Typical gap: The human review right is not disclosed, and no process exists to handle such requests.
  • AI use in sensitive personal information decisions
    Basis: § 1798.121 (sensitive PI)
    Typical gap: Health, financial, and demographic data used for AI scoring is often not identified as sensitive PI used in automated decisions.

Profiling Restrictions and Sensitive Categories

CPRA introduces heightened restrictions on the use of "sensitive personal information" — a category that includes health data, precise geolocation, racial or ethnic origin, religious beliefs, financial account information, and biometric data. AI systems that use these categories to make or inform decisions face additional obligations:

  • Limitation of use: Sensitive personal information may only be used for purposes disclosed at collection. Using sensitive health data collected for treatment purposes to train a wellness AI product is a violation unless consumers were told of and consented to this use.
  • No inference from sensitive PI: CPRA prohibits using sensitive personal information to infer additional personal information unless the consumer has consented. AI systems that derive scores or profiles from sensitive PI categories must have a lawful basis for each inference.
  • Right to limit sensitive PI use: Consumers may direct businesses to use their sensitive personal information only for the primary purpose for which it was collected. AI systems must implement this limitation at the data ingestion layer — not just in privacy policies.

Sensitive PI in AI Training Data — A Critical Gap

Many AI systems are trained on historical customer data that incidentally contains sensitive personal information — medical codes in customer service transcripts, income indicators in purchase histories, location data in usage logs. Using this data for AI training without checking whether it was disclosed as a training data use at collection creates retroactive CPRA violations. Pre-deployment AI risk assessments should include a data lineage audit that identifies sensitive PI in training datasets and verifies lawful basis for training use.

Implementing Opt-Out for AI Decisions

The right to opt out of ADMT is operationally complex because it must be applied at the individual consumer level, honored within 15 business days, and maintained consistently across the business's systems. A privacy policy update alone does not implement opt-out — the technical infrastructure must actually prevent the opted-out consumer's data from being processed by the ADMT system.

ADMT Opt-Out Request Processing Flow

Consumer Request → Identity Verification → Preference Update → AI Gating Flag → ADMT Bypassed (Manual Process), honored within 15 business days

Technical Requirements for ADMT Opt-Out

A technically sound ADMT opt-out implementation requires:

  1. Consumer identity linking: The opt-out preference must be linked to the consumer's identity across all systems that process their data — cookie-based opt-outs that do not propagate to backend AI systems are insufficient.
  2. AI pipeline gating: A pre-processing check that examines whether the requesting consumer has opted out of ADMT before routing their data to AI inference. This check must occur before the data reaches the model — it cannot be a post-processing filter on AI outputs.
  3. Alternative processing path: When an opted-out consumer's request or data would normally be processed by AI, a non-AI alternative must exist. If no non-AI alternative is available, the business may need to explain this limitation and document why manual review is not feasible.
  4. Audit trail: Records of opt-out preferences received, the date honored, and confirmation that the AI system did not process the opted-out consumer's data for the restricted purpose must be maintained for compliance verification.
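A minimal pre-inference gate that follows the four requirements above, as an added example (not CoreGuard's code or any regulator's reference implementation). It assumes a consumer id that has already passed identity verification, an in-memory opt-out registry, a toy scoring function standing in for the ADMT model, and a plain list as the audit store; the manual-review queue itself is out of scope.

```python
import hashlib
import json
from datetime import date, timedelta

MODEL_VERSION = "score-model-v3"  # placeholder version string
AUDIT_LOG = []                    # append-only audit records (constructed store)

class OptOutRegistry:
    """Opt-out preferences keyed by a verified consumer id (in-memory, constructed)."""
    def __init__(self):
        self.received = {}  # consumer_id -> date the request was received
        self.honored = {}   # consumer_id -> date the gating flag went live

    def record_request(self, consumer_id, received_on):
        self.received[consumer_id] = date.fromisoformat(received_on)

    def honor(self, consumer_id, honored_on):
        self.honored[consumer_id] = date.fromisoformat(honored_on)

    def is_opted_out(self, consumer_id):
        # Gate on receipt, not on the honor date: a pending request already keeps the consumer out of ADMT.
        return consumer_id in self.received

def business_days_after(start, n):
    """Advance `start` by n Mon-Fri business days (holidays ignored)."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def honor_deadline(registry, consumer_id):
    """Last ISO date on which the opt-out must be honored (15 business days after receipt)."""
    return business_days_after(registry.received[consumer_id], 15).isoformat()

def is_overdue(registry, consumer_id, today):
    """True if the request is still unhonored and its deadline has passed as of `today` (ISO date)."""
    return registry.honored.get(consumer_id) is None and today > honor_deadline(registry, consumer_id)

def toy_score(features):  # constructed stand-in for the ADMT model
    return 600 + 2 * features.get("tenure_months", 0)

def route_decision(registry, consumer_id, features, today, run_model=toy_score):
    """Choose the path before inference; an opted-out consumer's data never reaches the model."""
    if registry.is_opted_out(consumer_id):
        path, output = "manual_review", None
    else:
        path, output = "admt", run_model(features)
    AUDIT_LOG.append({  # hash the canonical input so the audit record holds no raw PI
        "consumer_id": consumer_id, "decision_date": today, "path": path,
        "input_hash": hashlib.sha256(json.dumps(features, sort_keys=True).encode()).hexdigest(),
        "model_version": MODEL_VERSION if path == "admt" else None,
    })
    return path, output
```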

CoreGuard and CCPA/CPRA AI Compliance

CoreGuard's policy enforcement layer operates as a pre-inference gate that can implement ADMT opt-out, sensitive PI restrictions, and human review routing at the AI pipeline level — not just in policy documents.

  • ADMT opt-out enforcement at inference time: Consumer preference flags checked in policy pack before AI inference; opted-out consumers routed to manual processing path with audit documentation.
  • Sensitive PI detection and restriction: Input classification detects health codes, financial identifiers, biometric markers; MODIFY disposition redacts or blocks processing per policy configuration.
  • Decision audit trail for human review: Cryptographically signed decision certificates include input context hash, model version, policy pack version, and output classification; supports consumer access requests and human review.
  • Risk assessment documentation support: Policy pack versioning and behavioral test suite provide pre-deployment testing evidence for ADMT risk assessment; output classification statistics support accuracy documentation.
  • Significant decision detection: Decision impact classifier identifies outputs that affect financial, health, employment, or service access decisions; escalates to human review queue when configured.
  • Privacy notice accuracy: Policy pack configuration serves as machine-readable documentation of ADMT purposes and data categories; exportable for privacy notice review and CPPA inquiry response.

CPPA Enforcement and Penalties

The California Privacy Protection Agency began enforcement of CPRA in July 2023. Unlike CCPA's original cure period, CPRA removed the 30-day cure period for violations — the CPPA may issue notices of violation and impose penalties without giving businesses time to correct the problem first.

Penalties under CCPA/CPRA are:

  • $2,500 per unintentional violation
  • $7,500 per intentional violation or violation involving a minor's data
  • No statutory cap on total penalties — enforcement actions covering systematic AI violations across millions of records can produce penalties in the hundreds of millions of dollars.

The CPPA's enforcement priorities have included organizations using AI for credit and insurance decisions, personalized pricing, and hiring screening. Enforcement is triggered by consumer complaints, proactive CPPA investigations, and data breach investigations that uncover AI compliance gaps.

ADMT Regulations Timeline

The CPPA issued revised proposed ADMT regulations in late 2024. After the public comment period and response period, finalized regulations are expected in 2025-2026. Organizations should implement ADMT governance infrastructure now — both because some obligations under existing CPRA text apply today, and because the finalized regulations will likely require organizations to demonstrate that controls have been in place since ADMT deployment began, not just from the regulation's effective date.

Frequently Asked Questions

What is Automated Decision-Making Technology (ADMT) under CPRA, and does it include LLMs?
Under CPRA and the CPPA's proposed ADMT regulations, Automated Decision-Making Technology means any system, software, or process — including one derived from machine-learning, statistics, or AI techniques — that processes personal information and uses computation as whole or part of a system to make or execute a decision, or to facilitate human decision-making, that has a legal or similarly significant effect. LLMs that process personal information to generate recommendations, scores, or decisions about individuals are almost certainly covered. This includes AI-powered credit scoring, hiring recommendation systems, insurance underwriting models, personalization engines that affect pricing or access, and customer service AI that makes eligibility determinations.

What opt-out rights do California consumers have for AI-driven decisions?
Under CPRA and the CPPA's proposed ADMT regulations, California consumers have the right to opt out of the use of ADMT for significant decisions. This includes profiling for targeted advertising, personalized pricing, and decisions with legal or similarly significant effects. The regulations also propose a right to access information about how ADMT works (logic, data sources, expected accuracy) and a right to human review of significant automated decisions. Businesses must honor opt-out requests within 15 business days and may not penalize consumers for exercising this right. The opt-out mechanism must be prominently displayed — a buried privacy settings page does not satisfy the requirement.

What does the CPPA's proposed ADMT rulemaking require for businesses using AI?
The CPPA's proposed ADMT regulations would require businesses to: (1) Conduct and document pre-deployment risk assessments evaluating the ADMT's purpose, training data, expected accuracy, and potential for discriminatory impact; (2) Provide consumers with a plain-language explanation of how the ADMT works for significant decisions; (3) Honor opt-out requests and implement a process for human review when requested; (4) Retain risk assessment documentation and make it available to the CPPA upon request; (5) Notify consumers when a significant decision is made using ADMT; and (6) Implement safeguards to prevent inaccurate or discriminatory outcomes. These requirements effectively mandate an AI governance infrastructure — not just a privacy policy update.

How does CCPA's definition of 'profiling' apply to AI systems?
CCPA/CPRA broadly defines profiling as any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person — including performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. This captures most AI systems that analyze individual behavior, including: recommendation engines (predicting preferences), risk scoring models (predicting creditworthiness), engagement optimization systems (predicting behavior), and diagnostic AI (predicting health outcomes). Many AI systems businesses assumed were outside CCPA's scope are in fact covered, particularly when they process any California consumer's personal information.

What records does a business need to maintain for CCPA/CPRA AI compliance?
For AI systems subject to CCPA/CPRA, businesses should maintain: (1) Records of ADMT systems deployed, their purposes, and the categories of personal information processed; (2) Pre-deployment risk assessments with documentation of expected accuracy and bias testing; (3) Logs of significant automated decisions with sufficient detail to support human review and consumer access requests; (4) Records of opt-out requests received and honored, with timestamps; (5) Human review outcomes when consumers exercise their review rights; (6) Model version history with change logs documenting when models were updated and what changed; and (7) Data retention schedules for personal information used in AI training and inference. The CPPA has signaled it will issue investigation notices requesting this documentation with short response windows.
Operationalize CCPA/CPRA AI Compliance

CoreGuard implements ADMT opt-out enforcement, sensitive PI detection, and decision audit trails at the AI pipeline layer — not just in policy documents. Ready for CPPA inquiry.