California’s Automated Decision-Making Rules Are Now Live
On January 1, 2026, California’s Automated Decision-Making Technology (ADMT) regulations took effect — along with the CCPA’s new cybersecurity audit and risk-assessment requirements. The combined effect is the most significant expansion of U.S. privacy obligations since CCPA itself came online in 2020.
What ADMT covers
The ADMT rules apply when a business uses automated decision-making technology — meaning AI, machine learning, or rule-based scoring systems — to make or substantially assist with a significant decision about a California resident. “Significant” includes employment, education, lending, housing, insurance, healthcare services, and access to essential goods or services.
If you use AI to screen résumés, score loan applications, set insurance premiums, or determine eligibility for benefits — and you do business in California — you are covered.
What you have to do
- Pre-use risk assessments. Document the purpose, the categories of personal information used, the categories of recipients, and the safeguards in place to mitigate adverse effects.
- Consumer notices. Inform consumers when ADMT is being used to make a significant decision about them, before the decision is made.
- Opt-out and access rights. Honor consumer requests to opt out of ADMT for significant decisions and to access information about the logic and outputs.
- Annual cybersecurity audit. Required for businesses meeting size and processing thresholds — separate from ADMT but effective the same day.
What this means for your business
If you have California customers, employees, or applicants — and you use any AI tool for material decisions about them — you need a documented ADMT program in place now. The California AG and the California Privacy Protection Agency have signaled that 2026 will be an active enforcement year, with first actions expected by Q3.
The Carlson Firm helps clients build ADMT programs from the assessment up: documenting the qualifying systems, drafting the consumer notices, creating the opt-out workflow, and preparing for the cybersecurity audit. If you’re unsure whether your vendor’s hiring tool or credit-scoring engine is covered, that uncertainty is itself a compliance gap worth closing.
