I. Introduction
On July 24, 2025, the California Privacy Protection Agency (CPPA) approved and adopted a rulemaking package that includes new rules on the use of automated decisionmaking technology (ADMT). The package also contains rules on risk assessments and cybersecurity audits, and updates to the existing California Consumer Privacy Act (CCPA) regulations.
The new rules have been forwarded to the Office of Administrative Law (OAL) for review under the Administrative Procedure Act. The OAL has 30 business days to decide whether the regulations are approved and become final and effective.
Read on to learn about the obligations these new regulations place on businesses and, most importantly, how best to comply with them.
II. Definitions of Key Terms
a. Automated Decisionmaking Technology
Any technology that processes personal information and is capable of completely or substantially replacing human decisionmaking. This includes profiling. It does not include web hosting, domain registration, networking, caching, website loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall filtering, spellchecking, calculators, databases, or spreadsheets, provided these tools are not used to replace human decisionmaking.
b. Significant Decision
A decision resulting in the “provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services”.
c. Substantially Replace Human Decision Making
A business uses the technology's output to make a decision without any human involvement.
III. Obligations for Businesses
Businesses already using ADMT to make significant decisions must comply with the following obligations by January 1, 2027. Businesses that begin using ADMT after that date must be compliant from the moment they start using it.
a. Pre-Use Notice
Businesses using ADMT to make significant decisions must provide consumers with a pre-use notice. The notice must adequately inform consumers of the business's use of ADMT and of their rights to access the ADMT and to opt out of it. The notice must be:
- Easy to read, understandable to consumers, available in languages the business typically uses, and reasonably accessible to consumers with disabilities per the relevant regulatory requirements;
- Presented prominently and conspicuously at or before the point of personal information collection/processing for ADMT use;
- Presented in the manner in which the business primarily interacts with the consumer.
Furthermore, the pre-use notice must include:
- An explanation of the exact business reasons for the use of ADMT;
- Description of the consumers’ right to access and opt out of the ADMT, how to exercise these rights, and the appeal process, where applicable;
- The fact that the business is prohibited from retaliating against consumers for exercising their rights;
- An explanation of how the ADMT works, including:
  - How the ADMT processes personal information, including the categories of personal information that affect its output;
  - The types of output it produces and how they are used to make significant decisions;
  - Any alternative process for making the significant decision if a consumer opts out (unless an exception applies);
- A link through which consumers can opt out of the business's use of ADMT.
A business may provide a single pre-use notice covering multiple ADMTs or purposes, provided it includes all required information for each use.
Exceptions
Trade secrets, and information whose disclosure would compromise security, fraud prevention, or safety, do not have to be disclosed in the pre-use notice.
Metrics for Large Businesses
Businesses that processed the personal information of 10,000,000 or more consumers in a calendar year must compile the following metrics for the previous calendar year:
- The number of requests to access ADMT that the business received, complied with in whole or in part, and denied;
- The number of requests to opt out of ADMT that the business received, complied with in whole or in part, and denied.
IV. Data Subject Rights
a. Request to Opt Out
Consumers have the right to opt out of ADMT used to make significant decisions about them. A business is not required to offer this opt-out in the following circumstances:
- The business provides a method for consumers to appeal the ADMT decision to a human reviewer who has the authority to overturn it;
- The ADMT is necessary to determine whether to admit, accept, or hire the consumer into an educational or work program, and the ADMT does not discriminate on the basis of protected characteristics;
- The ADMT is used solely for business purposes related to allocation, assignment, or compensation at work, and the ADMT does not discriminate on the basis of protected characteristics.
Methods to Opt Out
Businesses must provide two or more methods for consumers to submit opt-out requests, with at least one method reflecting the way the business primarily interacts with the consumer. A business that interacts with consumers online must, at a minimum, allow them to submit opt-out requests through an interactive form linked from the pre-use notice.
The opt-out methods must be easy to use, involve minimal steps, and must not use dark patterns. They must not require the consumer to create a new account or provide more information than is necessary. Businesses are not required to verify opt-out requests, but may ask the consumer for the additional information needed to complete one. Lastly, a business may let consumers opt out of specific ADMT uses, as long as it also offers a single option to opt out of all ADMT uses.
Response to an Opt-Out Request
When responding to an opt-out request, a business:
- May deny the request if it has a good-faith, reasonable, and documented belief that the request is fraudulent, in which case it must inform the requester of the denial and explain why;
- Must provide a means for the consumer to confirm that the request is being processed;
- Must allow an authorized agent to submit a request on the consumer's behalf, and may deny a request for which the consumer's permission has not been shown;
- Must wait at least 12 months before asking a consumer who has opted out to consent to the use of ADMT again;
- Must not retaliate against consumers for exercising their opt-out right;
- Must not begin processing the consumer's personal information with ADMT if the consumer opted out before the processing started;
- Must cease processing the consumer's personal information with ADMT within 15 business days of receiving the opt-out request, and must notify any service providers, contractors, and third parties to whom the information was disclosed so that they also comply with the opt-out.
b. Request to Access ADMT
Consumers have the right to request information about a business's use of ADMT to make significant decisions about them. Responses to such requests must be written in plain language and include:
- The specific purpose for which the business used the ADMT;
- How the ADMT processed the consumer's personal information to generate an output;
- How the output was used to make the significant decision, including whether it was the sole factor, what other factors were considered, the role of any human involvement, and whether the output will be used in future decisions about the consumer;
- How the ADMT's logic was applied to the consumer and the key parameters that affected the output;
- A statement that the business is prohibited from retaliating against consumers for exercising their CCPA rights, together with instructions on how to exercise those rights.
Exception
Trade secrets, and information whose disclosure would compromise security, fraud prevention, or safety, do not have to be disclosed in response to an access request.
Response to an Access Request
When responding to an access request, a business:
- May use its existing "request to know," "request to delete," or "request to correct" methods to receive and respond to the request;
- Must provide the information only after confirming that the request is a verifiable consumer request, and may deny the request if it cannot be verified;
- Must, if it denies a request, inform the requester and explain the basis for the denial;
- Must use reasonable security measures when transmitting the requested information;
- May provide an aggregate-level response summarizing outputs and key parameters when the ADMT was used more than four times in the preceding 12 months to make significant decisions about that consumer;
- May provide access through a secure self-service portal;
- May use service providers or contractors to help respond to the request;
- Must not retaliate against a consumer for exercising the access right;
- May provide additional information about its use of ADMT to help consumers compare it with others.
Timeline to Respond to a DSR Request
Businesses must confirm receipt of an access request or appeal within 10 business days of receiving it. The confirmation must describe how the business will process the request, including its verification process, and give a timeline for when the consumer can expect a response.
The business must then respond to the request within 45 calendar days of receiving it. This deadline may be extended by an additional 45 days, provided the consumer is notified of the extension.
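A DSR workflow has to track several clocks at once: the 10-business-day acknowledgment and 45-calendar-day response for access requests and appeals, the optional 45-day extension, the 15-business-day cut-off for ceasing ADMT processing after an opt-out, and the 12-month wait before re-asking for consent. The following Python is an added example, not code from the original page or from Securiti; it assumes that "business days" skip only Saturdays and Sundays (public holidays are not modelled) and uses hypothetical function names chosen for this illustration.

```python
from datetime import date, timedelta

# Assumption for this example: business days exclude Saturdays and Sundays
# only. Public holidays are not modelled; a production tracker would need a
# jurisdiction-specific holiday calendar.


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days after `start` (weekends skipped)."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def one_year_after(start: date) -> date:
    """Same calendar date one year later; Feb 29 rolls to Feb 28."""
    try:
        return start.replace(year=start.year + 1)
    except ValueError:  # start was Feb 29 and next year is not a leap year
        return start.replace(year=start.year + 1, day=28)


def access_request_deadlines(received: date, extended: bool = False) -> dict:
    """Deadlines for an ADMT access request (or appeal) received on `received`.

    - acknowledge receipt within 10 business days
    - substantive response within 45 calendar days, plus 45 more if the
      business has notified the consumer of an extension
    """
    response_days = 90 if extended else 45
    return {
        "acknowledge_by": add_business_days(received, 10),
        "respond_by": received + timedelta(days=response_days),
    }


def opt_out_deadlines(received: date) -> dict:
    """Deadlines after an ADMT opt-out request received on `received`.

    - stop processing with ADMT within 15 business days
    - do not ask the consumer to consent to ADMT again for 12 months
    """
    return {
        "cease_processing_by": add_business_days(received, 15),
        "may_reask_consent_from": one_year_after(received),
    }


def overdue(deadlines: dict, today: date) -> list:
    """Names of the deadlines that have already passed as of `today`."""
    return sorted(name for name, due in deadlines.items() if today > due)


if __name__ == "__main__":
    # Constructed sample: a request received on Friday, 1 August 2025.
    received = date(2025, 8, 1)
    print(access_request_deadlines(received))
    print(access_request_deadlines(received, extended=True))
    print(opt_out_deadlines(received))
    print(overdue(access_request_deadlines(received), date(2025, 8, 20)))
```

Because the response clock runs in calendar days while the acknowledgment and cease-processing clocks run in business days, a request received on a Friday produces deadlines that are not simple multiples of seven days apart; computing them separately, as above, avoids the common mistake of treating every deadline as "N days from receipt".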
V. How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI capabilities. Its unified data intelligence, controls, and orchestration across hybrid multicloud environments are relied on by global enterprises for their data security, privacy, governance, and compliance needs.
The Data Command Center includes modules designed to automate compliance work, including privacy policy management, assessment automation, vendor risk assessment, and DSR automation. Together they give an organization real-time oversight, through a centralized dashboard, of its compliance with the CCPA requirements that apply to it.
This also enables an organization to take proactive measures as soon as a potential violation or instance of non-compliance is detected.
Request a demo today to learn more about how Securiti can help your organization comply with the CCPA's latest requirements related to the use of ADMT.