CCPA Regulations on Automated Decisionmaking Technology, Risk Assessments, and Cybersecurity Audits
California ADMT Regulations
Data last verified: March 23, 2026
- Effective Date
- January 1, 2027
- Enforcement Date
- April 1, 2028
Summary
California ADMT regulations under the CCPA/CPRA. ADMT compliance (pre-use notice, opt-out rights) required by 1/1/2027. Risk assessments and consumer access to ADMT data due by 4/1/2028. Penalties from parent CCPA statute: $2,500/$7,500 per violation (inflation-adjusted to $2,663/$7,988 per CPPA).
Who It Applies To
CCPA business definition: $25M+ revenue OR 100K+ consumers OR 50%+ revenue from PI sales
- Min Consumers:
- 100,000
- Min Annual Revenue:
- $25,000,000
Any threshold triggers applicability
Penalties
- Penalty Range
- $2,663 – $7,988per violation
- Cure Period
- Not specified in statute
- Private Right of Action
- No private right of action
- Enforcement Body
- California Privacy Protection Agency (CPPA) and California Attorney General
- Notes
- Each affected consumer and each day of non-compliance may constitute a separate violation. Penalties defined in parent CCPA statute, not in the ADMT regulation itself.
Requirements (3)
- Disclosure11 CCR §§ 7200(a), 7220
This regulation requires businesses to provide a pre-use notice informing consumers that automated decisionmaking technology is being used and for what purpose.
- Opt-Out11 CCR § 7221
This regulation provides consumers the right to opt out of automated decisionmaking technology for certain significant decisions.
- Explanation11 CCR § 7222
This regulation provides consumers the right to access information about how automated decisionmaking technology was used regarding them.
Claire tracks 31 state and local AI laws across 23 US states. No prescriptive federal AI compliance statutes have been enacted. EU AI Act and sector-specific regulations are not covered.
Check if this law applies to your business