CCPA/CPRA Automated Decision-Making Technology Regulations
Effective date
Penalty
Up to $2,663 per violation or $7,988 per intentional violation (CPI-adjusted). No aggregate cap. Each consumer may be a separate violation.
Obligations mapped
10 obligations
Overview
If your company does business in California and meets CCPA thresholds (over $26.6M revenue, 100,000+ California consumers, or 50%+ revenue from selling data), and you use automated technology that replaces human decisionmaking for hiring, lending, housing, education, or healthcare decisions, then starting January 1, 2027, where applicable you may need to give consumers notice before using that technology, offer opt-out rights, respond to information requests within 45 days, and complete risk assessments with annual summaries filed to the CPPA under penalty of perjury. Violations can reach $2,663 per violation or $7,988 for intentional violations, with each consumer potentially a separate violation.
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Developers of covered AI systems
- Deployers and users of covered AI systems
- Organizations operating in California
This regulation applies to both companies that build AI products and companies that use AI tools from other vendors.
AB 375
AI categories covered
- Automated decision-making
Specific AI use cases:
- employment decisions
- financial decisions
- housing decisions
- education decisions
- healthcare decisions
- Resume screening and ranking
- Video interview analysis
- Candidate assessment and scoring
- Workforce scheduling and optimization
- Credit scoring and risk assessment
- Fraud detection
- Insurance underwriting
- insurance claims ai
- tenant screening
- Customer profiling and segmentation
- CRM with AI features
- Diagnostic and clinical AI
- Insurance prior authorization
- clinical documentation ai
- patient engagement ai
What this requires you to do
10 obligations identified from statutory analysis.
Regulation sections 7130-7137
Regulation section 7124; Regulation section 7137
Regulation section 7157
Regulation section 7222
Regulation section 7221
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Up to $2,663 per violation or $7,988 per intentional violation (CPI-adjusted). No aggregate cap. Each consumer may be a separate violation.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
ADMT consumer rights compliance deadline for existing uses.
effective
Regulations take effect. Risk assessment obligations begin.
amended
CPPA Board unanimously adopts ADMT, cybersecurity audit, and risk assessment regulations.
amended
CPRA (Proposition 24) passed by voters, amending CCPA.
signed
CCPA (AB 375) signed into law.
Related regulations
- UpcomingAI-Specific
California AI Transparency Act (SB 942)
The California AI Transparency Act requires creators of large generative AI systems to provide free AI detection tools, embed provenance metadata in AI-generated content, and offer visible disclosure options. Large platforms must detect and preserve provenance data.
Effective
- In EffectAI-Specific
California Transparency in Frontier AI Act (SB 53)
Requires developers of frontier AI models trained above the statutory compute threshold (10^26 FLOPs) to publish safety frameworks, report critical safety incidents to the Office of Emergency Services, and implement whistleblower protections. Also reaches large frontier developers with annual revenues over $500 million. Replaces the vetoed SB 1047 with a narrower transparency approach. Currently applies to approximately five to eight companies worldwide given the FLOP threshold. Includes a federal deference provision: compliance with comparable federal standards, including the EU AI Act, is accepted where the statute allows.
Effective
- In EffectAI-Specific
California Digital Replicas of Deceased Performers Act (AB 1836)
Restricts commercial uses of realistic AI-generated replicas of deceased performers' voices or likenesses in audiovisual works and sound recordings without consent from the personality's estate or other rightsholder.
Effective
- In EffectAI-Specific
California AI Training Data Transparency Act (AB 2013)
Requires developers of generative AI systems or services available to Californians to publish high-level documentation on training data, including sources, types, and curation. Applies retroactively to systems released on or after January 1, 2022. No trade secret exemption. Internal development or material modification of third-party GenAI can be in scope. xAI challenged the law in federal court; on March 4, 2026 the court denied a preliminary injunction, so AB 2013 remains in full effect while litigation continues. Major providers published required documentation by January 1, 2026.
Effective
- In EffectAI-Specific
California Healthcare AI Deceptive Terms Act (AB 489)
AB 3030 (2024) requires healthcare providers to disclose generative AI use to patients and in records. AB 489 (2025) extends similar duties to technology developers and deployers whose healthcare AI communicates with patients or presents as credentialed care. It bars false claims of professional licenses or credentials and requires clear disclosures in healthcare settings.
Effective
- In EffectAI-Specific
California Companion Chatbots Act (SB 243)
California's Companion Chatbot Act may apply to operators of AI chatbots designed for ongoing social interaction. Where applicable, operators may need to disclose the AI nature of the chatbot, maintain safety protocols for self-harm and suicide content, provide crisis referrals, and implement special protections for minors including break reminders and content restrictions. Operators may need to publish safety protocols and file annual reports with the Office of Suicide Prevention starting July 2027.
Effective
- In EffectAI-Specific
California AI Definition Act (AB 2885)
Standardizes the legal definition of artificial intelligence across all California law. Defines AI as an engineered or machine-based system that varies in its level of autonomy and can infer from input how to generate outputs that influence physical or virtual environments. Mirrors the OECD AI definition.
Effective
- UpcomingAI-Specific
Colorado ADMT / AI Act (SB 26-189)
Colorado SB 26-189 repeals and reenacts SB 24-205 into an automated decision-making technology (ADMT) framework for consequential decisions. Starting January 1, 2027, covered developers may need to provide deployers with technical documentation and material-update notices. Covered deployers may need point-of-interaction notices, post-adverse-outcome disclosures, data-access and correction processes, human-review and reconsideration workflows, and three-year compliance records. SB 24-205 risk-management, impact-assessment, and reasonable-care artifacts remain useful governance evidence, but they are historical or reusable controls rather than standalone current-law duties under the new Colorado framework.
Effective
- In EffectAI-Specific
NYC Local Law 144 (Automated Employment Decision Tools)
NYC Local Law 144 requires employers and employment agencies using automated employment decision tools for hiring or promotion in New York City to conduct annual independent bias audits, publish results on their website, and notify candidates that an AEDT is being used.
Effective
- In EffectAI-Specific
Illinois Biometric Information Privacy Act (BIPA)
Illinois BIPA may apply to written consent before collecting fingerprints, facial scans, voiceprints, iris scans, or hand geometry. Where applicable, companies may need to publish a retention/destruction policy, provide written notice, obtain written releases, and may be barred from selling or profiting from biometric data. Any aggrieved person can sue for $1,000 to $5,000 per violation without proving harm.
Effective
- In EffectAI-Specific
California Healthcare Provider Generative AI Disclosure (AB 3030)
Requires healthcare providers to disclose when generative AI is used in patient interactions and to document that use in the patient record. Focuses on licensed providers and clinical settings. AB 489 (2025) later extended parallel transparency duties to developers and deployers of healthcare AI, not only providers.
Effective
- In EffectAI-Specific
California FEHA regulations on automated decision systems (Civil Rights Council)
California Civil Rights Council regulations apply FEHA's anti-discrimination framework to automated decision systems (ADS) in employment. Defines ADS broadly to include AI, ML, and algorithmic tools. Makes anti-bias testing evidence relevant to discrimination claims and defenses. Requires reasonable accommodation when ADS disadvantages disabled or religious individuals. Prohibits pre-offer medical inquiries via ADS. Employers with 5+ employees are covered. 4-year record retention required.
Effective
California AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.