On July 24, 2025, the California Privacy Protection Agency (CPPA) Board approved a new set of regulations aimed at governing the use of automated decision-making technology (ADMT), risk assessments, and cybersecurity audits under the California Consumer Privacy Act (CCPA). The unanimous 5-0 vote was the culmination of more than a year of public debate and revisions, with input from stakeholders across the political and technological spectrum.
The final rules introduce several substantive requirements. ADMT opt-outs will only be permitted in cases where the technology substantially replaces human decision-making. Additionally, the definition of human involvement was clarified to require the reviewer to know how to interpret an ADMT-driven output while having the authority to change or correct it.
Businesses must also conduct risk assessments when processing data that may pose privacy risks, including using personal information to train ADMT, using ADMT for significant consumer-related decisions, or employing automated processing to infer personal attributes during education or employment processes. Furthermore, companies must document the personal information processed by their ADMT systems and conduct annual audits if the business is deemed to pose a “significant risk” to consumer’s personal information.
Although the version of the rules that passed was largely unchanged from the version made available for public comment in May 2025, the final version did remove explicit references to artificial intelligence and behavioral advertising from the ADMT sections. The board also expanded the conditions under which ADMT may be used.
Despite the unanimous vote, the rules have been criticized by some privacy advocates and labor representatives for insufficiently protecting employees and consumers. However, the board members emphasized the need for adaptability and noted the rules themselves are not immovable and are intended to be revisited if their implementation is problematic.
Before the rules take effect, they must be approved by California’s Office of Administrative Law which has 30 business days to issue a determination. If approved, portions of the rules could take immediate effect.
