As artificial intelligence (AI) continues to transform industries, businesses are increasingly integrating AI tools into their workforce operations. In response, California regulators have been actively working to address the potential legal challenges posed by emerging AI technologies.
On July 24, 2025, the California Privacy Protection Agency (CPPA) finalized regulations under the California Consumer Privacy Act (CCPA) addressing the use of automated decision-making technology (ADMT). These regulations will take effect if approved by the Office of Administrative Law under the Administrative Procedure Act, which provides for a 30-day review process.
What Is ADMT?
Under the regulations, ADMT is broadly defined as any technology that processes personal information to replace or substantially replace human decision-making. In the employment context, this includes:
- Application screening tools
- Performance evaluation analytics
- Productivity monitoring software
- Any system used to influence employment decisions such as hiring, promotion, discipline, scheduling, compensation, or termination
Importantly, the “substantially replace” standard raises questions about the degree of human involvement required to fall within the definition – questions that may require further regulatory guidance or judicial interpretation. Notably, ADMT does not include tools that simply correct spelling or grammar. The regulations target “significant decisions” such as those affecting employment terms and conditions.
Third Party Vendor Liability
A key takeaway for businesses is that outsourcing ADMT to third-party vendors does not insulate them from liability. Companies remain responsible for third-party oversight, including collaborating with service providers to demonstrate a good faith effort to meet regulatory obligations.
In certain cases, businesses may be required to perform a risk assessment – weighing the privacy risks associated with ADMT against the potential benefits – to determine whether its use is justified.
Notice Requirements for Employers
Employers using ADMT must implement new policies and procedures specifically addressing its use. This includes providing notice to employees, job applicants, and other affected individuals prior to using ADMT. The notice must include:
- The purpose of the ADMT
- A description of how the technology works
- Information on the right to opt out
- Instructions for accessing relevant data processed by the ADMT
- An explanation of anti-retaliation rights
Employers currently using ADMT have until January 1, 2027 to comply with the notice requirements.
Looking Ahead: A Dynamic Legal Landscape
AI regulation is rapidly evolving, and compliance cannot be viewed as a one-time exercise. Businesses should routinely review and update their privacy policies and practices to remain current with legal developments. Engaging experienced legal counsel can help businesses navigate the complexities of AI regulation and mitigate potential liabilities.
