As AI continues to transform industries, businesses are increasingly integrating AI tools into workforce operations. In response, California regulators have been actively working to address the potential legal challenges posed by emerging AI technologies.
On July 24, 2025, the California Privacy Protection Agency (CPPA) established regulations under the California Consumer Privacy Act (CCPA) that address the use of automated decision-making technology (ADMT). These regulations will take effect when approved by the Administrative Law Bureau under the Administrative Procedure Act, which provides for a 30-day review process.
What is ADMT?
Under regulations, ADMT is widely defined as a technology that processes personal information to replace or substantively replace human decision-making. In the employment context, this includes:
Application Screening Tools Performance Evaluation Analysis Productivity Monitoring Software Systems used to influence employment decisions such as employment, promotion, discipline, scheduling, compensation, and dismissal
Importantly, the “substantially replaced” criteria raises questions about the extent of human involvement required to fall within the definition. This is a question that may require further regulatory guidance or judicial interpretation. In particular, ADMT does not include tools that simply modify spelling or grammar. The regulations cover “significant decisions” that affect the terms of employment.
Third Party Vendor Responsibility
An important point for businesses is that outsourcing to third-party vendors is not isolated from responsibility. Companies will remain responsible for third party oversight, including working with service providers to demonstrate their sincere efforts to fulfill their regulatory obligations.
In certain cases, companies may need to perform a risk assessment that weighs the privacy risks associated with ADMT against potential benefits to determine whether their use is justified.
Beware of employer requirements
Employers using ADMT should implement new policies and procedures specifically address their use. This includes providing notifications to employees, job seekers, and other affected individuals prior to using ADMT. Your notification must include:
An explanation of how ADMT’s purpose technology works can be found on the right to opt-out of instructions to access relevant data processed by ADMT.
Employers currently using ADMT must comply with the notification requirements until January 1, 2027.
Looking ahead: Dynamic Legal Landscape
AI regulations are evolving rapidly, and compliance cannot be considered a one-off exercise. Companies should review and update their privacy policies and practices regularly to keep them up to date with legal developments. By captivating experienced lawyers, it helps businesses navigate the complexities of AI regulations and reduce potential debt. For more information or consultation schedule, contact Linda Wang or your preferred CDF attorney.
For more information about the emerging AI regulations and privacy laws shaping workplace compliance and litigation risks, join CDF’s Privacy and AI Practice Group Leader for a timely webinar on AI, Algorithms, Employer Protection – What You Need to Know. It is scheduled for August 20th.
