The California Privacy Protection Agency (CPPA) finalised its comprehensive regulations on automated decision-making technology (ADMT), risk assessments, and cybersecurity audits in September 2025. While the framework officially took effect on 1 January 2026, the strict compliance deadline for businesses using ADMT for significant decisions arrives on 1 January 2027.

California's approach marks a major shift in how US state privacy laws handle artificial intelligence and profiling. Any technology that processes personal information and uses computation to replace, or substantially replace, human decision-making now falls under regulatory scrutiny. You must adjust your data collection and processing practices to meet these incoming mandates.

Failing to prepare for the 2027 deadline risks severe penalties under the California Consumer Privacy Act (CCPA). Regulatory enforcement actions often target companies that ignore structural compliance requirements until after the deadline passes.

The regulations define ADMT as any technology that processes personal information and uses computation to replace or substantially replace human decision-making. The page's examples of profiling a consumer's performance at work, economic situation, health, personal preferences, or behaviour fall within this scope when the output drives a decision. When you use these systems for what the CPPA calls a "significant decision", the new rules trigger mandatory consumer rights. A significant decision involves providing or denying financial or lending services, housing, education, employment or independent contracting opportunities, or healthcare.

You can no longer deploy these technologies silently in the background.

Decoding Automated Decision-Making Technology

The legal definition of ADMT under the CCPA extends far beyond generative artificial intelligence or complex machine learning models. The wording captures mundane algorithmic processes if they evaluate consumer data to predict behaviours or assign categorisations and their output is acted on without meaningful human review. A simple rules-based script that sets insurance premiums or decides housing eligibility qualifies as ADMT under these final regulations just as much as a neural network does.

The rules target technologies that replace human decision-making entirely. They also apply to systems that "substantially replace" a human's decision, which the CPPA defines as using the technology's output to make the decision without meaningful human involvement.

To show a human was meaningfully involved, you must demonstrate that the reviewer knew how to interpret and use the technology's output, actually reviewed and analysed that output together with any other information relevant to the decision, and had the authority to make or change the decision. Rubber-stamping an algorithmic recommendation does not exempt your business from the ADMT requirements. The CPPA expects documentation proving your staff actively analyse the automated outputs and consider other relevant information before finalising any significant decision about a California resident.

Profiling remains a major focal point within this technological framework.

The CPPA defines profiling as any form of automated processing that evaluates personal aspects relating to a natural person. This includes tracking individuals in publicly accessible places using facial recognition, licence plate readers, or Wi-Fi tracking. It also covers tracking consumers across websites and applications to build behavioural advertising profiles.

The Three Pillars of the 2027 ADMT Rules

The updated CCPA regulations introduce three specific obligations regarding automated systems. You must provide a pre-use notice, offer a clear opt-out mechanism, and grant access rights so consumers can understand the logic behind an automated decision.

The pre-use notice functions as a just-in-time disclosure for California consumers. You must present this notice to individuals before your business processes their personal information using ADMT. The notification must plainly state the purpose for which the technology is used and detail the specific consumer rights available. Relying on generic terms or burying this information within a massive privacy policy will violate the new standards.

The opt-out right forces you to build mechanisms that allow users to reject automated processing entirely.

If a consumer submits an opt-out request after you have initiated the processing, you must stop using that personal information as soon as feasibly possible and no later than 15 business days after receiving the request. You must also notify all third parties to whom the information was disclosed and instruct them to stop processing it. A functional consent banner forms the frontline of this opt-out architecture, but the banner is only useful if the signal it captures actually reaches every downstream system.

Consumers also gain the right to access plain-English explanations of how the ADMT works. They can demand to know what role the algorithm played in any decision affecting them.

This means your engineering teams cannot rely on opaque algorithms that offer no visibility into their decision logic. The reasoning behind automated outputs must be documented and explainable upon request by a consumer or the regulator. You must explain the principal factors that led to the specific decision. If you cannot explain how your AI arrived at its conclusion, you cannot legally use it for significant decisions in California.

Risk Assessments and Cybersecurity Audits

Alongside the ADMT requirements, the CPPA finalised rules for mandatory privacy risk assessments and annual cybersecurity audits. The California Office of Administrative Law officially approved this entire rulemaking package on 23 September 2025.

Businesses subject to the risk assessment requirements must begin compliance by 1 January 2026 and submit their first document summaries to the CPPA by 1 April 2028. For any ongoing processing activity initiated prior to 2026, you must conduct and document an assessment no later than 31 December 2027. These assessments must detail the benefits and risks of processing consumer data, specifically addressing potential harms like discrimination or security breaches.

The cybersecurity audit requirements follow a phased rollout schedule based on annual gross revenue.

Businesses with annual gross revenue above $100 million in 2026 face the earliest deadline under the new framework. You must complete your first audit covering the 2027 calendar year and submit a written certification to the Agency by 1 April 2028. Smaller businesses receive an extra year or two to bring their security documentation up to the new regulatory standard. Whether a business must conduct an audit at all depends on its revenue and on the volume of personal information it processes; the phase-in date then depends on revenue alone.

Review the timeline below to determine when your specific organisation must submit its first cybersecurity audit certification. The dates are strictly enforced by the CPPA.

Annual gross revenue                           | First audit report due | Audit period covered
Over $100 million (as of 1 Jan 2027)           | 1 April 2028           | 1 Jan 2027 to 1 Jan 2028
$50 million to $100 million (as of 1 Jan 2028) | 1 April 2029           | 1 Jan 2028 to 1 Jan 2029
Less than $50 million (as of 1 Jan 2029)       | 1 April 2030           | 1 Jan 2029 to 1 Jan 2030

Specific Exceptions to the ADMT Rules

The CPPA recognised that an unconditional opt-out from all automated processing would break fundamental website operations. The final rules therefore outline specific scenarios where a business can deny an ADMT opt-out request. You can refuse the opt-out if the automated processing is strictly required to prevent security incidents or fraudulent activity. You can also refuse it if the processing is strictly required to provide the specific good or service the consumer requested.

These exceptions are narrow and heavily scrutinised by regulators.

If you claim the security exception, the data processed must be limited to what is strictly required for threat detection or fraud prevention. You cannot repurpose that security data to train generative AI models without explicit, prior consent. The same "strictly required" limit applies to functional cookies that remember user preferences: they are exempt only for the purpose the user asked for, not for any secondary profiling you bolt onto them.

The service provision exception only covers what the consumer actually requested. A language preference tracker might qualify, but an algorithmic product recommendation engine rarely fits this exemption.

Conducting a CCPA Privacy Risk Assessment

The new risk assessment rules require businesses to document their data practices comprehensively before deploying ADMT. You must identify all categories of personal information processed, including any sensitive data like racial origin, health status, or precise geolocation. The documentation must clearly articulate the operational benefits of the processing alongside the potential negative impacts on consumers.

Potential negative impacts include economic discrimination, psychological harm, reputational damage, or physical injury. You must detail the specific safeguards your engineering and legal teams have implemented to mitigate these risks.

If the residual risks outweigh the benefits to the consumer and the public, the CCPA prohibits you from engaging in the processing activity entirely. The CPPA expects these assessments to be living documents that you update whenever your processing activities change materially. You must keep historical versions of these assessments on file for at least three years after the processing activity ends. When the CPPA demands to see your assessments, you must provide them promptly.

Failing to produce an accurate, up-to-date risk assessment when the CPPA asks for one exposes you to enforcement action.

How Automated Profiling Impacts Digital Marketing

Marketing teams rely heavily on algorithms to segment audiences and deliver targeted advertisements across the web. The new regulations explicitly classify behavioural profiling as a form of automated decision-making when it tracks consumers across different services. This restricts how you can build and monetise audience profiles without providing clear opt-out avenues.

Understanding your cookie categories helps you correctly classify trackers that trigger ADMT and opt-out requirements. Analytics and marketing cookies often feed raw data directly into the algorithmic models covered by these rules.

If a user exercises their right to opt out of ADMT processing, you must halt the data flow to your profiling vendors immediately. This requires a technical setup where your consent management tool communicates directly with your tag manager and backend systems, so that a single opt-out signal stops tags from firing, stops server-side feeds, and triggers the notifications to third parties. A delay in signal propagation could push you past the 15-business-day window for halting processing. Running a comprehensive script scanner is the first step in mapping this data flow accurately.
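The propagation described above can be modelled as a small piece of consent-gating logic that sits between the consent store and the tag manager. The following is an added example written for this page, not Kukie.io code or code from the CPPA: the tag registry, tag identifiers, vendor names, opt-out endpoints and the category labels are invented, the exempt categories follow the security and service-provision exceptions discussed earlier, and the deadline calculation counts 15 business days as Monday to Friday only (public holidays are an assumption left to the caller).

```javascript
// Consent-gated tag dispatch with ADMT opt-out propagation.
// Illustrative example only; registry, vendors and endpoints are constructed.

// Constructed tag registry. "category" drives gating; "endpoint" is where the
// opt-out must be forwarded for a third-party vendor (null = first-party only).
const TAG_REGISTRY = [
  { id: "lang-pref",   category: "functional", vendor: "first-party",       endpoint: null },
  { id: "bot-filter",  category: "security",   vendor: "first-party",       endpoint: null },
  { id: "analytics",   category: "analytics",  vendor: "example-analytics", endpoint: "https://example-analytics.invalid/optout" },
  { id: "ad-pixel",    category: "marketing",  vendor: "example-ads",       endpoint: "https://example-ads.invalid/optout" },
  { id: "recommender", category: "profiling",  vendor: "first-party",       endpoint: null },
];

// Categories whose data feeds profiling or ADMT models; all must stop on opt-out.
const ADMT_CATEGORIES = new Set(["analytics", "marketing", "profiling"]);

// Assumed hard limit: 15 business days from receipt of the request.
const OPT_OUT_BUSINESS_DAYS = 15;

// State before any request: nothing opted out.
function initialConsent() {
  return { optedOutAdmt: false, optedOutAt: null };
}

// Tags the tag manager may fire under the given consent state. Categories that
// are not ADMT-related (functional, security) keep running after an opt-out,
// matching the strictly-required exceptions.
function tagsToFire(consent) {
  return TAG_REGISTRY
    .filter(t => !(consent.optedOutAdmt && ADMT_CATEGORIES.has(t.category)))
    .map(t => t.id);
}

// Add n business days (Mon-Fri) to a UTC date. Public holidays are ignored
// here; a production version should subtract them as well.
function addBusinessDays(startUtc, n) {
  const d = new Date(startUtc.getTime());
  let remaining = n;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();           // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining--;
  }
  return d;
}

// Apply an ADMT opt-out: flip the consent state, halt every ADMT-category tag,
// list the third-party vendors that must be told to stop, and compute the
// deadline by which all of that must be done.
function applyOptOut(consent, receivedAtUtc) {
  const next = { optedOutAdmt: true, optedOutAt: receivedAtUtc.toISOString() };
  const halted = TAG_REGISTRY.filter(t => ADMT_CATEGORIES.has(t.category));
  const notifications = halted
    .filter(t => t.endpoint !== null)    // first-party tags need no outbound notice
    .map(t => ({ tagId: t.id, vendor: t.vendor, endpoint: t.endpoint, action: "stop-processing" }));
  const deadline = addBusinessDays(receivedAtUtc, OPT_OUT_BUSINESS_DAYS);
  return {
    consent: next,
    halted: halted.map(t => t.id),
    stillRunning: tagsToFire(next),
    notifications,
    deadlineIso: deadline.toISOString().slice(0, 10),
  };
}

// Demo on constructed input: request received Monday 4 January 2027.
const DEMO = applyOptOut(initialConsent(), new Date(Date.UTC(2027, 0, 4)));
console.log(JSON.stringify(DEMO, null, 2));
```

The point of keeping the registry as data is that the consent tool, the tag manager and the server-side pipeline can all read the same list, so an opt-out cannot be honoured on the page while a backend job keeps shipping the same events to a profiling vendor. The `notifications` array is the work queue for the third-party instructions the regulations require, and `deadlineIso` is the date by which every item on it must be confirmed.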

Marketing without third-party data requires a shift towards direct, consented relationships with your website visitors.

The Intersection of CCPA and Global Privacy Standards

California is not the only jurisdiction tightening the rules around algorithmic processing and profiling. These requirements parallel the profiling restrictions found in the European Union, specifically Article 22 of the General Data Protection Regulation, which grants users the right not to be subject to solely automated decisions. Brazil's LGPD also imposes strict transparency rules on automated decision-making.

If you operate globally, unifying your compliance strategy across jurisdictions saves engineering time and reduces legal risk. The core requirement remains consistent across borders: tell users what you do with their data and give them a mechanism to stop it.

Structuring your privacy operations around a robust consent management platform simplifies this process for your technical teams. You can set geographical rules that deploy the correct notices and opt-out mechanisms based on the visitor's location. This prevents you from over-complicating the user experience for visitors outside of regulated zones like California or the EU. A unified approach protects your revenue while meeting the demands of the CPPA.

Businesses using ADMT should begin mapping their data inputs and algorithmic logic immediately.

Frequently Asked Questions

When do the CCPA automated decision-making rules take effect?

The final CPPA regulations went into effect on 1 January 2026. Businesses that use ADMT for significant decisions must fully comply with the new notice and opt-out requirements by 1 January 2027.

What is a significant decision under the CCPA?

A significant decision involves providing or denying financial services, housing, education enrolment, employment opportunities, compensation, or healthcare services. Using ADMT to make these determinations triggers strict compliance rules.

Do the new CCPA rules apply to targeted advertising?

Yes, the regulations classify profiling consumers based on personal preferences, behaviour, or economic situation as a form of ADMT. Businesses must offer opt-outs for these profiling activities.

When is the first CCPA cybersecurity audit due?

The earliest deadline is 1 April 2028 for businesses with over $100 million in gross revenue. This initial audit must cover the period from 1 January 2027 to 1 January 2028.

Does Kukie.io handle CCPA opt-out requests?

Kukie.io provides a consent management platform that allows websites to capture and enforce user preferences, including CCPA opt-outs. It integrates with your data infrastructure to ensure third-party trackers respect user choices.

Take Control of Your CCPA Compliance

If your business relies on profiling or automated technologies, preparing your website's data collection mechanisms is not optional. Kukie.io's free plan scans your site for first-party and third-party trackers, helping you map the data flowing into your ADMT systems before the deadline hits.

Start Free - Scan Your Website