California's ADMT rules take effect January 1, 2027. Notice, opt-out, access, and risk assessment become mandatory.
The California Privacy Protection Agency finalized regulations under the CCPA governing automated decisionmaking technology. When ADMT substantially replaces human judgment in a significant decision about a person's finances, housing, employment, education, or healthcare, a business must give a pre-use notice, honor opt-out and access rights, and complete a risk assessment. AVAAS provides independent evaluation of the deployed system at the point those decisions reach people.
Request evaluationThe ADMT obligations and how AVAAS addresses each one
The CCPA's ADMT regulations attach four consumer-facing duties whenever automated decisionmaking technology substantially replaces a human in a significant decision. Each duty requires you to actually understand the deployed system. One evaluation pipeline produces that understanding and the records the rule expects.
Pre-use notice
Before using ADMT for a significant decision, a business must give a prominent notice describing how the technology works, what personal information affects its outputs, what outputs it produces and how they are used in the decision, and the alternative process available if the consumer opts out.
Opt-out and a real alternative
Consumers may opt out of ADMT being used for a significant decision, subject to limited exceptions. The business must then provide an alternative decisionmaking process, such as meaningful human review, rather than a rubber-stamp.
Access right
A consumer may request information about how the business used ADMT in a decision about them, including the output the technology produced and the role it played in the outcome.
Risk assessment
A business must conduct a risk assessment before using ADMT for a significant decision, weighing the benefits against the risks to consumers, and submit attestations to the CPPA on a phased schedule.
Is your organization in scope?
The rule reaches ADMT used for a "significant decision," defined as the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or compensation, or healthcare services. These are the organizations most likely to need evaluation.
Employers and HR tech
Automated screening, ranking, or scoring that substantially replaces a human in hiring, promotion, termination, or compensation decisions affecting California workers and applicants, including remote roles open to California residents.
Financial services and lending
Automated credit, lending, and eligibility decisions for California consumers. Banks, credit unions, and fintech platforms whose models provide or deny financial services are squarely in scope.
Housing
Automated tenant screening, rental pricing, and mortgage decisions affecting California residents. Algorithmic screening tools that decide who gets housing are directly covered.
Healthcare
Automated decisions that provide or deny healthcare services, including coverage, prior authorization, and resource decisions affecting California patients.
Education
Automated admissions, financial aid, and enrollment decisions at California institutions. Education enrollment and opportunities are named significant-decision categories.
Insurance
Algorithmic underwriting, pricing, and claims decisions can fall within the financial-services and healthcare significant-decision categories. The CPPA also clarified when insurers must comply with the CCPA.
From evaluation to certification in three steps
AVAAS does not just find problems. It explains them at the level the ADMT rule's notice, access, human-review, and risk-assessment duties all require.
Evaluate the deployed system
Five structurally independent validators assess the ADMT where it makes or substantially informs significant decisions, across the categories and protected classes California law reaches, on the system as actually deployed rather than a demo.
Decompose with causal attribution
Causal decomposition explains each output to its root variables, so disparities are not just detected but explained. This is what a substantive risk assessment, an access response, and meaningful human review of an opted-out decision each require.
Document for notice, rights, and attestation
Receive an evaluation report that supplies the pre-use notice description, the per-decision access explanation, the risk-assessment evidence, and remediation prescriptions, with sealed deployment verification that flags later changes to the system.
What you get that other approaches don't
Governance platforms help you build internal compliance programs, but they sell software to the companies they evaluate. Law firm reviews provide independence, but take weeks per engagement and rarely decompose the model itself. AVAAS combines genuine structural independence with patent-protected evaluation methods, delivered through a streamlined platform.
| Capability | Internal assessment | Law firm review | Governance platform | AVAAS |
|---|---|---|---|---|
| CCPA risk assessment | ✓ Self-reported | ✓ Legal review | ✓ Automated | ✓ Independent, decomposed |
| Causal attribution | — | — | — | ✓ Causal decomposition |
| Per-decision access explanation | Weak | Moderate | Template | ✓ Specific, per-decision |
| Meaningful alternative to ADMT | Manual | Advisory | General | ✓ Decomposed for substantive review |
| Modification detection | Manual process | — | — | ✓ Automatic via sealed deployment |
| Independence from the operator | In-house | ✓ Independent | Sells to those it scores | ✓ Structural |
What California companies face when the ADMT duties arrive
Each scenario reflects documented patterns from active litigation and enforcement nationally, applied to the significant-decision categories the CCPA's ADMT rule covers.
Why California's ADMT rule is distinct: It does not ask whether your model is biased in the abstract. It attaches concrete, consumer-facing duties the moment ADMT substantially replaces a human in a significant decision: a pre-use notice that accurately describes the system, an opt-out with a real alternative, an access right that explains the individual output, and a risk assessment you attest to the CPPA. Each duty requires you to actually understand the deployed system. A self-graded checklist does not produce that understanding. An independent, decomposed evaluation does.
A California employer uses ADMT to screen and rank applicants with little human involvement. On January 1, 2027, the notice, opt-out, and access duties attach. An applicant opts out and asks how the system scored them. The employer must produce an accurate pre-use notice, route the applicant to a real human alternative, and explain the output, all while holding a completed risk assessment.
The notice is generic because no one has decomposed what the model actually weighs. The access response is boilerplate. The human alternative re-confirms the model because the reviewer cannot see what drove the score. No documented risk assessment exists to attest to the CPPA. Each shortfall is a separate exposure across thousands of applicants.
Causal attribution names the factors driving each score and their contribution. The pre-use notice describes the system accurately, the access response is specific, the human reviewer has the decomposition needed for substantive review, and the evaluation report stands as the documented risk assessment.
Comparable: Mobley v. Workday, a class action alleging age discrimination by an AI hiring platform across a large applicant pool.
A property manager uses an automated screening score to approve or deny California rental applicants. A denied applicant exercises the access right and asks what drove the decision. Housing is a named significant-decision category, so the notice, access, and risk-assessment duties apply in full.
The vendor calls the score proprietary, so the manager cannot explain the denial. The access response is empty, and there is no risk assessment documenting whether the score's inputs act as proxies for a protected class. The disparity surfaces through complaints, and the gaps compound across every screened applicant.
Causal attribution identifies the variables driving the denial and flags proxies for protected characteristics. The access response is specific and honest, and the documented evaluation supports the risk assessment while pointing to the exact inputs to remediate.
Comparable: SafeRent settled for $2M+ over AI tenant screening with alleged disparate impact.
A health plan uses ADMT to decide prior-authorization requests for post-acute care affecting California patients. Healthcare is a named significant-decision category. Patients can opt out into a human alternative and can ask how the automated output was used in the denial.
The human alternative rubber-stamps the model because the reviewer cannot see what drove the denial. The access explanation is unavailable, and no risk assessment documents whether the model systematically under-authorizes a definable group. Reversed denials and complaints follow.
Causal attribution shows which variables drove the denial, so the human alternative is substantive and the access explanation is specific. The evaluation documents the disparity and the fix, supporting the risk assessment the plan must attest to the CPPA.
Comparable: UnitedHealth / nH Predict, a class action alleging an AI algorithm overrode physicians and denied medically necessary care.
Be ready before January 1, 2027.
AVAAS evaluates your automated decisionmaking where it meets people, and produces the notice, access, human-review, and risk-assessment evidence the CCPA's ADMT rule expects.
Request an evaluation