California: CCPA Final Regulations for AI Tools Used in Employment Decisions
|
APPLIES TO All Employers with Employees in CA Who are Subject to the CCPA |
EFFECTIVE As Indicated |
QUESTIONS? Contact HR On-Call |
Quick Look
|
Discussion
On July 24, 2025, the CPPA finalized regulations to address the use of ADMT in employment decisions. The regulations are part of the enforcement of the California Consumer Privacy Act (CCPA), which already restricted how employers collect and use the personal information of employees. These regulations go further to limit unlawful employment actions that may be caused by the use of ADMT technology. The regulations are now before the Office of Administrative Law, which has 30 days to review the final regulations. The CCPA applies to all private businesses (regardless of location) with annual gross revenues exceeding $25 million or who buy, sell, or share consumers’ personal information at certain thresholds; it also protects employees of covered businesses.
ADMT refers to any technology that processes personal information and uses computation to replace human decision-making or substantially replaces human decision-making. A business that uses ADMT must now also provide consumers with a pre-use notice in accordance with the CCPA. The pre-use notice must also include a link through which a consumer can opt-out of the use of ADMT. Consumers also have the right to access information about the ADMT’s use and logic. A consumer’s rights under the CCPA have also been expanded to include the right not to be retaliated against for exercising privacy rights conferred by the CCPA when the consumer is an employee, job applicant, or independent contractor.
These requirements will only apply if significant decisions are made by the use of ADMT concerning a consumer. This includes employment or independent contracting opportunities or compensation. Employment or independent contracting opportunities or compensation includes hiring; allocation or assignment of work for employees, whether salaried, hourly, or per-assignment compensation, including incentive compensation; promotion; and demotion, suspension, and termination.
Before using ADMT, businesses must conduct a risk assessment since the use of ADMT presents a significant risk to consumers’ privacy. A risk assessment must be conducted when:
- ADMT processing is used to infer or extrapolate performance at work when a consumer is acting in their capacity as a job applicant, employee, or independent contractor for the business;
- ADMT processing is used to infer or extrapolate performance at work based on that consumer’s presence in a sensitive location; and
- Training an ADMT for identifying verification or profiling of a consumer (e.g., biometric security).
The finalized regulations also updated the practical examples used throughout to include the applicability of ADMT. Employers using ADMT have until January 1, 2027 to comply with the notice requirements. Risk assessments of ADMT must be submitted to the CPPA no later than April 1, 2028. Although the final regulations are pending review, employers should begin working on compliance immediately since the requirements can be difficult to implement.
Action Items
- Review finalized regulations here.
- Continue monitoring the CPPA website for updates on approval of finalized regulations.
- Review use of ADMT and prepare for implementing notice and risk assessment requirements.
Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2025 ManagEase