This article from Skadden, Arps, Slate, Meagher & Flom LLP discusses regulations in California around automated decision-making technology. What happens in California usually moves across the country, so we have summarized the high-level points for firms that wish to prepare for these types of regulations in the states in which they operate. We have not included deadline dates and other particulars of the law’s implementation in California. We encourage you to review the article in its entirety for more detail.
Executive Summary
What’s new: Regulations under the California Consumer Privacy Act (CCPA) are finalized, establishing a comprehensive regulatory framework for businesses using California consumers’ information, including those employing automated decision-making technology (ADMT) for “significant decisions.”
Why it matters: The regulations, which begin to come into effect January 1, 2026, mandate: consent and opt-out procedures; detailed disclosures about privacy policies and the ADMT process; risk assessments; and cybersecurity audits. The new regime significantly reshapes governance requirements for businesses that process the personal information of California consumers.
What to do now: Companies will want to begin mapping current and planned uses of ADMT, identifying processing activities that may trigger risk assessments, and preparing for possible cybersecurity audits.
The final regulations create three new areas of compliance under the CCPA:
- Obligations for businesses that use automated decision-making (ADMT) for “significant decisions” about California consumers.
- Mandatory risk assessments for certain high-risk processing activities.
- Annual cybersecurity audits for businesses meeting specified thresholds.
These requirements are phased in over several years and will require businesses to undertake new documentation, governance and consumer-facing processes.
They also clarify existing regulations, most notably:
- Where consent is required for a processing purpose, individuals must be able to withdraw such consent at any time.
- Links to privacy policies must appear not just on the business’s homepage, but on any web page where personal information is collected.
- Opting out must be as easy as opting in.
- Access requests can be for information beyond the preceding 12 months.
Automated Decision-Making Technology (ADMT)
The regulations narrowly define ADMT as technology that: (1) processes personal information and (2) uses computation to replace or substantially replace human decision-making. “Significant decisions” includes decisions that affect finances, housing, education, employment or health care, but not advertising (which was included in previous drafts of the regulations).
Beginning April 1, 2027, businesses using ADMT for significant decisions must:
- Conduct a risk assessment.
- Provide a pre-use notice to consumers about the business’s use of ADMT for a significant decision.
- Provide an opt-out option to California consumers, subject to certain exceptions.
- Allow consumers to request access to information about the business’s use of ADMT, including information about the logic of the ADMT and how ADMT outputs are used in decision-making.
- Provide California consumers with the ability to appeal the results of ADMT.
Risk Assessments
Businesses subject to the CCPA must conduct and maintain risk assessments before initiating processing activities that pose “significant risk” to consumer privacy. Triggering activities include:
- Selling or sharing personal information for cross-context behavioral advertising purposes.
- Processing sensitive personal information.
- Using ADMT for a significant decision concerning a consumer.
- Profiling a consumer in certain education and employment contexts.
- Profiling a consumer based on their presence at a sensitive location.
- Processing the personal information of consumers, which the business intends to use to train an ADMT for a significant decision concerning a consumer.
- Processing personal information of consumers to train a facial-recognition, emotion-recognition or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer.
Risk assessments will need to evaluate “negative impacts” on consumers, such as discrimination, economic or physical harm, reputational harm, or interference with consumers’ ability to make informed choices.
Businesses can conduct a single risk assessment for a comparable set of processing activities (e.g., similar processing activities that present similar risks to consumers’ privacy). Businesses can also leverage risk assessments conducted for other purposes (i.e., pursuant to a requirement under the EU’s General Data Protection Regulation), provided that the risk assessment contains the information that must be addressed under the CCPA regulations. Businesses must retain assessments for the duration of processing or five years after completion.
Companies should consider:
- Evaluating ADMT usage by inventorying current and planned ADMT tools, particularly in hiring, lending, fraud detection or customer profiling.
- Preparing for risk assessments by developing frameworks and templates now to assess and document high-risk processing activities.
- Proactively reviewing cybersecurity programs against the core components that cybersecurity audits will be required to address.
- Reviewing consumer-facing materials and preparing to revise notices and data subject rights processes to meet the new requirements.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
James P. Randisi, President of Randisi & Associates, Inc., has been helping employers protect their clients, workforce and reputation through implementation of employment screening and drug testing programs since 1999. This post does not constitute legal advice. Randisi & Associates, Inc. is not a law firm. Always contact competent employment legal counsel. To learn more about the rights of employees who test positive for marijuana, Mr. Randisi can be contacted by phone at 410.336.0287 or Email: info@randisiandassociates.com or the website at Randisiandassociates.com


