New California AI Privacy Rules Detailed

- The regulations were finalized by the California Privacy Protection Agency (CPPA) board on July 24, 2025, and approved by the Office of Administrative Law on September 22, 2025, with an effective date of January 1, 2026. However, businesses have until January 1, 2027, to comply with the specific requirements for automated decision-making technology (ADMT). - The rules apply to the use of ADMT for "significant decisions," which are defined as those affecting a consumer's employment, housing, credit, education, or healthcare. The definition of a significant decision does not include advertising. - Beyond the right to opt-out, consumers gain the right to access meaningful information about how an automated system operates, including its logic and inputs. Businesses must also provide a notice to consumers *before* their data is used in these systems. - These regulations are part of a broader set of new compliance obligations that also mandate annual cybersecurity audits and privacy risk assessments for companies engaging in high-risk data processing. Deadlines for the first cybersecurity audit certifications are staggered by company revenue, beginning on April 1, 2028, for businesses making over $100 million. - Unlike the EU's AI Act, which regulates the output of AI systems regardless of data type, California's rules are specifically tied to the processing of personal information under the CCPA framework. - This privacy initiative is separate from other recent California AI legislation, such as bills AB 1836 and AB 2602, which were signed in September 2024 to regulate the use of "digital replicas" of deceased and living performers. - An exception to some consumer rights provisions exists if the ADMT system incorporates substantive and documented human oversight. To qualify, the human reviewer must have the authority to change the decision and understand how to interpret the technology's output.