California ADMT Rules Reach AI Hiring Decisions | TLY

AI Regulation Tracker  /  Regulation

California's ADMT rules give AI-hiring employers notice and opt-out duties by January 1, 2027

The California Privacy Protection Agency finalized regulations that treat AI-driven hiring, pay, and firing as a privacy matter. Covered employers must give pre-use notice, honor opt-outs, and explain access and appeal rights, separate from California's FEHA anti-discrimination rules.

California's ADMT rules give AI-hiring employers notice and opt-out duties by January 1, 2027 regulation briefing
The Leveraged Years AI Regulation Tracker

California now has two separate rulebooks for artificial intelligence in the workplace, and employers that treat them as one will miss half their obligations. The first, issued by the Civil Rights Council under the Fair Employment and Housing Act, took effect on October 1, 2025 and polices discrimination. The second, issued by the California Privacy Protection Agency under the California Consumer Privacy Act, treats the same hiring and firing tools as a privacy matter. The Office of Administrative Law approved the Agency's automated decision-making technology regulations on September 23, 2025. Employers covered by the CCPA that use these tools to make significant decisions must comply beginning January 1, 2027.

What the CPPA rules require

The regulations give California residents rights over a business's use of automated decision-making technology, defined broadly as technology that processes personal information and replaces or substantially replaces human decision-making. When a business uses ADMT to make a "significant decision," three duties attach.

The first is a pre-use notice. Before the tool is used, the business must tell the affected person, in plain and accessible terms, that it is using ADMT, the specific purpose, how the technology makes the decision, the categories of personal information that feed the output, and how the output is used. The notice must also explain the person's rights to access information about the decision, to opt out, and to appeal.

The second is an opt-out right, which is real but limited. For certain employment decisions, including hiring, allocation of work, and compensation, a business may decline an opt-out request if it has evaluated the technology to confirm it works for its intended purpose and does not unlawfully discriminate, and if it meets related requirements. A business may also avoid the opt-out obligation entirely by offering a human-appeal process, meaning a qualified human reviewer with the authority to change the decision. In practice, most employers will choose one of these two paths rather than build a full opt-out.

The third is access and appeal. A person subject to a significant decision made by ADMT can request information about how the technology processed their personal information to reach the output and how the business used that output. Where the business relies on the appeal exemption instead of an opt-out, it must give the person a way to contest the decision to a human.

Why "significant decision" is the trigger that matters

The obligations turn on whether the tool makes a significant decision, and the Agency defines that category to include employment. Significant decisions cover decisions that affect finances, housing, education, and health care, and, for the workplace, hiring, allocation or assignment of work, compensation, promotion, demotion, suspension, and termination. That reach is wide. A resume-screening model that ranks applicants, a scheduling system that assigns shifts and hours, or a scoring tool that feeds pay or promotion calls can each fall inside the definition when it replaces or substantially replaces human judgment.

The regulations do not reach every use of software in HR. A tool that merely supports a decision a human independently makes is treated differently from one that makes or substantially replaces the decision. That line will be contested, and employers should document who actually decides and how much weight the automated output carries.

The privacy route is not the discrimination route

The key point for compliance planning is that this is a CCPA privacy duty, not a discrimination rule, and the two operate on different logic. The Civil Rights Council's FEHA regulations, in force since October 1, 2025, ask whether an automated system produces discriminatory outcomes on the basis of protected characteristics, and they push employers toward anti-bias testing and four-year record retention. The CPPA regulations ask a different question. They ask whether the business told the person the technology was being used, gave them a way to opt out or appeal, and can explain the decision on request. An employer can pass a bias audit and still violate the CCPA rules by failing to publish a pre-use notice. It can also satisfy the notice and opt-out duties and still face a FEHA claim if the tool discriminates. Both regimes apply to the same hiring tool at the same time.

That dual exposure is the practical headline. Compliance counsel who mapped only the FEHA rules in 2025 have a second, privacy-side project to complete before January 1, 2027.

The two regimes also assign responsibility differently. The FEHA rules extend liability to an employer's agents, which pulls vendors and staffing intermediaries into discrimination exposure. The CPPA framework works through the CCPA's business and service-provider structure, so an employer that hands screening to a vendor still owns the notice, opt-out, and access duties toward the affected person. An employer cannot contract those duties away by pointing to the vendor. That means the notice and access obligations should be written into vendor agreements, with the vendor committed to supplying the technical detail the employer needs to answer an access request and to support a human-appeal path.

What the rules do not do

The ADMT regulations do not ban automated hiring tools, and they do not require employers to stop using AI in the workplace. They do not give applicants an unconditional veto over automated screening, because the opt-out is subject to exceptions and can be displaced by a human-appeal process. They also arrive alongside, and do not replace, a broader set of CCPA obligations the same rulemaking finalized, including risk assessments for high-risk processing and, for larger businesses, annual cybersecurity audits that phase in on a revenue-based schedule beginning in 2028. Businesses using ADMT for significant decisions are generally expected to conduct a risk assessment as part of the framework. Employers should confirm the exact scope and timing of the risk-assessment and audit obligations against the final text, because those pieces carry their own deadlines separate from the January 1, 2027 ADMT compliance date.

The cross-cutting reach for out-of-state employers

The CCPA applies to businesses that meet its thresholds and process the personal information of California residents, so an employer headquartered outside California can still be covered when it hires or manages California-based applicants and workers. HR-technology vendors that build screening, scheduling, or scoring systems used in California should expect their employer clients to demand notice content, opt-out or appeal functionality, and access-response capability well before the compliance date. Because California often sets a template other states follow, the notice-and-opt-out model here is worth watching as a preview of where automated-hiring regulation is heading nationally.

A practical sequence before the deadline

Employers with California applicants or workers can break the work into a short sequence. Start with an inventory: list every automated system that touches an employment decision, and for each, record whether it makes, substantially replaces, or only supports a human choice. That classification decides which tools fall inside the significant-decision category. Next, for each covered tool, choose a compliance path, either an opt-out mechanism or a human-appeal process, since that choice shapes the notice language and the operational build. Then draft the pre-use notice so it names the purpose, describes in plain terms how the tool reaches its output, lists the categories of personal information used, and states the person's access, opt-out, and appeal rights. Finally, prepare the access-response process so the business can explain, on request, how a specific decision was reached. None of these steps requires new technology in most cases, but each requires documentation the business does not typically keep today.

For employers, the calm reading is this. Two California agencies now regulate AI in employment from two directions. The privacy side, effective January 1, 2027, is about transparency and control: tell people, let them opt out or appeal, and be able to explain the decision. Building that now is more manageable than reverse-engineering it under an access request later.

Frequently Asked Questions

What changed with California's CPPA ADMT regulations?

The California Privacy Protection Agency finalized regulations under the CCPA, approved by the Office of Administrative Law on September 23, 2025, that give California residents rights to notice, opt-out, and access when a business uses automated decision-making technology to make significant decisions. For ADMT used in significant decisions, compliance is required beginning January 1, 2027.

Who is affected, and which employment decisions count?

CCPA-covered businesses, including employers and their service providers, that use ADMT to make significant employment decisions. Significant decisions include hiring, allocation or assignment of work, compensation, promotion, demotion, suspension, and termination when the technology makes or substantially replaces human judgment. Out-of-state employers can be covered when they process California residents' personal information.

How is this different from California's FEHA AI employment rules?

The FEHA regulations from the Civil Rights Council, effective October 1, 2025, target discrimination and push anti-bias testing and record retention. The CPPA ADMT rules are a privacy duty focused on notice, opt-out or appeal, and access. Both apply to the same hiring tool at the same time, so satisfying one does not satisfy the other.

Can applicants or employees opt out of automated hiring tools?

Sometimes, and the right is limited. For decisions such as hiring, work allocation, and compensation, a business may deny an opt-out if it has evaluated the tool to confirm it works as intended and does not unlawfully discriminate. A business can also avoid the opt-out obligation by offering a human-appeal process with a reviewer who can change the decision.

What is the single most important step to take before January 1, 2027?

Inventory every automated tool that makes or substantially replaces a human employment decision, then decide for each whether you will offer an opt-out or a human-appeal process, and draft the required pre-use notice describing how the technology works and what rights the person has.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.