Tips for Complying with CPPA Automated Decision Making Regulations

Last August, I wrote about upcoming regulatory changes from the California Privacy Protection Agency (CPPA). These included new disclosure regulations for businesses using Automated Decision-Making Technology (ADMT). As of January 1, 2026, the new CPPA rules are in place, and compliance is required by January 1, 2027. Companies subject to the CPPA regulations should use 2026 to prepare for compliance. A recent Mayer Brown memo gives tips on preparation:

• “Map ADMT uses. Inventory how the business uses ADMT, the decisions made using such technology, and the level of human involvement in such decisions to determine if the ADMT substantially replaced human decision-making.
• Build consumer-facing content. If the CCPA’s ADMT requirements are triggered, prepare ADMT pre-use notices, intake mechanisms for receiving opt-out and access requests, a step-by-step playbook for processing such rights requests, and template responses to the requests.
• Update contracting. Draft ADMT-specific requirements in vendor agreements, such as a requirement for service providers to assist the business with its ADMT compliance obligations, as required under the new CCPA contractual provisions for service providers.”

For companies subject to the CPPA regulations, this process for managing ADMT will be mandatory. However, companies operating in other states may also want to take note. Not only will shoring up your policies on ADMT help put you ahead of the curve on upcoming state or national legislation, but it will also aid in risk mitigation. Mapping ADMT as a voluntary exercise identifies potential risk areas and help establish clear lines of reporting and responsibility for automated decsisions.