
California CCPA ADMT · Risk assessments required since January 1, 2026
California's AI Rules Are Already in Effect
If your business uses automated systems to make decisions about California consumers — who gets hired, approved, or profiled — you needed to start documenting risk assessments on January 1, 2026. ADMT opt-out notices are due January 1, 2027.
Built from CalPrivacy's published regulations at cppa.ca.gov. Not summaries. Not paraphrases. Not training data.
Get All 7 Documents — $499
$2,500 per unintentional violation (Cal. Civ. Code § 1798.155)
$7,500 per intentional violation (Cal. Civ. Code § 1798.155)
Multiplies per consumer, per violation (CPPA + CA Attorney General)
Deep Dive — How the Regulations Actually Work
California's CCPA ADMT regulations were approved September 22, 2025, and took effect January 1, 2026. They cover cybersecurity audits, risk assessments, and Automated Decisionmaking Technology (ADMT).
The deadlines are staggered. Risk assessments: required now, with attestations due April 1, 2028. ADMT notices and opt-out rights: required January 1, 2027. Cybersecurity audits: phased by revenue, starting April 1, 2028 for businesses over $100 million.
The CCPA covers your business if you do business in California with annual gross revenue over $25 million (not just California revenue), or you buy/sell/share data of 100,000+ consumers per year, or 50%+ of revenue comes from selling or sharing consumer data.
Here's what's actually happening.
On September 22, 2025, the California Office of Administrative Law approved a package of regulations covering cybersecurity audits, risk assessments, and Automated Decisionmaking Technology. The press release went out September 23. Most businesses completely ignored it.
If your business is subject to the CCPA and uses automated systems to make decisions about consumers — who gets hired, who gets approved for credit, who sees which ads — the compliance clock has already started. Risk assessments have been required since January 1, 2026. That's not a future deadline. It's now.
Two Deadlines. Both Matter.
January 1, 2026 — Risk Assessments (Active Now)
If you process personal information for profiling, sell or share data, or use ADMT for significant decisions, you must be conducting and documenting risk assessments today. Attestation summary due to CalPrivacy by April 1, 2028.
January 1, 2027 — ADMT Notices & Opt-Outs
Pre-use notices must be provided before or at the point of using ADMT for significant decisions about consumers. Opt-out mechanisms must be in place. Nine months to identify every automated system, draft notices, build opt-out processes, and train staff.
Does this apply to you?
If you answer “yes” to any of these, the CCPA ADMT regulations likely cover your business — assuming you meet the CCPA revenue and data thresholds.
The $25 Million Threshold
The CCPA applies to your business if you do business in California AND meet any one of: annual gross revenue over $25 million (this is national revenue, not California-specific), buying or selling the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing consumers' personal information. If your business makes $25 million nationally and has even one California customer, you're covered.

7 Documents. Both Deadlines Covered.
Each document addresses specific requirements of the CPPA ADMT and risk assessment regulations published at cppa.ca.gov.
Pre-Use Notice Template
Before or at the point of using ADMT for a significant decision, you must provide this notice explaining what the technology is, how it's being used, and what kind of decision it's involved in. Required by January 1, 2027.
Opt-Out Mechanism Documentation
Consumers must have the ability to opt out of ADMT in certain circumstances. This documents your opt-out process and the mechanism for consumers to exercise that right.
ADMT Impact Assessment
A documented risk assessment for each processing activity involving automated decision-making technology. Covers purpose, data involved, benefits, risks to consumers, and your mitigation measures.
Consumer Rights Response Procedures
Internal policies for how your organization handles opt-out requests and other consumer rights requests under the CCPA ADMT regulations.
Data Processing Inventory
A structured inventory of every AI and automated decision-making system that processes personal information — the foundation document for all other compliance work.
Human Oversight Protocol
Documents your process for human review of automated decisions, including how opt-out requests are escalated and handled by staff.
Compliance Checklist
Every obligation under the CCPA ADMT regulations in one place — risk assessments, ADMT notices, opt-out mechanisms, and attestation deadlines — cross-referenced to the regulation's requirements.
CalPrivacy Is Actively Enforcing
In the last six months, CalPrivacy fined Tractor Supply Company $1.35 million, American Honda Motor Co. $632,500, and Todd Snyder $345,178. In January 2026 they issued two more enforcement decisions and ordered Datamasters to stop selling all Californians' personal information.
The California Attorney General retains independent enforcement authority under the CCPA. Both can bring actions. There is no private right of action for ADMT-specific violations.
A lot of our customers have lawyers.
They don't buy these templates instead of legal counsel. They buy them so their attorney isn't starting from a blank page at $400 an hour.
Law firm: $5,000–$25,000. Weeks of back-and-forth.
AI Compliance Documents: $499. Instant download, customize today.
Questions we hear a lot.
The risk assessment deadline already passed. Are we in violation?
We're not in California. Does this still apply?
What exactly counts as “significant decisions”?
I have no idea which of our tools use automated decision-making.
Are these documents legal advice?
What about cybersecurity audits?
Verified Against CalPrivacy's Published Regulations
Every requirement in these documents traces to CalPrivacy's published ADMT and risk assessment regulations at cppa.ca.gov. No summaries. No AI-generated legal claims.
Regulation-sourced
Built from the published rules at cppa.ca.gov
Both deadlines
Covers January 2026 risk assessments and January 2027 ADMT notices
Attorney-ready
Hand directly to legal counsel for review
Did You Know? — Quick Facts About California CCPA ADMT
The California Office of Administrative Law approved the ADMT, risk assessment, and cybersecurity audit regulations on September 22, 2025, concluding a rulemaking process that began with preliminary public comments in February 2023.
Source: California Privacy Protection Agency
CalPrivacy fined Tractor Supply Company $1.35 million in September 2025 — the largest fine in the agency's history — for failing to properly notify consumers and job applicants of their privacy rights under the CCPA.
Source: California Privacy Protection Agency
In January 2026, CalPrivacy ordered a data broker called Datamasters to stop selling all Californians' personal information after it was found reselling lists of people with Alzheimer's disease, drug addiction, and other health conditions for targeted advertising.
Source: California Privacy Protection Agency
The California Privacy Protection Agency received public comments from more than 50 organizations — including the U.S. Chamber of Commerce, Mozilla, Consumer Reports, and Stanford's AI institute — during the preliminary comment period for the ADMT and risk assessment rules.
Source: California Privacy Protection Agency
Sources
- CCPA Updates, Cybersecurity Audits, Risk Assessments, ADMT, and Insurance Regulations — cppa.ca.gov
- CalPrivacy Press Release: California Finalizes Regulations to Strengthen Consumers' Privacy (September 23, 2025)
- CalPrivacy Enforcement: Tractor Supply Company $1.35M Fine (September 30, 2025)
- CalPrivacy Enforcement: Datamasters and S&P Global Data Broker Actions (January 8, 2026)
- CalPrivacy Announcements — Penalty Increases (2025)

Risk assessments: required now · ADMT notices: January 1, 2027
Don't wait for a complaint.
7 documents. Mapped to CalPrivacy's regulations. Covers both the 2026 risk assessment and 2027 ADMT deadlines. Instant download. All sales final. $499.
Get Your Compliance Package Now
These documents are compliance templates, not legal advice. We recommend attorney review for your specific situation.