05/29/2026
BUILDLAB
6 min readCalifornia’s New ADMT Rules: What Small Businesses Must Do Before January 2027
California’s automated decision-making technology (ADMT) regulations are here, with key obligations landing January 1, 2027 — and no revenue threshold on the risk-assessment and ADMT pieces. If you use AI to make decisions about people, you may be in scope.
The California Privacy Protection Agency finalized rules on automated decision-making technology (ADMT), risk assessments, and cybersecurity audits — effective January 1, 2026, with the ADMT notice, opt-out, and access obligations phasing to a hard January 1, 2027 deadline. The part that surprises small businesses: the ADMT and risk-assessment duties don’t carry the same revenue or data-volume threshold that gates much of the broader CCPA, so small firms using AI for consequential decisions can be in scope.
What counts as ADMT
Broadly, technology that processes personal information to make — or substantially replace human judgment in — a “significant decision” about someone: hiring, firing, pay, lending, housing, insurance, education, or access to healthcare. If you use an AI or algorithmic tool to screen applicants, tenants, or borrowers, read the rules closely.
What you may need to do
- Provide a pre-use notice when ADMT drives a significant decision.
- Offer the ability to opt out (with limited exceptions) and to access or appeal the decision.
- Run and document risk assessments for higher-risk processing.
- Complete cybersecurity audits if you meet the thresholds for that piece.
- Keep records that demonstrate compliance.
