Privacy Lawyers Suggest First Steps to Comply With California ADMT Rules
Businesses should map their automated decision-making technology (ADMT), review and revise privacy policies, plan for cybersecurity audits and review vendor contracts in response to California Privacy Protection Agency rules adopted July 24, some privacy law practices advised in recent client alerts. The rules are expected to be finalized without changes shortly.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
California privacy compliance expectations “are trending toward a more operational phase,” Seyfarth privacy attorneys Danny Riley and Yana Komsitsky wrote on July 28. “For organizations handling California residents’ data, it’s time to move from awareness to readiness. These updates do not just expand privacy rights, they raise the compliance bar across governance, security, and technology design in ways that will ripple through the rest of the U.S. market.”
The CPPA Board unanimously approved 119 pages of proposed rules Thursday on ADMT, risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations (see 2507250027). The board authorized staff to submit a final rulemaking package to the California Office of Administrative Law (OAL), which will have 30 business days to approve it. A CPPA spokesperson said Tuesday that the agency hasn't yet submitted the rulemaking package to OAL.
While the rules await OAL approval, "businesses may want to evaluate application and start developing processes to ensure compliance with these new regulations,” Gregory Parks and several Morgan Lewis privacy lawyers blogged on Monday. “While these new rules are less onerous than some of the draft rules that were offered, and while the CPPA provided lead time for phased implementation, compliance may still require substantial planning and updates to existing systems.”
"The amended regulations -- designed to reinforce consumer protections, improve accountability, and guide the responsible use of emerging technologies -- introduce complex, multi-phase requirements that begin taking effect in 2027,” agreed Nelson Mullins privacy attorney Mallory Acheson and two colleagues in a July 29 blog post.
To start, businesses should update privacy notices for CPPA specificity and transparency requirements, conduct "internal audits to assess whether cybersecurity audit and risk assessment requirements apply,” and inventory "current and planned ADMT systems, including those used in hiring, benefits eligibility, financial services, or profiling," they added.
“As California organizations try to wrap their brains around the full expanse of the rules,” blogged Eversheds Sutherland, it’s “important to ensure that … companies and employers understand their use cases, data maps, and data collection points” and the ADMT “that they or a vendor, service provider, or contractor may use.”
In addition, the law firm said companies should “ensure that recordkeeping practices and retention schedules have been updated [and] revisit their cybersecurity audit, and risk assessment frameworks.”
The rules could increase litigation risk, it added. “On the heels of a federal agenda that is focused on deregulation and innovation, the requirements under the new [California] rules could trigger some whiplash, not to mention the fear that the new rules could make litigation an easier path for the plaintiff bar, particularly in the employment space.”
Wilson Sonsini attorneys noted that OAL will "fill in the effective date of the regulations,” though risk-assessment requirements must take effect by Dec. 31, 2027. "In practice, businesses should anticipate ADMT requirements taking effect on the general effective date of the regulations, while cybersecurity audit and risk assessment requirements will apply two years later.” If the CPPA submits the rules by the end of this month, the earliest they could take effect is Oct. 1, according to two other law firms’ blog posts.
ADMT Advice
On several blogs, law firms advised businesses to conduct an inventory of ADMTs that are used or may eventually be used to make significant decisions, and to update privacy policies accordingly.
Conduct an inventory of "all uses of ADMT and profiling, evaluate whether they meet the ‘significant decision’ threshold, and develop pre-use notices to meet disclosure requirements,” Seyfarth lawyers said.
“Identify all ADMTs used to make significant decisions,” agreed Fisher Phillips lawyers Darcey Groden and two colleagues in a July 31 post. “This is easier said than done, as it will require reviewing processes through[out] the entire business to identify ADMTs. We strongly recommend you start on this now.”
Companies’ pre-use notices for consumers should be “customized to address the particular constituent and the ADMT used,” added the Fisher Phillips lawyers. “Update your consumer response processes and be prepared to address opt-outs from ADMTs, appeals to a human reviewer where opt-outs are not permitted, and requests to access ADMT.” They also noted that, “despite the popularity of cookie banners right now, they are not the proper mechanism for pre-use notification or submitting consumer requests relating to ADMTs.”
Eversheds Sutherland warned that the ADMT disclosure requirements could lead “to disclosure of proprietary information that would otherwise only be available through discovery, particularly in the employment space, where discrimination claims run rampant.”
Also, the firm said, it could put the CPPA “at odds” with the Trump administration’s AI Action Plan, “which contemplates that any state rulemaking that ‘overregulates’ AI could lead the Administration to withhold federal funding, putting pressure on states like California to weigh the potential consequences of federal defunding against the merits of their AI regulations.”
Fisher Phillips pointed out that the CPPA’s ADMT rules come on top of anti-discrimination measures approved earlier this year by the California Civil Rights Department on employers’ use of automated decisions (see 2503240042). "The CRD regulations are limited in scope compared to the CPPA’s and apply only in the job applicant and employment contexts,” the law firm said.
Cybersecurity Audits Not 'Box-Checking'
The new cybersecurity audit rule "will do more than just impose another compliance obligation -- it could provide a useful window into what California regulators consider to be ‘reasonable’ security practices for protecting personal information,” Wyrick privacy lawyer Alex Pearce blogged July 31. He noted that the rule "targets larger businesses, and those whose business models rely heavily on the monetization of personal information, reflecting the Agency’s view that these entities pose the greatest risk to consumer privacy and security.”
Some requirements, such as that the audit be conducted by an objective and independent auditor, "appear designed to ensure that audits are not mere box-checking exercises, but a more candid, impartial assessment of the business’s cybersecurity posture,” added Pearce. Meanwhile, the agency’s decision to codify a “list of controls and practices” signals what the CPPA will probably look at when assessing compliance with the “CCPA’s requirement to 'implement reasonable security procedures and practices appropriate to the nature of the personal information,’” he said.
Adding this package of rules might mean moving away from the previous “case-by-case, settlement-driven approach to defining security obligations,” said the Wyrick lawyer. “Instead, it could help establish a uniform baseline for reasonable security that applies to all CCPA-covered businesses, reducing uncertainty and leveling the playing field.”
For companies seeking to avoid enforcers’ scrutiny, "it will be essential to ensure that audit reports are thorough, accurate, and professionally prepared, while avoiding careless, speculative, or poorly considered statements that could be misconstrued or used against the business in regulatory or legal proceedings.”
Likewise, Morgan Lewis suggested companies “that process consumer personal information with 'significant risk' should begin identifying the categories of information to be covered by a cybersecurity audit and consider engaging qualified auditors given that the audit process will likely take time and refinement.”
The Nelson Mullins lawyers agreed. “Businesses must begin establishing audit processes now, including identifying qualified audit personnel, establishing internal reporting lines, and documenting cybersecurity practices comprehensively."
Fisher Phillips suggested auditing before it’s officially required. "Conducting a dry run a year or two in advance will allow the business to develop processes to obtain necessary information and complete the audit within the required time frame in the future,” its privacy lawyers blogged. “Additionally, conducting audits now will allow the business to identify any gaps and fix them sooner rather than later."
Risk Assessments and 'Meaningful Consent'
Companies “required to conduct risk assessments should begin analyzing their internal processes to ensure all regulatory elements are addressed well before the end of 2027,” Morgan Lewis said.
"For most organizations,” said the Seyfarth lawyers, “the practical burden will be building scalable audit and risk assessment programs that can cover multiple processing activities and harmonize with other state and federal frameworks.”
CPPA rules allow companies to complete one risk assessment that can be submitted to multiple states for privacy law compliance, said the Fisher Phillips lawyers. However, they noted that a company's most recent risk assessment probably won't work in California because the CPPA "has many more requirements than other consumer privacy laws.”
Eversheds Sutherland noted that the "expectation has always been that the use of ADMT would trigger risk assessment requirements.” But the CPPA rules “blow open that lid by requiring that ADMT and the use of any meaningful automated processing that is used to monitor workers or to infer consumer characteristics based on location, whether or not it meets the definition of ADMT, could require risk assessment,” the firm said. “This creates a possible maze for employers and industries that use location data to draw consumer inferences.”
The same law firm also urged attention to the California agency’s updated consent regulations. While obtaining consumer consent isn't a new concept to the CCPA, "the new rules delve into and highlight the importance of meaningful consent,” it said. For example, it might be problematic if the choice to participate in a financial incentive program is displayed more boldly than the option to decline, it said. “Similarly, choices driven by a false sense of urgency … could be seen as misleading.”