The CPPA adopted regulations that require certain businesses to conduct risk assessments and annual cybersecurity audits, and to provide access and opt-out rights for Automated Decision-Making Technology (ADMT). The regulations are effective 1 January 2026, with staged compliance.
Why this matters
California's rules add transparency, audit, and consumer-rights obligations for ADMT. Deployers operating in California must document risk assessments and implement opt-out workflows by the effective date.
Impact on obligations
Deployer
Conduct risk assessments and annual cybersecurity audits. Provide access and opt-out rights for ADMT. Prepare system cards and training data notes where applicable.
What to evidence
- System cards
- Training data notes where applicable
- Risk assessments
- Audit findings
- Opt-out workflows
Key artefacts explained:
- DSSE: Dead Simple Signing Envelope — portable signature format
- STH: Signed Tree Head — tamper-evident checkpoint in a transparency log
- TSA: Time-Stamp Authority — independent timestamp receipt
- WORM: Write Once Read Many — immutable storage for audit trails
