
The Warden Watch

Tracking AI Compliance in HR

A public monitor for regulation, litigation and incidents affecting AI in hiring, recruitment and employment decision-making.

Regulation intelligence node

California Consumer Privacy Act Regulations on Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology

CCPA Cybersecurity, Risk Assessments, and ADMT Regulations


Jurisdiction

California, United States

Status

Partially active

Live from

1 January 2026

Compliance deadline

1 January 2027

What this regulation is

These final regulations under the California Consumer Privacy Act (CCPA) establish binding compliance requirements for businesses that use Automated Decisionmaking Technology (ADMT) or carry out high-risk processing of personal information[cite: 1, 2]. Businesses using ADMT to make 'significant decisions', such as employment evaluations, housing access, and financial lending, must give consumers a prominent pre-use notice, honour requests to opt out of the automated processing, and answer access requests by explaining the data and logic applied to the individual[cite: 1, 2]. Businesses whose processing presents a significant risk to consumers' security or privacy must also commission annual independent cybersecurity audits and complete documented privacy risk assessments[cite: 1, 2].

Regulator or body

California Privacy Protection Agency

Audience impact

What different teams need to know

HR and recruitment teams

Employers using automation for employment life-cycle decisions in California face substantial operational compliance mandates[cite: 1, 2]. Automated resume screening, software that analyses recorded video interviews (speech, vocal intonation, facial expression, gestures), and productivity-tracking systems are classified as ADMT making a significant decision when they are used to decide hiring, work allocation, compensation, promotion, or termination[cite: 1, 2]. HR departments must present a compliant 'Pre-use Notice' at or before collecting the personal information the ADMT will process, and must give applicants and employees an opt-out unless they qualify for an exception such as a human-led appeals process[cite: 1, 2]. If the human appeal route is relied upon, the reviewer must understand the system's logic and have the authority to overturn the automated decision[cite: 2]. A risk assessment must be completed before the processing begins where the ADMT makes significant decisions, infers traits about applicants or employees through systematic observation, or where candidate information is used to train the model[cite: 2].

HR technology vendors

HR technology, automated sourcing, and electronic testing vendors must build compliance mechanisms into platforms supplied to California employers[cite: 2]. Any vendor making ADMT available to another business for significant employment decisions is under a direct regulatory obligation to supply all facts it has that the employer needs to conduct its own mandated risk assessment[cite: 1, 2]. Platforms must therefore expose enough about the model's logic, the key parameters and categories of data it weighs, and how outputs are produced for deployers to write accurate pre-use notices and answer individual access requests, and any notice or opt-out flows the vendor builds must not rely on deceptive design or dark patterns[cite: 1, 2].

Status intelligence

Current status and key dates

Regulatory status

Adopted by the Agency Board on July 24, 2025; approved by the Office of Administrative Law (OAL) on September 22, 2025; effective from January 1, 2026[cite: 1, 3]. Complete implementation of the ADMT rights is mandated by January 1, 2027[cite: 1, 2].

Date timeline

Passed
24 July 2025
Live from
1 January 2026
Enforcement / compliance
1 January 2027

Mandatory audit scope

Bias auditing and protected characteristics

Bias audit summary

The regulation establishes operational validation safeguards but does not mandate a freestanding external 'bias audit' akin to explicit algorithmic auditing legislation[cite: 1, 2]. To qualify for specific exceptions to the consumer ADMT opt-out requirement (such as automated candidate selection or work allocation systems), a business must establish that its ADMT functions as intended and 'does not unlawfully discriminate based upon protected characteristics'[cite: 2]. The rules reference anti-bias policies, procedural testing, and internal workforce training as non-exhaustive examples of safeguards that businesses should document within their formal Risk Assessment Report to prove system compliance[cite: 1, 2].

Protected characteristics summary

The regulations tightly link anti-discrimination safeguards with protected characteristics across both the Risk Assessment and ADMT frameworks[cite: 1, 2]. When performing a mandated privacy risk assessment, businesses must explicitly evaluate and document potential negative impacts, including unlawful discrimination based on protected characteristics[cite: 1, 2]. Additionally, the regulatory scope maps specific protected variables within its sensitive personal information definitions, including racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership, genetic data, health status, sex life, sexual orientation, and neural data[cite: 1, 2].

Duties and legal nuance

Obligations and requirement levels


Candidate Notice

Binding · Applies to: Deployer · Express
Trigger and timing

Trigger: Utilising an Automated Decisionmaking Technology (ADMT) to make a significant decision concerning an applicant or employee, including hiring, work allocation, compensation, promotion, demotion, suspension, or termination[cite: 1, 2].

Timing: Prominently and conspicuously presented to the consumer at or before the point when the business collects personal information planned for automated processing[cite: 1, 2].

Source: 11 CCR § 7220(a), (b)(2), (c)

Evidence
A business that uses ADMT as set forth in section 7200, subsection (a), must provide consumers with a Pre-use Notice... Be presented prominently and conspicuously to the consumer at or before the point when the business collects the consumer’s personal information that the business plans to process using ADMT[cite: 2].
Notes
The notice must explain the specific purpose of the ADMT, how it processes personal information (including its logic and key parameters), the categories of personal information that affect the output, how the output is used, and the consumer's right to opt out or, where the business relies on that exception, the method for appealing to a human reviewer[cite: 2].

Opt Out

Binding · Applies to: Deployer · Express
Trigger and timing

Trigger: Deploying automated decisionmaking technology to completely or substantially replace human involvement for a significant employment or independent contracting opportunity[cite: 1, 2].

Timing: Provided continuously; automated processing must cease as soon as feasibly possible and no later than 15 business days from receipt of a post-deployment request[cite: 1, 2].

Source: 11 CCR § 7221(a), (n)(1)

Evidence
A business must provide consumers with the ability to opt-out of the use of ADMT to make a significant decision concerning the consumer, except as set forth in subsection (b)... Ceasing to process the consumer’s personal information using that ADMT as soon as feasibly possible, but no later than 15 business days from the date the business receives the request[cite: 2].
Notes
Exceptions apply where the employer offers a human-led appeal with authority to overturn the decision, or where the ADMT is used solely to assess a candidate's ability to perform the job (or solely to allocate work or compensation) and the business has evaluated it to confirm it works as intended and does not unlawfully discriminate[cite: 1, 2].

Human Review

Binding · Applies to: Deployer · Express
Trigger and timing

Trigger: Relying upon the human appeal exception to deny or bypass a consumer's standard right to opt-out of automated significant employment decisions[cite: 1, 2].

Timing: Available to the consumer for every significant decision made while the business relies on this exception in place of an opt-out[cite: 2].

Source: 11 CCR § 7221(b)(1)

Evidence
The business provides the consumer with a method to appeal the decision to a human reviewer who has the authority to overturn the decision. To qualify for this exception, the business must do the following: (A) Designate a human reviewer to review and analyze the output of the ADMT and any other information that is relevant to change the significant decision at issue[cite: 2].
Notes
The human reviewer must understand the system's logic, consider the evidence the consumer submits, and have the authority to overturn the decision[cite: 1, 2].

Explainability

Binding · Applies to: Deployer · Express
Trigger and timing

Trigger: Receipt of a consumer request to access detailed information about the business's use of ADMT with respect to them[cite: 2].

Timing: Processed within 45 calendar days of receiving a verifiable individual request[cite: 2].

Source: 11 CCR § 7222(a), (b)

Evidence
A business that uses ADMT to make a significant decision must provide a consumer with information about this use when responding to a consumer’s request to access ADMT... provide plain language explanations of... Information about the logic of the ADMT... The outcome of the decisionmaking process for the consumer[cite: 2].
Notes
Requires a plain-language explanation of the ADMT's logic and key parameters, the outcome for the consumer, the role of any human involvement, and how the output affected the decision[cite: 1, 2]. The business need not disclose trade secrets or details that would compromise security or fraud-prevention measures, but that does not remove the duty to explain the logic[cite: 1, 2].

Risk Assessment

Binding · Applies to: Deployer · Express
Trigger and timing

Trigger: Using ADMT to make significant decisions, or executing automated processing to infer or extrapolate traits via systematic observation of educational/job applicants, students, employees, or contractors[cite: 1, 2].

Timing: Conducted and documented before initiating the target data processing activity; reviewed and updated at least once every three years or within 45 days of a material change[cite: 1, 2].

Source: 11 CCR § 7150(a), (b)(3)-(4); 11 CCR § 7155(a)

Evidence
Every business whose processing of consumers' personal information presents significant risk to consumers' privacy as set forth in subsection (b) must conduct a risk assessment before initiating that processing... Using ADMT for a significant decision concerning a consumer... Using automated processing to infer or extrapolate a consumer's... performance at work... based upon systematic observation[cite: 2].
Notes
Mandates a formal Risk Assessment Report documenting the processing purpose and data flows, retention periods, the categories of privacy risk identified, the safeguards implemented, and the individuals who reviewed and approved the assessment[cite: 1, 2].

Vendor Due Diligence

Binding · Applies to: Provider · Express
Trigger and timing

Trigger: Making an automated decisionmaking technology platform available to another business entity to facilitate significant choices[cite: 1, 2].

Timing: Provided contextually during software distribution, licensing, or onboarding phases[cite: 2].

Source: 11 CCR § 7153(a)

Evidence
A business that makes ADMT available to another business (“recipient-business”) to make a significant decision as set forth in section 7150, subsection (b)(3), must provide to the recipient-business all facts available to the business that are necessary for the recipient-business to conduct its own risk assessment[cite: 2].
Notes
Creates a distinct upstream duty on platform vendors to hand over the facts about the ADMT that downstream employers need to complete their own risk assessments and the related reporting to the Agency[cite: 1, 2].

Bias Audit

Mentioned · Applies to: Deployer · Express
Trigger and timing

Trigger: Evaluating anti-discrimination safeguards or validating algorithmic parameters under formal risk reporting and opt-out exclusions[cite: 1, 2].

Timing: Pre-deployment testing or periodic system reviews[cite: 1, 2].

Source: 11 CCR § 7152(a)(6)(A)(iv); 11 CCR § 7221(b)(2)-(3)

Evidence
Implementing policies, procedures, and training to ensure that the business’s ADMT works for the business’s purpose and does not unlawfully discriminate based upon protected characteristics[cite: 2].
Notes
The regulation references internal bias evaluations, performance testing, and discrimination testing as types of safeguards a business may adopt, but does not impose a freestanding external or independent third-party algorithmic bias audit requirement[cite: 1, 2].

Public Reporting

Binding · Applies to: Deployer · Express
Trigger and timing

Trigger: Executing active risk assessments for monitored data-processing and ADMT systems[cite: 1, 2].

Timing: Submitted annually to the Agency no later than April 1[cite: 1, 2].

Source: 11 CCR § 7157(a), (b)

Evidence
the business must submit to the Agency the information required by subsection (b) no later than April 1 following any year during which the business conducted the risk assessments[cite: 2].
Notes
Requires filing a summary submission covering the number of risk assessments conducted, the categories of personal information processed, and an attestation under penalty of perjury[cite: 1, 2]. The full underlying Risk Assessment Report must be produced within 30 calendar days of a request from the Agency or the Attorney General[cite: 1, 2].

Actor split

Who the record says is responsible

Primary liability role: Both

Employer / employment agency duties

Candidate Notice · Binding
Opt Out · Binding
Human Review · Binding
Explainability · Binding
Risk Assessment · Binding
Vendor Due Diligence · Binding
Bias Audit · Mentioned
Public Reporting · Binding


Hiring and employment use cases

Affected use cases

Screening · Expressly covered · Express

software to screen applicants’ resumes to determine which applicants it will hire[cite: 2].

Source: 11 CCR § 7220(e)(2)

Given in the regulation's own worked example as an ADMT that triggers the pre-use notice duty, alongside video-interview analysis used in the same hiring process[cite: 1, 2].
Interviewing · Expressly covered · Express

Business A plans to videotape job interviews, then use emotion-recognition technology without human involvement to decide who to hire... software to evaluate applicants’ vocal intonation, facial expression, and gestures[cite: 2].

Source: 11 CCR § 7150(c)(1); 11 CCR § 7220(e)(2)

Identifies automated analysis of interview video and voice, including emotion recognition, as ADMT making a significant decision and therefore subject to the notice, opt-out, and risk-assessment duties[cite: 1, 2].
Employee Monitoring · Expressly covered · Express

proposed use of productivity monitoring software to determine the employee’s allocation/assignment of work and compensation[cite: 2].

Source: 11 CCR § 7220(e)(1)

Covers systems that log workforce activity metrics and use them to drive automated work-allocation or compensation decisions[cite: 1, 2].
Performance Management · Inferred covered · Inferred

“Employment or independent contracting opportunities or compensation” means: Hiring... Allocation or assignment of work... Promotion; and Demotion, suspension, and termination[cite: 2].

Source: 11 CCR § 7001(ddd)(4)

Promotion · Expressly covered · Express

“Employment or independent contracting opportunities or compensation” means... Promotion[cite: 2].

Source: 11 CCR § 7001(ddd)(4)(C)

Termination · Expressly covered · Express

“Employment or independent contracting opportunities or compensation” means... Demotion, suspension, and termination[cite: 2].

Source: 11 CCR § 7001(ddd)(4)(D)

