California's ADMT regulations are the most operationally consequential AI employment rules issued by any US jurisdiction. Starting January 1, 2027, any California employer using AI to screen resumes, score video interviews, or rank candidates must give applicants a specific pre-use notice, offer at least two opt-out methods, and maintain a signed risk assessment. Penalties reach $7,500 per intentional violation, and the California Privacy Protection Agency (CPPA) has signaled ADMT enforcement as a 2027-2028 priority.
Most compliance guides stop at explaining what you need to do. This one gives you the actual templates: copy-paste pre-use notice language and a structured risk assessment form ready to fill in.
What Counts as ADMT Under California Law
The California Privacy Protection Agency defines ADMT as any technology that processes personal information and uses computation to replace or substantially replace human decision-making. Under this definition, a tool does not need to make decisions entirely on its own to qualify. If the system's output, a score, ranking, flag, or recommendation, is what the hiring manager primarily relies on, the tool is likely ADMT.
Covered tools in a hiring context include:
- Resume-screening software that ranks or filters candidates based on keyword matching or machine learning
- Video interview platforms that score tone, facial expression, or language patterns
- Skills-assessment platforms that generate pass/fail scores used to advance or eliminate candidates
- ATS features that auto-route candidates into reject, hold, or advance buckets without human review at each step
The key phrase is "substantially replace." A tool a recruiter always double-checks manually carries less regulatory risk than one that filters 90% of applicants before a human ever sees a profile. When the AI output is the de facto decision, ADMT obligations apply.
Which California Employers Must Comply
The ADMT regulations apply to businesses subject to the California Consumer Privacy Act (CCPA). A business falls under the CCPA if it meets any of the following thresholds:
- Annual gross revenues exceeding $25 million
- Annual purchase, sale, or sharing of personal information from 100,000 or more consumers or households
- Deriving 50% or more of annual revenues from selling consumers' personal information
If your company qualifies under any threshold and uses ADMT to make or substantially influence employment decisions affecting California residents, the regulations apply to you by January 1, 2027. There is no exemption based solely on headcount or startup status. A Series B company with $30 million in revenue using an AI resume screener for California applicants is covered.
Non-California employers are not exempt if they are processing data from California-based job applicants. The CCPA follows the consumer's residency, not the employer's headquarters.
California ADMT Pre-Use Notice: Copy-Paste Template
The CPPA requires the pre-use notice to appear "at or before" the point of data collection for the ADMT purpose. For hiring, that means before the applicant submits their application, or at the start of any AI-assessed screening step.
The notice must include a plain-language explanation of how the ADMT works, what personal information it processes, what output it generates, how that output factors into the hiring decision, how the applicant can opt out, what the alternative process looks like, and a statement that exercising rights will not result in retaliation.
Below is a template you can adapt. Text in brackets requires your specific input:
[COMPANY NAME] AUTOMATED DECISIONMAKING NOTICE
We use automated decisionmaking technology (ADMT) during our hiring process for this position. This notice explains how it works and your rights under California law.
What technology we use: [Name of tool, for example: "HireVue video interview scoring" or "Greenhouse resume ranking feature"]. This technology is provided by [Vendor Name].
What personal information it processes: [Describe the data processed, for example: "your resume text and work history" or "your video interview responses, including language patterns and delivery".]
What output it produces: [Describe the output, for example: "a competency score from 0 to 100 that compares your responses to a validated benchmark for this role" or "a resume relevance ranking among all applicants for this position".]
How the output influences decisions: [Describe use, for example: "candidates scoring below [threshold] are not advanced to a phone screen" or "the ranking is reviewed by a recruiter who makes the final decision about whom to contact".]
Your opt-out rights: You have the right to opt out of ADMT processing at any time before or during your application. If you opt out, we will [describe the alternative, for example: "have a recruiter manually review your full application using the same evaluation criteria, with no penalty to your candidacy"]. To opt out, use either of these methods:
- Email [[email protected]] with the subject line "ADMT Opt-Out, [Your Name], [Position Applied For]"
- Call [phone number] and request an ADMT opt-out from our HR or recruiting team
No retaliation: Exercising your right to opt out of ADMT will not affect our consideration of your application or result in any adverse treatment of your candidacy.
For questions about this notice or your privacy rights, contact us at [[email protected]].
Review this template with counsel before deploying it. The description sections should reflect your specific tool configuration, not a generic vendor description. If your vendor provides public-facing transparency documentation, use it as the source for the "what personal information" and "what output" sections.
Opt-Out Obligations: What You Must Offer
The CPPA requires at least two distinct opt-out methods. The process must be simple, meaning no buried links, no dark patterns, and no requiring the applicant to navigate multiple screens just to find the option.
When a candidate exercises their opt-out right:
- If the opt-out request comes before ADMT processing starts, you must not initiate that processing for their application
- If the request comes after processing has started, you have 15 days to stop using ADMT in the evaluation of that individual
- You must provide the alternative decision process described in your notice, in the same general timeframe as the standard process
One narrow exception applies in hiring: employers who use ADMT solely to assess an applicant's ability to perform the specific job may decline to honor an opt-out request in limited circumstances, but only if they have verified through anti-bias testing that the system does not discriminate unlawfully and the results of that testing are documented. This exception is not a blanket waiver. Even where it applies, the employer must still provide the full pre-use notice, maintain the risk assessment, and honor all access and correction rights.
If you are using AI tools that apply across the full hiring funnel (screening, interview scoring, and final ranking), do not assume one opt-out scope covers all three. Each distinct use of ADMT for a significant decision may require its own notice and opt-out offer.
California ADMT Risk Assessment Template
The CPPA requires a formal risk assessment before deploying ADMT for significant decisions. The assessment must be signed and certified by a senior executive, retained for at least five years, and remain current. If you materially change the ADMT tool, the use case, or the data it processes, you must update the assessment.
By April 1, 2028, you must submit an attestation to the CPPA confirming that required risk assessments were completed, along with a summary of your assessment findings.
Use one completed assessment per distinct ADMT tool and use case combination. If you use the same vendor tool for both resume screening and interview scoring, complete separate assessments for each.
CALIFORNIA ADMT RISK ASSESSMENT
Company Name: ___________________________ Tool Name and Vendor: ___________________________ Use Case: [Resume Screening / Interview Scoring / Candidate Ranking / Other] Assessment Date: ___________________________ Review Date: ___________________________
Section 1: Business Purpose
State the specific, non-generic reason for using this ADMT. Vague purposes (efficiency, scalability) are insufficient under CPPA guidance.
Example: "To reduce recruiter time spent on initial screening by automatically ranking applicants for [Job Title] positions based on resume text against a defined skills rubric, so that recruiters can focus review on candidates who most closely match the job requirements."
What is the minimum necessary personal information processed by this tool? List each data type below and confirm no additional sensitive data is collected:
- Resume text (structured work history, education)
- Self-reported responses to screening questions
- Video or audio interview responses
- Assessment or test results
- Other: ___________________________
Section 2: Operational Elements
- How is personal information collected? (applicant-submitted, ATS-pulled, third-party sourced)
- How is the personal information used within the tool? (ranking algorithm, language model scoring, etc.)
- Who receives the output? (hiring manager, recruiting team, executive approver)
- What is the retention period for applicant personal information within this tool?
- Approximately how many California applicants are processed per month?
Section 3: Anticipated Benefits
List specific, measurable benefits. Do not list generic or speculative benefits.
Examples: "Reduces recruiter time per application from 8 minutes to 2 minutes, allowing same-day responses to applicants." "Applies consistent evaluation criteria across all applications, reducing variance from recruiter-specific preferences."
Section 4: Anticipated Negative Impacts
Identify and document potential harms to applicants. The CPPA requires this section to address:
- Unauthorized access or data breach risk (what applicant data could be exposed and how it is protected)
- Potential for unlawful discrimination or disparate impact across protected classes (race, gender, age, disability, national origin)
- Loss of applicant control over how their data is evaluated
- Potential for coercion if applicants feel declining ADMT will harm their candidacy
- Reputational harm to applicants from incorrect scores or erroneous disqualifications
- Economic harm if a qualified candidate is incorrectly screened out of consideration
Section 5: Safeguards and Mitigation
For each negative impact identified in Section 4, document the safeguard in place, who is responsible for it, and how compliance is verified.
Example for disparate impact: "We conduct quarterly disparate impact analysis across race, gender, and age using the 4/5ths rule. Results are reviewed by [HR Director]. Last analysis date: [Date]. Outcome: [pass/flag/remediation taken]. Vendor bias test documentation obtained: [Yes/No, Date]."
Example for data breach risk: "Vendor SOC 2 Type II report obtained [Date]. Applicant data encrypted at rest and in transit. Data processing agreement executed [Date] with deletion schedule of [N] days after position closes."
Section 6: Assessment Conclusion
State whether the privacy risks of the ADMT outweigh the benefits. The CPPA requires you to make this judgment explicitly.
If risks outweigh benefits: Document what steps you are taking before deployment or what alternative approach you will use instead.
If benefits outweigh risks: State that conclusion, reference the safeguards in Section 5, and confirm those safeguards are in place.
Conclusion: ___________________________
Section 7: Senior Executive Certification
I certify that this risk assessment accurately reflects the company's use of the above ADMT, that the negative impacts have been assessed in good faith, and that the safeguards described are in place and will be maintained throughout the period of deployment.
Name: ___________________________ Title: ___________________________ Signature: ___________________________ Date: ___________________________
Retain the signed assessment for a minimum of five years or for as long as the processing continues, whichever is longer.
Compliance Deadlines: 2026 to 2028
| Deadline | Requirement |
|---|---|
| January 1, 2026 | Risk assessments must begin for any new ADMT deployments initiated on or after this date |
| January 1, 2027 | Full compliance required for businesses already using ADMT: pre-use notices, opt-out mechanisms, access rights, and risk assessments for existing deployments |
| April 1, 2028 | Attestation to the CPPA that required risk assessments were completed, plus a summary of assessment findings |
The January 1, 2027 deadline is the critical one for most employers currently using AI screening tools. Do not wait until December 2026 to start building your compliance documentation. Pre-use notices must be embedded in your application flow, which often requires engineering changes to your ATS or careers portal.
The April 1, 2028 attestation is an easy deadline to miss because it sits two years after the main enforcement window opens. Add it to your compliance calendar now.
Penalties for Non-Compliance
The CPPA enforces ADMT violations under the CCPA enforcement framework:
- $2,500 per violation
- $7,500 per intentional violation
Because penalties can be counted per consumer affected, an employer using a non-compliant AI screening tool across 500 California applicants without the required pre-use notice could face exposure reaching $1.25 million in civil penalties for a single hiring cycle. The CPPA has publicly identified automated decision-making for employment as an enforcement focus for 2027-2028.
Beyond CPPA civil enforcement, the CCPA creates a private right of action for certain data security violations, and plaintiffs' attorneys are already monitoring ADMT compliance as a potential class action area. Employers who have the notice and risk assessment documentation in place are in a materially better position if a complaint is filed.
The Workday AI lawsuit is instructive here. Workday faced claims that its AI screening tools produced discriminatory outcomes across protected classes. The ADMT regulations do not eliminate discrimination liability, but employers who conduct and document disparate impact testing as part of the risk assessment process have a documented record of good-faith compliance effort.
See the EEOC AI hiring guidance checklist for the parallel federal layer that applies alongside California's ADMT rules, and the multi-state AI bias audit requirements guide if your hiring spans multiple jurisdictions.
Compliance Checklist: California ADMT
- Identify every AI tool used in any hiring, promotion, termination, or task-assignment decision affecting California residents
- Determine whether each tool qualifies as ADMT (replaces or substantially replaces human decision-making)
- Complete a risk assessment for each covered ADMT tool and use case
- Get the risk assessment signed by a senior executive
- Embed the pre-use notice in your application flow at or before data collection
- Set up at least two opt-out methods and test that they work
- Define and document the alternative review process for opt-out applicants
- Obtain vendor bias testing documentation and store it with your risk assessment
- Schedule quarterly disparate impact analysis for each covered tool
- Set a calendar reminder for the April 1, 2028 CPPA attestation
- Check NYC Local Law 144 if you also hire in New York City
- Review FCRA requirements if your AI tool draws on background check data
References
- California Privacy Protection Agency, Final CCPA Regulations on Automated Decisionmaking Technology, Risk Assessments, and Cybersecurity Audits (adopted July 24, 2025; effective January 1, 2026): cppa.ca.gov/regulations/ccpa_updates.html
- Littler Mendelson, "California's Automated Decisionmaking Technology Regulations: Seven Steps for Employers" (2026): littler.com
- Akin Gump, "New California Regulations Regarding Employer Use of Automated Decision-Making Technology: Compliance Required by January 1, 2027" (2026): akingump.com
- Thompson Coburn, "California's ADMT Rules Under the CCPA: What They Mean for Significant Decisions" (2026): thompsoncoburn.com
- Fisher Phillips, "What California's ADMT Rules Actually Mean for Hiring Decisions in 2026": fisherphillips.com
- Related: AI governance for HR teams complete guide, full HR AI compliance framework
- Related: California SB 942 AI Transparency Act August 2026, companion California AI transparency requirements
- Related: AI hiring compliance for small teams complete guide, state-by-state overview
