AI Privacy Report

CCPA, CPRA, and the New ADMT Rules: What They Mean for LLM Products

California's finalized ADMT regulations bring pre-use notice, opt-out, appeal, and risk-assessment duties to automated decisionmaking — including many LLM workflows. The timeline and the test.

By AI Privacy Report Editorial · 8 min read

The CCPA, as amended by the CPRA, has long given Californians rights over their personal information. What changed in 2025 is that the California Privacy Protection Agency (CPPA) finalized a package of regulations that, for the first time, attach concrete process duties to automated decisionmaking technology (ADMT) — and many LLM-powered workflows fall squarely inside the definition. This is the working read on what those rules require, when, and which AI products are caught.

The European analog to this analysis — GDPR Article 22 — is covered separately; this piece is the California-specific counterpart, and the timelines and definitions differ in ways that matter.

What the CPPA Actually Finalized

On July 24, 2025, the CPPA Board adopted a regulatory package that, on September 22, 2025, was approved by California’s Office of Administrative Law and filed with the Secretary of State. The package does four things: updates existing CCPA regulations; creates risk-assessment and annual cybersecurity-audit obligations for certain businesses; implements consumer rights to access and opt out of ADMT; and clarifies CCPA application to insurers.

The regulations took effect January 1, 2026 — but the substantive ADMT and audit duties phase in on staggered deadlines rather than all at once. Confusing the effective date with the compliance deadlines is the most common mistake organizations make reading these rules.

The Phased Timeline (Read This Carefully)

The dates that govern actual obligations:

  • January 1, 2026 — regulations effective; risk-assessment requirements begin applying to in-scope processing.
  • January 1, 2027 — businesses using ADMT for significant decisions must comply with the ADMT requirements (pre-use notice, opt-out, access, appeal).
  • April 1, 2027 — the operative date by which businesses using ADMT for significant decisions must have the consumer-facing ADMT mechanisms in place under the regulations’ phase-in.
  • December 31, 2027 — initial risk assessments for processing already underway are due (internally).
  • April 1, 2028 — businesses must submit information about risk assessments conducted in 2026–2027 to the CPPA (the summary, not the full assessment), and the first cybersecurity-audit certifications are due for the largest businesses (over $100M revenue), with smaller tiers due in 2029 and 2030.

So the headline for AI builders: if your product makes “significant decisions” via automation, the consumer-facing ADMT obligations are a 2027 deadline, but the risk-assessment clock is effectively running now.

What Counts as ADMT — and When LLMs Are Caught

The regulations target automated decisionmaking technology used to make a significant decision about a consumer. “Significant decisions” are those affecting finances, housing, education, employment, or healthcare — and the rules expressly exclude advertising from the “significant decision” category.

This is the test that determines whether an LLM product is in scope. An LLM is caught when its output drives a significant decision:

  • An LLM that scores or screens job applicants → employment → in scope.
  • An LLM that recommends approval/denial of a loan, lease, or financial-account application → finances/housing → in scope.
  • An LLM that routes a patient or triages care → healthcare → in scope.
  • An LLM that generates marketing copy or personalizes ads → advertising → expressly excluded.
  • A general-purpose chat assistant answering questions with no determinative effect on a significant decision → generally not in scope on that basis alone.

The mistake to avoid is assuming that “we just call a model API” exempts you. If the model’s output determines — or substantially shapes — a significant decision about a Californian, the workflow is ADMT regardless of whether the model is yours or a vendor’s.

The Four Duties for In-Scope ADMT

For businesses using ADMT to make significant decisions, the regulations require (beginning in 2027):

  1. Conduct a risk assessment of the processing before relying on it.
  2. Provide a pre-use notice to consumers explaining the business’s use of ADMT for the significant decision.
  3. Offer an opt-out of the ADMT use, subject to defined exceptions.
  4. Honor access and appeal rights — consumers can request information about the logic of the ADMT and how its outputs are used, and can appeal decisions made by ADMT to a human.

The access right’s “logic” component is the one that maps directly onto LLM explainability problems. A consumer can ask how the system reached a significant decision about them, and the business must provide meaningful information about the logic and the role the ADMT output played — which is operationally hard when the determinative step is a model inference.

What This Means for LLM Product Teams

Concrete implications, in priority order:

Classify your decisions now. For each automated workflow, ask: does its output drive a finance, housing, education, employment, or healthcare decision about a Californian? That single question determines scope. Document the answer.

Start the risk assessment now, not later. The risk-assessment obligation is the near-term one. For in-scope processing, the assessment should cover the model’s role, the data flows feeding it, the foreseeable harms, and the mitigations — and you’ll eventually summarize it to the CPPA.

Build the consumer mechanisms for 2027. Pre-use notice, an opt-out path, an access response that can describe the logic, and a human appeal channel that does not loop back through the same model. These take lead time; the 2027 deadline is closer than it looks.

Account for vendor models. Using a third-party LLM does not move the obligation off you as the business making the decision. Your vendor diligence should capture what explanation and logging support the provider can give you, because the access and appeal duties land on the deployer.

How This Sits Alongside the EU and Other States

California’s ADMT regime is conceptually adjacent to GDPR Article 22 — both attach process safeguards (notice, human involvement, contestability) to consequential automated decisions — but the categories (“significant decisions” in five named domains vs. “legal or similarly significant effects”) and the timelines differ, so a single global control set has to satisfy the stricter of each element. Within the US, this also stacks on the state AI laws now in force: an LLM hiring tool deployed nationally may face California’s ADMT duties, Illinois’s employment-AI notice and anti-discrimination rules, and Texas’s interaction-disclosure obligations simultaneously.

The Compliance Posture

The CPPA package converts the CCPA from a data-rights statute into something closer to an AI-process regulation for the decisions that matter most to people’s lives. For LLM products that touch money, housing, jobs, education, or health, 2026 is the year to classify and assess, and 2027 is the year the consumer-facing machinery has to be live. The risk of misclassifying a “significant decision” workflow as out-of-scope is the expensive failure mode — get the classification right first, and the rest is implementation.

Cross-references

For the European counterpart to this automated-decision analysis, see GDPR Article 22 and LLM automated decision-making. For the broader US state-law context this sits within, see the US state AI laws roundup for 2026. For the assessment artifact these duties require, the DPIA template for LLM deployment is a useful starting structure.
