By January 1, 2027, certain businesses that use automated decision-making technology to
make employment decisions must comply with new California Privacy Protection Agency
regulations. The regulations generally apply to large employers -- those with annual revenue in
excess of $25 million. Any such large employer that uses automated decision-making
technology for significant employment decisions must conduct “risk assessments,” provide
pre-use notices to California consumers about the decisions, and, in most cases, offer those
individuals the ability to opt out.
The term “automated decision-making technology” is broad. It means any technology
that processes personal information, and in so doing, substantially replaces human involvement
in employment decisions. Human involvement is replaced where (1) a reviewer is not required to
know how to interpret the technology’s output to make a decision; (2) a reviewer is not required
to review and analyze the technology’s output to make a decision; and (3) a reviewer lacks
authority to make or change the decision. The term does not apply to web hosting, domain
registration, networking, website-loading, data storage, calculating, and databases, provided
they do not replace human decision making.
What decisions are considered “significant”? Most consequential decisions would be
deemed “significant,” including decisions about assigning work to employees, decisions on
employee compensation rates (including bonuses), and decisions on promoting, demoting,
suspending, or terminating employees.
What notice must be provided? The pre-use notice needs to explain in plain language
how the employer uses the automated technology to make decisions, and how the consumer can
opt out of such decision-making processes. Certain exceptions apply so long as the use of the
automated technology does not result in unlawful discrimination based on protected
characteristics (i.e., age, color, race, religion, gender). Assuming there is no unlawful
discrimination, employers do not need to provide an opt-out notice where (1) the employer
ensures an actual person reviews the decision and has the authority to overturn the decision, (2)
the technology is used solely to assess the employee’s ability to perform at work; or (3) the
technology is used solely to assign work and set compensation.
Why are risk assessments required? The purpose of risk assessments is to determine
whether privacy risks from processing personal information outweigh the benefits to the
consumer, the business, other stakeholders, and the public. To comply, the risk assessment must:
1. Identify and document the specific purpose for processing personal information;
2. Identify the categories of personal information to be processed, including the minimum
personal information necessary to achieve the business purpose;
3. Identify how the business collects, uses, discloses, and processes information;
4. Identify the benefits to the business, consumers, stakeholders, and the public;
5. Identify the negative impacts, such as discrimination based upon protected
characteristics and/or impairing a consumer’s control over personal information;
6. Report any safeguards to be used for processing information;
7. Identify whether the business will use the information;
8. Identify who provided the information for the risk assessment; and
9. Identify the date the assessment was reviewed and approved with the individuals who
approved the assessment.
Risk assessments conducted in 2026 and 2027 need to be submitted to the California
Privacy Protection Agency by April 1, 2028.
Takeaway
These newly implemented regulations (which can be found at CCPA - Effective January
1, 2026) reflect both a general concern about privacy rights and a growing trend in California to
regulate how businesses use AI. Several bills addressing these issues are now pending and would
impose even stricter and broader regulations. As a result, employers with less than $25 million in
annual revenue may also face new restrictions on their use of AI-powered tools, including
applications used to screen resumes, conduct video-based applicant assessments, and evaluate
employee performance.
For now, employers should carefully review whether these requirements apply to their
operations. Employers should identify what AI applications they use to make employment
decisions and consider designating a reviewer of automated employment decisions. The reviewer
should have the authority to overturn decisions as needed. Employers using AI in hiring,
promotions, terminations, or compensation decisions should evaluate how this technology is
used and ensure it is not unlawfully discriminating against employees or applicants.
