November 7, 2025

Updated CPPA Regulations Impacting HR Compliance

As Artificial Intelligence (AI) – specifically automated decision-making technology (ADMT) – becomes increasingly integrated into human resources processes, new California compliance requirements are taking center stage. Tools such as resume screeners, performance scoring systems, and scheduling software now fall under California Privacy Protection Agency (the Agency) regulations designed to protect employee rights and ensure data transparency. Here’s what HR professionals need to know—and do—to stay ahead of these changes. 

Background 

The CPPA (the Agency) is responsible for creating and enforcing the California Privacy Rights Act (CPRA) regulations that initially took effect March 29, 2024. The CPRA amended and expanded the California Consumer Protection Act (CCPA) by, among other things, giving consumers – including employees – the right to correct inaccurate personal information collected by a covered business and to limit a covered business’s use and disclosure of “sensitive personal information” (e.g., social security number, racial or ethnic origin, religious beliefs, genetic data, precise geolocation) to specific identified purposes.

In its inaugural Enforcement Advisory No. 2024-01 (issued April 2, 2024), the Agency focused on the importance of data minimization. In its second round of regulatory enforcement, the Agency is focusing on ADMT as it applies to significant decisions in the employment and job applicant contexts.   

As discussed here, the employer’s first step toward compliance is to determine whether its business is subject to the CCPA. The CCPA typically covers for-profit entities operating in California that collect personal information from California residents. In general, the CCPA applies to a “business” that:

  • Does business in the State of California;
  • Collects personal information (or on whose behalf such information is collected);
  • Alone or jointly with others determines the purposes or means of processing that data; and
  • Satisfies one or more of the following:
    • Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year);
    • Annually buys, sells, or shares the personal information of 100,000 California consumers or households; or
    • Derives 50% or more of its annual revenue from selling or sharing personal information.

ADMT Specific Compliance 

When it comes to ADMT, specific triggers for compliance arise when an organization uses ADMT to make significant employment decisions, such as those related to hiring, promotions, or benefits. Compliance is also required for activities that present a high privacy risk—including selling or sharing personal information, processing sensitive personal data, or profiling employees or candidates.  

Additionally, businesses that meet certain size thresholds, such as generating more than $50 million in annual revenue, may be subject to cybersecurity audit requirements, with phased deadlines beginning in 2028. 

Entities not covered by these new regulatory requirements include non-profit organizations and any organization that does not fall within the scope of the CCPA—such as those not meeting the relevant thresholds or not handling the personal data of California residents. 

What Does It Mean

Employers subject to the new CCPA regulations should consider the following key regulatory points and suggested best practices ahead of the regulations’ January 1, 2027, effective date:

Key Regulatory Points: 

  • Clear Notice Requirements: Employers must provide transparent notices to employees before using ADMT for hiring, promotions, or other employment-related decisions. Notices should explain the purpose of the tool, outline employee rights (such as opt-out or appeal options), and describe how the technology works, including what data it uses. 
  • Mandatory Risk Assessments: Any use of ADMT for employment decisions requires a formal risk assessment, especially if sensitive data like location or personal traits are used. These assessments must be completed by December 31, 2027, and updated every three years or within 45 days of any significant changes. 
  • Employee Empowerment: Employees have new rights, including the ability to opt out of ADMT, appeal technology-driven decisions, and access information about how those decisions are made. 

Compliance Best Practices: 

  • Inventory and Update HR Tech: Conduct a thorough review of all HR technology, from screening tools to performance management systems. This includes any third-party vendors/platforms that utilize ADMT. Ensure that each tool’s use is documented and compliant with the new notice and employee rights requirements.  
  • Collaborate For Compliance: Work closely with your organization’s legal counsel, IT professionals, and internal compliance teams to document risks, submit necessary assessments to the Agency, and schedule cybersecurity audits if your organization meets the regulatory thresholds. As always, training impacted staff on these new requirements is essential for ongoing compliance. 

Although January 1, 2027, may seem a long way away, time has a way of passing quickly. It’s crucial to begin preparing now to allow ample opportunity for internal audits, necessary system updates, and coordination across teams. By acting early and engaging with compliance partners, employers can ensure they are fully prepared to meet these updated regulatory requirements.