
Automated Decision-Making Technology — pre-use notice, opt-out, access rights

Primary statement

ADMT operations are governed by evolving US state law: (1) CPPA Regulation § 7150 — risk assessment for high-risk processing (effective 1 Jan 2026, first attestation due 1 Apr 2028); (2) CPPA Regulation § 7200 — pre-use notice when ADMT makes significant decisions about consumers (compliance from 1 Jan 2027); (3) CPPA Regulation §§ 7220-7222 — ADMT opt-out and access rights (compliance from 1 Jan 2027); (4) state-law parallel profiling protections (CO, CT, TX). The ADMT regime is the most consequential AI-governance regulatory wave for US-touching businesses.

Audit-fatigue payoff

A unified ADMT programme — risk assessment + pre-use notice + opt-out mechanism + access rights — satisfies ADMT requirements across all 9 contributing frameworks. CPPA Regulations §§ 7150 / 7200 / 7220 form the leading-edge audit reference.

Strictness matrix

Scope
Scope: ADMT making "significant decisions" about consumers — financial services, housing, education, employment, healthcare, insurance, criminal justice, essential goods/services. Plus extensive profiling. The "significant decisions" concept defines the trigger boundary.
Ceiling source: ccpa:CCPA.Reg.7200
Rationale: CPPA Regulation § 7200 specifies the broadest ADMT scope through "significant decisions".

Threshold
Risk assessment threshold: processing presenting a significant risk to consumer privacy. Triggers include selling/sharing PI, processing SPI, profiling for significant decisions, training ADMT on personal information. The risk assessment IS the gating control.
Ceiling source: ccpa:CCPA.Reg.7150
Rationale: CPPA Regulation § 7150 risk assessment is the binary threshold for high-risk ADMT processing.

Method
Method: (1) risk assessment per § 7150 with documented analysis of necessity, proportionality, safeguards; (2) annual attestation to CPPA (from 1 Apr 2028); (3) pre-use notice per § 7200 — meaningful description of logic, outputs, role in decision, intended use; (4) opt-out mechanism per § 7220 with documented procedure; (5) access rights per § 7220 — consumer can request information about ADMT use; (6) state-law parallel profiling controls (CO, CT, TX).
Ceiling source: ccpa:CCPA.Reg.7220
Rationale: CPPA Regulations §§ 7150 / 7200 / 7220 form the comprehensive ADMT method.

Frequency
Risk assessment: per processing activity + on material change. Annual attestation to CPPA (from 1 Apr 2028). Pre-use notice refresh: per ADMT change. Opt-out mechanism: continuous availability. Access right SLA: 45 days typically.
Ceiling source: ccpa:CCPA.Reg.7150
Rationale: Per-activity risk assessment with annual attestation is the audit-defensible cadence.

Evidence
Required evidence: (1) risk assessment per high-risk ADMT processing (§ 7150); (2) annual attestation to CPPA (from 1 Apr 2028); (3) pre-use notice per ADMT (§ 7200); (4) opt-out mechanism evidence + sample opt-outs honoured (§ 7220); (5) access right responses (§§ 7220-7222); (6) state-law profiling notice evidence per applicable state.
Ceiling source: ccpa:CCPA.Reg.7150
Rationale: CPPA Regulation § 7150 evidence with annual attestation is uniquely strict and the leading-edge audit anchor.

Auditor test pattern

Step 1: Inspect ADMT inventory; identify high-risk processing.
Step 2: Inspect risk assessments per § 7150.
Step 3: For each high-risk ADMT, inspect pre-use notice (§ 7200).
Step 4: Verify opt-out mechanism (§ 7220) is accessible.
Step 5: Sample one opt-out and verify it was honoured.
Step 6: Sample one access request and verify response per §§ 7220-7222.
Step 7: For state-law parallel requirements (CO, CT, TX), verify profiling notices.

Common findings

Common 2024–26 findings: (1) ADMT inventory absent — ML models in production not catalogued; (2) Risk assessment for § 7150 not started despite 1 Apr 2028 attestation deadline; (3) Pre-use notice generic, not ADMT-specific; (4) Opt-out mechanism for ADMT routed through general opt-out without ADMT-specific path; (5) Access requests for ADMT information not handled separately; (6) State-law profiling notices absent.