What is ADMT under CPRA and which AI systems qualify?

CPRA ADMT (Automated Decision-Making Technology) is any system that processes personal information using computation to make or execute a decision or to facilitate human decision-making. This covers: ML models making credit, employment, or healthcare decisions; AI recommendation systems presented to human decision-makers; scoring algorithms used for loan underwriting or tenant screening; and LLMs generating decision summaries or recommendations. It does not cover product recommendations or content personalization without significant individual impact.

What significant decisions trigger CPRA ADMT rights for California consumers?

Significant decisions covered by CPRA ADMT: financial decisions (credit, loans, insurance, payment terms), employment (hiring, promotion, termination, performance evaluation), education (admission, aid, discipline), healthcare (diagnosis, treatment authorization, insurance coverage), housing (rental, mortgage, property services access), and other decisions with legal or similarly significant effects. AI systems used for any of these categories for California consumers require opt-out mechanisms, per-decision logic access, and human review capability.

Our AI helps human underwriters make loan decisions — does CPRA ADMT apply?

Yes. CPRA ADMT covers systems that 'facilitate' human decision-making, not just fully automated decisions. If your AI scores, ranks, or recommends applications to human underwriters, and those underwriters rely substantially on the AI output, the system is ADMT for the loan decision. California borrowers have the right to opt out of the AI-facilitated process and to understand how the AI scoring influenced their specific loan decision.

What must the ADMT logic access response include?

The access response must be specific to the individual decision and reasonably understandable to an average consumer. It must include: what categories of personal information about this consumer were used as model inputs; how those factors contributed to the output (weights, importance, relative contribution); the AI's output (score, recommendation, decision); and how that output was used in the final decision about this consumer. General model documentation or feature lists without individualized explanation are insufficient.

How does the CPRA ADMT opt-out work operationally?

A consumer who opts out of ADMT for a significant decision must be offered an alternative path to the same outcome through non-ADMT means — typically human review. The alternative must be genuinely equivalent: not slower by design, not more expensive, not less favorable. Businesses must honor opt-out requests within 15 business days. Opt-out signals can be submitted via the privacy rights request mechanism (typically a webform or email). Businesses must document what process replaces ADMT when a consumer opts out and disclose this in the privacy notice.

Does CPRA ADMT apply to AI used for employee decisions as well as consumer decisions?

Yes. The CCPA/CPRA employee exemption expired January 1, 2023. California employees now have full CCPA/CPRA rights including ADMT rights. AI systems used for employment decisions about California employees — performance scoring, scheduling optimization, promotion ranking, termination recommendation — are ADMT subject to CPRA. This is a common compliance gap for HR AI vendors and workforce management AI platforms.

What is the CPPA penalty for ADMT violations?

CPPA may impose civil penalties up to $7,500 per intentional violation of ADMT regulations. There is no private right of action for ADMT violations — consumers cannot sue directly for ADMT failures (CCPA private right of action is limited to data breach security failures). CPPA may investigate based on consumer complaints, routine audits, or enforcement sweeps. Violations include: failure to provide an opt-out mechanism, failure to fulfill access to logic requests within 45 days, and failure to document or implement a human review process.

How does Tenet AI support CPRA ADMT compliance?

Tenet captures a per-decision record for every AI inference used in significant decisions: inputs used, model output, factors driving the output (from model explainability), and the human reviewer's action (accept, override, or escalate). These records are queryable by consumer ID and support CPRA ADMT access requests within 45 days. When a consumer opts out, Tenet flags that consumer in the decision routing system and routes future decisions to the human review queue. The human override capture satisfies the CPRA requirement to document human review of ADMT-based decisions.

CCPA/CPRA Automated Decision-Making (ADMT): Opt-Out Rights, Access to AI Logic, and Human Review Compliance

California Privacy Rights Act (CPRA) and CPPA Automated Decision-Making Technology (ADMT) regulations grant California consumers new rights regarding AI decisions: the right to opt out of ADMT for significant decisions; the right to access per-decision AI logic in plain language; and the right to request human review of ADMT-based significant decisions. ADMT is defined broadly — it covers AI that "facilitates" human decisions (not just fully automated decisions). Significant decisions covered: credit, employment, healthcare, education, housing, insurance, and legal rights. CPPA enforces with fines up to $7,500 per intentional violation; there is no private right of action for ADMT violations (only for data breach security failures). AI teams must implement: opt-out mechanisms within 15 business days, per-decision explanation logs in plain language, and a documented human review process.

ADMT Definition: Covers AI That "Facilitates" Human Decisions

CPPA ADMT regulations define automated decision-making technology as any system that processes personal information using computation to make or execute a decision or to facilitate human decision-making. The "facilitates" clause is the expansive provision: AI recommendation engines, AI scoring systems presented to human decision-makers, and AI-ranked lists that influence loan officers, HR managers, or medical professionals are all ADMT — not just fully automated systems. ADMT covers: ML models, rule-based systems, scoring algorithms, profiling systems, and LLMs used in decision workflows. Product recommendations and content personalization without significant individual impact are not ADMT.

Significant Decisions: What Categories Trigger ADMT Rights

CPRA ADMT rights apply to decisions with significant effects on consumers: financial decisions (credit, loans, payment terms, insurance); employment (hiring, promotion, performance evaluation, termination); education (admission, financial aid, academic discipline); healthcare (diagnosis, treatment, authorization, coverage); housing (rental applications, mortgage, property services); government services; and other decisions producing legal or similarly significant effects. This covers a wide range of AI deployments. Businesses must conduct an ADMT inventory to identify all AI systems that make or contribute to any of these decision categories for California consumers.

Access to ADMT Logic: Per-Decision Plain-Language Explanations

When a consumer requests access to ADMT logic, the response must be reasonably understandable to an average consumer — not a general model description. The response must be specific to the individual decision: what categories of personal information were used as inputs; how those factors were weighted or evaluated; what the AI output was; and how that output contributed to the decision. Generic model card links, technical feature lists, or "we use machine learning to evaluate applications" responses are insufficient. AI systems must generate per-decision explanation artifacts that can be rendered in plain language. This drives a technical requirement: decision-level explainability, not model-level explainability.

Opt-Out Right and Human Review Alternative

Consumers may opt out of ADMT for significant decisions. Businesses must honor opt-out requests within 15 business days and offer a genuine alternative (typically, a human-reviewed decision process). The alternative cannot be more burdensome than the default ADMT path — slower timelines, higher costs, or less favorable outcomes for the opt-out path effectively penalize consumers for exercising their rights. Businesses must designate a human reviewer who has authority and access to independent evaluate the decision without reliance on the AI score. CPPA regulations (§ 7033) require documenting the human review process and disclosing the appeal path in the privacy notice.

CPPA Enforcement and Interaction with GDPR Article 22

CPPA enforces ADMT regulations with civil penalties up to $7,500 per intentional violation. There is no private right of action for ADMT violations — enforcement is by CPPA only. CPPA may investigate based on consumer complaints, routine audits, or proactive monitoring. Contrast with GDPR Article 22: GDPR restricts solely automated decisions with legal/significant effects, while CPRA covers AI that "facilitates" (not just fully automates) human decisions. CPRA's "facilitates" clause is broader — an AI recommendation that influences a human loan officer is covered by CPRA ADMT but may not be covered by GDPR Art. 22 if a human makes the final decision. AI teams serving both US and EU consumers must implement the more demanding California standard for US operations.