Affiliate disclosure: This page contains affiliate links marked with ↗.
If you sign up through one of these links, we may earn a commission at no extra cost to you.
Our rankings and reviews are editorially independent — affiliate relationships do not influence them.
Read our methodology →
S
California ADMT Rules for AI Agents
Editorial note. Buyer-focused summary, not legal advice. ADMT regulations were finalised by the CPPA in late 2025 / early 2026; enforcement is still being clarified through agency guidance and the first compliance cycles. Engage California-licensed counsel before deploying ADMT-triggering agents.
What counts as ADMT
The CPPA's definition is intentionally broad. An AI agent is ADMT if it:
- Uses personal information about a California consumer (which includes B2B contacts, employees, and prospects in 2026);
- To make or facilitate (i.e. substantially contribute to) a decision; AND
- The decision produces a "significant effect" — financial, employment, education, housing, healthcare, criminal justice, or access to essential goods/services.
The "facilitate" prong is the wide one. An AI agent that drafts the rejection email a human then sends still facilitates the decision — and counts.
Common AI-agent use cases that trigger ADMT
- CV-screening / candidate ranking
- Lead scoring that determines whether a human salesperson follows up
- Credit / loan / insurance underwriting assistance
- Fraud-detection scoring with downstream account actions
- Tenant screening and housing decisions
- Healthcare triage and care-pathway recommendations
- Employee monitoring + performance scoring
- Customer-tier or risk classification influencing service eligibility
Common AI-agent use cases that don't trigger ADMT:
- Internal scheduling / calendar optimisation
- Meeting transcription / summarisation
- Document classification for routing
- Marketing-email drafting (subject to ADMT only when used for behavioural-advertising profiling)
- Code generation
The four-step compliance flow
- Pre-use notice. Before personal information is processed by the ADMT, give a clear notice — what the agent does, what categories of data it uses, what significant effect it might produce. Notice must be at least as prominent as your privacy policy link and presented at or before collection.
- Right to opt out. For some ADMT uses (especially profiling for behavioural advertising and certain forms of training), consumers can opt out. You must offer a verifiable mechanism — typically a webform or an authenticated portal request.
- Right to access. Consumers can request: what categories of personal information the ADMT used, the logic involved (in non-trade-secret terms), and the decision the ADMT facilitated about them. Respond within 45 days of the verifiable request.
- Risk assessment + audit. Businesses processing ADMT for "extensive profiling" or training certain models must conduct a risk assessment and, in some cases, submit it to the CPPA. The detailed thresholds are in the final regulations published by the CPPA in 2025-2026 — confirm with counsel.
How ADMT, GDPR Art. 22, and the EU AI Act overlap
| Concern | California ADMT (CCPA) | GDPR Art. 22 | EU AI Act |
|---|---|---|---|
| Jurisdiction | California consumers | EU/UK data subjects | EU users + market |
| Trigger | "Significant effect" decisions using PI | Solely automated decisions with legal/significant effect | High-risk system classification |
| Pre-use notice | Required | Implied via Art. 13/14 | Required transparency |
| Opt-out | Required for some uses | Right to object; right not to be subject | Not the same; uses risk-tier obligations |
| Access to logic | Yes (non-trade-secret) | Yes (meaningful info) | Yes (transparency) |
| Risk assessment | Required for some ADMT | DPIA when high-risk | Risk-management system for high-risk |
| Sanction | Up to $7,500 per intentional violation | Up to 4% of global turnover | Up to 7% of global turnover (severe) |
If you have California users + EU users (most B2B SaaS): all three apply. Build the higher floor — typically EU AI Act + GDPR — and ADMT obligations slot inside.
Buyer checklist
- Map your agent use case to the ADMT definition. Be honest about the "facilitate" prong.
- If ADMT applies, draft the pre-use notice. Plain language. Visible at collection.
- Build the opt-out mechanism. Tie it to your existing CCPA "Do Not Sell or Share" plumbing.
- Document the logic. The agent's decision rules should be explainable in non-technical language and documented separately from the prompt — auditors and regulators will ask.
- Set up data-subject-access-request handling specifically for ADMT inquiries — what was decided, what data was used, what logic.
- Run the risk assessment if your processing volume or use case crosses CPPA thresholds.
- Confirm the agent platform supports your obligations: can it surface the categories of PI used per decision? Can it export a per-consumer decision log?
- Renew annually. ADMT regulations will continue to evolve; review your processing inventory at least once per year.
Platform implications
Few AI agent platforms have explicit ADMT support in 2026 — the regulations are too new. What to ask vendors:
- Per-decision audit log accessible to the customer
- Categories-of-personal-information tagging at the input layer
- EU + California regional data residency options
- Decision-logic documentation export (not just the prompt)
If the vendor cannot supply these, your in-house obligations grow accordingly. For high-volume ADMT use cases, prefer platforms with the strongest enterprise governance posture — Workato, Voiceflow, Relevance AI, Botpress.