CCPA/CPRA · Automated Decisionmaking Technology (ADMT) · California-resident data

Veladon for California CCPA/CPRA AI: ADMT Evidence for 2026 Enforcement

California's CCPA (2020) and CPRA (2023) were extended to Automated Decisionmaking Technology (ADMT) via regulations finalized 2025–2026. Any business that meets the CCPA thresholds (revenue, California-resident records, or selling/sharing thresholds) and uses AI to make significant decisions about California residents, including employee AI use that handles customer, applicant, or employee data of California residents, must provide notice, honor access/deletion rights, and conduct risk assessments for ADMT.

Full name: California CCPA/CPRA with Automated Decisionmaking Technology (ADMT) regulations
Effective: CCPA January 2020; CPRA January 2023; ADMT final regulations 2025–2026
Jurisdiction: California (applies to businesses handling CA-resident data)
Primary regulator: California Privacy Protection Agency (CPPA) + CA Attorney General

Executive summary · for CISOs + Compliance Officers

Why this matters for mid-market organizations with 500–2,500 employees.

The California Privacy Protection Agency (CPPA) has enforcement authority plus CA Attorney General concurrent authority.

Veladon's per-use-case classification flags significant-decision AI use vs routine productivity use at the prompt level. The AI-system inventory supports 1798.100 records obligations; the per-prompt log supports 1798.105 deletion rights (hashed event deletion with audit trail). For organizations subject to both California ADMT and Colorado AI Act impact-assessment requirements, the quarterly pack supports both regulatory consumers from one data set — the same MAP 3 + MAP 5 artifacts that satisfy NIST AI RMF.

Which California CCPA/CPRA AI controls matter for employees using public LLMs?

These are the specific articles, controls, or sections that govern the moment an employee pastes data into ChatGPT, Claude, or Gemini. A general-DLP retrofit rarely maps to these by default — Veladon's evidence pack carries the references inline on every log line.

  • Civ. Code 1798.100 — consumer right to know; applies to AI processing of personal information
  • Civ. Code 1798.105 — right to delete; applies to AI-held personal information
  • Civ. Code 1798.120 — right to opt out of sale/sharing; ADMT implications
  • Civ. Code 1798.185(a)(16) — automated decisionmaking technology regulations (the key ADMT provision)
  • ADMT regulations (CPPA 2025–2026) — pre-use notice, access rights, opt-out rights for significant decisions
  • Risk assessment requirements — businesses using ADMT for significant decisions must conduct risk assessments

Control-by-control mapping · 8 controls

What Veladon evidences for each California CCPA/CPRA AI control.

The concrete control-ID to evidence mapping auditors request during fieldwork. Every California CCPA/CPRA AI control below is indexed inline on every log line Veladon generates — so the quarterly evidence pack ships pre-sampled for each control.

| Control ID | Requirement | Veladon evidence |
| --- | --- | --- |
| Cal. Civ. Code 1798.100 | Right to know — consumers have the right to request information about personal information collected, used, disclosed, or sold. | AI-system inventory showing personal-information processing by AI systems, per-prompt logs hashed for consumer access-request response, re-identification via audit replay only. |
| Cal. Civ. Code 1798.105 | Right to delete — consumers have the right to request deletion of personal information. | Deletion-request workflow — hashed event deletion with audit trail showing deletion completeness, derived-data cascade handling. |
| Cal. Civ. Code 1798.120 | Right to opt out of sale/sharing — consumers have the right to opt out of the sale or sharing of personal information. | ADMT-scope tagging per prompt, with automated opt-out honoring where significant-decision AI use is opted out of. |
| Cal. Civ. Code 1798.185(a)(16) | Automated decisionmaking technology regulations — pre-use notice, access rights, opt-out rights for significant decisions. | Per-use-case ADMT classification — significant-decision vs routine productivity. Pre-use notice workflow per ADMT use case. Opt-out workflow per consumer. |
| CPPA ADMT Regulations (2025–2026) | Risk assessment requirements — businesses using ADMT for significant decisions must conduct risk assessments. | Risk-assessment inputs — AI inventory, impact categories, data subject categories, redaction taxonomy per AI system, per-use-case impact evaluation. |
| Cal. Civ. Code 1798.140(a) (ADMT definition) | ADMT — any system, software, or process, including those derived from machine-learning, that processes personal information and replaces or substantially facilitates human decisionmaking about a consumer. | ADMT-scope classifier per prompt — use-case taxonomy distinguishes decision-replacing (significant) vs decision-supporting (routine) AI use. |
| Colorado AI Act (SB 24-205) | High-risk AI system impact assessments + duty of reasonable care to avoid algorithmic discrimination. | Impact-assessment inputs per high-risk use case, duty-of-care documentation (oversight mapping, training acknowledgments, incident-response), duplicative with California ADMT evidence. |
| CCPA Thresholds | Business is subject to CCPA if: $25M annual revenue, or processes PI of 100,000+ CA consumers/households, or 50%+ of revenue from selling/sharing CA consumer PI. | Not directly applicable — Veladon supplies processing evidence; threshold determination is customer-side legal analysis. |

What lands in your quarterly evidence pack for California CCPA/CPRA AI.

Veladon's quarterly evidence pack is structured around the exact artifacts a Big 4 auditor or regulator asks for. The list below is what lands in your /quarterly-exports/ folder 30 days after deployment.

  1. 1798.100 records — AI system inventory showing personal-information processing by AI systems (including public LLMs)
  2. 1798.185(a)(16) ADMT — per-use-case classification flagging significant-decision AI use vs. routine productivity use
  3. Risk assessment inputs — AI inventory, impact categories, data subject categories, redaction taxonomy per AI system
  4. Right-to-know evidence — per-prompt logs available for consumer access request response (hashed, with re-identification only via audit replay)
  5. Training and policy artifacts for employees using AI that processes CA-resident data
  6. Quarterly CCPA + AI evidence supplement — aligned with ISO 42001 and NIST AI RMF primary pack

Implementation playbook · 5 phases · 500 employees in 5–10 business days

How to deploy Veladon for California CCPA/CPRA AI in a compressed timeline.

  1. Phase 01

    ADMT scoping

    Week 1–2

    Activities

    • Identify AI use cases involving California-resident personal information
    • Classify each use case as significant-decision (ADMT in scope) vs routine productivity
    • Deploy Veladon pilot with use-case taxonomy configuration
    • Legal counsel review of ADMT classification

    Artifacts produced

    • ADMT use-case inventory
    • Legal review memo
    • Pilot deployment evidence
  2. Phase 02

    Pre-use notice + opt-out workflow

    Week 3

    Activities

    • Design pre-use notice flow for significant-decision AI use
    • Configure Veladon opt-out workflow for ADMT-scope prompts
    • Integrate with existing CCPA consumer-rights management tool
    • Author policy documents for ADMT

    Artifacts produced

    • Pre-use notice design
    • Opt-out workflow configuration
    • Integration evidence
    • ADMT policy document
  3. Phase 03

    Risk assessment + production

    Week 4–5

    Activities

    • Full MDM rollout
    • Conduct CPPA risk assessment for ADMT in scope
    • Complete Colorado AI Act impact assessment for high-risk AI systems
    • Enable rights-response workflow (access, delete, opt-out)

    Artifacts produced

    • 100% deployment evidence
    • CPPA risk assessment
    • Colorado impact assessment
    • Rights-response workflow live
  4. Phase 04

    Evidence + enforcement posture

    Month 2

    Activities

    • First quarterly CCPA + AI + ADMT evidence pack
    • Consumer-rights request handling simulation
    • CPPA inquiry-response tabletop
    • Annual rights-metric review

    Artifacts produced

    • Quarterly pack v1
    • Rights-handling simulation log
    • Tabletop exercise documentation
    • Metric review memo
  5. Phase 05

    Continuous governance

    Quarterly

    Activities

    • Quarterly evidence pack
    • Consumer-rights request handling (access, delete, opt-out)
    • Annual risk assessment refresh (both CPPA and Colorado)
    • Annual policy refresh

    Artifacts produced

    • Quarterly packs
    • Rights-request logs
    • Annual risk-assessment updates

Concrete use cases · how California CCPA/CPRA AI obligations show up in practice

The specific scenarios Veladon covers for California CCPA/CPRA AI.

Finance analyst reviews CA-resident loan applicant

A finance analyst at a California fintech uses Claude to evaluate loan applications. The applicant is a California resident, the output influences the underwriting decision — ADMT under 1798.185(a)(16). Veladon classifies the prompt as ADMT-scope, enforces the pre-use notice flow (the applicant received notice at intake), and logs the event with ADMT classification, significant-decision tag, and the applicant's opt-out status. CPPA audit evidence is per-prompt, not per-policy.

HR team screens CA applicants via AI

An HR team uses ChatGPT Team to screen California-based job applicants' resumes. This falls under both California ADMT (employment decisions) and emerging California FEHA AI regulations. Veladon classifies the use case as significant-decision ADMT, logs the applicant-level evidence, and supports opt-out handling for applicants who exercise the right. Colorado AI Act high-risk AI system duty-of-care evidence overlaps — one event serves both regulatory consumers.

Consumer access request handling

A California consumer submits an access request asking what AI systems processed their personal information in the past 12 months. Veladon's per-prompt log (hashed, re-identified only via audit replay) supports the response — the AI-system inventory lists systems in scope, the audit replay shows specific events involving the consumer's data, and the response is packaged within the 45-day CCPA response window. The rights-response workflow reduces handling time from 20–40 hours (manual search) to 2–4 hours (tool-supported).

Opt-out of ADMT for consumer

A California consumer opts out of ADMT use of their personal information. Veladon's ADMT-scope classification enables automated enforcement — prompts classified as significant-decision ADMT handling the consumer's data are blocked, while routine productivity prompts (summarization, translation without downstream decision impact) proceed. The opt-out log shows per-consumer enforcement evidence. Audit coverage per 1798.185(a)(16) is continuous.

CPPA enforcement inquiry

CPPA opens an inquiry after multiple consumer complaints. CPPA requests evidence of (1) AI systems processing California-resident PI, (2) ADMT classification per use case, (3) pre-use notice delivery, (4) risk-assessment artifacts, (5) rights-request handling evidence. Veladon's quarterly pack covers all five directly. Inquiry closes with procedural documentation updates rather than administrative fines.

Colorado AI Act impact assessment overlap

An insurance company selling in both California and Colorado uses AI in underwriting. California requires ADMT notice + opt-out; Colorado requires high-risk AI impact assessment + duty of care. Veladon's impact-assessment inputs (per-use-case exposure, affected-data categories, oversight mapping) satisfy Colorado AI Act requirements. The same evidence supports CPPA risk assessment under 1798.185 regulations. Unified evidence = reduced GRC effort.

Deadline calendar

California CCPA/CPRA AI deadlines + audit milestones.

Framework deadline

Rolling (continuous CPPA enforcement, Colorado AI Act effective Feb 1, 2026)

  1. February 1, 2026

    Colorado AI Act effective date

    High-risk AI system duty-of-care and impact-assessment requirements become enforceable.

  2. 2026 (rolling)

    CPPA ADMT regulations full application

    ADMT final regulations applied in 2025–2026. Pre-use notice, access, opt-out rights enforceable.

  3. 45-day CCPA response window per request

    Consumer rights-request response windows

    Access, deletion, opt-out requests require response within 45 days (plus 45-day extension if necessary).

  4. Annual

    Annual CPPA risk assessment refresh

    Risk assessment for ADMT in scope. Update with new use cases, new providers, new regulatory guidance.

Why a general DLP retrofit is insufficient for California CCPA/CPRA AI evidence.

General DLPs were built for CCPA data-subject access requests at the file level. They do not classify AI use cases by significant-decision vs. routine use, and they do not produce the ADMT-specific evidence that the 2025–2026 regulations require. Classic DLP tuned to 1798.100 access requests does not answer the ADMT 1798.185(a)(16) questions. Veladon's per-use-case classification and AI-specific inventory supply the ADMT evidence that CPPA enforcement inquiries increasingly request.

Questions CISOs ask about California CCPA/CPRA AI

Common questions about California CCPA/CPRA AI and employee AI use.

Does CCPA/CPRA apply to a non-California company whose employees use ChatGPT with California-customer data?

Yes, if the company meets the CCPA thresholds (currently: $25M annual revenue, or processing personal information of 100,000+ California consumers/households, or deriving 50%+ of annual revenue from selling/sharing California consumer personal information). The company then owes CCPA rights to California residents whose data is processed, including rights that intersect with AI processing. Extraterritoriality is the norm — physical location of the business does not matter; the residency of the data subject does.

What is an Automated Decisionmaking Technology (ADMT) under the 2025–2026 regulations?

ADMT is defined broadly in the CPPA's finalized regulations as any system, software, or process, including those derived from machine-learning, statistics, or other data-processing techniques, that processes personal information and either replaces human decisionmaking or substantially facilitates human decisionmaking about a consumer. Employee AI use for significant decisions (hiring, firing, loan underwriting, pricing, healthcare treatment, etc.) involving California residents falls under ADMT requirements. Routine productivity use (summarizing a document that does not drive a significant decision) typically falls outside ADMT scope.

Do employees pasting customer emails into Claude trigger ADMT obligations?

It depends on the downstream use. If the output drives a significant decision about the California-resident customer (e.g., account closure, pricing change, service denial), ADMT obligations apply: pre-use notice to the consumer, right to access details about the ADMT, right to opt out. If the output is purely summarization without a significant decision consequence, ADMT obligations typically do not apply — but CCPA general rights still apply. Veladon's per-use-case classification is designed to flag the distinction at the prompt level.

What does a CPPA enforcement inquiry look like for AI-related CCPA issues?

Typical inquiry: CPPA sends a notice requesting evidence of (1) AI systems processing California-resident personal information, (2) ADMT classification per AI use case, (3) consumer-notice evidence where ADMT is used for significant decisions, (4) risk-assessment artifacts, (5) evidence of honoring consumer access/deletion/opt-out requests for AI-held personal information. Businesses without AI-specific evidence receive administrative fines up to $7,500 per intentional violation and $2,500 per unintentional violation. Healthcare-specific violations under the CMIA can layer on.

How does California ADMT interact with the Colorado AI Act?

Both states enacted AI-specific regulations in 2024–2025, with overlap but distinct structure. Colorado AI Act (effective 2026) focuses on developer and deployer obligations for high-risk AI systems and carries specific duty-of-care and impact-assessment requirements. California ADMT focuses on consumer rights and significant-decision ADMT. A national mid-market business typically needs evidence satisfying both regimes: Colorado-style impact assessments and California-style consumer rights. Veladon's evidence pack supports both — impact-assessment inputs + consumer-rights records.

Tailored FAQ · California CCPA/CPRA AI-specific

Additional California CCPA/CPRA AI questions Veladon buyers ask.

Can Veladon automate CCPA deletion-request handling for AI events?

Partially. Veladon's hashed event log supports deletion — on a valid consumer deletion request, the relevant event records are purged from the log with deletion-trail evidence. Derived data (aggregated metrics, training improvements) is handled per Veladon's data-handling policy. Full automation requires integration with your existing CCPA rights-management tool (OneTrust, Transcend, BigID, or comparable); Veladon integrates via webhook API.

Pricing context · 500–2,500 employee deployments

What Veladon typically costs for California CCPA/CPRA AI coverage.

For California CCPA/CPRA + ADMT + Colorado AI Act coverage at 500–2,500 employees, Veladon lands at $22–32k ACV (mid-market tier) or $45–90k (enterprise tier) with California-indexed quarterly packs. For businesses at or above the CCPA thresholds ($25M revenue / 100k consumers / 50% selling threshold), the tool is a near-necessity as 2025–2026 ADMT enforcement ramps. CPPA administrative fines ($2,500 unintentional / $7,500 intentional per violation) aggregate rapidly across a 1,500-employee deployment; a single unfavorable enforcement event can exceed 10+ years of Veladon cost. The tool supports California + Colorado + NIST AI RMF MAP from one data set, maximizing regulatory ROI.

Need California CCPA/CPRA AI evidence on a compressed timeline?

Veladon deploys via MDM in 30 minutes and generates the first evidence pack at day 30. Get the Veladon early-access brief — detailed architecture, detection taxonomy, and California CCPA/CPRA AI crosswalk.
