- (a) A business that uses ADMT to make a significant decision must provide a consumer with information about this use when responding to a consumer's request to access ADMT.
(b) When responding to a consumer's request to access ADMT, a business must provide plain language explanations of the following information to the consumer:
- (1) The specific purpose for which the business used ADMT with respect to the consumer. The business must not describe the purpose in generic terms, such as “to improve our services.”
- (2) Information about the logic of the ADMT. Such information must enable a consumer to understand how the ADMT processed their personal information to generate an output with respect to them, which may include the parameters that generated the output as well as the specific output with respect to the consumer.
(3) The outcome of the decisionmaking process for the consumer, including how the business used the output of the ADMT to make a significant decision with respect to the consumer. For example, this may include information about whether the output was the sole factor to make the decision; and if it was not the sole factor, which other factors played a role in making the decision; and to the extent that a human was part of the decisionmaking process in a manner that does not meet the requirements of “human involvement” in section 7001, subsection (e)(1), what that human's role was in the decisionmaking process.
- (A) If the business also plans to use the output to make an additional significant decision concerning the consumer in the future, the business's explanation must include how the business plans to use that output to make a significant decision about the consumer in the future. For example, this may include whether the output will be the sole factor in the decisionmaking process or what the other factors will be in that decisionmaking process; and to the extent that a human will be part of the decisionmaking process in a manner that does not meet the requirements of “human involvement” in section 7001, subsection (e)(1), what that human's role will be in the decisionmaking process.
(4) That the business is prohibited from retaliating against consumers for exercising their CCPA rights, and instructions for how the consumer can exercise their other CCPA rights. These instructions must include any links to an online request form or portal for making such a request, if offered by the business.
- (A) The business may comply with the instructions requirement by providing a link that takes the consumer directly to the specific section of the business's privacy policy that contains these instructions. Directing the consumer to the beginning of the privacy policy, or to another section of the privacy policy that does not contain these instructions, so that the consumer is required to scroll through other information in order to find the instructions, does not satisfy the instructions requirement.
(c) In providing the information required by subsections (b)(2)-(3), a business's response to a consumer's request to access ADMT is not required to include:
- (1) Trade secrets, as defined in Civil Code section 3426.1, subdivision (d); or
(2) Information that would compromise the business's ability to:
- (A) Prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
- (B) Resist malicious, deceptive, fraudulent, or illegal actions directed at the business or at consumers, or to prosecute those responsible for those actions; or
- (C) Ensure the physical safety of natural persons.
- (d) A business's methods for consumers to submit requests to access ADMT must be easy to use and must not use dark patterns. A business may use its existing methods to submit requests to know, delete, or correct as set forth in section 7020 for requests to access ADMT.
- (e) A business must comply with the verification requirements set forth in Article 5 for requests to access ADMT. If a business cannot verify the identity of the person making the request to access ADMT, the business must inform the requestor that it cannot verify their identity.
- (f) If a business denies a consumer's verified request to exercise their right to access ADMT, in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA, the business must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law. If the request is denied only in part, the business must disclose the other information sought by the consumer.
- (g) A business must use reasonable security measures when transmitting the requested information to the consumer.
- (h) If a business maintains a password-protected account with the consumer, it may comply with a request to access ADMT by using a secure self-service portal for consumers to access, view, and receive a portable copy of their requested information if the portal fully discloses the requested information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 5.
- (i) A service provider or contractor must provide assistance to the business in responding to a verifiable consumer request to access ADMT, including by providing the business with the consumer's personal information it has in its possession that it collected pursuant to their written contract with the business, or by enabling the business to access that personal information.
- (j) A business that used an ADMT with respect to a consumer more than four times within a 12-month period may provide an aggregate-level response to the consumer's request to access ADMT. Specifically, for the information required by subsection (b)(2), the business may provide a summary of the outputs with respect to the consumer over the preceding 12 months; the parameters that, on average over the preceding 12 months, affected the outputs with respect to the consumer; and a summary of how those parameters applied to the consumer.
- (k) A business must not retaliate against a consumer because the consumer exercised their right to access ADMT as set forth in Civil Code section 1798.125 and Article 7.
- (l) Nothing in this section prohibits a business from providing additional information to enable a consumer to understand how the ADMT was used to make a significant decision with respect to them. For example, a business may provide the range of possible outputs or aggregate output statistics to help a consumer understand how they compare to other consumers, such as the five most common outputs of the ADMT and the percentage of consumers that received each of those outputs during the preceding calendar year.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125 and 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).