California is once again positioning itself at the forefront of data privacy by refining its regulatory approach. The shift is most notable around Automated Decision-Making Technology (ADMT) and risk assessments. The California Privacy Protection Agency (CPPA), responsible for enforcing the California Consumer Privacy Act (CCPA) and its amendments under CPRA, is actively shaping rulemaking in ways that echo leading global frameworks, such as the EU’s GDPR and Colorado’s AI Act.

With board discussions around ADMT scheduled for July 2025 and draft rules expected shortly thereafter, California is signaling a shift. A shift from penalizing privacy violations after they happen to designing systems that prevent harm upfront. Big tech is pushing back hard on this, but historically, California has stood its ground and is likely to stand strong on this as well.

Blueprint for Regulatory Recalibration

California’s upcoming rules around ADMT and risk assessments echo many features found in both international privacy frameworks and recent AI-related legislation in other U.S. states. This marks a shift from reactive enforcement to proactive prevention. These forthcoming regulations are expected to cover a wide range of algorithmic use cases that range from profiling and behavioral targeting to decisions about employment, lending, and healthcare.

In line with the “privacy by design” approach, businesses will be expected to embed privacy and risk mitigation into the core of their systems. Risk assessments, already a staple in international governance models, are poised to become mandatory for high-impact uses of ADMT, urging organizations to identify and address potential harms before automated tools are deployed—not after enforcement action is triggered.

 Below are key points of this realignment:

• Right to Opt Out of Algorithmic Decisions: Individuals will likely have the ability to opt out of fully automated decisions, especially those that carry significant consequences for their rights or well-being.
• Risk Assessments for High-Impact Uses: Just as other major jurisdictions require risk assessments for sensitive or high-impact data uses, California is preparing to make such evaluations a core part of responsible AI and data governance.
• Transparency Requirements: Organizations will be expected to provide clear, accessible explanations when automated tools are used. Most notably, around how decisions are made and what impact they may have.
• Data Minimization and Purpose Limitation: The idea that personal data should be used only for narrowly defined purposes, and only as much as is necessary, is a principle reflected in both California’s approach and global norms.

Why This Alignment Matters

The convergence of CCPA with global models isn’t just a legal curiosity but has real implications for businesses and regulators alike.

• For businesses, alignment between California, the EU, and Colorado means fewer fragmented obligations and a clearer path to multi-jurisdictional compliance. Organizations operating across state and international borders can now begin to standardize internal processes around ADMT and risk mitigation.
• For regulators, California’s approach could become a working prototype for federal rules. As federal agencies debate how to regulate AI and consumer privacy, the CPPA’s model offers a practical template.
• For other states, this sets a precedent. Rather than starting from scratch, they can adopt language and structures already getting trial runs in California and Colorado.

What Businesses Should Prepare For

The CPPA is already demonstrating how seriously it takes consumer expectations, especially in enforcement actions. A recent case involving Healthline serves as a wake-up call: even seemingly routine behaviors like tracking article clicks can be interpreted as collecting sensitive health data, especially when that data is inferred rather than explicitly provided.

As California refines its ADMT rules, these kinds of inferred, high-risk data uses are likely to face increased scrutiny.

Here’s what organizations should consider doing today:

• Conduct Data Audits: Identify where automated decision-making systems are deployed and what kinds of inferences are being drawn from user behavior.
• Implement Opt-Out Mechanisms: Allow consumers to opt out of profiling and automated decisions, particularly in contexts involving health, employment, or finance.
• Perform Internal Risk Assessments: Before launching or updating any algorithmic system, evaluate potential harms and document mitigation steps.
• Review Vendor Contracts: Ensure third-party vendors handling automated systems meet California’s emerging standards for privacy and transparency.

Setting the Tone for Proactive Privacy

California’s next round of privacy rules is not just a local update but a step toward global harmonization of privacy governance. With its sights set on proactive prevention and international alignment, the CPPA is crafting a future in which responsible automation isn’t optional.

Businesses that adapt early will not only reduce their legal risk but also build trust with consumers in an age where algorithms increasingly shape everyday life.