The California Civil Rights Council and the California Privacy Protection Agency have recently passed regulations that impose requirements on employers who use “automated-decision systems” or “automated decisionmaking technology,” respectively, in employment decisions or certain HR processes. On the legislative side, the California Legislature passed SB 7, which would impose additional obligations on employers who use these technologies; the bill is currently on the Governor’s desk. And the Governor has signed SB 53, which provides certain employee whistleblower rights with respect to AI safety. Below, we discuss some of the key requirements in the new regulations and legislation.

California Civil Rights Council – ADS Regulations

The California Civil Rights Council’s (CCRC) Employment Regulations Regarding Automated-Decision Systems took effect on October 1, 2025. The regulations, aimed at addressing potential discrimination when businesses use artificial intelligence tools to make personnel decisions, apply to employers with five or more employees in California. Notable provisions include:

  • Covered Technologies. The CCRC regulations define “Automated-Decision Systems” (ADS) as “[a] computational process that makes a decision or facilitates human decision making regarding an employment benefit.” An ADS may be derived from and/or use artificial intelligence, machine-learning, algorithms, statistics, or other data processing techniques. An ADS could perform tasks such as:
    • Screening resumes for particular terms or patterns;
    • Directing job advertisements or other recruiting materials to targeted groups;
    • Analyzing facial expressions, word choice, or voice in online interviews;
    • Using computer-based assessments or tests (e.g., questions, puzzles, games) to make predictive assessments or measure skill, dexterity, reaction time, or other characteristics of an applicant or employee; or
    • Analyzing employee or applicant data acquired from third parties.
  • Employment Discrimination. The CCRC regulations clarify that it is unlawful under the California Fair Employment and Housing Act (FEHA) for an employer or covered entity to use an ADS that results in discrimination against an applicant or employee based on a protected class under FEHA (i.e., race, national origin, gender, age, religion, disability, etc.). An employer may be liable even if it did not intend to discriminate where the use of the ADS results in a disparate impact on a protected class.
  • Anti-bias Testing. The regulations provide that anti-bias testing or similar proactive efforts to avoid unlawful discrimination can be used in defense of discrimination claims. Conversely, the absence of anti-bias testing can be used as evidence in a claim against an employer.
  • Records Retention. An employer or covered entity must preserve ADS-related records, including selection criteria, relevant outputs and audit findings, for four years.

California Privacy Protection Agency – ADMT Regulations

The California Privacy Protection Agency (CPPA) recently approved, and the Office of Administrative Law finalized, regulations on the use of automated decisionmaking technologies (ADMT) in “significant decisions” about consumers, including employees. Businesses must be in compliance with the regulations by January 1, 2027, including with respect to any ADMT already in use prior to that date. Notable provisions relating to employees, job applicants, and independent contractors include:

  • Covered Technologies. The regulations define “Automated decisionmaking technology” or “ADMT” as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” For purposes of this definition, to “substantially replace human decisionmaking” means “a business uses the technology’s output to make a decision without human involvement.”
  • Significant Decision. A “significant decision” includes employment or independent contracting opportunities, defined as “hiring, allocation of work, compensation, promotion, demotion, suspension, or termination.”
  • Pre-use Notice. A business that uses ADMT to make a significant decision must provide consumers with a Pre-use Notice describing the use of ADMT and the consumer’s rights to opt out of and to access ADMT.
  • Opt-out. A business must provide consumers with the ability to opt out of the use of ADMT to make a significant decision concerning the consumer, subject to exceptions, including a human appeal option.
  • Access. A business that uses ADMT to make a significant decision must provide consumers with information about its use, such as the purpose of the ADMT and the logic involved, when responding to a consumer’s request to access ADMT, subject to exceptions.
  • Risk Assessments. Businesses must conduct a risk assessment before using ADMT to make a significant decision concerning employees and applicants or where the use otherwise presents a significant risk to employees (such as using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, reliability, location, or movements, based on systematic observation of the employee or applicant). The risk assessment must contain specified content that is detailed and prescriptive. For any processing activity that the business initiated before the effective date of the regulations (January 1, 2026) and conducted after the effective date, the business must conduct a risk assessment by December 31, 2027 and submit certain required information about such risk assessments (but not the underlying risk assessments) to the CPPA by April 1, 2028.

Legislation

The California Legislature recently passed SB 7, the “No Robo Bosses Act,” which would require notice, human oversight, and corroboration when employers use automated decision systems for decisions that impact workers’ livelihoods. Governor Newsom has until October 12 to sign or veto the bill.

In the meantime, the Governor has signed SB 53, the Transparency in Frontier Artificial Intelligence Act, which takes effect on January 1, 2026. Among other things, the new law amends the California Labor Code to add whistleblower protections for employees of large AI companies, in connection with an employee concern that the company’s activities pose a specific and substantial danger to public health or safety. More information on SB 53 is here.

Next Steps

Employers should prepare for the relevant regulations and new laws by understanding which technologies their HR and other departments are using, or plan to use, that could trigger these legal requirements. Employers should develop policies and processes to ensure that they are satisfying relevant requirements when using AI in the employment context by, for example, providing relevant and timely notices to applicants and/or employees, conducting risk assessments and bias audits, and complying with recordkeeping requirements. For more best practices on using AI in the workplace, see our prior blog post.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Carolyn Rashby

Carolyn Rashby provides business-focused advice and counsel to companies navigating the constantly evolving and overlapping maze of federal, state, and local employment requirements. Carolyn’s approach is preventive, while recognizing the need to set clients up for the best possible defense should disputes arise.

As a senior member of Covington’s Institutional Culture and Social Responsibility Practice Group, Carolyn has co-led significant investigations into workplace culture, DEI issues, and reports of sexual misconduct and workplace harassment.

As an employment lawyer with over two decades of experience, Carolyn focuses on a wide range of compliance and regulatory matters for employers, including:

  • Conducting audits regarding employee classification and pay equity
  • Advising on employment issues arising in corporate transactions
  • Strategic counseling on a wide range of issues including discrimination and harassment, wages and hours, worker classification, workplace accommodations and leave management, performance management and termination decisions, workplace violence, employment agreements, trade secrets, restrictive covenants, employee handbooks, and personnel policies
  • Drafting employment contracts and offer letters, separation agreements, NDAs, and other employment agreements
  • Advising on employee privacy matters, including under the California Consumer Privacy Act
  • Providing guidance on use of AI in the workplace and development of related policies
  • Leading anti-harassment and other workplace-related trainings, for employees, executives, and boards

Carolyn also works frequently with the firm’s white collar, privacy, employee benefits and executive compensation, corporate, government contracts, and cybersecurity practice groups to ensure that all potential employment issues are addressed in matters handled by these groups.

Michelle York

Michelle Barineau counsels U.S. and multinational clients on a broad range of employment issues. Michelle routinely provides guidance pertaining to wage and hour compliance, job classifications, pay equity, and employee leave. She also prepares key employment documents including employment agreements, employee policies, and separation agreements.

Michelle guides employers through hiring and terminating employees and managing their performance, as well as workforce change strategies, including reorganizations, reductions in force, and WARN compliance. In addition, Michelle provides practical advice about workplace issues impacting employers including remote work, workplace culture, diversity, equity, and inclusion, and the use of artificial intelligence in the workplace. She helps clients navigate matters involving harassment, discrimination, non-competition, and other issues arising under state and federal employment laws including Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Equal Pay Act, the Family and Medical Leave Act, and the Fair Labor Standards Act. She assists clients when responding to agency charges and demand letters, including whistleblower retaliation complaints, and frequently interacts with the Equal Employment Opportunity Commission, state and local equal employment opportunity agencies, and the Occupational Safety and Health Administration.

Michelle has experience investigating employment complaints and she frequently partners with white collar colleagues to conduct sensitive internal investigations, workplace culture assessments, and racial equity audits. She works with colleagues in the privacy, employee benefits and executive compensation, and corporate groups when employment matters arise and she regularly works with colleagues in California to advise on matters implicating California employment laws. Michelle is a co-founder of Covington’s AI Roundtable, which convenes senior lawyers at the firm working closely on AI issues to discuss legal implications of AI deployment and use.

Bryan Ramirez

Bryan Ramirez is an associate in the firm’s San Francisco office and is a member of the Data Privacy and Cybersecurity Practice Group. He advises clients on a range of regulatory and compliance issues, including compliance with state privacy laws. Bryan also maintains an active pro bono practice.