CCPA/CPRA 2026 — California ADMT Rules for AI Voice and Chat

California finalised the ADMT regulations on 23 September 2025 and they took effect 1 January 2026. The risk-assessment clock is already running; the consumer-facing rights flip on 1 January 2027. AI voice and chat that touch a "significant decision" now sit inside the rule.

What the law says

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the foundation. The California Privacy Protection Agency (CPPA) finalised three packages on 23 September 2025: amended CCPA regulations, Automated Decisionmaking Technology (ADMT) rules, risk-assessment rules, and cybersecurity-audit rules. The Office of Administrative Law approved the package; effective date 1 January 2026. Risk-assessment compliance starts immediately for in-scope businesses; ADMT consumer-facing rights — pre-use notice, opt-out, access — go live 1 January 2027.

ADMT means "any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making." The trigger is a "significant decision" — financial or lending services, housing, education, employment, healthcare services. A pre-use notice must precede collection. The consumer can opt out of ADMT for the significant decision (with limited exceptions). The consumer can request access to information about the logic, training data categories, intended use, and how outputs were used. Cybersecurity audits become mandatory for businesses that meet the thresholds, with phased deadlines through 2030. Penalties remain $2,500 per violation, $7,500 per intentional violation or per violation involving a minor.

What AI voice/chat must do

A voice agent that decides who gets a same-day appointment, prioritises a lead for credit, screens a tenant, or routes a healthcare benefits eligibility check is making — or substantially replacing — a significant decision. From January 2027 the agent must surface a plain-language pre-use notice before processing, host a published opt-out workflow, accept access requests, and document an alternative non-ADMT process. From January 2026, a documented risk assessment must already exist for any qualifying processing. Sensitive personal information continues to trigger right-to-limit obligations. Honor Global Privacy Control signals as a valid opt-out request. Build a 45-day response window for verifiable consumer requests, extendable by 45 more.

CallSphere posture

CallSphere is HIPAA and SOC 2 aligned with 37 agents, 90+ tools, 115+ DB tables, 6 verticals, and 50+ businesses at 4.8/5. California-facing tenants get an ADMT pre-use notice generator that pulls from each workflow's logic graph; a one-click opt-out path inside the voice and chat agents; an access-request engine that returns logic, input categories, and output mapping in JSON or PDF; and a risk-assessment template aligned to the CPPA's 10 required elements. The audit log captures every inference and tool call to satisfy access-request reconstruction. GPC signals are honored at the website and IVR boundary. Cybersecurity-audit evidence — vulnerability management, access controls, incident response, vendor diligence — is exported on demand. Pricing $149 / $499 / $1,499; 14-day trial; 22% lifetime affiliate at /affiliate; see /pricing; contact /contact; company at /about.

flowchart LR
A[CA Caller] --> B[Voice Agent]
B --> C[Pre-Use Notice]
C --> D[Significant Decision?]
D --> E[Opt-Out Path]
D --> F[Alt Non-ADMT]
B --> G[Risk Assessment]
G --> H[CPPA Audit File]

Compliance checklist

1. Inventory every workflow and label which ones make or substantially replace a significant decision.
2. Stand up the pre-use notice surface — voice prompt, web page, in-product modal — before January 2027.
3. Build the opt-out flow and the alternative non-ADMT path; document both.
4. Complete the risk assessment per the CPPA's 10 elements before processing in 2026.
5. Honor GPC at every consumer interface.
6. Implement an access-request engine that returns logic, training-data categories, and output usage.
7. Apply the right-to-limit when sensitive personal information is processed.
8. Schedule cybersecurity audits per the phased thresholds.
9. Retain processing records and assessment evidence for at least three years.
10. Train front-line staff on cure-period letters and the 45+45-day response clock.

FAQ

Are healthcare AI agents always ADMT? If the agent decides who gets a healthcare service, yes. If it only schedules around clinician decisions, often no — but document the boundary.

Does HIPAA carve us out? HIPAA's pre-existing carve-outs for protected health information remain. Non-PHI processing is still in scope; many voice agents process both.

When do consumer-facing rights start? 1 January 2027 for ADMT rights. Risk assessments are due before processing in 2026.

What counts as opt-out compliance for voice? A clear voice prompt that routes to the alternative non-ADMT process plus a published web/IVR opt-out URL.

Can we charge to honor an access request? No, the first request per 12 months is free; subsequent requests can be charged a reasonable fee.

Sources

• CPPA Announcement of Final Regulations 23 Sept 2025: https://cppa.ca.gov/announcements/2025/20250923.html
• CPPA Regulations Page: https://cppa.ca.gov/regulations/
• CCPA Statute Effective 1 Jan 2026: https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf
• CPPA CCPA Updates ADMT/Risk/Cybersecurity: https://cppa.ca.gov/regulations/ccpa_updates.html
• White & Case ADMT Final Rules Alert: https://www.whitecase.com/insight-alert/cppa-finalizes-rules-admt-risk-assessments-and-cybersecurity-audits-requirements