Requirements for Automated Decision-making Technology (ADMT) Under the CCPA
A practical guide to California's ADMT regulations, including when Article 11 applies and how businesses can comply with its disclosure, opt-out, access, and governance requirements.
California’s ADMT regulations are now among the most detailed and operationally demanding AI governance rules in the United States. Article 11 of the CPPA regulations imposes strict obligations on businesses that use automated decisionmaking technology to make “significant decisions” about consumers — including decisions involving credit, housing, healthcare, employment, education, and other high-stakes outcomes.
Article 11 applies whenever a business uses ADMT to make a “significant decision” about a consumer. The definition of ADMT is intentionally expansive and functional: if the technology automates the decision itself, and if the human role is merely rubber-stamping, it is ADMT under the CCPA. The regulations define “significant decision” in a narrowly tailored yet impactful way, focusing on decisions that have legal, economic, educational, professional, or health-related effects on individuals.
This article provides a practical, practitioner-focused roadmap to complying with Article 11. It explains when ADMT is in scope, what businesses must disclose before using it, when consumers can opt out, and what must be provided when consumers request access to information about how ADMT works. It also summarizes the narrow exceptions, choice-architecture requirements, verification obligations, and timing rules that apply across opt-out, appeal, and access workflows.
NOTE: The regulations clarify that advertising is not a significant decision. Thus, profiling or targeting for marketing purposes alone does not trigger Article 11 (though it does implicate other CCPA provisions).
Key takeaways for practitioners:
- ADMT is broadly defined. Any technology that replaces or substantiallyreplaces human decisionmaking — including many forms of scoring, profiling, ranking, and eligibility determinations — is likely in scope. Human involvement that is superficial or purely clerical does notremove a system from ADMT classification.
- Opt-out exceptions are narrow. Only three limited exceptions exist (human appeal, initial hiring/admission ability-to-perform assessments, and allocation/assignment-of-work decisions). Outside of these small carve-outs, consumers retain a full right to opt out.
- Opt-out ≠ no transparency. Even when an exception applies, businesses must still provide full pre-use notice and must honor access requests.
- Opt-out methods must be dark-pattern-free. § 7004 acts as a strict design standard: opt-out must be as easy as opting in, require minimal steps, and avoid nudging, friction, or confusing UX patterns.
- Honoring an opt-out, offering human appeal, and avoiding ADMT classification often converge. In practice, all three routes require meaningful human involvement with real authority — not just “reviewing” or rubber-stamping ADMT output.
- Access requests require full verification. Unlike opt-outs, requests to access ADMT require identity verification under Article 5 to avoid disclosing personal information to the wrong individual.
- Pre-use notices and access responses must be specific. Generic statements (“to improve services”) are prohibited. Businesses must explain the specific decision, logic, parameters, human roles, and intended future uses of ADMT outputs.
- Service providers and contractors must cooperate. They must return or enable access to all relevant consumer data to help the business fulfill access requests.
Together, these requirements make ADMT governance a cross-functional operational challenge that touches legal, engineering, data science, UX design, customer service, HR, education administration, and product teams. This article walks through the rules section by section to help practitioners convert them into actionable compliance processes.
Compliance Timeline (§ 7200(b)):
- Businesses already using ADMT for significant decisions before January 1, 2027 must comply with Article 11 by January 1, 2027.
- Businesses deploying such ADMT on or after January 1, 2027 must comply immediately whenever they use the ADMT.
In effect, any business using AI or automation to provide or deny essential services or opportunities must begin preparing their compliance program now.
1. Scope: When Article 11 Applies (§ 7200)
Article 11 applies whenever a business uses ADMT to make a “significant decision” about a consumer.
1.1. What ADMT Means Under the CCPA (§ 7001(e))
“Automated decisionmaking technology” or ADMT is defined broadly to include any technology that processes personal information and uses computation to replace or substantially replace human decisionmaking.
A technology substantially replaces human decisionmaking when a business uses the system’s output to make a decision without meaningful human involvement. To qualify as genuine human involvement, the human reviewer must:
- Know how to interpret and use the system’s output,
- Review and analyze the output and other relevant information, and
- Have real authority to make or change the decision based on that analysis.
If those elements are missing, the decision is considered automated — even if a human “touches” the process.
The definition also explicitly includes profiling when it replaces or substantially replaces human decisionmaking.
At the same time, the regulations carve out a series of everyday technologies that do not count as ADMT so long as they do not replace human decisionmaking — including web hosting, domain registration, networking tools, caching, data storage, firewalls, anti-virus and anti-malware tools, spam filters, spellcheckers, calculators, databases, and spreadsheets.
1.2. What Significant Decision Means Under the CCPA (§ 7001(ddd))
A significant decision is a decision that results in the provision or denial of the following services, opportunities, or benefits:
(1) Financial or Lending Services: These include decisions involving:
- Extension of credit or loans
- Transmitting or exchanging funds
- Providing deposit or checking accounts
- Check cashing
- Installment payment plans
Any ADMT used to determine eligibility or terms for these financial services triggers Article 11.
(2) Housing: This covers any building or structure used or intended as a residence or sleeping place, whether permanent or temporary.
However, an ADMT system does not make a significant decision when it provides or denies housing solely based on:
- Availability or vacancy, or
- Successful receipt of payment
Thus, automated room assignment or vacancy detection alone would not be regulated as a significant decision.
(3) Education Enrollment or Opportunities: This includes:
- Admission or acceptance into academic or vocational programs
- Granting of educational credentials (degrees, diplomas, certificates)
- Student suspension or expulsion
Any ADMT used in admissions screening, plagiarism enforcement with disciplinary consequences, or credentialing decisions falls within Article 11.
(4) Employment or Independent Contracting Opportunities or Compensation: This encompasses:
- Hiring
- Allocation or assignment of work and compensation, including salary, hourly pay, per-assignment pay, and bonuses
- Promotion decisions
- Demotion, suspension, or termination
Systems that rank applicants, score employee productivity, recommend disciplinary actions, allocate shifts, or determine pay are all covered.
(5) Healthcare Services: This includes services related to:
- Diagnosis, prevention, or treatment of disease
- Assessment or care of a person’s health
ADMT used to triage patients, determine eligibility for care, or recommend treatments qualifies.
Explicit Exclusion: Advertising -The regulations clarify that advertising is not a significant decision. Thus, profiling or targeting for marketing purposes alone does not trigger Article 11 (though it may implicate other CCPA provisions).
2. Pre-Use Notice Requirements (§ 7220)
Businesses must provide consumers with a Pre-use Notice before processing their personal information with ADMT for a significant decision.
2.1. Timing and Presentation
The notice must be:
- Prominent and conspicuous (§ 7220(b)(2)),
- Delivered at or before the point of data collection for ADMT purposes, or delivered before repurposing previously collected data for ADMT (§ 7220(b)(2)),
- Presented in the manner the business primarily interacts with the consumer (§ 7220(b)(3)).
Businesses may incorporate the Pre-use Notice into their Notice at Collection, but only if all ADMT-specific content is included.
2.2. Required Content of the Pre-use Notice
The notice must include:
(1) A specific, plain-language explanation of the ADMT’s purpose: Generic statements such as “to make significant decisions” are prohibited (§ 7220(c)(1)). The business must clearly identify the decision being automated — e.g., “to determine eligibility for a loan,” “to assess employee productivity for promotion decisions.”
(2) Information about the right to opt-out of ADMT: Consumers must be told they have the right to opt-out, and how to submit an opt-out request (§ 7220(c)(2)). If the business is relying on exceptions to the opt-out rights, it shall provide alternative information instead:
- The human appeal exception (§ 7221(b)(1)): It must instead inform the consumer of their right to appeal to a human reviewer.
- Another permissible exception (§ 7221(b)(2)–(3)): It must identify which exception applies.
(3) Information about the right to access ADMT: Consumers must be told they may submit a request to access information about the system’s logic, output, and purposes (§ 7220(c)(3)).
(4) Anti-retaliation assurance: The business must affirmatively state that it may not retaliate against consumers for exercising CCPA rights (§ 7220(c)(4)).
(5) Additional explanation of how the ADMT works: This “layerable” explanation may be provided by link or expandable content and must include (§ 7220(c)(5)):
- How the ADMT processes personal information, including categories of data that influence outputs (an “opt-out” may include predictions, decisions, and recommendations — e.g. numerical scores of compatibility)
- The type of output (e.g., score, recommendation) and how it is used in the decision — including whether the output is the sole factor in the decision-making process or what the other factors are, whether a human is involved in a manner that does not meet regulatory requirements for the opt-out exemption (and what the role of that human is)
- The alternative decisionmaking process available if the consumer opts out (unless an exception applies).
Businesses are not required to reveal trade secrets or information that would compromise security or safety (§ 7220(d)).
2.3. Consolidated Pre-use Notices (§ 7220(e))
Businesses may consolidate Pre-use Notices (provided that the notice contains all the required information described in 2.2. above for each ADMT system) when:
- One ADMT is used for multiple purposes (for example, an employer may provide a consolidated Pre-use notice to an employee that addresses the employer’s proposed use of productivity monitoring software to determine the employee’s allocation or assignment of work and compensation, and to determine which employees will be demoted)
- Multiple ADMTs serve one purpose (for example, a business may provide a consolidated Pre-Use Notice to a job applicant that addresses the bussiness’ proposed use of (1) software to screen applicants’ resumes to determine which applicants it will hire; and (2) software to evaluate applicant’s vocal intonation, facial expressions, and gestures to determine which applicants to hire)
- Multiple ADMTs cover multiple purposes (for example, an education provider may provide a consolidated Pre-use Notice to a new student that addresses the educational provider’s proposed use of : (A) software that automatically screens students work for plagiarism to determine whether they will be suspended, and (B) softward that automatically assesses sudents’ exams to determine whether to grant them a diploma or certificate),
- The business systematically uses the same ADMT over time (for example, a business may provide a consolidated Pre-use Notice to an employee that addresses the business’s methodical and regular use of ADMT to allocate work to its employees, rather than providing a Pre-use Notice to the same employees each time it proposes to use the sme ADMT for the same purpose.)
Taking advantage of this flexibility will be critical for employers, education providers, and enterprises deploying ADMT across multiple functions and workflows.
3. When Do Consumers Have a Right to Opt-Out of ADMT (§ 7221(b))?
Consumers generally have the right to opt-out of ADMT for significant decisions (§ 7221(a)) unless
- The Human Appeal Exception applies (§ 7221(b)(1))
- The Hiring and Admission Decisions Exception applies (§ 7221(b)(2)).
- The Allocation/Assignment of Work or Compensation Decisions applies (§ 7221(b)(3)).
Practice Tip: An exemption from opt-out never means an exemption from transparency: Even when ADMT falls within an exemption to the right to opt out, the business is still fully obligated to provide consumers with pre-use notice and access rights. If ADMT is used to make a significant decision — whether or not the consumer may opt out — the business must always:
- Provide a clear, advance notice describing the ADMT, the decision it will affect, the logic involved, and the consumer’s rights; and
- Provide access, upon request, to the information required under the ADMT access provisions.
3.1. Human Appeal Exception to the Right to Opt-Out (§ 7221(b)(1))
The Human Appeal Exception applies in precisely the scenario where the business has already used ADMT — meaning the initial decision was made by technology that did “substantially replace human decisionmaking”. Despite that initial reliance on ADMT, the regulations provide that the business does not need to offer an opt-out if it offers a robust, meaningful human appeal process that effectively re-introduces the level of human involvement that would have been required to avoid qualifying as ADMT in the first place.
To qualify for this exception, the business must provide the consumer with a method to appeal the decision to a human reviewer who has full authority to overturn it. The regulations impose stringent requirements to ensure this human review is real, substantive, and outcome-determinative:
(1) Human Reviewer’s Qualifications and Authority (§ 7221(b)(1)(A)) The business must:
- designate a human reviewer who can review and analyze the ADMT’s output and any other information relevant to the specific decision;
- ensure the reviewer understands how to interpret and use the ADMT’s output, not merely verify that the system operated as intended;
- require the reviewer to consider the consumer’s submitted informationin support of the appeal, and permit consideration of other sources of information; and
- guarantee the reviewer has genuine authority to change or overturn the original decision based on their analysis.
Practice Tip:
Do not assume any employee can serve as the human reviewer. This is a high bar: the reviewer must have real, substantive decisionmaking authority — not a clerical role or a rubber-stamp function. They must be capable of providing the same level of meaningful human involvement that would have been required to keep the technology from qualifying as ADMT in the first place.
(2) Appeal Process Requirements (§ 7221(b)(1)(B)):The business must also:
- clearly explain how the consumer can submit an appeal;
- provide a method that is easy to execute and requires minimal steps, and comply with the requirements in Section §7004 (Requirements for Methods for submitting CCPA Requests and Obtaining Consumer Consent),
- enable the consumer to provide supporting information to the reviewer, and
- comply with the disclosure and communication standards in §7003 (a)-(b) (Requirements for Disclosures and Communications to Consumers,) the verification requirements in Article 5 (Verification of Requests), and follow the required timelines for appeals in § 7021 (Timelines for Responding to Requests to Delete, Requests to Correct, Requests to Know, Requests to Access ADMT, and Requests to Appeal ADMT.)
Practice Tip: Building an ADMT Opt-Out Flow That Avoids Dark Patterns: When designing the method for consumers to opt out of ADMT, treat § 7004 as a strict usability standard. Your opt-out mechanism must be easy to find, easy to understand, and easy to execute, and it must not use any design elements that could impair, burden, or nudge consumers away from exercising their rights. To stay compliant:
- Use plain, straightforward language. The opt-out path must be written at a consumer-friendly reading level and must align with § 7003’s disclosure requirements. Avoid double negatives, ambiguous toggles (“on/off”), or confusing button placement.
- Ensure symmetry in choice. The process to opt out of ADMT cannot involve more steps, more time, or more friction than any less privacy-protective alternative. “Opt-out” should never be harder than “continue with ADMT.”
- Eliminate misdirection and pressure tactics. Do not use urgency, countdowns, pre-selected defaults, oversized “accept” buttons, or interfaces that steer consumers toward remaining subject to ADMT.
- Avoid any choice architecture that impairs consumer autonomy. The interface may not require scrolling through dense policies, navigating disruptive screens, bundling unrelated consents, or forcing broad acceptance of terms unrelated to the ADMT decision.
- Make the process functional and frictionless. Ensure that links, pages, forms, and emails work; that consumers are not required to call unprepared staff; and that you do not impose delays, circular flows, or duplicate steps.
Remember: If the opt-out method contains any design element that makes the consumer’s choice harder, slower, or less obvious, it may be considered a dark pattern — and any “consent” to continued use of ADMT obtained through such a pattern will be treated as invalid.
3.2. Hiring and Admission Decisions (§ 7221(b)(2))
Hiring and admission decisions under § 7001(ddd)(3)(A) and § 7001(ddd)(4)(A) are exempted from the right to opt-out if the ADMT is used
- Solely to assess the ability to perform at work or in an educational program to determine whether to admit, accept, or hire them, and
- the ADMT works for the business’s purpose and does not unlawfully discriminate.
3.3. Allocation/Assignment of Work or Compensation Decisions (§ 7221(b)(3))
Allocation or work and compensation decisions under § 7001(ddd)(4)(B) are exempted from the right to opt-out if the ADMT is used:
- Solely for the business’ allocation and assignment of work or compensation, and
- the ADMT works for the business’s purpose and does not unlawfully discriminate.
Practice Tip: The Hiring/Admission/Allocation/Assignment Exemptions Apply Only to a Small Subset of “Significant Decisions”: The exemption in § 7221(b)(2) is extremely narrow. It applies only to ADMT used to assess an individual’s ability to perform in a job or educational program for the purpose of an initial hiring or admission decision (and only if the use does not unlawfully discriminate.)
“Significant decisions” under § 7001(ddd) include a wide range of other outcomes — such as decisions affecting financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, and healthcare services. Every other significant decision involving education or employment remains fully subject to the consumer’s right to opt out of ADMT, including:
(1) Education enrollment or opportunities (§ 7001(ddd)(3)): granting of educational credentials (degrees, diplomas, certificates), and suspension or expulsion.
(2) Employment or independent contracting opportunities or compensation (§ 7001(ddd)(4)): salary, hourly or incentive compensation, promotion, demotion,
suspension, and termination.
If ADMT influences any of these broader significant decisions, the exceptions do not apply. In practice, this means that most employment and education-related ADMT uses will still require businesses to offer consumers the right to opt out unless the Human Appeal Exception Applies.
4. Requirements for Opt-Out Methods
4.1. Required Opt-Out Submission Methods
Businesses that use ADMT must provide two or more designated methodsfor consumers to submit opt-out requests (§ 7221(c)). When selecting these methods, businesses must consider:
- how they primarily interact with consumers,
- how the ADMT is used in their operations, and
- ease of use for consumers.
At least one method must match the business’s primary interaction channel.
Examples include:
- Online businesses must provide an interactive online form accessible via an opt-out link included in the Pre-use Notice. The link title must clearly state the right — e.g., “Opt-Out of Automated Decisionmaking Technology.”
- Businesses interacting both online and in person may offer an in-person option in addition to the online form.
- A toll-free telephone number, a designated email address, a form submitted in person, or a form submitted by mail.
Practice Tip: Cookie banners or cookie-consent tools do not qualify as ADMT opt-out methods (§ 7221(c)(4)) because cookies concern collection, not automated decisionmaking.
4.2. Ease-of-Use and Minimal Friction Requirements
Under § 7221(d), all opt-out methods must:
- Be easy for consumers to execute,
- Require minimal steps, and
- Comply with the choice-architecture rules in § 7004, including: clear language, symmetry in choice, no confusing or misleading elements, no dark patterns or unnecessary friction.
Practice Tip: Disclosures and communications about the opt-out process must also meet § 7003(a)–(b) (clarity, readability, accessibility).
4.3. Restrictions on Verification and Information Gathering
Businesses must not impose burdensome verification requirements:
- No account creation or unnecessary data collection (§ 7221(e)).
- A businesses may request only the minimum information necessary to identify the consumer whose data is subject to the ADMT. If a business can honor the opt-out without additional information, it must do so. (§ 7221(f).)
Practice Tip: VCR (verifiable consumer request) requirement do not apply to opt-outs of ADMT
4.4. Denial of ADMT Opt-Out Requests (§ 7221(g))
A business may deny a request only if it has a good-faith, reasonable, documented belief that the request is fraudulent — and it must notify the consumer of the reason.
Practice Tip: Honoring an Opt-Out Often Converges With Non-ADMT Use and the Human-Appeal Exception: Under § 7221(g), a business may deny an ADMT opt-out request only when it has a good-faith, reasonable, documented belief that the request is fraudulent; otherwise, the opt-out must be honored. The regulations, however, do not identify a precise standard for what “honoring” an opt-out requires in practice. This creates an unclear boundary between three operational paths:
(1) Using technology that does not qualify as ADMT (because it does not replace or substantially replace human decisionmaking),
(2) Offering a human-appeal process to qualify for an opt-out exception, and
(3) Honoring a consumer’s opt-out by ensuring the decision is made without the ADMT at issue.
In practice, these three paths may often converge as honoring an opt-out will generally require the business to remake the decision through a process that engages meaningful human involvement — the same level of human expertise and authority that would prevent a tool from being classified as ADMT in the first place, or that would satisfy the human-appeal exception. Importantly, technologies may still be used, but only in ways that support rather than substantially replace human judgment.
4.6. Other Requirements:
- Confirmation and Authorized Agents (§ 7221(h)&(j)) Consumers must be given a way to confirm that their opt-out has been processed. Consumers may also authorize an agent to submit an ADMT opt-out request. Businesses may require written proof of authorization and may deny the request if proof is not provided.
- When responding to an opt-out request, the business may present consumers with: the option to allow specific ADMT uses, as long as there is also a single, global option to opt out of all ADMT uses covered under § 7221(a) (§ 7221(i)).
- Limits on Re-Prompting and Retaliation: A business must wait at least 12 months before re-asking a consumer who opted out to consent again (§ 7221(k)) and businesses may not retaliate against consumers for exercising opt-out rights (§ 7221(l)).
4.5. Timing and Follow-Through (§ 7221(m)&(n))
The timing obligations differ depending on when the opt-out is received by the business:
(1) If the request is received before ADMT processing begins: The business must not initiate processing of the consumer’s personal information using that ADMT.
(2) If the request is received after ADMT processing has already begun:
The business must:
- Cease processing as soon as feasible but no later than 15 business days, and
- Notify and instruct all service providers, contractors, and other recipients of the personal information to also cease processing within the same timeframe.
5. Consumer Right to Access ADMT (§ 7222)
Consumers have the right to request detailed information about how ADMT was used to make significant decisions about them. When a consumer submits an ADMT access request, a business must provide clear, plain-language explanations of the ADMT’s purpose, logic, outputs, and effects — subject only to limited trade secret and security exceptions.
5.1. Required Disclosures in Response to an ADMT Access Request (§ 7222(b))
When responding to an access request, a business must provide plain-language explanations of the following:
(1) Specific Purpose of ADMT Use (§ 7222(b)(1)): The business must state the specific purpose for which the ADMT was used with respect to that consumer. Generic descriptions (e.g., “to improve our services”) are prohibited.
(2) Information About the Logic of the ADMT (§ 7222(b)(2)): The explanation must be sufficiently detailed to allow the consumer to understand how the ADMT processed their personal information, including:
- The parameters used to generate the output,
- How those parameters applied to the consumer’s data, and
- The specific output generated for that consumer.
This must be understandable in plain language and may not rely on opaque technical descriptions.
(3) Outcome of the Decisionmaking Process (§ 7222(b)(3)): Businesses must explain how the ADMT output was used to make the significant decision, including:
- Whether the ADMT output was the sole factor in the decision-making (and, if not, which other factors contributed),
- Whether any human involvement occurred that does not meet the regulation’s definition of meaningful “human involvement” (i.e., insufficient to remove the technology from ADMT classification) and what the role of the human was.
If the business will use the same ADMT output for future significant decisions, it must also explain (§ 7222(b)(3)(A)):
- Whether the output will be the sole factor,
- The other factors expected to be considered, and
- Any anticipated human involvement that does not meet the “human involvement” standard.
5.2. Anti-Retaliation and Instructions for Exercising Other CCPA Rights (§ 7222(b)(4))
Consumers must be told that the business may not retaliate against them for exercising CCPA rights and must be provided “instructions — with direct links — “ for exercising those rights. The link must take the consumer directly to the section of the privacy policy containing the instructions; directing consumers to the top of the policy or to an unrelated section does not comply.
5.3. Trade Secret and Security Limitations (§ 7222(c))
Businesses are not required to disclose :
- Trade secrets (Civ. Code § 3426.1(d)),
- Information that would compromise security incident prevention or investigation, anti-fraud capabilities, or physical safety.
All other required information must still be provided.
5.4. Aggregate-Level Responses for Frequent Uses (§ 7222(j))
If ADMT was used more than four times for a consumer within a 12-month period, the business may provide aggregate-level logic and output summaries. This includes:
- A summary of outputs over the 12-month period,
- The parameters that typically influenced outputs, and
- How those parameters tended to apply to that consumer.
5.5. Other Requirements
(1) Submission Methods (§ 7222(d)): Submission methods must be easy to use, must not employ dark patterns, and may rely on the business’s existing methods for requests to know, delete, or correct.
(2) Verification (§ 7222(e)): Standard Article 5 verification requirements apply. If verification fails, the business must inform the consumer.
(3) Denials (§ 7222(f)): If a verified request is denied in whole or in part because of a legal conflict or CCPA exception, the business must explain the reason unless prohibited by law. If denied only in part, remaining information must still be provided.
(4) Reasonable Security (§ 7222(g)): Businesses must use reasonable security measures when transmitting responsive information.
(5) Portals (§ 7222(h)): If the business maintains a password-protected account, it may satisfy the request by providing the information through a secure self-service portal, as long as the portal:
- Fully discloses all required information,
- Uses reasonable security controls, and
- Complies with Article 5 verification .
(6) Assistance from Service Providers and Contractors (§ 7222(i)): Service providers and contractors must assist by:
- Providing relevant personal information, or
- Enabling the business to access it.
(7) Anti-Retaliation (§ 7222(k)): A business may not retaliate against a consumer for exercising the right to access ADMT.
5.6. Optional Additional Information (§ 7222(l))
Providing more detail is expressly allowed and may help reduce confusion or follow-up requests. Specifically, businesses may provide additional explanatory information to help consumers understand the ADMT, such as:
- The range of possible outputs,
- Aggregate output statistics to help a consumer understand how they compare to other consumers, such as the five most common outputs and the percentage of consumers that received each.
Practice Tip: Opt-Out Requires No Verification — but Access to ADMT Does, and Article 5 Sets the Standard: Under the CCPA’s ADMT rules, businesses do not verify a consumer’s identity for an opt-out request. Section 7221(f) expressly prohibits requiring a VCR (verifiable consumer request) for opting out of ADMT. A business may ask only for the minimal information necessary to direct the opt-out — no accounts, no documentation, and no high-friction identity checks. However, when a consumer exercises the right to access ADMT, the rules change. Section 7222(e) requires full identity verification under Article 5, using the same standards that apply to requests to know, delete, or correct. This difference exists for a simple reason: responding to an access request necessarily involves disclosing information about how the ADMT processed the consumer’s personal information — and the law seeks to prevent that sensitive information from being disclosed to the wrong person.
As a reminder, to comply with Article 5, businesses must follow strict verification rules, including:
1. Reasonable Verification Method Required (§ 7060(a)): Businesses must establish, document, and follow a reasonable method to verify that the requester is the correct consumer.
2. Matching Consumer Information (§ 7060(c)(1)): Verification should begin by matching information the business already maintains. Additional data may be requested only if necessary.
4. Minimize Sensitive Data Collection (§ 7060(c)(2)): Businesses should avoid collecting sensitive personal information unless absolutely necessary for verification.
5. Verification Must Consider Six Factors (§ 7060(c)(3)): The method must be appropriate given: (i) the sensitivity and value of the data, (ii) the risk of harm from unauthorized access, (iii) the likelihood of fraud, (iv) robustness of the data used for verification, (v) the business’s interaction model with the consumer, and (vi) available verification technologies.
6. Limits on Additional Information (§ 7060(d)) Additional information may be collected only when needed, used solely for verification/fraud prevention, and deleted after use.
7. No Fees or Burdens for Verification (§ 7060(e)): Businesses cannot require notarization unless they pay for it.
8. Security Measures Required (§ 7060(f)): Businesses must use reasonable security to detect fraud and prevent unauthorized access.
9. Verification Standards Differ by Request Type (§ 7062): Access to ADMT requires a reasonably high degree of certainty — typically: matching three reliable data points, plus a signed declaration under penalty of perjury (§ 7062(c)). (But, for password-protected accounts, existing authentication can be used if compliant (§ 7061).)
If Identity Cannot Be Verified (§ 7062(g)) The business must deny the request, and explain why it cannot verify the identity.
