From ADMT Pre-use Notices to Optouts: A Marketing Ops Guide to California ADMT Compliance

Automated decisionmaking technology (ADMT) is quickly becoming a core part of how organizations personalize experiences, assess risk, and streamline decision making. Under the California Consumer Privacy Act (CCPA) Regulations, however, the use of ADMT comes with a new set of transparency and choice requirements that directly impact how organizations use ADMT.

The requirements surrounding ADMT under the CCPA Regulations enter into force on January 1, 2027. This is later than other provisions of the CCPA Regulations, such as those surrounding opt-out preference signals (OOPS) that entered into force January 1, 2026. However, similar to requirements on OOPS, the provisions on ADMT are consumer facing and present a clear method of ensuring transparency and building trust with consumers.

From a regulatory perspective, California has introduced multiple laws to facilitate the transparent use of artificial intelligence (AI) in consumer interactions. However, the CCPA Regulations provisions on ADMT go further in specifying when and how disclosures have to be given to consumers who are subject to ADMT.

Read on to discover what the California ADMT Regulations mean in practice, with a specific focus on pre-use notices, optout rights, and what marketing and CMP teams need to operationalize todayout rights, and what marketing and CMP teams need to operationalize now.

What Is ADMT Under the CCPA Regulations?

"Automated decisionmaking technology" (ADMT) under the CCPA Regulations is defined as any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.

Businesses that use ADMT to make "significant decisions" about consumers are subject to additional obligations. Under the CCPA Regulations, the categories of decisions, less so the technology itself, are subject to requirements. Specifically, a "significant decision" means a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services These include:

• Financial or lending – the extension of credit or a loan;
• Housing
• Education enrollment – admission or acceptance, or educational credentials;
• Employment – hiring, promotion, allocation, or assignment of work;
• Healthcare services – diagnosis, prevention, and treatment of disease.

However, the CCPA Regulations clarify that a significant decision does not include advertising to a consumer.

Where ADMT is used for these purposes, consumers are entitled to advance transparency, the right to opt out, and a distinct right to access information about the ADMT itself.

For example, an online lending platform using automated scoring to determine whether a consumer qualifies for a credit product would be considered to be making a significant decision using ADMT and would therefore need to provide a pre-use notice and an opt-out mechanism.

Why ADMT Matters for Marketing and CMP Teams

ADMT compliance is not limited to backend systems or data science workflows. The CCPA Regulations emphasize how and when information is surfaced to consumers, and on how easily consumers can understand and exercise their rights.

For marketing operations and consent management teams, this means:

• Designing new notice experiences that are separate from cookie banners.
• Ensuring optout mechanisms that are purpose specific and easy to use.
• Integrating ADMT data with DSR processes to support access rights.

For instance, if a hiring platform uses automated screening tools to shortlist job candidates, marketing or product teams responsible for the application journey must ensure that a pre-use notice appears before applicants submit personal information and that candidates can easily opt out of automated evaluation.

While the CCPA Regulations represent a new requirement for businesses collecting personal data in California, other jurisdictions including Illinois, New Jersey, and New York City have already moved forward by passing laws that address the use of AI in high-stakes decisions.

Such legislation reflects broader trends to ensure greater transparency for consumers around whose personal data is being collected and why, when it comes to potential high-risk activities, such as ADMT or the processing of children's data.

In short, ADMT introduces a new category of consumer choice that must be thoughtfully embedded into existing consent and preference journeys.

Pre-use Notices: What’s Required

When the pre-use notice must appear

Businesses using ADMT must provide a pre-use Notice at or before the point when they collect personal information that will be processed using ADMT. If personal information was originally collected for a different purpose, and is later repurposed for ADMT, a pre-use Notice must be provided before that processing begins.

The Pre-use Notice must be:

• Prominently and conspicuously presented
• Easy to read and written in plain language
• Accessible to consumers with disabilities
• Available in the languages in which the business ordinarily operates in California
• Presented in the primary manner in which the business interacts with consumers

Importantly, the CCPA Regulations explicitly provide that the pre-use Notice cannot be embedded in or replaced by a cookie banner or preference center.

For example, a healthcare service using automated triage tools to assess patient eligibility for certain treatments must display a pre-use notice before collecting medical intake data if that information will feed into automated evaluation systems.

What the Pre-use Notice Must Include

At a minimum, the pre-use Notice must include:

• A plain language explanation of the specific purpose for which the business plans to use ADMT
• Information about the right to opt out of ADMT, including how to exercise that right
• Information about the right to access ADMT, and how to submit an access request

Generic descriptions such as “to make a significant decision” are not sufficient. The purpose must be specific enough for consumers to understand how ADMT affects them and their engagement in a sensitive context.

Instead of stating that ADMT will be used “to evaluate applications,” a notice might explain that ADMT will be used to assess eligibility for housing or credit based on submitted information.

Layered Notices and Consolidated Approaches

Additional detail about how the ADMT works may be provided in a second layer, or via a hyperlink, explaining how personal data is processed and the role of human review, alongside allowing for multiple ADMTs to be consolidated into a single pre-use notice.

Opting Out of ADMT: Operational Considerations

How Optouts Must Be Offered

When ADMT is used to make significant decisions, businesses must offer consumers the right to opt out and provide two or more designated methods for submitting optout requests.

Key requirements include:

• At least one optout method must reflect how the business primarily interacts with consumers
• Online businesses must provide an interactive form accessible via an optout link in the pre-use notice
• The optout link must clearly state what the consumer is opting out of (for example, “Optout of Automated DecisionMaking Technology”)

The CCPA Regulations provides that cookie banners or cookie controls are not, by themselves, an acceptable optout mechanism for ADMT, because they relate to data collection rather than the use of ADMT itself.

Where consumers submit a request to op-out of ADMT, businesses cannot require a verifiable consumer request and consumers must be capable of submitting a frictionless request. Where consumers are unidentified, businesses may only ask for information necessary to complete the request, such as information necessary to identify the user.

A consumer applying for an online mortgage could be offered an “Opt-out of Automated Decision-Making” link directly within the application interface, allowing them to request human review instead of automated assessment.

Designing User Friendly Optout Flows

Optout requests must be:

• Easy to execute and require minimal steps
• Free from dark patterns
• Possible without creating an account
• Possible without submitting a verifiable consumer request

Businesses must also provide a way for consumers to confirm that their optout request has been processed.

Partial vs. Global Optouts

Businesses may allow consumers to opt out of specific uses of ADMT, as long as they also provide a single option to opt out of all ADMT uses. This approach is similar to offering granular toggles for cookie consent alongside a 'reject all' option, but applied specifically to ADMT.

A consumer could opt out of automated employment screening while still allowing automated fraud detection or security monitoring.

Timing and Duration

If a consumer opts out before ADMT processing begins, the business must not initiate that processing. If the opt-out occurs after processing has started, the business has up to 15 days to stop using ADMT for that consumer.

Once a consumer has opted out, the business must wait at least 12 months before asking the consumer to consent to ADMT again.

ADMT Access Rights: A Separate Obligation

In addition to optout rights, consumers have a distinct right to access information about ADMT, where the business uses ADMT. This right is separate from the general right to access personal data.

The pre-use notice given to consumers must also explain how consumers can submit an ADMT access request.

Required Contents of Responses

When a consumer asks how ADMT was used about them, the CCPA Regulations require businesses to explain clearly and in plain language why ADMT was used, how it generally worked, and what decision it led to, including whether ADMT played a meaningful role in that outcome. Businesses must also make clear that consumers won’t be penalized for exercising their rights, and while the CCPA Regulations set a baseline for disclosures, they explicitly encourage providing additional context where it helps consumers better understand how ADMT affected them.

Key Takeaways for Teams

• ADMT introduces new notice and choice requirements that sit alongside, but separate from, consent collection
• Pre-use notices must be clear, timely, and purposeuse notices must be clear, timely, and purposespecific
• ADMT opt-outs require dedicated ADMT specific flows, not cookie controls
• Consumers must be able to confirm their optout requests
• Consolidated notices can reduce friction, but only when designed carefully

While ADMT requirements have a delayed implementation date of January 1, 2027, the design and operational implications are significant. Marketing operations and privacy teams play a central role in ensuring these new rights are surfaced clearly, respected consistently, and integrated seamlessly into existing consent experiences.

Operationalizing ADMT Disclosures and Rights With OneTrust

The ADMT requirements under the CCPA Regulations introduce a new category of user choice that resembles consent or preferences on the surface but operates at a deeper level. Users can request that AI systems do not profile them, avoid personalized experiences, or refrain from automated decision-making altogether.

These are purpose-specific, system-level preferences rather than simple channel or communication choices. Supporting them requires identity resolution across anonymous and authenticated states, propagation of signals across CRM, CDP, and decisioning systems, and consistent enforcement at the point where decisions are made. 

Pre-use notices and opt-out rights therefore introduce a need for persistent, cross-channel coordination of these signals, positioning this as a core use case for a unified consent and preference management (UCPM) layer. These signals must also connect directly to data subject request workflows, ensuring that when a user opts out of automated decision-making or requests access to how it was used, that request is automatically linked to the same identity, context, and systems where the decision occurred.

In practice, this coordination becomes critical in common marketing and product scenarios. For example, if a consumer opts out of automated decision-making during a loan application journey, that preference must not only update their profile in a CRM, but also prevent automated scoring models from evaluating future applications, suppress inclusion in lookalike audiences within a CDP, and ensure any downstream activation in advertising or personalization platforms reflects that choice. Without this level of propagation, the opt-out exists in one interface but is not enforced where decisions actually happen. 

Operationalizing ADMT disclosures therefore requires more than a traditional approach to consent management. It requires the ability to surface purpose-specific disclosures across journeys, resolve identity across touchpoints, and connect user choices directly to downstream systems where those decisions are executed. It also requires linking those choices to data subject request workflows, so opt-out and access requests can be processed against the same data, models, and decision logic that generated the outcome.

OneTrust helps teams operationalize these requirements by connecting consent and preference collection with downstream enforcement and DSR workflows. OneTrust Data Subject Request (DSR) Automation provides pre-built workflows for responding to ADMT opt-out and access requests, ensuring that requests are routed, verified, and fulfilled against the correct systems and datasets. 

Through integrations with CRM platforms, CDPs, and data infrastructure, OneTrust enables preference signals to propagate in near real time, so that when a user exercises their rights, those choices are consistently enforced across channels, models, and activation systems. This allows marketing and privacy teams to move from isolated compliance workflows to coordinated, system-level governance of ADMT.

Learn more about how OneTrust Privacy Automation can help teams operationalize ADMT rights.

Key Questions About ADMT Compliance