CCPA and AI: California Consumer Privacy Act Requirements for AI Systems
CPRA — the 2020 update to CCPA — added automated decision-making opt-out rights, profiling restrictions, and sensitive personal information protections that directly target AI use cases. If you use AI to process California consumer data, here is what you need to do.
Who Must Comply with CCPA/CPRA
CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:
- Annual gross revenue > $25 million
- Buy, sell, or share personal info of 100,000+ California residents or households annually
- Derive 50%+ of annual revenue from selling California personal information
The thresholds apply regardless of where the business is incorporated. A UK company or UAE company that meets these thresholds and targets California consumers must comply. There is no "we are not a California company" exemption.
CCPA/CPRA Consumer Rights That Apply to AI Systems
Right to Opt Out of Automated Decision-Making (CPRA)
CPRA regulations finalised 2024; enforcement active
When it applies: AI systems that make or substantially facilitate automated decisions with significant effects on consumers, including healthcare, financial eligibility, education, employment, housing, and credit
What you must do: Businesses must provide a mechanism to opt out of automated decision-making. The opt-out must be honoured within 45 days. Businesses cannot retaliate against consumers who opt out.
Right to Know About Automated Decision-Making Logic
CPRA regulations; CPPA finalised automated decision-making regulations 2024
When it applies: When automated decision-making logic is used to evaluate the consumer
What you must do: On request, provide a meaningful explanation of the logic used — including the type of profiling, the categories of personal information used, and the consequences of the decision.
Right to Limit Sensitive Personal Information Processing
CPRA in force January 2023; enforcement active
When it applies: AI systems that use sensitive PI (race, religion, sexual orientation, precise geolocation, health data, biometrics, financial account data) for training or inference
What you must do: Consumers can limit use of sensitive PI to what is necessary for the requested service. Businesses cannot use sensitive PI for AI training without explicit consent.
Right to Delete
CCPA in force July 2020; CPRA expanded scope 2023
When it applies: Personal data used in AI training or stored in AI inference logs
What you must do: On verified request, delete personal information, including from AI training datasets (if technically feasible) and inference logs. Businesses must also direct service providers (AI vendors) to delete.
Right to Opt Out of Sale/Sharing (for AI training)
CCPA/CPRA
When it applies: Selling or sharing consumer data to AI vendors for training purposes or sharing with data brokers who train AI
What you must do: The "Do Not Sell or Share My Personal Information" link must be prominent. Sharing data with AI vendors for cross-context behavioural advertising is "sharing" under CPRA.
CPPA Automated Decision-Making Regulations: What Changed in 2024
The California Privacy Protection Agency (CPPA) finalised Automated Decision-Making Technology (ADMT) regulations in 2024. These regulations are the most specific AI privacy rules in any US state:
Pre-use notice required
Before using ADMT that significantly affects consumers, businesses must provide notice of: the type of decision being made, the categories of personal information used, the source of information, and how to opt out.
Opt-out right must be "easy to execute"
The CPPA requires that the opt-out mechanism be "easy to execute" — which the regulations interpret as comparable in prominence to the "Do Not Sell" button requirement. A buried link in a privacy policy does not satisfy this.
"Significant decisions" defined broadly
Significant decisions include: financial and insurance eligibility; employment and contracting; housing; healthcare treatment; education; and access to essential goods and services. This covers most B2C AI use cases.
Profiling opt-out separate from decision opt-out
Consumers have a separate right to opt out of profiling — the collection and analysis of personal information to make inferences — even if no significant automated decision is being made. Behavioural analytics and recommendation engines may trigger this right.
Risk assessments for high-risk ADMT
Businesses using ADMT for significant decisions must conduct cybersecurity audits and privacy risk assessments, similar to GDPR DPIAs. Assessments must weigh the benefits of the AI system against risks to consumers.
AI Training Data and CCPA: What Businesses Often Miss
One of the most common CCPA compliance gaps for AI-deploying businesses is the training data dimension:
Using California consumer data to train AI without disclosure
High risk
If your AI model was trained on data that included California consumer personal information, that processing must be disclosed in your privacy notice. The purpose of processing must include "training AI models" if that is how the data is used.
Sharing consumer data with AI vendors for training
High risk
Sending consumer data to a third-party AI vendor for model training is "sharing" under CPRA if it involves cross-context behavioural advertising, or "sale" if you receive compensation. Both require the "Do Not Sell or Share" opt-out.
Service provider using your data to train their general AI
High risk
If an AI vendor uses your customer data to improve their general AI product (not just your specific deployment), they are not acting as a "service provider" under CCPA — they are a "third party." This changes your CCPA obligations significantly.
Inference logs stored indefinitely
Medium risk
Logs of AI inference queries containing personal data are personal information under CCPA. Retention must be specified in the privacy notice. Deletion requests must include deletion from inference logs.
CCPA/CPRA AI Compliance Checklist
- Privacy notice updated to include categories of personal information used in AI systems
- Automated decision-making opt-out mechanism in place (CPRA) for significant AI decisions
- "Do Not Sell or Share" mechanism in place if sharing data with AI training vendors
- Deletion rights honoured for AI training data and inference logs (instruct vendors to delete)
- Sensitive PI identified in AI pipelines; consent or limitation mechanism in place
- Service provider contracts with AI vendors include CPRA-required terms (use restriction, sub-service provider clauses)
- Consumer request response process tested: can you respond within 45 days?
- Privacy notice includes description of AI logic for profiling (or link to separate explanation)
- Employee/job applicant exemption confirmed if applicable to your HR AI
- Data protection assessments conducted for AI systems processing sensitive PI at large scale
CCPA vs GDPR: Key Differences for AI
| Feature | CCPA/CPRA | GDPR |
|---|---|---|
| Automated decision rights | Opt-out right; explanation on request | Absolute right not to be solely decided by AI (with exceptions) |
| Legal basis required | No (disclosure-based framework) | Yes (6 lawful bases required) |
| Sensitivity categories | List-based: 9 sensitive categories | List-based: 9 special categories + stricter rules |
| Profiling | Opt-out right (CPRA) | DPIA required; Art.22 restrictions |
| Enforcement | California AG + CPPA; $100-7,500/violation | National DPAs; up to €20M or 4% revenue |
| Extraterritorial reach | Any business with CA customers above thresholds | Any business targeting EU individuals |
Check Your CCPA AI Obligations
ComplianceIQ identifies which California privacy obligations apply to your AI use cases — including CPRA automated decision-making and profiling requirements.