California's AI Law Is Real. Does It Actually Apply to Your Professional Services Firm?

Published: May 20, 2026 | By: The Crossing Report

---

Summary

California's ADMT regulations are in effect as of January 1, 2026. Every professional services firm with California clients has been told to worry about them. Here's the honest analysis most newsletters won't give you: the $26.6M revenue threshold means most 5–50 person firms are NOT in full ADMT compliance scope. But that's not zero exposure — three baseline obligations apply regardless of your size. And here's the part that matters most: California is the template. What it requires today, other states will require in 2027 and 2028. Understanding this law now is how you stay ahead of what's coming.

---

California Has AI Regulations. They're Real. Are They Yours to Worry About?

If you own a professional services firm with clients in California, someone in the last six months has told you to "watch the ADMT regulations." Maybe a lawyer. Maybe a compliance vendor trying to sell you something. Maybe a newsletter that explained the regulation and left you more anxious than informed.

Here's what most of those conversations left out: the honest answer to "does this apply to me?" is probably no — not the full compliance program — but you do have exposure in three specific areas that are worth an hour of your time right now.

California finalized its ADMT (Automated Decision-Making Technology) regulations under the CCPA/CPRA in January 2026. The California Privacy Protection Agency (CPPA) administers them. Initial provisions took effect January 1, 2026. Full compliance is required by January 1, 2027.

The regulation is real. It is not hypothetical. It targets businesses that use AI to make "significant decisions" affecting California consumers — employment, financial services, healthcare, education, housing, and (in some interpretations) access to professional services. If your firm uses AI tools in any of those contexts and has California clients or employees, you need to understand what this law does and doesn't require of you.

The good news: the threshold analysis is more favorable for most small firms than the coverage has made it sound.

---

What California ADMT Actually Is (Plain English)

The ADMT regulations were passed under the California Privacy Rights Act (CPRA), which amended the CCPA. The California Privacy Protection Agency — California's dedicated privacy regulator — drafted and now enforces the rules.

In plain terms, the regulation creates three new obligations for covered businesses:

1. Right to opt out — consumers can opt out of automated decision-making for covered decisions (employment, financial services, healthcare, education, housing, legal service access)
2. Right to human review — consumers can request that a human review any significant decision made using automated technology
3. Disclosure — businesses must tell consumers when AI is being used to make significant decisions about them

Parallel to Colorado's ADMT framework (SB 205, effective June 30, 2026), but with the procedural overlay of California's existing CCPA framework — meaning it builds on privacy rights California residents already had.

This is not a general "you must tell people you use AI" requirement. It's specifically about significant decisions with legal or similarly significant effects on individuals. That distinction matters for scope analysis.

---

Does California ADMT Compliance Apply to Your Firm? Run the Threshold Test

This is the question most articles bury or avoid. Let's answer it directly.

The primary ADMT threshold — most 5–50 person firms won't hit this:

• Annual gross revenue exceeds $26.6M, OR
• Buys, sells, or shares personal information of 100,000+ consumers or households, OR
• Derives 50%+ of annual revenue from selling or sharing personal information

If your firm doesn't meet any of these three tests, you are almost certainly not subject to the full ADMT compliance program — risk assessments, opt-out mechanisms, human review pathways, and the full documentation regime.

A 15-person accounting firm with $3.2M in revenue and 180 business clients: below threshold. A 22-person consulting firm with $8M revenue serving 200 corporate clients: almost certainly below threshold on all three prongs. A solo attorney with a $900K practice: well below threshold.

Where the analysis gets more complicated for professional services:

The data volume prong catches firms that don't think of themselves as data businesses. Consider:

• A staffing firm that places 50,000 workers annually — even with modest revenue — may be above the 100K consumer records threshold based on the personal information collected from candidates and placed workers
• A law firm serving a Fortune 500 client that processes California employee data on behalf of that client: gray area that requires counsel to evaluate properly
• A consulting firm serving large enterprise clients whose employees are the end-users of the consulting engagement: depends on how you define "consumer" and how the engagement is structured

If you're in any of these situations, the 100K consumer records threshold deserves a careful look before you assume you're out of scope.

What applies regardless of threshold:

Even if you are clearly below the ADMT threshold, three categories of exposure remain:

• General CCPA transparency obligations for any business with California customers (the CCPA's base requirements aren't gated on the ADMT threshold)
• Cybersecurity audit requirements for firms above $50M revenue — if you're reading this article, probably not relevant to you, but worth knowing it exists
• California chatbot disclosure requirements if you use AI in consumer-facing interactions — a separate requirement that overlaps with the state AI chatbot laws now active in multiple states

The honest answer for most readers of this article: you're probably not in full ADMT scope. But confirm your revenue, estimate your California consumer data volume, and then read the next section carefully — because these three obligations apply to you regardless.

---

The 3 Things Even Below-Threshold Firms Should Do Now

Here's what actually applies to most professional services firms, regardless of whether you hit the ADMT threshold:

1. Disclose AI Use in Client-Facing Interactions

California's CCPA — not the new ADMT rules, the existing base law — extends transparency principles to AI-assisted service delivery. If your firm uses AI to generate proposals, draft deliverables, conduct client intake, or communicate with clients through AI tools, you should have a written AI use policy that:

• States that the firm uses AI tools in service delivery
• Confirms that AI output is reviewed by a licensed professional before delivery
• Notes that clients may request human review of AI-assisted work

This is not legally complex. It's one paragraph added to your engagement letter and your privacy policy. It satisfies the CCPA's general transparency obligations and positions your firm ahead of the AI disclosure policy requirements spreading across multiple states.

Firms that have already done this find that it also builds client confidence rather than creating friction. Clients who might have worried about undisclosed AI use are reassured by transparency.

2. Audit Your AI Use in Employment Decisions

This one catches small firms off guard, and it applies regardless of revenue or consumer data volume.

If you use any AI tool in hiring decisions affecting California-based employees or candidates — resume screening, interview scheduling, candidate scoring, work assignment, compensation decisions — you have potential exposure under California's ADMT rules even if you're below the primary threshold. The threshold governs the full compliance program; it doesn't grant blanket immunity for employment AI practices.

You do not need a full ADMT compliance program for this. You need to know the answer to two questions:

1. Does my firm use any AI tool that makes or materially influences decisions about California employees or job candidates?
2. If yes, is the AI's role documented, and is there a human who reviews AI-influenced hiring or compensation decisions before they're final?

If the answer to question 1 is yes and question 2 is no, that's the gap to close. A documented review process — not an expensive compliance audit — is the protection you need.

3. Check Your Vendor Agreements

This is the sub-processor chain issue, and it's the one most small firms miss entirely.

If you use SaaS platforms that process California consumer data on your behalf — your CRM, your project management software, your AI writing tools, your client portal — your data processor agreements should address how those vendors handle ADMT compliance. Your vendor's compliance posture is partially your responsibility under California's framework.

This appeared in GDPR, and it's appearing again here: the compliance obligation runs downstream to the firms that control the data, not just the platforms that process it.

The practical step: review your top three to five SaaS vendor agreements. Look for language addressing California privacy compliance. If it's absent, request an updated DPA (data processing addendum). Most enterprise-tier SaaS vendors have these ready; many consumer-grade tools do not.

---

What Full ADMT Compliance Requires (If You're Above Threshold)

For the staffing firm, the larger consulting firm, or the professional services business that actually meets the $26.6M or 100K consumer threshold, here's what the full compliance program requires by January 1, 2027:

• Risk assessments for each AI system making covered significant decisions — documented before deployment, updated when the system changes
• Opt-out mechanism — a process for consumers to opt out of automated decision-making in covered categories
• Human review pathway — consumers can request human review of significant AI-influenced decisions; the firm must have a process to fulfill those requests
• Written AI governance documentation — maps each AI system to its purpose, scope, and the categories of significant decisions it influences
• Updated disclosure notices — privacy policy and data collection notices updated to reference ADMT use
• Cybersecurity audit — required for firms above $50M revenue; first audit due January 1, 2030 for qualifying small businesses

If you're above threshold, this is not a project for this week. It's a six-month program. The January 1, 2027 full compliance deadline gives you a runway, but not an unlimited one. Start with the risk assessment for your highest-stakes AI systems — the ones influencing employment, financial, or legal service access decisions.

Note: This checklist describes the regulatory framework as published. Consult a California privacy attorney before finalizing your compliance program.

---

California vs. Colorado, Washington, and Oregon: Why This Matters Beyond State Lines

One reason to understand California ADMT even if you don't have California clients: it's the template.

A quick comparison of the current state ADMT landscape:

State	Law	Effective Date	Key Difference
California	CPRA ADMT Regulations	Jan 1, 2026 (full: Jan 1, 2027)	Revenue/data threshold; most developed procedural framework
Colorado	SB 205 (ADMT)	June 30, 2026	No revenue threshold exemption; legal services explicitly in scope
Washington	HB 2225	Jan 1, 2027	AI companion chatbot disclosure (Replika-type; intake chatbots likely not covered)
Oregon	SB 1546	Jan 1, 2027	Chatbot disclosure; private right of action

The most important column is the Colorado row. Colorado's ADMT framework has no revenue-based threshold exemption. A five-person firm using AI screening tools for Colorado candidates is potentially in scope. Legal services are explicitly listed as a covered category. Colorado goes live June 30, 2026. Note: a federal court paused enforcement of SB 24-205 on April 28, 2026, pending a preliminary injunction motion by xAI — the statute's effective date stands, but the AG cannot initiate enforcement while the injunction is active. SB26-189, a replacement bill, passed both chambers of the Colorado legislature (Senate 34-1 on May 7, House 57-6 on May 9) and was sent to Governor Polis on May 11, 2026. The compliance baseline (disclosure, recordkeeping) is the right preparation under any outcome.

The pattern is clear: California defined the framework. Other states are adopting it with modifications, some more aggressive than California's, some less. A firm that understands California compliance and has built the three baseline practices described above is well-positioned as multi-state AI compliance requirements compound.

Building California-compliant AI governance now — even if you're below the primary California threshold — is how you future-proof your firm for 2027 and 2028 as this framework spreads.

---

FAQ

Does California's ADMT law apply to small professional services firms?

The primary ADMT compliance obligations are triggered by revenue threshold ($26.6M+) or data volume (100K+ consumers). Most small professional services firms with 5–50 employees and below $10M revenue will not meet these thresholds and do not face full ADMT compliance requirements. However, general CCPA transparency obligations still apply if the firm has California customers, and firms using AI in employment decisions affecting California-based candidates should assess their specific exposure regardless of size.

What is "automated decision-making technology" under California law?

Under California's ADMT regulations (effective January 1, 2026), automated decision-making technology means any system that uses computation to make a decision, or a decision that facilitates human decision-making, that produces a legal or similarly significant effect on a consumer — including employment, financial services, healthcare, education, housing, or legal service access. The regulation does not require AI to be the sole decision-maker; AI that materially influences a human decision can still trigger coverage.

What does California's ADMT regulation require for employment decisions?

For covered businesses using ADMT in California employment decisions, the regulation requires: (1) a pre-deployment risk assessment documenting the system's purpose and potential for discriminatory impact; (2) a consumer-facing right to opt out of automated processing and request human review; (3) disclosure at or before the point of data collection that ADMT is used in employment decisions; and (4) retention of documentation for a minimum period. These requirements apply to hiring, promotion, termination, compensation, and work scheduling decisions.

How does California ADMT differ from Colorado's AI Act?

Both California and Colorado regulate automated decision-making technology, but with different structures. Colorado's ADMT (SB 24-205, effective June 30, 2026) applies to "consequential decisions" affecting Colorado consumers and has no revenue-based threshold exemption — a five-person firm with AI screening tools for Colorado candidates is potentially in scope. Note: on April 28, 2026, a federal court paused enforcement of SB 24-205 pending a preliminary injunction motion by xAI (joined by the DOJ). The effective date of June 30 still exists in statute, but the AG cannot initiate enforcement while the injunction is active. Continue building your compliance baseline. California's ADMT has a revenue/data threshold that exempts most small businesses from the primary compliance obligations. Colorado also explicitly includes legal services as a covered category; California uses broader "legal service access" language with less interpretive guidance.

What should professional services firms do to prepare for California ADMT compliance?

Three actions this quarter: (1) Run the threshold analysis — calculate your annual gross revenue and the approximate number of California consumers whose personal information you collect, process, or share. If you're clearly below $26.6M and below 100K consumer records, you are almost certainly not in the primary ADMT compliance scope. (2) Review your AI use in employment decisions — even below-threshold firms should document whether their AI tools make or materially influence hiring, scheduling, or compensation decisions affecting California employees or candidates. (3) Update your client-facing AI disclosure — a written statement that your firm uses AI tools in service delivery, that AI output is reviewed by a licensed professional, and that clients may request human review of AI-assisted work. This satisfies CCPA transparency obligations and positions you for future state requirements.

---

Your Action This Week

California ADMT is the template for what's coming. Other states are watching, adopting, and accelerating — with fewer threshold exemptions, not more.

Here's what you do this week:

Step 1 (15 minutes): Run the threshold analysis. Pull your last annual revenue figure. Estimate the number of California consumers whose personal data your firm collects. If you're clearly below $26.6M and well below 100K consumer records, document that conclusion and move to step 2.

Step 2 (30 minutes): Check your AI use in employment decisions. List every AI tool your firm uses. Flag any that touch hiring, scheduling, compensation, or performance review for California employees or candidates. For each flagged tool, confirm that a human reviews AI-influenced decisions before they're final.

Step 3 (30 minutes): Draft your AI disclosure statement. One paragraph. What AI tools you use. That output is reviewed by a licensed professional. That clients or candidates may request human review. Add it to your engagement letter template and your privacy policy.

You can do all three in under two hours. The firms that do this now are the ones who won't be scrambling when Oregon SB 1546 goes live in January 2027, or when the federal framework lands — whenever that turns out to be.

---

Sources: California Privacy Protection Agency (CPPA), Final ADMT Regulations (January 2026); Wiley Law, "California Finalizes Pivotal CCPA Regulations on AI, Cyber Audits, and Risk Governance" (March 2026); Internet Lawyer Blog, "California ADMT Compliance in 2026: Risk Assessments, Cybersecurity Audits, and What Businesses Must Do Now" (April 2026); SecurePrivacy, "California AI Regulations 2026: CPRA, ADMT & Compliance Thresholds."

---

Related Reading

• AI Regulation Compliance for Professional Services Firms — What the current regulatory landscape means for your firm
• State AI Chatbot Laws: What Professional Services Firms Need to Know — The disclosure requirements already in effect
• AI Disclosure Policy for Professional Services Firms — How to build a client-facing AI disclosure that protects your firm

---

The Crossing Report tracks every state AI compliance deadline for professional services firm owners — and translates them into plain language you can act on. California's ADMT regulations are the template for what's coming in 2027 and 2028 across the country. Subscribe here.