Navigating Algorithmic Accountability Under CCPA Article 11

With the finalization of Article 11 of the California Consumer Privacy Act (“CCPA”) regulations, the California Privacy Protection Agency (“CPPA”) has introduced a rigorous compliance framework for automated decision-making technology (“ADMT”). Under these new regulations, if a machine is making a “significant decision” about a California resident, that individual — including consumers, patients, employees and job candidates — now has a legal right to know how their data is being used and to opt out entirely. This is a fundamental regulatory shift toward enforcing algorithmic accountability.

What Is Covered?

Under Article 11, ADMT is defined broadly as any technology that processes personal information and uses computation to replace or “substantially replace” human decision making. The threshold for “substantially replace” is high. A business cannot claim human involvement if an employee is “checking the box” when reviewing an artificial intelligence (AI) output. To avoid the ADMT classification, there must be meaningful human involvement, characterized by:

  • Authority: The human must have the power to override the system.
  • Competence: The human must understand the logic used to reach the conclusion.
  • Review: The human must actively review the logic, not just the final result.

Article 11 does not apply to every minor algorithm (like a basic recommendation engine), however. It specifically targets technologies that influence significant decisions. If the AI/algorithm results in the provision or denial of the following, then Article 11 is in scope:

  • Employment: Hiring, compensation or promotions.
  • Financial services: Lending, credit or insurance.
  • Housing and education: Admissions, mortgage eligibility or rental applications.
  • Healthcare: Access to services or specific treatment plans.

Consumer Rights Impact

Compliance with Article 11 consists of these core consumer rights requirements:

  • Pre-use notice: Before the ADMT is applied, a conspicuous notice explaining the purpose of the technology must be provided. It’s also essential to clearly demonstrate and enable the consumer’s right to opt-out and access the information.
  • Right to opt-out: Consumers can generally decline for their data to be used in ADMT. Exceptions (like fraud prevention) are narrow. If an opt-out is denied, the business must offer a human appeal process.
  • Right to access: Often called “explainability” in AI governance, this allows consumers to demand the logic, parameters and specific data points, including personal information, used to reach a score or result.

Privacy Program Operational Requirements

In addition to updating consumer rights forms, processes and workflows, organizations will also need to conduct the following privacy management activities:

  • Risk assessments: Enhance and update privacy impact assessments and document that the benefits of the technology outweigh the risks of bias or discrimination.
  • Specialized training: Staff handling consumer requests must be trained specifically on ADMT rights.
  • Non-retaliation: Organizations cannot penalize an individual (via price, quality of service, employment or other means) for exercising their right to opt-out of automated systems.

Businesses that use ADMT must comply with requirements beginning January 1, 2027, and certain risk assessment filings will be due in 2028. Additionally, similar to third-party risk management, the ultimate responsibility for compliance is non-transferable. So, organizations that use off-the-shelf AI tools for hiring or credit scoring will face the burden of compliance, not the software vendor. Vendor contracts must be structured to allow compliance with these transparency and explainability requirements.

Conclusion

The “black box” era of AI is ending for those covered by the CCPA. It is logical for organizations to build trust through algorithmic transparency and explain how they make decisions. Explainable changes to consumer rights, privacy notices, privacy impact assessments and vendor management are key activities and privacy operations for meeting these requirements.

The time has arrived to stop treating AI as a black box, particularly to customers, employees and other consumers. To meet CCPA expectations and uphold trust, organizations need to act now: make ADMT transparent, clearly explain how AI-driven outcomes are reached, review consumer rights, make required updates to privacy notices, enhance the privacy impact assessment process and hone in on AI vendor oversight.

Related Insights

Published

May 22, 2026

temp Key Contacts

Scott Margolis

Managing Director

Kenric Tom

Managing Director

Most Popular Insights

  1. Beyond Cost Metrics: Recognizing the True Value of Nuclear Energy
  2. Finally, Pundits Are Talking About Rising Consumer Loan Delinquencies
  3. A New Era of Medicaid Reform
  4. Turning Vision and Strategy Into Action: The Role of Operating Model Design
  5. The Hidden Risk for Data Centers That No One is Talking About

Sign up to get access to FTI Consulting Insights

Subscribe