Posts

Showing posts with the label ADMT

What Colorado AI Law's Major Rewrite Means For Employers

Colorado's landmark artificial intelligence law, the most comprehensive in the country, has been replaced before it ever took effect. After years of concern over the implications of Colorado's Concerning Consumer Protections in Interactions with AI Systems law, which was set to take effect on June 30, Gov. Jared Polis recently signed into law S.B. 26-189, a bill that repealed the Colorado AI law and replaced its broad "high-risk artificial intelligence system" framework with a narrower regime focused on automated decision-making technology, or ADMT, used in consequential decisions. S.B. 26-189 will apply to job applicants and employees who are residents of Colorado, in addition to "any individual whose access to, eligibility for, or opportunity in Colorado is evaluated in a consequential decision by a person doing business in Colorado." The Colorado AI law has been a source of concern for employers since it was enacted in 2024. Had the law gone into effect ...

Managing Agentic AI in Real‑World Use: From Outputs to Actions

Agentic artificial intelligence (AI) is the next frontier for companies and organizations that are using AI. Agentic AI can select and carry out actions on a user’s behalf based on instructions, context, and the permissions it has been configured to use . As organizations integrate these systems and capabilities, they face an additional layer of legal risks and governance concerns. As companies begin to use agentic AI, they should consider key risk management practices to ensure responsible adoption . This includes aligning with emerging best practices and standards being studied and promoted by the National Institute for Standards and Technology (NIST) around agentic AI, including the Center for AI Standards and Innovation (CAISI) AI Agent Standards Initiative and the National Cybersecurity Center of Excellence Project addressing Software and AI Agency Identify and Authorization . For example, organizations utilizing agentic AI should look more closely at how the authority of AI age...

Colorado Moves to Replace AI Bias Audit Law With New Transparency Framework: Your Guide to Understanding the Changes

Colorado lawmakers are moving to repeal the state’s first-in-the-nation AI antidiscrimination law and replace the mandatory bias audit and risk impact assessment requirements with a streamlined transparency-and-notice framework. The May 1 proposal, backed by key lawmakers, instead focuses on automated decision-making technology (ADMT) used in “consequential” decisions. If the bill gets passed into law, new employer obligations would kick in on January 1, 2027 . Here’s what the proposed replacement would mean for your business and what you should be doing right now. Quick Recap: How We Got Here The original law passed in 2024 imposed broad obligations on both AI developers and the businesses deploying AI tools, including mandatory bias audits, risk impact assessments, and extensive disclosure requirements. It was set to take effect February 1, 2026. The business and tech communities immediately pushed back, arguing the requirements were unworkable and would crush innovation. After rep...

A MoFo Privacy Minute Q&A: Key Steps in 2026 to Comply with State Privacy Assessment Requirements

Question:  Do I need to complete state privacy risk assessments in 2026? I know some CCPA deadlines aren’t until next year, but how can I prepare my team to comply with state privacy assessment requirements? Answer:   The start of the year is an excellent time to review and update your organization’s privacy assessment process, particularly in light of new regulations under the CCPA . It is likely that you will need to conduct privacy assessments in 2026 , though it depends on your organization’s data processing activities and which state consumer privacy laws apply to your organization. The CCPA’s new requirements include: Undertaking a risk assessment if the organization is “selling” or “sharing” personal data, processing sensitive data (with limited exceptions), using automated decision-making technology (ADMT) for a “significant decision,” or engaged in other types of processing that present a “significant risk” to consumers’ privacy. Conducting the risk assessment per the...

The CCPA and Automated Decision-Making Technologies (ADMT)

As artificial intelligence (AI), particularly generative AI, becomes increasingly woven into our professional and personal lives—from personalized travel itineraries to reviewing resumes to summarizing investigation notes and reports—questions about who or what controls our data and how it’s used are ever present. AI systems survive and thrive on information and that intersection of AI and privacy elevates the need for data protection. Recent  regulations  issued by the California Privacy Protection Agency (CPPA) under the California Consumer Privacy Act (CCPA) begin to erect those protections. Among its various provisions, the CCPA now specifically addresses automated decision-making technologies (ADMT), attempting to bring transparency and consumer rights to, among other things, push back on algorithms making significant decisions about them. As a starting point, it is important to define ADMT. Under the CCPA, it means any technology that processes personal information and ...

California Finalizes Groundbreaking Regulations on AI, Risk Assessments, and Cybersecurity, Part II: What Businesses Need to Know

Image
  In July 2025, the California Privacy Protection Agency (CPPA) Board unanimously approved new regulations pursuant to the California Consumer Privacy Act (CCPA) that specifically address the use of automated decisionmaking technologies (ADMTs), requirements for completing risk assessments, and, for businesses processing large amounts of California resident data or engaging in the large-scale sale or sharing of data, mandatory annual cybersecurity audits. While these regulations have been in the drafting process since 2023, they reflect an ongoing trend in California and across the country in favor of heightened, proactive accountability mandates. Quick Hits The CPPA Board recently approved new cybersecurity audit regulations that, pending final approval by the California Office of Administrative Law (OAL), will apply to large CCPA-covered businesses and data brokers. The regulations include extensive independent audit requirements that will, at a minimum, necessitate businesses e...