CCPA ADMT Survival Guide (2025–2026): What to do now

California’s new automated decision-making (ADMT) rules are moving toward effect (earliest dates discussed by practitioners are late-2025 into early-2026, pending state approval). Don’t wait. Treat ADMT like product risk, not paperwork. Map where your software profiles, predicts, scores, ranks, targets, or otherwise decides about people. Stand up a lightweight program that ships with your code: clear notices, simple choices, practical testing, tight vendor controls, and a short audit trail. Done right, this removes buyer objections and speeds enterprise deals.

You’re covered if your tech profiles, predicts, or makes decisions about people

If your product uses models, rules, or scoring to influence access, pricing, support priority, content shown, outreach, fraud flags, hiring signals, tenant moderation—or any meaningful effect on a person—you should assume ADMT rules apply. It’s broader than “AI.” Rules focus on impact, not buzzwords. Edge cases (analytics, pure security use, internal QA) may be treated differently, but don’t bank on it. Start with an honest inventory of decisions and the data that drives them, including vendor-provided models.

The minimum viable plan has six parts

(1) Inventory: where ADMT happens and why. (2) Notice: plain-English explanation before you use it. (3) Choices: opt-out where required and an easy contact path. (4) Meaningful information: what inputs matter and how to get a human involved. (5) Risk assessment & testing: bias/impact checks at launch and on change. (6) Governance: owners, approvals, and vendor oversight. Keep it lean: two pages of policy, one page of roles and RACI, and engineering tickets tied to releases.

The ADMT notice must be specific, short, and helpful

Say what the tool does, why you use it, the data types involved, how it affects people, how to opt out or get human review, and how to exercise rights. One to three short paragraphs on the page where the decision happens (or immediately before it). Link to your fuller privacy notice. Avoid vague phrasing like “we may use AI.” Example: “We use automated scoring to prioritize support tickets based on severity signals (error logs, crash rate, plan tier). You can request human review at any time.”

Give people choices and “meaningful information” without giving away your IP

Where the rules require it, provide an opt-out (or a human-in-the-loop path) that still delivers a usable experience. For access requests, explain the inputs that most influence the outcome, the basic logic (e.g., “recent non-payment lowers eligibility score”), and how to contest or correct data. You do not need to disclose source code or weights. Do offer examples, thresholds where reasonable, and links to fix bad inputs. Track response SLAs and closure quality.

Risk assessments and testing should live in your SDLC, not in a PDF

Build a simple ADMT Test Plan template into your pull-request or release form: purpose, populations affected, success/failure metrics, drift and bias checks, abuse risks, rollback triggers, and approvers. Re-run on material changes: new features, new models, new data sources, threshold changes, or expansions to minors/critical services. Keep test evidence (notebooks, screenshots, sample outputs) alongside the release in your repo or QA system. “Evidence where the work happens” beats stale binders.

Prove it: logs, change control, and vendor attestations

Keep decision logs (timestamp, model/version/ruleset, key inputs, result, overrides) with retention aligned to your privacy program. Gate releases with a simple change-control step: ticket link, approver, risk check, and sign-off. For vendors (model APIs, enrichment, scoring), collect attestations: what data they process, where it lives, sub-processors, and their own bias/testing disclosures. Bake these into procurement and renewal. Use DPAs and SOWs to lock obligations and audit rights.
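One way to make those decision logs hold up under audit, as an added example that is not from this guide: each entry carries the fields listed above (timestamp, ruleset/version, key inputs, result) and chains to the previous entry's SHA-256, so a human override is appended as a linked record rather than editing the original, and any after-the-fact edit breaks verification. The class, field names and the sample values in the test are assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(body: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    payload = json.dumps(body, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()


class DecisionLog:
    # Append-only ADMT decision log; every entry chains to the previous entry's hash.
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def _append(self, body: dict) -> int:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**body, "prev": prev, "hash": _digest(body, prev)})
        return len(self.entries) - 1

    def record(self, subject: str, ruleset: str, inputs: dict, result: str) -> int:
        # Fields the guide lists: timestamp, model/version/ruleset, key inputs, result.
        body = {"ts": datetime.now(timezone.utc).isoformat(), "subject": subject,
                "ruleset": ruleset, "inputs": inputs, "result": result, "override_of": None}
        return self._append(body)

    def override(self, idx: int, reviewer: str, result: str, reason: str) -> int:
        # A human override never edits the original; it appends a linked entry.
        orig = self.entries[idx]
        body = {"ts": datetime.now(timezone.utc).isoformat(), "subject": orig["subject"],
                "ruleset": orig["ruleset"], "inputs": orig["inputs"], "result": result,
                "override_of": idx, "reviewer": reviewer, "reason": reason}
        return self._append(body)

    def effective_result(self, idx: int) -> str:
        # The latest override of an entry wins; otherwise the automated result stands.
        latest = self.entries[idx]["result"]
        for e in self.entries[idx + 1:]:
            if e["override_of"] == idx:
                latest = e["result"]
        return latest

    def verify(self) -> bool:
        # Recompute the chain; an edited, reordered or removed entry breaks it.
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or _digest(body, prev) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Ship `verify()` as a scheduled check and export the chain with the release evidence; retention deletion should drop whole log files, not individual entries, so the remaining chain still verifies.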

Sales enablement wins: turn compliance into faster deals

Enterprise buyers will ask three things: What decisions do you automate? How do you control risk? Can I audit it?

Have a one-pager ready that answers all three, plus a short ADMT Playbook: notice examples, opt-out paths, human-review SOP, and your testing checklist. Offer a controlled demo showing a decision, a contest request, and a human override. This reduces security/compliance cycles and clears legal faster—often the difference between Q4 slip and closed-won.

Interested in a one-page checklist with initial steps?
