Get Started
Ready to protect your organization?
A+
May 18, 2026 · Benjamin J. Treger
What FEHA Requires Now, What’s Coming in 2027, and Why Using a Vendor Doesn’t Shield You
If your business uses software to screen resumes, schedule shifts, monitor productivity, or score candidate interviews, California now treats those tools as part of your hiring and management practices for discrimination purposes. As of October 1, 2025, the California Civil Rights Council’s new regulations on Automated Decision Systems make clear that the Fair Employment and Housing Act (“FEHA”) applies to algorithmic and AI-driven decisions the same way it applies to a human manager’s decisions. And a second set of rules, finalized by the California Privacy Protection Agency, will layer new notice, opt-out, and risk-assessment requirements on top, with the first major compliance deadline arriving January 1, 2027.
This post walks through what the regulations require, what employers most commonly miss, and what to do now.
California now regulates the use of AI and other automated tools in employment under two distinct frameworks.
The first is the FEHA framework, administered by the California Civil Rights Department (“CRD”). The Civil Rights Council finalized regulations last summer that took effect October 1, 2025. These regulations clarify that an Automated Decision System (“ADS”) can produce discriminatory employment outcomes just as easily as a human manager can, and that liability under FEHA flows accordingly.
The second is the privacy framework under the California Consumer Privacy Act (“CCPA”), administered by the California Privacy Protection Agency (“CPPA”). The CPPA finalized regulations governing “Automated Decision-Making Technology” (“ADMT”) in late 2025. Substantive compliance is required by January 1, 2027 for tools already in use, and immediately upon deployment for tools introduced after that date.
The frameworks overlap considerably but are not identical. An employer’s HR technology stack may be subject to one, both, or (less often) neither, depending on how the tools are used and what they do.
The Civil Rights Council’s regulations define an ADS broadly: a “computational process that makes a decision or facilitates human decision making regarding an employment benefit.” The process may use artificial intelligence, machine learning, algorithms, statistics, or other data processing techniques.
In practical terms, this captures essentially every category of HR technology, including:
Importantly, the regulations cover tools that “facilitate” human decision-making, not just tools that make the decision outright. An algorithm that recommends a hire, a promotion, or a termination is covered even if a human signs off at the end.
The CCPA’s ADMT definition is narrower and turns on whether the technology “replaces” or “substantially replaces” human decision-making. Tools used merely to assist or augment a person’s judgment may fall outside the ADMT framework if meaningful human involvement exists in the decision. The CPPA defines “meaningful human involvement” as requiring three things: a decisionmaker who knows how to interpret the tool’s outputs, analysis of those outputs together with other relevant information, and authority to make or change the decision based on that analysis. An employer cannot escape coverage by rubber-stamping the algorithm’s recommendation.
The most consequential feature of the new FEHA regulations is the extension of liability to “agents” of the employer. An “agent” is any person or entity that acts on the employer’s behalf, directly or indirectly, to exercise a function traditionally exercised by the employer. That includes recruiting, screening, hiring, promotion, and decisions about pay, benefits, or leave, including when those activities and decisions are conducted in whole or in part through the use of an automated decision system.
The practical consequence is that an employer cannot insulate itself from liability by outsourcing an HR function to a third-party vendor. If the vendor’s algorithm produces a disparate impact on applicants in a protected class, the employer is on the hook. The regulations also clarify that the vendor itself may be liable for aiding and abetting unlawful employment practices.
This is a meaningful departure from how employers have historically allocated risk. Many vendor contracts include indemnity provisions, warranties, and audit terms that purport to shift risk back to the vendor. Those terms remain commercially relevant, but they do not eliminate the employer’s direct FEHA liability to applicants and employees. Reviewing vendor agreements to ensure adequate audit rights, bias-testing representations, and indemnification is now table stakes, not a nice-to-have.
The new regulations also flag a specific risk in the design of ADS assessments. Tests, questions, puzzle games, or other interactive content that elicits information about an applicant’s or employee’s disability may constitute an unlawful medical inquiry under FEHA. This is not a hypothetical concern. Gamified assessments that measure reaction time, manual dexterity, or sustained attention can functionally screen out applicants with disabilities, just as a poorly designed physical agility test can screen out applicants with mobility impairments.
The regulations also clarify that employers may need to provide reasonable accommodations during ADS-driven assessments. An applicant with a vision impairment, a cognitive disability, or a motor function impairment may be entitled to an alternative assessment method or to additional time. Building a reasonable-accommodation process into the front end of an automated screening pipeline is now an FEHA obligation, not a courtesy.
The new regulations extend the FEHA recordkeeping period from two years to four. The expanded retention obligation applies to all employment records “created or received by the employer or other covered entity dealing with any employment practice and affecting any employment benefit of any applicant or employee.”
Critically, “automated decision system data” is now expressly part of the recordkeeping rule. That includes:
Employers who use third-party tools should pay particular attention to this requirement. If your vendor stores the underlying data and you do not have a contractual right to retrieve and retain it for four years, you have a compliance problem. Vendor agreements should be revised to ensure that the employer can preserve the relevant data through the full retention period and produce it if necessary.
The CCPA’s ADMT regulations introduce a set of obligations that are conceptually familiar from European privacy law but new to California employment. Compliance is required by January 1, 2027 for tools already in use.
The headline obligations include:
Pre-use notice. Before using ADMT to make a significant employment decision, the employer must provide a written notice describing how the technology works, what types of personal information affect its outputs, what outputs it produces, and how those outputs are used in the decision. The notice must also describe the alternative process available to a worker who opts out.
Opt-out rights. Workers generally have the right to opt out of having ADMT used to make a significant decision about them, subject to several exceptions. The most important exception for employers is that the opt-out is not required if the employer provides a meaningful human appeal mechanism, that is, a human reviewer who can overturn the ADMT-driven decision after independent analysis. Many employers will structure their compliance program around this exception rather than around a true opt-out.
Access rights. Workers have the right to request information about how the ADMT was used in a decision concerning them, including the logic of the system and how the outputs were used.
Risk assessments. Employers using ADMT for significant decisions must conduct a documented risk assessment weighing the benefits of the technology against the privacy and discrimination risks it creates. Risk assessments must be completed by December 31, 2027 for tools already in use as of January 1, 2026, and information about completed assessments must be submitted to the CPPA by April 1, 2028.
Civil penalties under the CCPA framework can reach $2,500 per violation and $7,500 per intentional violation, with each affected individual and each day of noncompliance counted separately. There is no private right of action for these provisions; enforcement runs through the CPPA and the Attorney General.
The new FEHA regulations preserve existing affirmative defenses to discrimination claims (business necessity, job-relatedness, bona fide occupational qualification), but they add a new element to the analysis. Evidence of anti-bias testing, audits, or other proactive efforts to identify and mitigate discriminatory effects can support an employer’s defense. Equally, the lack of such evidence can support a plaintiff’s case.
The regulation does not prescribe a specific audit methodology, but the practical implication is that employers using ADS tools should be conducting periodic bias audits, documenting the results, and updating the tool or its inputs when disparities appear. The quality, recency, and scope of those efforts will matter at trial.
For employers using vendor tools, this points to a key contract term: the right to receive (and to share with counsel) the vendor’s own bias testing and audit data. A vendor that refuses to share that information is not a vendor an employer should be relying on for a defensible hiring or management process.
The compliance program for these regulations breaks into roughly six steps.
1. Inventory. Identify every AI, algorithmic, or automated tool used in any HR function. The list should include applicant tracking systems, resume screeners, video interview tools, assessment platforms, scheduling tools, performance management tools, productivity monitoring tools, and any internal analytics tools used in HR decisions. Many employers find that the inventory is longer than expected, in part because individual managers have signed up for tools without going through procurement or legal review.
2. Classify. For each tool, determine whether it is making or facilitating an employment decision, and whether it falls within the FEHA ADS definition, the CCPA ADMT definition, or both.
3. Review vendor agreements. Renegotiate as necessary to secure representations about anti-bias testing, audit rights, data access and retention rights compatible with the four-year FEHA rule, and indemnification calibrated to the new liability environment.
4. Build the human-review process. If the employer plans to rely on the meaningful human involvement exception under the CCPA framework, document the process: who reviews, what they review, what authority they have, and how the review is recorded.
5. Update applicant and employee notices. Pre-use notices, accommodation procedures for ADS-driven assessments, and access-request procedures should be in place by January 1, 2027. The notice content prescribed by the CPPA is specific; templates and guidance from the agency should be reviewed when finalized.
6. Document the recordkeeping plan. Identify what ADS-related data is created or received, where it lives, who is responsible for retention, and how it will be produced if requested. Four years is a long retention window, and the obligation applies to data generated today.
For employers who have already invested in HR technology, the work is not catastrophic but it is real, and it cannot be done at the last minute. For employers who are evaluating new AI tools, the new regulations should change the procurement process from the start.
This post is for informational purposes only and does not constitute legal advice. Consult with a qualified employment attorney about your specific situation.