California CCPA and CPRA Updates Affecting AI Use in 2026

By Basel Ismail, May 16, 2026

The California Privacy Protection Agency has been working on Automated Decision-Making Technology (ADMT) regulations for over two years now, and the latest draft rulemaking package is the most consequential set of AI-related privacy rules any U.S. state has produced. If your organization deploys AI systems that touch California consumers, the compliance window is narrowing faster than most legal teams realize.

What the ADMT Regulations Actually Require

The CPPA Board initiated formal rulemaking on ADMT in November 2023, with revised draft regulations released in stages through 2024 and into 2025. The core framework builds on CPRA's Section 1798.185(a)(16), which directed the Agency to issue regulations governing businesses' use of automated decision-making, including profiling. The resulting rules go well beyond what most companies have prepared for.

The key provisions in the latest draft include:

  • Pre-use notice requirements. Before deploying ADMT in decisions that produce "legal or similarly significant effects" on consumers, businesses must provide a plain-language notice describing the logic, purpose, and expected outcome of the automated processing. This applies to decisions about employment, housing, insurance, education, credit, healthcare, and access to essential goods and services.
  • Opt-out rights for ADMT. Consumers would have the right to opt out of automated decision-making in significant decisions. This is structurally similar to the existing right to opt out of the sale or sharing of personal information under Section 1798.120, but applied to algorithmic processing itself.
  • Access to the logic. Consumers can request meaningful information about the logic involved in automated decisions, not just the fact that automation was used. The draft regulations specify that "meaningful information" includes the key variables and parameters the system relies on.
  • Risk assessments. Businesses using ADMT for significant decisions must conduct and document cybersecurity audits and risk assessments. These assessments must evaluate the risks of the processing to consumers' privacy, including the risk of discrimination, and weigh those against the benefits. The assessments must be submitted to the CPPA upon request.

The scope is broad. "Automated decision-making technology" is defined to include any system that processes personal information and uses computation to replace or substantially facilitate human decision-making. That covers a lot of ground, from underwriting algorithms to AI-powered hiring tools to clinical decision support systems.

The Comment Period and Where Things Stand

The CPPA held multiple public comment periods through 2024, and the Board reviewed extensive stakeholder feedback at its March and July 2024 meetings. The Agency received over 400 written comments on the ADMT provisions alone, with significant pushback from industry groups including the California Chamber of Commerce and TechNet, who argued the opt-out provisions were unworkable for certain automated processes and that the definition of ADMT was overbroad.

Consumer advocacy groups, including the Electronic Frontier Foundation and Consumer Reports, pushed in the opposite direction, arguing the draft rules should be strengthened and that the opt-out right should apply to a wider range of processing activities.

The CPPA revised the draft in response to comments and moved the package toward formal rulemaking under the California Administrative Procedure Act. The formal 45-day comment period for the final proposed regulations is expected in 2025, with the rules potentially taking effect in 2026. The Agency has signaled it intends to finalize the ADMT regulations as a priority, alongside the ongoing cybersecurity audit and risk assessment rulemaking tracks.

One important procedural note: these regulations still need to clear the Office of Administrative Law (OAL) review, which has been a bottleneck before. The CPPA's first set of CPRA implementing regulations took effect on March 29, 2023, but only after OAL initially rejected the package and the Agency had to resubmit. There is no guarantee the ADMT rules will sail through on the first attempt.

What You Should Be Implementing Now

Even with the final effective date uncertain, the direction is clear enough to act on. Waiting for final text is a losing strategy here because the compliance obligations, particularly the risk assessments and notice infrastructure, take months to build properly.

Inventory Your ADMT Systems

Start with a comprehensive inventory of every system that uses personal information from California consumers in automated or semi-automated decision-making. Include vendor-provided tools. Many organizations discover they have far more ADMT exposure than they assumed, particularly in HR tech stacks, customer scoring systems, and fraud detection tools. Map each system to the categories of decisions it influences and whether those decisions produce "legal or similarly significant effects."

Build Your Risk Assessment Framework

The draft regulations align with the broader risk assessment requirements the CPPA has been developing under Section 1798.185(a)(15). If you have not already adopted a risk assessment methodology, the NIST AI Risk Management Framework (AI RMF 1.0, released January 2023) provides a solid foundation that maps reasonably well to what the CPPA is requiring. Your assessments should document the purpose of the processing, the categories of personal information used, the risks to consumers (including disparate impact), and the safeguards you have implemented.

Design Your Notice and Opt-Out Mechanisms

The pre-use notice requirement means you need to be able to explain, in consumer-facing language, what your ADMT systems do and why. For many organizations, this is harder than it sounds. Work with your data science and engineering teams now to develop descriptions of model logic that are accurate but comprehensible. On the opt-out side, think through what happens operationally when a consumer opts out. Do you have a manual fallback process? Can your systems route individual cases to human review without breaking your workflow? These are engineering problems that take time to solve.

Watch for Interaction with Other Frameworks

The CCPA/CPRA ADMT rules will layer on top of existing obligations. Colorado's AI Act (SB 24-205), effective February 1, 2026, imposes similar risk assessment and notice requirements for "high-risk AI systems." The EU AI Act's requirements for high-risk systems are phasing in through 2025 and 2026. Illinois's AI Video Interview Act (820 ILCS 42) already governs AI in hiring. If you operate across jurisdictions, building a unified compliance framework now will save you from maintaining parallel processes later.

Also keep an eye on enforcement signals. The CPPA has been building its enforcement team and issued its first public enforcement action (a $350,000 fine against DoorDash in January 2024 for selling consumer data without proper opt-out mechanisms). The Agency has made clear that AI governance is a priority area, and ADMT enforcement is likely to follow soon after the rules take effect.

How FirmAdapt Addresses This

FirmAdapt's architecture was designed around the assumption that AI systems in regulated industries need auditable decision logic, consumer-facing transparency, and documented risk assessments as default features. The platform supports automated generation of risk assessment documentation aligned with CPPA requirements and NIST AI RMF, and it maintains audit trails that capture the variables and parameters influencing each automated decision, which maps directly to the "meaningful information" disclosure obligations in the draft ADMT regulations.

For organizations that need to implement opt-out routing and human review fallbacks, FirmAdapt provides configurable decision workflows that can flag and redirect individual processing requests without requiring a full system redesign. If you are building your ADMT compliance infrastructure from scratch, it is worth evaluating whether your current tools can support the level of granularity California is about to require.
