California AI Bias Audit Requirements 2026: A Full Compliance Guide
Why California suddenly has two AI bias audit regimes
For most of the past decade, "algorithmic fairness" was a research topic, not a legal duty. That changed in 2025 when two different California agencies — the California Privacy Protection Agency (CPPA) and the California Civil Rights Department (CRD) — finalized binding rules in the same calendar year. The CRD acted first, with regulations under the Fair Employment and Housing Act (FEHA) that took effect October 1, 2025. The CPPA followed, with a sweeping update to the California Consumer Privacy Act (CCPA) that took effect January 1, 2026, including new obligations for Automated Decision-Making Technology (ADMT). The two regimes have different scopes, different triggers, and different deadlines, but they overlap heavily for any company that uses AI to make decisions about people. You generally need a plan for both.
California is also not alone. Colorado, Illinois, and New York City have similar frameworks, and the federal landscape is fragmented. But because California regulates by reach (any business that processes a California consumer's data), its rules become the de facto national standard for AI products with any meaningful U.S. user base.
California AI bias audit requirements 2026: the CCPA/ADMT track
The CPPA's rules establish a risk-assessment regime that has bias at its core. The relevant trigger is whether you use ADMT to make a "significant decision" about a California consumer, defined as a decision that results in the provision or denial of financial or lending services, housing, education, employment or independent-contracting opportunities, or healthcare services. Advertising decisions, which appeared in earlier drafts, were dropped from the final version. If you cross that threshold, you must conduct and document a risk assessment before the processing begins, identify the foreseeable risks (including discriminatory outcomes), and describe the safeguards. The assessment must be certified by a senior executive and retained for as long as the processing continues or for five years after the assessment is completed, whichever is later.
The compliance timeline is staggered. For ADMT activities that started before January 1, 2026 and continue after that date, the initial risk assessment must be completed by December 31, 2027, and the first attestation summary is due to the CPPA by April 1, 2028. ADMT-specific consumer-rights obligations — pre-use notice, opt-out, and access requests — kick in on January 1, 2027. The cybersecurity-audit obligations are tied to revenue: companies above $100 million in 2026 revenue file by April 1, 2028; $50–100 million by April 1, 2029; under $50 million by April 1, 2030.
A subtle but important detail: the regulations explicitly call for businesses to involve "experts in detecting and mitigating bias in ADMT" in the risk-assessment process. That is the closest thing California has to a formal bias-audit requirement at the consumer-protection layer, and it is now in the regulations themselves, not just in guidance. If your risk assessment makes no reference to bias testing, fairness metrics, or sub-group performance, an experienced regulator will read that as a gap.
The CRD/FEHA track: bias audits in employment
The CRD's regulations take a different angle: they sit inside FEHA and target employment specifically. They make it explicitly unlawful for an employer or covered entity to use an automated-decision system or selection criteria — including a qualification standard, employment test, or proxy — that discriminates against an applicant or employee based on a protected characteristic. The regulations define "automated-decision system" broadly to include AI, machine learning, algorithms, statistics, and other data-processing techniques that make or facilitate employment decisions. Common-use software like word processors and spreadsheets is excluded.
Two features of the FEHA rules deserve special attention. First, "agent" is defined to include third parties that perform a function traditionally exercised by the employer, such as vendors that recruit, screen, score, or select, including when they do so through an automated-decision system. Those agents are themselves treated as employers under FEHA, which means a hiring-tool vendor with at least five employees can be sued directly for discrimination. Second, the regulations state that evidence of anti-bias testing or similar proactive efforts, including the quality, efficacy, recency, and scope of that testing, its results, and how the employer responded to them, is relevant to any discrimination claim or defense. Testing is not a safe harbor, but documented testing is the strongest defensive evidence the rules name, and its absence cuts the other way. That gives employers a powerful incentive to actually run audits, not just to comply but to build a litigation record.
Record retention also got longer. The regulations require employers to preserve personnel records and ADS data for four years from creation or the relevant personnel action, whichever is later, doubling the previous two-year window. Pair that with the CCPA's five-year retention rule and you should plan around a five-year minimum for anything bias-related.
What an AI bias audit actually tests
A defensible bias audit looks at three layers: inputs, outputs, and performance. Inputs means the training data and the features. Are protected attributes (race, gender, age) being used directly? More commonly, are proxies being used — ZIP code, alma mater, name patterns, browsing history — that correlate tightly enough with a protected class to function as a stand-in? The CRD regulations explicitly call out proxies as covered.
Outputs means the decisions or scores the model produces, broken down by protected group. The standard test is selection-rate parity: compute each group's selection rate, divide it by the rate of the group with the highest rate, and treat any ratio below 0.8 as a presumptive disparate-impact problem (the "four-fifths rule," from the federal Uniform Guidelines on Employee Selection Procedures). Two caveats: a ratio at or just above 0.8 is not a clean bill of health, and the rule is a screening heuristic, so very small sub-groups produce ratios that are not statistically meaningful. California has not adopted four-fifths as a hard threshold, but it remains the most common diagnostic.
Performance means accuracy and error rates by sub-group. A diagnostic model can be 99% accurate overall and 60% accurate on a minority sub-group; an AI scribe can transcribe English speakers cleanly and badly garble accented speech. False-negative parity matters as much as overall accuracy, especially in healthcare and lending where missed positives translate directly into denied care or denied credit.
A worked example: hiring screen for a California employer
Consider a mid-sized California employer using a third-party resume-screening tool. Under the FEHA regulations, both the employer and the vendor are on the hook. A defensible audit for that pipeline would look something like this. The team obtains demographic data on the applicant pool (typically self-reported, voluntary, separated from the screening pipeline). They compute selection rates by gender and by race for the most recent twelve months of hiring. They document the data, the methodology, and the results, along with any remediation taken when a disparity was found. They also evaluate the model's features — does "years at company" effectively penalize candidates who took caregiving leave, which correlates with gender? Does "graduated from a top-50 school" act as a proxy for race? They run the analysis annually, after every material model update, and after any change in the applicant pool composition.
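The three layers described above (inputs, outputs, performance) and the hiring-screen audit just outlined are mostly arithmetic, but the arithmetic is easy to get subtly wrong: the four-fifths flag is strictly below 0.8, a tiny sub-group produces a meaningless ratio, and a headline accuracy number hides sub-group false negatives. The following is an added example, not code from the original article or from any regulator or vendor. It runs the selection-rate, error-rate and proxy checks over a constructed applicant table; the field names, the group labels, the 30-record minimum sub-group size and the "qualified" ground-truth column are assumptions made for illustration.

```python
"""Bias-audit arithmetic for a resume-screening pipeline: selection-rate parity
(four-fifths rule), sub-group error rates, and a proxy-feature screen.
Added example, not code from the original article. Records are constructed;
field names, group labels and MIN_GROUP_N are assumptions."""
from collections import Counter, defaultdict

MIN_GROUP_N = 30   # assumed: groups smaller than this are reported, not judged
FOUR_FIFTHS = 0.8  # federal four-fifths (80%) yardstick; a diagnostic, not a CA threshold

# Constructed count table: (gender, race, top50_school, qualified, selected, count).
# "qualified" stands in for a ground-truth label (e.g. a blind structured interview);
# "selected" is the screening model's decision.
_COUNTS = [
    ("M", "W", True, True, True, 20), ("M", "W", True, False, True, 5),
    ("M", "W", False, True, False, 5), ("M", "W", False, False, False, 20),
    ("M", "B", True, True, True, 10), ("M", "B", False, True, False, 10),
    ("M", "B", False, False, True, 5), ("M", "B", False, False, False, 25),
    ("M", "O", False, True, True, 2), ("M", "O", False, False, False, 3),
    ("F", "W", True, True, True, 10), ("F", "W", True, True, False, 10),
    ("F", "W", False, False, True, 2), ("F", "W", False, False, False, 28),
    ("F", "B", True, True, True, 6), ("F", "B", False, True, False, 14),
    ("F", "B", False, False, True, 2), ("F", "B", False, False, False, 28),
    ("F", "O", False, True, True, 1), ("F", "O", False, False, False, 4),
]
FIELDS = ("gender", "race", "top50_school", "qualified", "selected")
APPLICANTS = [dict(zip(FIELDS, row[:-1])) for row in _COUNTS for _ in range(row[-1])]

def rates_by_group(records, attr, outcome="selected"):
    """{group: (n, share of records where outcome is truthy)} for a protected attribute."""
    n = Counter(r[attr] for r in records)
    hits = Counter(r[attr] for r in records if r[outcome])
    return {g: (n[g], hits[g] / n[g]) for g in n}

def impact_ratios(rates, min_n=MIN_GROUP_N, threshold=FOUR_FIFTHS):
    """Four-fifths test: each group's rate over the highest rate among groups with
    enough records. Small groups get 'insufficient sample', not a pass/fail verdict."""
    big = [rate for n, rate in rates.values() if n >= min_n]
    reference = max(big or [rate for _, rate in rates.values()])
    out = {}
    for g, (n, rate) in rates.items():
        ratio = rate / reference if reference else 1.0
        if n < min_n:
            status = "insufficient sample"
        elif ratio < threshold:          # strictly below 0.8 is the flag
            status = "adverse impact flag"
        else:
            status = "ok"
        out[g] = {"n": n, "rate": rate, "ratio": ratio, "status": status}
    return out

def error_rates(records, attr, truth="qualified", pred="selected"):
    """Per-group false-negative/false-positive rates next to the headline accuracy,
    so one overall number cannot hide a sub-group that is being screened out."""
    cells = defaultdict(Counter)
    for r in records:
        cells[r[attr]][(bool(r[truth]), bool(r[pred]))] += 1
    groups, correct, total = {}, 0, 0
    for g, c in cells.items():
        tp, fn, fp, tn = c[(True, True)], c[(True, False)], c[(False, True)], c[(False, False)]
        n = tp + fn + fp + tn
        groups[g] = {"n": n, "accuracy": (tp + tn) / n,
                     "fnr": fn / (tp + fn) if tp + fn else float("nan"),
                     "fpr": fp / (fp + tn) if fp + tn else float("nan")}
        correct, total = correct + tp + tn, total + n
    return {"groups": groups, "overall_accuracy": correct / total}

def proxy_screen(records, feature, attr, min_n=MIN_GROUP_N, threshold=FOUR_FIFTHS):
    """How unevenly a boolean feature is distributed across protected groups. A low
    min/max prevalence ratio means the feature can stand in for the group; it is a
    lead for the feature review, not proof of disparate impact by itself."""
    prev = {g: rate for g, (n, rate) in rates_by_group(records, attr, feature).items() if n >= min_n}
    if not prev:
        return {"feature": feature, "prevalence": prev, "ratio": 1.0, "flag": False}
    lo, hi = min(prev.values()), max(prev.values())
    ratio = lo / hi if hi else 1.0
    return {"feature": feature, "prevalence": prev, "ratio": ratio, "flag": ratio < threshold}

def audit_findings(records, protected=("gender", "race"), proxy_features=("top50_school",)):
    """One line per finding, with the numbers, for the written audit and remediation log."""
    lines = []
    for attr in protected:
        for g, res in impact_ratios(rates_by_group(records, attr)).items():
            if res["status"] != "ok":
                lines.append(f"{attr}={g}: n={res['n']} rate={res['rate']:.3f} "
                             f"ratio={res['ratio']:.2f} -> {res['status']}")
        err = error_rates(records, attr)
        for g, res in err["groups"].items():
            lines.append(f"{attr}={g}: FNR={res['fnr']:.3f} FPR={res['fpr']:.3f} "
                         f"(headline accuracy {err['overall_accuracy']:.3f})")
        for feat in proxy_features:
            scr = proxy_screen(records, feat, attr)
            if scr["flag"]:
                lines.append(f"{feat}: prevalence ratio across {attr} = {scr['ratio']:.2f} -> review as proxy")
    return lines

if __name__ == "__main__":
    print("\n".join(audit_findings(APPLICANTS)))
```

On the constructed data, women are selected at half the male rate (0.20 vs 0.40, flagged), group B at 0.62 of group W (flagged), and the ten-record group O is reported as an insufficient sample even though its raw ratio clears 0.8. The headline accuracy is about 0.75, but the false-negative rate for qualified women is 0.59 against 0.32 for qualified men, which is the disparity a single accuracy number would hide. The "top-50 school" feature is flagged for review because it is three times as common among group W as group B, which is what a proxy looks like before any decision is made with it. The script computes only the numbers; the demographic data it consumes should still be collected separately from the screening pipeline, as the hiring-screen example describes, and the output lines are meant to be pasted into the written methodology and remediation log rather than treated as the audit itself.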
On the CCPA side, the same employer needs to ask whether the same screening tool is making a "significant decision" about a California consumer. Hiring is enumerated as a significant decision, so the answer is yes — which means a separate, CPPA-style risk assessment is needed, certified by a senior executive, with bias risks and safeguards explicitly addressed. One audit, two filing tracks.
How AB 489 and AB 3030 interact with the bias-audit regime
Healthcare AI sits at the intersection of multiple laws. AB 489 prohibits AI from holding itself out as a licensed clinician, and AB 3030 requires generative AI to disclose itself in patient communications. Neither law is, by itself, a bias-audit law — but the California Attorney General has issued guidance making clear that an algorithm that produces discriminatory healthcare outcomes is a civil rights violation under existing state law, regardless of AB 489/3030 compliance. So a healthcare AI vendor in California faces three overlapping duties: identify itself (AB 3030), avoid clinical impersonation (AB 489), and audit for disparate impact (CRD/CCPA). For a deeper dive into the AG's position, see our analysis of the 2025 AG advisory. For the medical-device-specific testing protocol, see our 5-step medical bias audit guide.
Common bias-audit failure modes
Most failed audits we have reviewed fail in one of four predictable ways. The first is "overall accuracy theater" — a vendor reports a single 95% accuracy number with no sub-group breakdown, which tells you nothing about disparate impact. The second is unrepresentative training data: a model built on a population that is 90% one demographic will almost always underperform on the remaining 10%, no matter how clean the algorithm is. The third is undocumented mitigation: the team noticed a disparity, "tuned" the model, and now cannot reconstruct what changed or whether the disparity actually closed. The fourth — the most common with vendor-supplied tools — is silent reliance on the vendor's own audit without any independent verification, which provides no real defense if the vendor's methodology is challenged.
There is no required audit format under California law (yet), but practical defensibility demands a written methodology, named demographic categories, sample sizes large enough to draw conclusions, the actual numbers, and a remediation log. Treat the audit as evidence you may have to produce in litigation, because that is exactly what it is.
What to do in the next 90 days
For most companies, the right sequence right now is: inventory every system that could meet the ADMT or ADS definitions; categorize each by whether it makes a "significant decision"; assign a senior executive owner for each one (the CCPA attestation must be signed by a member of executive management, so someone senior has to stand behind each assessment); run a baseline bias audit on the top three by risk; document the methodology and findings; and put calendar reminders for the January 1, 2027 start of ADMT notice and opt-out obligations and the December 31, 2027 risk-assessment deadline. Sectors with the most exposure (hiring, lending, housing, healthcare, insurance) should prioritize over the next two quarters. For everyone else, the April 1, 2028 attestation deadline is closer than it looks once you account for the time it takes to gather demographic data, run analyses, and remediate.
For a quicker self-assessment of where you stand against the broader 2026 regime — including the bias and transparency angles — try the free 2-minute compliance check, which scores your AI deployment against AB 489, AB 3030, AB 2013, and the ADMT rules in one pass.
Sources
The legal framework above draws on official California regulatory materials and analyses from leading employment- and privacy-law firms. The primary documents to bookmark are the CCPA regulations effective January 1, 2026 (CPPA, PDF), the CPPA rulemaking page on ADMT, risk assessments, and cybersecurity audits, the final text of the CRD's Employment Regulations on Automated-Decision Systems (PDF), and the CRD announcement of approval. Both agencies have explicit enforcement authority, and both have signaled they intend to use it.
Frequently Asked Questions
What are California's AI bias audit requirements in 2026?
Two parallel regimes apply. The California Privacy Protection Agency's CCPA/ADMT rules took effect January 1, 2026, and require risk assessments — including bias evaluation — before using automated decision-making technology for significant decisions about Californians; ADMT-specific consumer-rights obligations begin January 1, 2027. Separately, the California Civil Rights Department's FEHA regulations took effect October 1, 2025, making it unlawful for employers to use automated-decision systems that produce a disparate impact on protected groups. Most companies need to plan for both.
Who has to do an AI bias audit in California?
Under the CCPA/ADMT rules, businesses that use automated decision-making technology to make 'significant decisions' (finance, housing, education, employment, healthcare) about California consumers must conduct a risk assessment. Under the FEHA regulations, every California employer covered by FEHA — and the third-party 'agents' that build or run their hiring tools — must avoid discriminatory automated-decision systems. Healthcare, lending, hiring, housing, and insurance are the highest-risk sectors.
What is the deadline for the first ADMT risk assessment?
For ADMT processing that began before January 1, 2026 and continues after that date, the initial risk assessment must be completed by December 31, 2027. The first attestation summary is due to the CPPA by April 1, 2028. ADMT consumer-rights obligations (pre-use notice, opt-out, access) take effect January 1, 2027.
What does 'disparate impact' mean for AI?
Disparate impact means a facially neutral practice — including a model — that produces a substantial disparity in selection or outcome rates across protected groups. The CRD regulations make clear that intent is not required: if your AI screens out women or candidates of a particular race at a meaningfully different rate, you face liability even with no discriminatory intent.
Does the ADMT rule cover spreadsheets and word processors?
No. The CRD's automated-decision-system definition specifically excludes ordinary office software like word processors and spreadsheets. The CCPA's ADMT definition also targets technologies that 'replace or substantially replace' human decision-making, not tools that merely assist with formatting or arithmetic. The line is whether computation is doing the deciding.
Can I rely on a third-party vendor's bias audit?
You can use it, but you can't hide behind it. The CRD regulations explicitly treat employer 'agents' — vendors who run screening, scoring, or selection tools — as employers themselves under FEHA. And the CCPA rules require senior-executive certification of your own risk assessment. Vendor documentation is evidence, not a defense; you still need to attest to it.
How long do I have to keep AI bias audit records?
The FEHA regulations require employers to preserve personnel and ADS data for four years from creation or from the personnel action, whichever is later. CCPA risk assessments must be retained for at least five years or as long as the processing continues. Pick the longer of the two for practical purposes.
What's the penalty for failing a California AI bias audit?
There is no single 'audit penalty' — the cost is downstream. FEHA discrimination claims can produce uncapped compensatory damages and attorneys' fees. CCPA violations carry administrative fines of up to $2,500 per violation, or $7,500 for intentional violations or violations involving minors, plus a private right of action for certain data breaches. The bigger exposure for most companies is class-action discrimination litigation.