For existing covered uses, companies have until December 31, 2027 to complete required assessments. New uses must be assessed before deployment. Some employment-administration tasks are carved out, but profiling for performance, reliability, aptitude, or behavior remains within scope. The specific contours of what constitutes prohibited profiling or high-impact decision-making under the regulations remain subject to agency interpretation as implementation proceeds.
Employers should treat this as a concrete compliance deadline rather than an abstract policy question. The practical effect is that any AI tool used in hiring or employee monitoring now requires documented privacy risk assessment and potentially triggers notice, opt-out rights, and reporting obligations to the agency. In-house counsel and HR teams should audit current and planned AI deployments against the CPPA's definitions of automated decision-making and profiling to identify which tools require assessment before the 2026 effective date.