An HR analytics platform pulls in calendar activity, email volume, who shows up to which meetings, and project-tracking data for every employee in the company. Once a week it turns all of that into a single engagement-and-retention risk score per person. A manager opens the dashboard, reads the scores, and decides who to pull into a development conversation, who to put on a performance plan, who to make a retention push for, going partly on the score and partly on things the tool never saw. The vendor's line is simple: the platform supplies the intelligence, the managers make the calls. It doesn't fire anyone, doesn't hand out promotions, doesn't write a performance rating. It watches and it scores.
California's ADMT rules don't care who signs off at the end of that chain. The obligation can land earlier, the moment the tool systematically watches a covered person and infers things about them. Systematic observation of employees, paired with automated processing that draws inferences, can require a risk assessment on its own. Section 7150(b)(4) names systematic observation of job applicants, students, employees, and independent contractors as a trigger all by itself. A product can stay clear of the significant-decision path completely and still be inside the rules.
That matters because a whole industry rests on the belief that watching, without deciding, is harmless. Engagement tools that read flight risk off behavioral patterns. Productivity monitors that watch output and flag a slump. Analytics that grade managers on how their teams perform. Scheduling systems that staff from past attendance. They all make the same quiet claim: the software only watches and scores; a human does the acting somewhere else. Older privacy law often let that line hold. California's ADMT rules don't, and the split between watching and acting doesn't make the obligation go away; it just decides who carries it.
The regulation never draws a bright line around what makes observation "systematic." The words it uses point to monitoring that's methodical, regular, or continuous. A platform reading behavioral signals off every employee, every week, for months is plainly systematic. A one-time survey at onboarding plainly isn't. In between sit a lot of analytics products that sample all the time, score now and then, or follow one narrow signal over months. The rule won't settle every edge case, but it catches most of what has scaled in enterprise people-ops since 2020. Continuous automated watching wired into the workforce system is just what the language is describing.
The profiling-from-observation obligation doesn't wait for the employer to make a significant decision off the data. This is the piece most HR-tech legal teams miss. They ask the familiar question: does this product drive employment decisions the regulation covers? If the platform only serves up insights instead of issuing formal calls, they file it as out of scope. But the observation trigger needs no decision downstream. It needs systematic observation, automated processing, and an inference about a covered person. A workforce analytics tool can trip it on what it watches and computes alone, with no formal employment action ever issued.
Section 7153 puts a finer point on it for vendors. If the tool is made available to an employer and the employer uses it in a way that triggers ADMT obligations, the vendor has to supply the facts the customer's risk assessment needs. Most HR analytics vendors have written down nothing of the sort, not the inference logic, not the model's assumptions, not its limits or where it breaks, in anything like the form the rule wants. They built a workforce-intelligence product. The regulation calls it automated decision-making technology no matter what the brochure says, because what counts is what the tool does, not what the vendor meant by it.
In practice the gap is wide. Most of these monitoring and scoring tools predate the rules. The documentation runs to feature lists and method summaries, not inference logic the way the regulation means it. The privacy notices mention collecting data but not profiling. The terms of service sort out liability for the manager's decision and say nothing about the duty that attaches back at observation. Bolting a risk assessment onto a product never built to produce one means answering questions the engineers may never have been asked. What does the score actually claim about the employee? Which inputs move it? Where does it break, and for whom does it break worse? Nobody writes that down for a feature sold as "people analytics."
None of this makes every monitoring tool illegal. It means the compliance question shows up earlier in the pipeline than most teams expect. The manager acting on the alert isn't the only one who counts. The tool that did the watching and the inferring is already inside the rules, whether or not the inference ever reaches a decision-maker, and whether or not the vendor admits it.
Proof of Review helps vendors and employers put that on paper: what the tool infers, on what basis, and what was done with the output, in the form a risk assessment actually calls for.