California 2023-2024 Regular Session

California Senate Bill SB892 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	~~Enrolled September 05, 2024 Passed IN Senate August 31, 2024 Passed IN Assembly August 28, 2024~~ Amended IN Assembly August 19, 2024 Amended IN Assembly July 03, 2024 Amended IN Assembly June 21, 2024 Amended IN Senate April 10, 2024 Amended IN Senate April 01, 2024 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Senate Bill No. 892Introduced by Senator Padilla(Coauthors: Senators Rubio and Smallwood-Cuevas)January 03, 2024An act to add Section 12100.1 to the Public Contract Code, relating to public contracts.LEGISLATIVE COUNSEL'S DIGESTSB 892, Padilla. Public contracts: automated decision systems: procurement standards.Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.This bill would require the Department of Technology to develop and adopt regulations to create an automated decision system (ADS) procurement standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADS procurement standard and review and update the ADS procurement standard and related regulations, as specified.Commencing January 1, 2027, ~~this~~ bill would ~~prohibit a state agency from procuring~~ an ~~ADS, entering into a contract for~~ an ~~ADS, or any service~~ that utilizes an ADS, as specified, until the department has adopted regulations creating an ADS procurement standard. Commencing January 1, 2027, the bill would also require a contract for an ADS or a service that utilizes an ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 12100.1 is added to the Public Contract Code, to read:12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2) ~~(A)~~ Automated decision system or ~~ADS~~ means a ~~computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence~~ that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.(3) Department means the Department of Technology.(b) The department shall develop and adopt regulations to create an ADS procurement standard.(1) To develop regulations related to the ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADS.(ii) The purpose and use of the ADS.(iii) Any known potential misuses or abuses of the ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS.(v) The robustness, accuracy, and reliability of the ADS.(vi) The interpretability and explainability of ~~the~~ ADS.(B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADS.(ii) How the information or decisions generated by the ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADS.(G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.(5) Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADS upgrades and enhancements.(5) Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
	1	+	Amended IN Assembly August 19, 2024 Amended IN Assembly July 03, 2024 Amended IN Assembly June 21, 2024 Amended IN Senate April 10, 2024 Amended IN Senate April 01, 2024 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Senate Bill No. 892Introduced by Senator Padilla(Coauthors: Senators Rubio and Smallwood-Cuevas)January 03, 2024An act to add Section 12100.1 to the Public Contract Code, relating to public contracts.LEGISLATIVE COUNSEL'S DIGESTSB 892, as amended, Padilla. Public contracts: automated decision tools: systems: procurement standards.Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. Existing law, the California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA, as amended, establishes the California Privacy Protection Agency with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.This bill would require the Department of Technology to develop and adopt regulations to create an automated decision tool (ADT) system (ADS) procurement standard, following the adoption of specified regulations by the California Privacy Protection Agency or the enactment of comprehensive ADT legislation, whichever occurs sooner. standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADT ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADT, ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADT ADS procurement standard and review and update the ADT ADS procurement standard and related regulations, as specified. ThisCommencing January 1, 2027, this bill would prohibit a state agency from procuring an ADT, ADS, entering into a contract for an ADT, ADS, or any service that utilizes an ADT ADS, as specified, until the department has adopted regulations creating an ADT ADS procurement standard. The Commencing January 1, 2027, the bill would also require a contract for an ADT ADS or a service that utilizes an ADT ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADT, ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 12100.1 is added to the Public Contract Code, to read:12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2)Automated decision tool or ADT means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.(3)Consequential decision means a decision or judgment that has a legal, material, or similarly significant effect on an individuals life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:(A)Employment with respect to all of the following:(i)Pay or promotion.(ii)Hiring or termination.(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.(B)Education and vocational training as it relates to all of the following:(i)Assessment or placement.(ii)Detecting student cheating or plagiarism.(iii)Accreditation.(iv)Certification.(v)Admissions or enrollment.(vi)Discipline.(vii)Evaluation.(viii)Financial aid or scholarships.(C)Housing or lodging, including rental or short-term housing or lodging.(D)All of the following essential utilities:(i)Electricity.(ii)Heat.(iii)Water.(iv)Internet or telecommunications access.(v)Transportation.(E)Family planning.(F)Adoption services, reproductive services, or assessments related to child protective services.(G)Health care or health insurance, including mental health care, dental, or vision.(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(I)All of the following aspects of the criminal justice system:(i)Risk assessments for pretrial hearings.(ii)Sentencing.(iii)Parole.(J)Legal services.(K)Private arbitration.(L)Mediation.(M)Voting. (2) (A) Automated decision system or ADS means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data. (4)(3) Department means the Department of Technology.(5)Substantial factor means an element of a decisionmaking process that is capable of altering the outcome of the process.(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADT ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADT. ADS.(ii) The purpose and use of the ADT. ADS.(iii) Any known potential misuses or abuses of the ADT. ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT. ADS.(v) The robustness, accuracy, and reliability of the ADT. ADS.(vi) The interpretability and explainability of theADT. ADS.(B) Methods for appropriate risk controls between the state agency and ADT ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADT ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADT. ADS.(ii) How the information or decisions generated by the ADT ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADT ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.(G) Adherence to data minimization standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADT ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADT ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.(5) Starting Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADT ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) A Commencing January 1, 2027, a state agency shall not procure an ADT, ADS, enter into a contract for an ADT, ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.(5) Requires the state agency or the ADT ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
2	2
3		-	~~Enrolled September 05, 2024 Passed IN Senate August 31, 2024 Passed IN Assembly August 28, 2024~~ Amended IN Assembly August 19, 2024 Amended IN Assembly July 03, 2024 Amended IN Assembly June 21, 2024 Amended IN Senate April 10, 2024 Amended IN Senate April 01, 2024 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Senate Bill No. 892Introduced by Senator Padilla(Coauthors: Senators Rubio and Smallwood-Cuevas)January 03, 2024An act to add Section 12100.1 to the Public Contract Code, relating to public contracts.LEGISLATIVE COUNSEL'S DIGESTSB 892, Padilla. Public contracts: automated decision systems: procurement standards.Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.This bill would require the Department of Technology to develop and adopt regulations to create an automated decision system (ADS) procurement standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADS procurement standard and review and update the ADS procurement standard and related regulations, as specified.~~Commencing~~ January 1, 2027, this bill would prohibit a state agency from procuring an ADS, entering into a contract for an ADS, or any service that utilizes an ADS, as specified, until the department has adopted regulations creating an ADS procurement standard. Commencing January 1, 2027, the bill would also require a contract for an ADS or a service that utilizes an ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
	3	+	Amended IN Assembly August 19, 2024 Amended IN Assembly July 03, 2024 Amended IN Assembly June 21, 2024 Amended IN Senate April 10, 2024 Amended IN Senate April 01, 2024 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Senate Bill No. 892Introduced by Senator Padilla(Coauthors: Senators Rubio and Smallwood-Cuevas)January 03, 2024An act to add Section 12100.1 to the Public Contract Code, relating to public contracts.LEGISLATIVE COUNSEL'S DIGESTSB 892, as amended, Padilla. Public contracts: automated decision tools: systems: procurement standards.Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. Existing law, the California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA, as amended, establishes the California Privacy Protection Agency with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.This bill would require the Department of Technology to develop and adopt regulations to create an automated decision tool (ADT) system (ADS) procurement standard, following the adoption of specified regulations by the California Privacy Protection Agency or the enactment of comprehensive ADT legislation, whichever occurs sooner. standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADT ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADT, ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADT ADS procurement standard and review and update the ADT ADS procurement standard and related regulations, as specified. ThisCommencing January 1, 2027, this bill would prohibit a state agency from procuring an ADT, ADS, entering into a contract for an ADT, ADS, or any service that utilizes an ADT ADS, as specified, until the department has adopted regulations creating an ADT ADS procurement standard. The Commencing January 1, 2027, the bill would also require a contract for an ADT ADS or a service that utilizes an ADT ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADT, ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
4	4
5		-	~~Enrolled September 05, 2024 Passed IN Senate August 31, 2024 Passed IN Assembly August 28, 2024~~ Amended IN Assembly August 19, 2024 Amended IN Assembly July 03, 2024 Amended IN Assembly June 21, 2024 Amended IN Senate April 10, 2024 Amended IN Senate April 01, 2024
	5	+	Amended IN Assembly August 19, 2024 Amended IN Assembly July 03, 2024 Amended IN Assembly June 21, 2024 Amended IN Senate April 10, 2024 Amended IN Senate April 01, 2024
6	6
7		-	Enrolled September 05, 2024
8		-	Passed IN Senate August 31, 2024
9		-	Passed IN Assembly August 28, 2024
10	7		Amended IN Assembly August 19, 2024
11	8		Amended IN Assembly July 03, 2024
12	9		Amended IN Assembly June 21, 2024
13	10		Amended IN Senate April 10, 2024
14	11		Amended IN Senate April 01, 2024
15	12
16	13		CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION
17	14
18	15		Senate Bill
19	16
20	17		No. 892
21	18
22	19		Introduced by Senator Padilla(Coauthors: Senators Rubio and Smallwood-Cuevas)January 03, 2024
23	20
24	21		Introduced by Senator Padilla(Coauthors: Senators Rubio and Smallwood-Cuevas)
25	22		January 03, 2024
26	23
27	24		An act to add Section 12100.1 to the Public Contract Code, relating to public contracts.
28	25
29	26		LEGISLATIVE COUNSEL'S DIGEST
30	27
31	28		## LEGISLATIVE COUNSEL'S DIGEST
32	29
33		-	SB 892, Padilla. Public contracts: automated decision systems: procurement standards.
	30	+	SB 892, as amended, Padilla. Public contracts: automated decision tools: systems: procurement standards.
34	31
35		-	Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.This bill would require the Department of Technology to develop and adopt regulations to create an automated decision system (ADS) procurement standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADS procurement standard and review and update the ADS procurement standard and related regulations, as specified.~~Commencing~~ January 1, 2027, this bill would prohibit a state agency from procuring an ADS, entering into a contract for an ADS, or any service that utilizes an ADS, as specified, until the department has adopted regulations creating an ADS procurement standard. Commencing January 1, 2027, the bill would also require a contract for an ADS or a service that utilizes an ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.
	32	+	Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. Existing law, the California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA, as amended, establishes the California Privacy Protection Agency with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.This bill would require the Department of Technology to develop and adopt regulations to create an automated decision tool (ADT) system (ADS) procurement standard, following the adoption of specified regulations by the California Privacy Protection Agency or the enactment of comprehensive ADT legislation, whichever occurs sooner. standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADT ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADT, ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADT ADS procurement standard and review and update the ADT ADS procurement standard and related regulations, as specified. ThisCommencing January 1, 2027, this bill would prohibit a state agency from procuring an ADT, ADS, entering into a contract for an ADT, ADS, or any service that utilizes an ADT ADS, as specified, until the department has adopted regulations creating an ADT ADS procurement standard. The Commencing January 1, 2027, the bill would also require a contract for an ADT ADS or a service that utilizes an ADT ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADT, ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.
36	33
37	34		Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.
38	35
39		-	~~This bill would require the Department of Technology to develop and adopt regulations to create an automated decision system (ADS) procurement standard. To develop those regulations~~, the ~~bill would require~~ the ~~department~~ to ~~consider principles~~ and ~~industry standards addressed in specified publications regarding AI risk management~~. The bill would require the ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADS, methods for appropriate risk controls, as ~~provided~~, and ~~adverse incident monitoring procedures.~~ The bill would require the department to, among other things, collaborate with specified organizations to develop the ADS procurement standard and review and update the ADS procurement standard and related regulations, as specified.
	36	+	Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. Existing law, the California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA, as amended, establishes the California Privacy Protection Agency with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.
40	37
41		-	Commencing January 1, 2027, this bill would prohibit a state agency from procuring an ADS, entering into a contract for an ADS, or any service that utilizes an ADS, as specified, until the department has adopted regulations creating an ADS procurement standard. Commencing January 1, 2027, the bill would also require a contract for an ADS or a service that utilizes an ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.
	38	+	This bill would require the Department of Technology to develop and adopt regulations to create an automated decision tool (ADT) system (ADS) procurement standard, following the adoption of specified regulations by the California Privacy Protection Agency or the enactment of comprehensive ADT legislation, whichever occurs sooner. standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADT ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADT, ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADT ADS procurement standard and review and update the ADT ADS procurement standard and related regulations, as specified.
	39	+
	40	+	This
	41	+
	42	+
	43	+
	44	+	Commencing January 1, 2027, this bill would prohibit a state agency from procuring an ADT, ADS, entering into a contract for an ADT, ADS, or any service that utilizes an ADT ADS, as specified, until the department has adopted regulations creating an ADT ADS procurement standard. The Commencing January 1, 2027, the bill would also require a contract for an ADT ADS or a service that utilizes an ADT ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADT, ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.
42	45
43	46		## Digest Key
44	47
45	48		## Bill Text
46	49
47		-	The people of the State of California do enact as follows:SECTION 1. Section 12100.1 is added to the Public Contract Code, to read:12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2) ~~(A)~~ Automated decision system or ~~ADS~~ means a ~~computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence~~ that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.(3) Department means the Department of Technology.(b) The department shall develop and adopt regulations to create an ADS procurement standard.(1) To develop regulations related to the ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADS.(ii) The purpose and use of the ADS.(iii) Any known potential misuses or abuses of the ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS.(v) The robustness, accuracy, and reliability of the ADS.(vi) The interpretability and explainability of ~~the~~ ADS.(B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADS.(ii) How the information or decisions generated by the ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADS.(G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.(5) Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADS upgrades and enhancements.(5) Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
	50	+	The people of the State of California do enact as follows:SECTION 1. Section 12100.1 is added to the Public Contract Code, to read:12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2)Automated decision tool or ADT means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.(3)Consequential decision means a decision or judgment that has a legal, material, or similarly significant effect on an individuals life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:(A)Employment with respect to all of the following:(i)Pay or promotion.(ii)Hiring or termination.(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.(B)Education and vocational training as it relates to all of the following:(i)Assessment or placement.(ii)Detecting student cheating or plagiarism.(iii)Accreditation.(iv)Certification.(v)Admissions or enrollment.(vi)Discipline.(vii)Evaluation.(viii)Financial aid or scholarships.(C)Housing or lodging, including rental or short-term housing or lodging.(D)All of the following essential utilities:(i)Electricity.(ii)Heat.(iii)Water.(iv)Internet or telecommunications access.(v)Transportation.(E)Family planning.(F)Adoption services, reproductive services, or assessments related to child protective services.(G)Health care or health insurance, including mental health care, dental, or vision.(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(I)All of the following aspects of the criminal justice system:(i)Risk assessments for pretrial hearings.(ii)Sentencing.(iii)Parole.(J)Legal services.(K)Private arbitration.(L)Mediation.(M)Voting. (2) (A) Automated decision system or ADS means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data. (4)(3) Department means the Department of Technology.(5)Substantial factor means an element of a decisionmaking process that is capable of altering the outcome of the process.(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADT ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADT. ADS.(ii) The purpose and use of the ADT. ADS.(iii) Any known potential misuses or abuses of the ADT. ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT. ADS.(v) The robustness, accuracy, and reliability of the ADT. ADS.(vi) The interpretability and explainability of theADT. ADS.(B) Methods for appropriate risk controls between the state agency and ADT ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADT ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADT. ADS.(ii) How the information or decisions generated by the ADT ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADT ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.(G) Adherence to data minimization standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADT ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADT ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.(5) Starting Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADT ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) A Commencing January 1, 2027, a state agency shall not procure an ADT, ADS, enter into a contract for an ADT, ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.(5) Requires the state agency or the ADT ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
48	51
49	52		The people of the State of California do enact as follows:
50	53
51	54		## The people of the State of California do enact as follows:
52	55
53		-	SECTION 1. Section 12100.1 is added to the Public Contract Code, to read:12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2) ~~(A)~~ Automated decision system or ~~ADS~~ means a ~~computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence~~ that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.(3) Department means the Department of Technology.(b) The department shall develop and adopt regulations to create an ADS procurement standard.(1) To develop regulations related to the ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADS.(ii) The purpose and use of the ADS.(iii) Any known potential misuses or abuses of the ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS.(v) The robustness, accuracy, and reliability of the ADS.(vi) The interpretability and explainability of ~~the~~ ADS.(B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADS.(ii) How the information or decisions generated by the ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADS.(G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.(5) Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADS upgrades and enhancements.(5) Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
	56	+	SECTION 1. Section 12100.1 is added to the Public Contract Code, to read:12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2)Automated decision tool or ADT means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.(3)Consequential decision means a decision or judgment that has a legal, material, or similarly significant effect on an individuals life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:(A)Employment with respect to all of the following:(i)Pay or promotion.(ii)Hiring or termination.(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.(B)Education and vocational training as it relates to all of the following:(i)Assessment or placement.(ii)Detecting student cheating or plagiarism.(iii)Accreditation.(iv)Certification.(v)Admissions or enrollment.(vi)Discipline.(vii)Evaluation.(viii)Financial aid or scholarships.(C)Housing or lodging, including rental or short-term housing or lodging.(D)All of the following essential utilities:(i)Electricity.(ii)Heat.(iii)Water.(iv)Internet or telecommunications access.(v)Transportation.(E)Family planning.(F)Adoption services, reproductive services, or assessments related to child protective services.(G)Health care or health insurance, including mental health care, dental, or vision.(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(I)All of the following aspects of the criminal justice system:(i)Risk assessments for pretrial hearings.(ii)Sentencing.(iii)Parole.(J)Legal services.(K)Private arbitration.(L)Mediation.(M)Voting. (2) (A) Automated decision system or ADS means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data. (4)(3) Department means the Department of Technology.(5)Substantial factor means an element of a decisionmaking process that is capable of altering the outcome of the process.(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADT ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADT. ADS.(ii) The purpose and use of the ADT. ADS.(iii) Any known potential misuses or abuses of the ADT. ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT. ADS.(v) The robustness, accuracy, and reliability of the ADT. ADS.(vi) The interpretability and explainability of theADT. ADS.(B) Methods for appropriate risk controls between the state agency and ADT ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADT ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADT. ADS.(ii) How the information or decisions generated by the ADT ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADT ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.(G) Adherence to data minimization standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADT ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADT ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.(5) Starting Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADT ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) A Commencing January 1, 2027, a state agency shall not procure an ADT, ADS, enter into a contract for an ADT, ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.(5) Requires the state agency or the ADT ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
54	57
55	58		SECTION 1. Section 12100.1 is added to the Public Contract Code, to read:
56	59
57	60		### SECTION 1.
58	61
59		-	12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2) ~~(A)~~ Automated decision system or ~~ADS~~ means a ~~computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence~~ that ~~issues simplified output, including a score, classification, or recommendation, that is used~~ to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access ~~management tools, calculator, database, dataset, or other compilation of data.(3) Department means the Department of Technology.(b) The department shall develop and adopt regulations~~ to ~~create an ADS procurement standard.(1)~~ To ~~develop regulations related to the ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all~~ of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADS.(ii) The purpose and use of the ADS.(iii) Any known potential misuses or abuses of the ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS.(v) The robustness, accuracy, and reliability of the ADS.(vi) The interpretability and explainability of ~~the~~ ADS.(B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADS.(ii) How the information or decisions generated by the ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADS.(G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.(5) Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADS upgrades and enhancements.(5) Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
	62	+	12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2)Automated decision tool or ADT means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.(3)Consequential decision means a decision or judgment that has a legal, material, or similarly significant effect on an individuals life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:(A)Employment with respect to all of the following:(i)Pay or promotion.(ii)Hiring or termination.(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.(B)Education and vocational training as it relates to all of the following:(i)Assessment or placement.(ii)Detecting student cheating or plagiarism.(iii)Accreditation.(iv)Certification.(v)Admissions or enrollment.(vi)Discipline.(vii)Evaluation.(viii)Financial aid or scholarships.(C)Housing or lodging, including rental or short-term housing or lodging.(D)All of the following essential utilities:(i)Electricity.(ii)Heat.(iii)Water.(iv)Internet or telecommunications access.(v)Transportation.(E)Family planning.(F)Adoption services, reproductive services, or assessments related to child protective services.(G)Health care or health insurance, including mental health care, dental, or vision.(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(I)All of the following aspects of the criminal justice system:(i)Risk assessments for pretrial hearings.(ii)Sentencing.(iii)Parole.(J)Legal services.(K)Private arbitration.(L)Mediation.(M)Voting. (2) (A) Automated decision system or ADS means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data. (4)(3) Department means the Department of Technology.(5)Substantial factor means an element of a decisionmaking process that is capable of altering the outcome of the process.(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADT ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADT. ADS.(ii) The purpose and use of the ADT. ADS.(iii) Any known potential misuses or abuses of the ADT. ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT. ADS.(v) The robustness, accuracy, and reliability of the ADT. ADS.(vi) The interpretability and explainability of theADT. ADS.(B) Methods for appropriate risk controls between the state agency and ADT ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADT ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADT. ADS.(ii) How the information or decisions generated by the ADT ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADT ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.(G) Adherence to data minimization standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADT ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADT ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.(5) Starting Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADT ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) A Commencing January 1, 2027, a state agency shall not procure an ADT, ADS, enter into a contract for an ADT, ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.(5) Requires the state agency or the ADT ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
60	63
61		-	12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2) ~~(A)~~ Automated decision system or ~~ADS~~ means a ~~computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence~~ that ~~issues simplified output, including a score, classification, or recommendation, that is used~~ to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access ~~management tools, calculator, database, dataset, or other compilation of data.(3) Department means the Department of Technology.(b) The department shall develop and adopt regulations~~ to ~~create an ADS procurement standard.(1)~~ To ~~develop regulations related to the ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all~~ of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADS.(ii) The purpose and use of the ADS.(iii) Any known potential misuses or abuses of the ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS.(v) The robustness, accuracy, and reliability of the ADS.(vi) The interpretability and explainability of ~~the~~ ADS.(B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADS.(ii) How the information or decisions generated by the ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADS.(G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.(5) Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADS upgrades and enhancements.(5) Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
	64	+	12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2)Automated decision tool or ADT means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.(3)Consequential decision means a decision or judgment that has a legal, material, or similarly significant effect on an individuals life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:(A)Employment with respect to all of the following:(i)Pay or promotion.(ii)Hiring or termination.(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.(B)Education and vocational training as it relates to all of the following:(i)Assessment or placement.(ii)Detecting student cheating or plagiarism.(iii)Accreditation.(iv)Certification.(v)Admissions or enrollment.(vi)Discipline.(vii)Evaluation.(viii)Financial aid or scholarships.(C)Housing or lodging, including rental or short-term housing or lodging.(D)All of the following essential utilities:(i)Electricity.(ii)Heat.(iii)Water.(iv)Internet or telecommunications access.(v)Transportation.(E)Family planning.(F)Adoption services, reproductive services, or assessments related to child protective services.(G)Health care or health insurance, including mental health care, dental, or vision.(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(I)All of the following aspects of the criminal justice system:(i)Risk assessments for pretrial hearings.(ii)Sentencing.(iii)Parole.(J)Legal services.(K)Private arbitration.(L)Mediation.(M)Voting. (2) (A) Automated decision system or ADS means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data. (4)(3) Department means the Department of Technology.(5)Substantial factor means an element of a decisionmaking process that is capable of altering the outcome of the process.(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADT ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADT. ADS.(ii) The purpose and use of the ADT. ADS.(iii) Any known potential misuses or abuses of the ADT. ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT. ADS.(v) The robustness, accuracy, and reliability of the ADT. ADS.(vi) The interpretability and explainability of theADT. ADS.(B) Methods for appropriate risk controls between the state agency and ADT ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADT ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADT. ADS.(ii) How the information or decisions generated by the ADT ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADT ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.(G) Adherence to data minimization standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADT ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADT ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.(5) Starting Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADT ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) A Commencing January 1, 2027, a state agency shall not procure an ADT, ADS, enter into a contract for an ADT, ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.(5) Requires the state agency or the ADT ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
62	65
63		-	12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2) ~~(A)~~ Automated decision system or ~~ADS~~ means a ~~computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence~~ that ~~issues simplified output, including a score, classification, or recommendation, that is used~~ to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access ~~management tools, calculator, database, dataset, or other compilation of data.(3) Department means the Department of Technology.(b) The department shall develop and adopt regulations~~ to ~~create an ADS procurement standard.(1)~~ To ~~develop regulations related to the ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all~~ of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADS.(ii) The purpose and use of the ADS.(iii) Any known potential misuses or abuses of the ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS.(v) The robustness, accuracy, and reliability of the ADS.(vi) The interpretability and explainability of ~~the~~ ADS.(B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADS.(ii) How the information or decisions generated by the ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADS.(G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.(5) Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADS upgrades and enhancements.(5) Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
	66	+	12100.1. (a) For purposes of this section, the following definitions apply:(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(2)Automated decision tool or ADT means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.(3)Consequential decision means a decision or judgment that has a legal, material, or similarly significant effect on an individuals life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:(A)Employment with respect to all of the following:(i)Pay or promotion.(ii)Hiring or termination.(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.(B)Education and vocational training as it relates to all of the following:(i)Assessment or placement.(ii)Detecting student cheating or plagiarism.(iii)Accreditation.(iv)Certification.(v)Admissions or enrollment.(vi)Discipline.(vii)Evaluation.(viii)Financial aid or scholarships.(C)Housing or lodging, including rental or short-term housing or lodging.(D)All of the following essential utilities:(i)Electricity.(ii)Heat.(iii)Water.(iv)Internet or telecommunications access.(v)Transportation.(E)Family planning.(F)Adoption services, reproductive services, or assessments related to child protective services.(G)Health care or health insurance, including mental health care, dental, or vision.(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(I)All of the following aspects of the criminal justice system:(i)Risk assessments for pretrial hearings.(ii)Sentencing.(iii)Parole.(J)Legal services.(K)Private arbitration.(L)Mediation.(M)Voting. (2) (A) Automated decision system or ADS means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data. (4)(3) Department means the Department of Technology.(5)Substantial factor means an element of a decisionmaking process that is capable of altering the outcome of the process.(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.(2) The ADT ADS procurement standard shall include all of the following:(A) A detailed risk assessment procedure that analyzes all of the following:(i) Organizational and supply chain governance associated with the ADT. ADS.(ii) The purpose and use of the ADT. ADS.(iii) Any known potential misuses or abuses of the ADT. ADS.(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT. ADS.(v) The robustness, accuracy, and reliability of the ADT. ADS.(vi) The interpretability and explainability of theADT. ADS.(B) Methods for appropriate risk controls between the state agency and ADT ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.(C) Adverse incident monitoring procedures.(D) Identification and classification of prohibited use cases and applications of ADT ADS that the state shall not procure.(E) A detailed equity assessment that analyzes, at a minimum, all of the following:(i) The individuals and communities that will interact with the ADT. ADS.(ii) How the information or decisions generated by the ADT ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.(iii) Any issues that may arise if the ADT ADS is inaccurate.(iv) How users with diverse abilities will interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.(G) Adherence to data minimization standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.(3) In developing the ADT ADS procurement standard, the department shall do all of the following:(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS procurement, design, and deployment.(B) Consult with the California Privacy Protection Agency.(C) Solicit public comment on the ADT ADS procurement standard.(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both not contradict either of the following:(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.(5) Starting Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:(A) The ADT ADS procurement standard.(B) Regulations adopted pursuant to this subdivision.(c) A Commencing January 1, 2027, a state agency shall not procure an ADT, ADS, enter into a contract for an ADT, ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to appropriate procurement standards.(3) Provides procedures for adverse incident monitoring.(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.(5) Requires the state agency or the ADT ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
64	67
65	68
66	69
67	70		12100.1. (a) For purposes of this section, the following definitions apply:
68	71
69	72		(1) Artificial intelligence or AI means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.
70	73
	74	+	(2)Automated decision tool or ADT means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.
	75	+
	76	+
	77	+
	78	+	(3)Consequential decision means a decision or judgment that has a legal, material, or similarly significant effect on an individuals life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:
	79	+
	80	+
	81	+
	82	+	(A)Employment with respect to all of the following:
	83	+
	84	+
	85	+
	86	+	(i)Pay or promotion.
	87	+
	88	+
	89	+
	90	+	(ii)Hiring or termination.
	91	+
	92	+
	93	+
	94	+	(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.
	95	+
	96	+
	97	+
	98	+	(B)Education and vocational training as it relates to all of the following:
	99	+
	100	+
	101	+
	102	+	(i)Assessment or placement.
	103	+
	104	+
	105	+
	106	+	(ii)Detecting student cheating or plagiarism.
	107	+
	108	+
	109	+
	110	+	(iii)Accreditation.
	111	+
	112	+
	113	+
	114	+	(iv)Certification.
	115	+
	116	+
	117	+
	118	+	(v)Admissions or enrollment.
	119	+
	120	+
	121	+
	122	+	(vi)Discipline.
	123	+
	124	+
	125	+
	126	+	(vii)Evaluation.
	127	+
	128	+
	129	+
	130	+	(viii)Financial aid or scholarships.
	131	+
	132	+
	133	+
	134	+	(C)Housing or lodging, including rental or short-term housing or lodging.
	135	+
	136	+
	137	+
	138	+	(D)All of the following essential utilities:
	139	+
	140	+
	141	+
	142	+	(i)Electricity.
	143	+
	144	+
	145	+
	146	+	(ii)Heat.
	147	+
	148	+
	149	+
	150	+	(iii)Water.
	151	+
	152	+
	153	+
	154	+	(iv)Internet or telecommunications access.
	155	+
	156	+
	157	+
	158	+	(v)Transportation.
	159	+
	160	+
	161	+
	162	+	(E)Family planning.
	163	+
	164	+
	165	+
	166	+	(F)Adoption services, reproductive services, or assessments related to child protective services.
	167	+
	168	+
	169	+
	170	+	(G)Health care or health insurance, including mental health care, dental, or vision.
	171	+
	172	+
	173	+
	174	+	(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.
	175	+
	176	+
	177	+
	178	+	(I)All of the following aspects of the criminal justice system:
	179	+
	180	+
	181	+
	182	+	(i)Risk assessments for pretrial hearings.
	183	+
	184	+
	185	+
	186	+	(ii)Sentencing.
	187	+
	188	+
	189	+
	190	+	(iii)Parole.
	191	+
	192	+
	193	+
	194	+	(J)Legal services.
	195	+
	196	+
	197	+
	198	+	(K)Private arbitration.
	199	+
	200	+
	201	+
	202	+	(L)Mediation.
	203	+
	204	+
	205	+
	206	+	(M)Voting.
	207	+
	208	+
	209	+
71	210		(2) (A) Automated decision system or ADS means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons.
72	211
73	212		(B) Automated decision system does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.
74	213
	214	+	(4)
	215	+
	216	+
	217	+
75	218		(3) Department means the Department of Technology.
76	219
77		-	(b) The ~~department shall develop and adopt regulations to create an ADS procurement standard~~.
	220	+	(5)Substantial factor means an element of a decisionmaking process that is capable of altering the outcome of the process.
78	221
79		-	(1) To develop regulations related to the ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:
	222	+
	223	+
	224	+	(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.
	225	+
	226	+	(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following:
80	227
81	228		(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.
82	229
83	230		(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.
84	231
85	232		(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.
86	233
87	234		(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.
88	235
89		-	(2) The ADS procurement standard shall include all of the following:
	236	+	(2) The ADT ADS procurement standard shall include all of the following:
90	237
91	238		(A) A detailed risk assessment procedure that analyzes all of the following:
92	239
93		-	(i) Organizational and supply chain governance associated with the ADS.
	240	+	(i) Organizational and supply chain governance associated with the ADT. ADS.
94	241
95		-	(ii) The purpose and use of the ADS.
	242	+	(ii) The purpose and use of the ADT. ADS.
96	243
97		-	(iii) Any known potential misuses or abuses of the ADS.
	244	+	(iii) Any known potential misuses or abuses of the ADT. ADS.
98	245
99		-	(iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS.
	246	+	(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT. ADS.
100	247
101		-	(v) The robustness, accuracy, and reliability of the ADS.
	248	+	(v) The robustness, accuracy, and reliability of the ADT. ADS.
102	249
103		-	(vi) The interpretability and explainability of ~~the~~ ADS.
	250	+	(vi) The interpretability and explainability of theADT. ADS.
104	251
105		-	(B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.
	252	+	(B) Methods for appropriate risk controls between the state agency and ADT ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.
106	253
107	254		(C) Adverse incident monitoring procedures.
108	255
109		-	(D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure.
	256	+	(D) Identification and classification of prohibited use cases and applications of ADT ADS that the state shall not procure.
110	257
111	258		(E) A detailed equity assessment that analyzes, at a minimum, all of the following:
112	259
113		-	(i) The individuals and communities that will interact with the ADS.
	260	+	(i) The individuals and communities that will interact with the ADT. ADS.
114	261
115		-	(ii) How the information or decisions generated by the ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.
	262	+	(ii) How the information or decisions generated by the ADT ADS will impact an individuals rights, freedoms, economic status, health, health care, or well-being.
116	263
117		-	(iii) Any issues that may arise if the ADS is inaccurate.
	264	+	(iii) Any issues that may arise if the ADT ADS is inaccurate.
118	265
119		-	(iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies.
	266	+	(iv) How users with diverse abilities will interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.
120	267
121		-	(F) An assessment that analyzes the level of human oversight associated with the use of ADS.
	268	+	(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.
122	269
123		-	(G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.
	270	+	(G) Adherence to data minimization standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.
124	271
125		-	(3) In developing the ADS procurement standard, the department shall do all of the following:
	272	+	(3) In developing the ADT ADS procurement standard, the department shall do all of the following:
126	273
127		-	(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment.
	274	+	(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS procurement, design, and deployment.
128	275
129	276		(B) Consult with the California Privacy Protection Agency.
130	277
131		-	(C) Solicit public comment on the ADS procurement standard.
	278	+	(C) Solicit public comment on the ADT ADS procurement standard.
132	279
133	280		(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.
134	281
135		-	(B) Regulations adopted by the department pursuant to subparagraph (A) shall not contradict either of the following:
	282	+	(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both not contradict either of the following:
136	283
137	284		(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.
138	285
139		-	(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.
	286	+	(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.
140	287
141		-	(5) Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:
	288	+	(5) Starting Commencing January 1, 2026, and annually thereafter, the department shall review and update both of the following:
142	289
143		-	(A) The ADS procurement standard.
	290	+	(A) The ADT ADS procurement standard.
144	291
145	292		(B) Regulations adopted pursuant to this subdivision.
146	293
147		-	(c) Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).
	294	+	(c) A Commencing January 1, 2027, a state agency shall not procure an ADT, ADS, enter into a contract for an ADT, ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).
148	295
149		-	(d) Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:
	296	+	(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:
150	297
151		-	(1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).
	298	+	(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).
152	299
153		-	(2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards.
	300	+	(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to appropriate procurement standards.
154	301
155	302		(3) Provides procedures for adverse incident monitoring.
156	303
157		-	(4) Requires authorization from the state agency before deployment of ADS upgrades and enhancements.
	304	+	(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.
158	305
159		-	(5) Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.
	306	+	(5) Requires the state agency or the ADT ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.
160	307
161	308		(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.
162	309
163	310		(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.