Amended IN Assembly April 10, 2025 CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 1018Introduced by Assembly Member Bauer-Kahan(Coauthors: Assembly Members Aguiar-Curry, Bryan, Ortega, Ward)February 20, 2025An act to add Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, to amend Section 51 of the Civil Code, and to add Article 3 (commencing with Section 12959) to Chapter 6 of Part 2.8 of Division 3 of Title 2 of the Government Code, relating to artificial intelligence.LEGISLATIVE COUNSEL'S DIGESTAB 1018, as amended, Bauer-Kahan. Automated decision systems.The California Fair Employment and Housing Act establishes the Civil Rights Department within the Business, Consumer Services, and Housing Agency and requires the department to, among other things, bring civil actions to enforce the act.Existing law requires, on or before September 1, 2024, the Department of Technology to conduct, in coordination with other interagency bodies as it deems appropriate, a comprehensive inventory of all high-risk automated decision systems that have been proposed for use, development, or procurement by, or are being used, developed, or procured by, any state agency.This bill would generally regulate the development and deployment of an automated decision system (ADS) used to make consequential decisions, as defined. The bill would define automated decision system to mean a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.This bill would require a developer of a covered ADS, as defined, to take certain actions, including conduct performance evaluations of the covered ADS and provide deployers to whom the developer transfers the covered ADS with certain information, including the results of those performance evaluations.This bill would, beginning January 1, 2027, require a deployer of a covered ADS to take certain actions, including provide certain disclosures to a subject of a consequential decision made or facilitated by the covered ADS, provide the subject an opportunity to opt out of the use of the covered ADS, provide the subject with an opportunity to appeal the outcome of the consequential decision, and submit the covered ADS to third-party audits, as prescribed. The bill would also prescribe requirements for a third party to audit a covered ADS.This bill would prescribe requirements for a third party to audit a covered ADS, as prescribed.This bill would require a developer, deployer, or auditor to, within 30 days of receiving a request from the Attorney General, provide an unredacted copy of the performance evaluation or disparate impact assessment prepared pursuant to the bill to the Attorney General and would exempt those records from the California Public Records Act.This bill would authorize certain public entities, including the Attorney General, to bring a specified civil action for noncompliance.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Chapter 24.6 (commencing with Section 22756) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 24.6. Automated Decisions Safety Act22756. As used in this chapter:(a) Artificial intelligence means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(b) (1) Automated decision system means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.(2) Automated decision system does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.(c) Consequential decision means a decision that materially impacts the cost, terms, quality, or accessibility of any of the following to a natural person:(1) Employment-related decisions.(2) Education and vocational training as they relate to any of the following:(A) Assessment and placement.(B) Detecting student cheating and plagiarism.(C) Accreditation.(D) Certification.(E) Admissions and enrollment.(F) Discipline.(G) Evaluation.(H) Financial aid and scholarships.(I) Proctoring.(3) Housing and lodging as they relate to any of the following:(A) Rental or short-term housing and lodging.(B) Home appraisals.(C) Rental subsidies.(D) Publicly supported housing.(4) Any of the following essential utilities:(A) Electricity.(B) Heat.(C) Water.(D)Internet and telecommunications access.(E)(D) Transportation.(F)(E) Municipal trash and sewage services.(5) Family planning, adoption services, reproductive services, and assessments related to child protective services.(6) Health care and health insurance, including mental health care, dental, and vision.(7) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(8) The criminal justice system with respect to pretrial release, sentencing, and alternatives to incarceration.(9) Legal services.(10) Private arbitration.(11) Mediation.(12) Elections as they relate to any of the following:(A) Voting.(B) Redistricting.(C) Voter eligibility and registration.(D) Distribution of voting information.(E) Election administration.(13) Access to government benefits or services or assignment of penalties by a government entity.(14) Places of public accommodation, as defined in Section 55.52 of the Civil Code.(15) Insurance.(16) Internet and telecommunications access.(d) Covered automated decision system or covered ADS means an automated decision system that makes or facilitates is designed or used to make or facilitate a consequential decision.(e) Credit score means a credit score, as defined in Section 1785.15.1 of the Civil Code, from a consumer credit reporting agency, as defined in Section 1785.3 of the Civil Code.(e)(f) Deployer means a person, partnership, state or local government agency, corporation, or developer that uses a covered ADS to make or facilitate a consequential decision, either directly or through by contracting with a third party. party for that purpose.(f)(g) Developer means a person, partnership, state or local government agency, corporation, or deployer that designs, codes, substantially modifies, or otherwise produces an automated decision system that makes or facilitates a consequential decision, either directly or through by contracting with a third party. party for those purposes.(g)(h) (1) Developer-approved use means a deployment context in which a developer intends a covered ADS to make or facilitate a consequential decision.(2) Developer-approved use includes any reasonably foreseeable fine tuning of the covered ADS.(h)(i) Disparate impact means a differential effect on a group of individuals who share a protected characteristic.(i)(j) Disparate treatment means differential treatment of an individual or group of individuals on the basis of a protected characteristic.(j)(k) Employment-related decision means a decision made by an employer, either directly or through a third party, that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks and responsibilities, assignment of work, access to work and training opportunities, productivity requirements, workplace health and safety, or other terms or conditions of employment.(k)(l) (1) Express consent means an affirmative written authorization that is granted in response to a notice that is all of the following:(A) Clear, meaningful, and prominent.(B) Conveyed in a manner that a natural person would notice and understand it.(C) Not contained within a more general notice, agreement, or set of terms and conditions.(2) Express consent does not mean an authorization that is either of the following:(A) Inferred from inaction.(B) Obtained through the use of a dark pattern, as defined in Section 56.18 of the Civil Code.(l)(m) Fine-tune means to adjust the model parameters of an automated decision system through exposure to additional data.(m)(n) Labor Commissioner means Chief of the Division of Labor Standards Enforcement.(n)(o) Personal information has the same meaning as defined in Section 1798.140 of the Civil Code.(o)(p) Protected characteristic means a characteristic listed in subdivision (b) of Section 51 of the Civil Code.(p)(q) (1) Substantial modification means a new version, release, update, or other modification to a covered ADS that materially changes its uses or outputs.(2) Substantial modification does not mean a modification that results from fine tuning.(q)(r) Trade secret has the same meaning as in Section 3426.1 of the Civil Code.22756.1. (a) (1) With respect to a covered ADS that was first deployed, or made available to potential deployers, before January 1, 2026, the developer of the covered ADS shall conduct an initial performance evaluation on the covered ADS before January 1, 2027, and shall additionally conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Following any substantial modification of the covered ADS by the developer.(B) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(C) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(2) With respect to a covered ADS that is first deployed or made available to potential deployers on or after January 1, 2026, the developer of the covered ADS shall conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Before initially deploying the covered ADS or making the covered ADS available to potential deployers.(B) Following any substantial modification of the covered ADS by the developer.(C) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(D) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(b) In conducting a performance evaluation on a covered ADS, a developer shall do all of the following:(1) Describe the purpose of the covered ADS.(2) List and describe all developer-approved uses of the covered ADS.(3) For each developer-approved use, assess evaluate the expected performance of the covered ADS and document all of the following:(A) The expected accuracy and reliability of the covered ADS.(B) Any reasonably foreseeable effects of fine tuning on the accuracy and reliability of the covered ADS.(4)For each developer-approved use, assess whether(C) Whether any disparate treatment is intended to occur and document and, if so, all of the following:(A)Whether the covered ADS is intended to treat individuals or groups of individuals differently on the basis of a protected characteristic.(B)For each disparate treatment identified under subparagraph (A), describe all of the following:(i) The conditions under which the each disparate treatment is intended to occur.(ii) Whether the each disparate treatment is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate treatment were considered.(C)(D) Any reasonably foreseeable effects of fine tuning on disparate treatment.(5)For each developer-approved use, assess whether (E) Whether any disparate impacts are reasonably likely to occur and document and, if so, all of the following:(A)Whether the covered ADS is reasonably likely to treat groups of individuals who share a protected characteristic differently.(B)For each disparate impact identified under subparagraph (A), describe all of the following:(i) The conditions under which that each disparate impact is reasonably likely to occur.(ii) Whether the each disparate impact is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate impacts were considered.(C)(F) Whether any measures have been taken by the developer to mitigate the risk of unanticipated disparate impacts resulting from the use of the covered ADS.(D)(G) With respect to a covered ADS that has been deployed, whether any unanticipated disparate impacts have been reported to the developer by a deployer, and whether the developer has taken any measures to mitigate those disparate impacts.(E)(H) Any reasonably foreseeable effects of fine tuning on disparate impacts.(6)(4) (A) Contract with an independent third-party auditor to assess the developers compliance with this subdivision.(B) (i) Except pursuant to clause (ii), a developer that contracts with an auditor pursuant to this paragraph shall provide the auditor with any available information that is reasonably necessary for the auditor to comprehensively assess developer compliance.(ii) A developer that provides documentation to an auditor pursuant to this subparagraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a developer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) If the deadline for conducting a performance evaluation pursuant to subdivision (a) elapses before the audit has been completed, a developer shall not deploy the covered ADS or make the covered ADS available to potential deployers until the audit has been completed.(I) A developer that receives feedback from an auditor pursuant to this paragraph shall do both of the following:(i) Consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(ii) Make a high-level summary of the feedback publicly available at no cost to users of the developers internet website.(c) (1) A developer that sells, licenses, or otherwise transfers a covered ADS to a potential deployer shall provide the deployer with all of the following:(A) The results of the most recent performance evaluation conducted on the covered ADS by the developer pursuant to this chapter.(B) For each developer-approved use of the covered ADS, instructions explaining how the covered ADS should be used by the deployer to make or facilitate a consequential decision.(C) For each developer-approved use of the covered ADS, a description of whether and under what circumstances the covered ADS can be fine-tuned.(D) An explanation of the deployers responsibilities under this chapter, including a description of any circumstances under which the deployer would assume the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(E) (i) Any technical information necessary for the deployer to comply with this chapter.(ii) A developer shall not be required to provide additional technical information to a deployer that has assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(2) (A) A developer that provides documentation to a potential deployer pursuant to this subdivision may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a developer withholds information pursuant to subparagraph (A), the developer shall notify the deployer and provide a basis for the withholding.(d) A developer that receives an impact assessment from an auditor of a deployed covered ADS pursuant to subdivision (b) of Section 22756.3 shall provide all of the following information to any deployer of the covered ADS:(A) Any material differences between the expected accuracy of the covered ADS and the observed accuracy of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(B) Any material differences between the expected reliability of the covered ADS and the observed reliability of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(C) Any unanticipated disparate impacts resulting from the use of the covered ADS and the deployment conditions under which those disparate impacts are reasonably likely to occur.(D) An explanation of any steps the deployer can take to mitigate these discrepancies.(e) A developer that receives feedback from an auditor pursuant to this chapter shall consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(f) A developer that provides documentation to a deployer pursuant to this section shall ensure the documentation is all of the following:(A) Transmitted directly to the deployer or otherwise made available in a manner reasonably calculated to ensure the deployer receives the documentation.(B) Provided in English and in any other language the developer regularly uses to communicate with deployers.(C) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the deployer.(g) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall maintain all of the following documentation in an unredacted format for as long as the covered ADS remains deployed or developer deploys the covered ADS or makes the covered ADS available to potential deployers plus 10 years:(1) The results of any performance evaluations conducted on the covered ADS pursuant to this chapter.(2) Any documentation provided to deployers pursuant to this chapter.(3) Any documentation provided to, or received from, auditors pursuant to this chapter.(4) Records of any redactions made pursuant to this chapter.(h) It is unlawful to advertise to consumers in the state that a covered ADS is capable of performing in a manner not substantiated by the results of the most recent performance evaluation conducted on the covered ADS.(i) (1) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall designate at least one employee to oversee the developers compliance with this chapter.(2) A developer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue raised to that employee.22756.2. (a) (1) Except as provided in paragraph (2), before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a plain language written disclosure containing all of the following information:(A) A statement informing the subject that a covered ADS will be used to make or facilitate the consequential decision.(B) The name, version number, and developer of the covered ADS.(C) Whether the deployers use of the covered ADS is within the scope of a developer-approved use and a description of that use.(D) (i) The personal characteristics or attributes of the subject that the covered ADS measures or assesses to make or facilitate the consequential decision.(ii) The sources of personal information collected from the subject to make or facilitate the consequential decision.(iii) Any key parameters known to disproportionately affect the outcome of the consequential decision.(E) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs are used to make or facilitate the consequential decision.(F) Whether a natural person will review either of the following before the consequential decision is finalized:(i) The outputs of the covered ADS.(ii) The outcome of the consequential decision.(G) The subjects rights under subdivisions (b) and (c) (d) and the means and timeframe for exercising those rights.(H) (i) Contact information for the deployer.(ii) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(iii) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(2) Paragraph (1) does not apply if the subject of the consequential decision is having a medical emergency.(b) (1) Before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a reasonable opportunity to opt out of the use of the covered ADS.(2) (A) A deployer may deny a request to opt out of the use of a covered ADS if either of the following is true:(i) The deployer is subject to the federal Gramm-Leach-Bliley Act, and the covered ADS makes or facilitates a consequential decision pursuant to paragraph (7) of subdivision (c) of Section 22756.(ii) The subject of the consequential decision is having a medical emergency.(B) A deployer that denies a request to opt out of the use of a covered ADS pursuant to subparagraph (A) shall provide the subject with an explanation of the basis for the denial.(c) (1) After a deployer finalizes a consequential decision is finalized, made or facilitated by a covered ADS, the deployer shall provide any subject of that decision witha plain language written disclosure shall be provided containing all of the following information within five days, and the disclosure shall include all of the information: days:(A) The personal characteristics or attributes of the subject that the covered ADS measured or assessed used to make or facilitate the consequential decision.(B) The sources of personal information collected from the subject that were used to make or facilitate the consequential decision.(C) Any key parameters that disproportionately affected the outcome of the consequential decision.(D) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs were used to make or facilitate the consequential decision.(E) The role that the ADS played in making the consequential decision and whether any human judgment was involved.(F) Contact information for the deployer.(G) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(H) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(I) The subjects rights under subdivision (d) and the means and timeframe for exercising those rights.(2) Paragraph (1) is does not applicable apply if the subject of the consequential decision is having a medical emergency.(3) A deployer that provides documentation to a subject of a consequential decision pursuant to this subdivision shall ensure the documentation is all of the following:(A) Transmitted directly to the subject.(B) Provided in English and in any other language that the deployer regularly uses to communicate with subjects.(C) Made available in formats that are accessible to people who are blind or have other disabilities.(D) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the subject.(d) After finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with an opportunity to do both of the following within 30 business days:(1) (A) Correct any incorrect personal information used by the covered ADS to make or facilitate the consequential decision.(B) A deployer shall comply with a request to correct personal information within 30 business days of receiving the request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that complying with a request to correct personal information would change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that complying with a request to correct personal information would not change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, inform the subject that the correction was made but that it did not alter the decision.(D) A deployer that denies a request to correct personal information shall do both of the following:(i) Provide the subject with an explanation of the basis for the denial.(ii) Provide the subject with a reasonable opportunity to request that the deployer delete the subjects personal information.(2) (A) Appeal the outcome of the consequential decision.(B) A deployer shall review a request to appeal a consequential decision within 30 business days of receiving the request. request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that the original decision is was incorrect, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that the original decision is was correct, the deployer shall, within 30 days of making the determination, inform the subject that the consequential decision will not be altered.(D) A deployer that denies a request to appeal the outcome of a consequential decision shall provide the subject with an explanation of the basis for the denial.(e) (1) (A) A deployer that provides documentation to the subject of a consequential decision pursuant to this section may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a deployer withholds information pursuant to paragraph (1), the deployer shall notify the subject and provide a basis for the withholding.(2) A deployer that is required by another state or federal law to provide substantially similar notice to a subject of a consequential decision need not duplicatively provide notice to the subject under this section.(f) A deployers collection, use, retention, and sharing of personal information from a subject of a consequential decision shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected and processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(g) (1) A deployer that uses a covered ADS to make or facilitate consequential decisions directly impacting more than 5999 5,999 people in a given three-year period shall contract with an independent third-party auditor to conduct an impact assessment on the covered ADS before January 1, 2030, and every three years thereafter.(2) (A) Except pursuant to subparagraph (B), a deployer that contracts with an auditor pursuant to this subdivision shall provide the auditor with any available information that is reasonably necessary for the auditor to conduct a comprehensive impact assessment on the covered ADS.(B) A deployer that provides documentation to an auditor pursuant to this paragraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a deployer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) This paragraph shall not be construed to require a deployer to collect any personal information from a subject of a consequential decision beyond that which the deployer collects in the ordinary course of business or as necessary to comply with state or federal law.(3) If the deadline for conducting an audit pursuant to paragraph (1) elapses before the audit has been completed, a deployer shall not use the covered ADS to make or facilitate consequential decisions until the audit has been completed.(h) A deployer that does any of the following assumes the responsibilities of a developer under this chapter:(1) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployer did not receive any documentation from the developer of the covered ADS pursuant to subdivision (c) of Section 22756.1. 22756.1 during the three-year period.(2) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployers use of the covered ADS is outside the scope of a developer-approved use.(3) Substantially modifies an automated decision system and does either of the following:(A) Uses the substantially modified system to make or facilitate consequential decisions that directly impact more than 5999 people in a given three-year period.(B) Makes the substantially modified system available to potential deployers.(i) A deployer that uses a covered ADS to make or facilitate a consequential decision shall retain the following documentation in an unredacted format for as long as the deployer uses the covered ADS remains deployed plus 10 years:(1) Any documentation received from developers pursuant to this chapter.(2) Any documentation provided pursuant to this section to subjects of consequential decisions made or facilitated by the covered ADS.(3) Any requests to correct personal information made pursuant to this section.(4) Any requests to opt out of the use of the covered ADS made pursuant to this section.(5) Any requests to appeal the outcome of a consequential decision made pursuant to this section.(6) Any documentation provided to, or received from, auditors pursuant to this chapter.(7) Records of any redactions made pursuant to this section.(j) (1) A deployer that uses a covered ADS to make or facilitate a consequential decision shall designate at least one employee to oversee the deployers compliance with this chapter.(2) A deployer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue related to the deployers use of a covered ADS that is raised to that employee.(k) In addition to the requirements of this section, a deployer that is a business subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) is subject to any privacy-related opt-out and access regulation duly adopted by the California Privacy Protection Agency pursuant to subdivision (b) of Section 1798.199.40 of the Civil Code.(l) This section shall become operative on January 1, 2027.22756.3. (a) An auditor that conducts an impact assessment on a covered ADS pursuant to subdivision (g) of Section 22756.2 shall do all of the following:(1) (A) Request any information from the deployer of the covered ADS that is reasonably necessary for the auditor to conduct a comprehensive impact assessment.(B) This paragraph applies only to information gathered by the deployer in the ordinary course of business.(2)Document all developer-approved uses of the covered ADS that the deployer utilized during the relevant period.(3)(2) For each unique developer-approved use, use of the covered ADS by the deployer, document all of the following:(A) The observed accuracy and reliability of the covered ADS over the relevant period.(B) Whether the observed accuracy and reliability differed materially from the expected accuracy and reliability of the covered ADS, as described in documentation provided by a developer to the deployer pursuant to this chapter.(C) Whether any disparate impacts resulted from the deployers use of the covered ADS and the deployment conditions under which those disparate impacts occurred.(D) Whether each disparate impact was an anticipated disparate impact, as described in documentation provided to the deployer pursuant to this chapter.(4)(3) Whether the deployer used the covered ADS to make or facilitate a consequential decision outside of the scope of a developer-approved use.(5)(4) Whether the deployer assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(b) (1) After conducting an impact assessment on a covered ADS, an auditor shall provide the results of the impact assessment to do both of the following:(A) The Provide the results of the impact assessment to the deployer that contracted with the auditor to perform the impact assessment.(B)The developer of the covered ADS.(B) Make a high-level summary of the results of the impact assessment publicly available at no cost to users of the auditors internet website.(2) The documentation required by this section shall be both of the following:(A) Provided in English and in any other language that the auditor regularly uses to communicate with developers and deployers.(B) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the developer and deployer. information.(3) An auditor shall not provide a developer make publicly available with the personal information of a subject of a consequential decision made or facilitated by a covered ADS without first obtaining the express consent of the subject.22756.4. (a) (1) Within 30 days of receiving a request from the Attorney General for a performance evaluation or impact assessment prepared pursuant to this chapter, a developer, deployer, or auditor of a covered ADS shall provide an unredacted copy of the document to the Attorney General.(2) The Attorney General may share performance evaluations and impact assessments with other enforcement entities as necessary for enforcement purposes.(b) (1) The disclosure or sharing of a performance evaluation or impact assessment pursuant to subdivision (a) does not constitute a waiver of any attorney-client privilege, work-product protection, or trade secret protection that might otherwise exist with respect to any information contained in the performance evaluation or impact assessment.(2) A performance evaluation or impact assessment disclosed or shared pursuant to subdivision (a) is exempt from the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(c) Each day a covered ADS is used for which a performance evaluation or impact assessment has not been submitted to the Attorney General pursuant to this section is an additional violation of this section.22756.5. (a) Any of the following public entities may bring a civil action against a developer or deployer developer, deployer, or auditor who violates this chapter:(1) The Attorney General.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(3) A city prosecutor in any city having a full-time city prosecutor with the consent of the district attorney.(4) The Civil Rights Department.(5) The Labor Commissioner with respect to employment-related decisions only.(b) A court may award a prevailing plaintiff who brings an action pursuant to subdivision (a) all of the following:(1) Injunctive relief.(2) Declaratory relief.(3) Reasonable attorneys fees and litigation costs.(4) A civil penalty of up to twenty-five thousand dollars ($25,000) per violation.(c) A developer or deployer who contracts with a third party to perform the developers or deployers duties under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to perform those duties.22756.6. (a) This chapter does not apply to an automated decision system the sole purpose of which is to do either of the following:(a)(1) Detect, protect against, or respond to cybersecurity incidents or preserve the integrity or security of computer systems.(b)(2) Operate aircraft in the national airspace.(b) The use of a consumer credit score to inform a consequential decision does not itself create an obligation under this chapter.22756.7. (a) The rights, remedies, and penalties established by this chapter are cumulative and shall not be construed to supersede the rights, remedies, or penalties established under other laws, including, but not limited to, Chapter 6 (commencing with Section 12940) of Part 2.8 of Division 3 of Title 2 of the Government Code and Section 51 of the Civil Code.(b) This chapter does not diminish the rights, privileges, or remedies of an employee under any other federal or state law or under any employment contract or collective bargaining agreement.(c) This chapter does not authorize any use of automated decision systems that is limited, restricted, or prohibited under any other applicable law.(d) This chapter does not authorize disparate impacts or disparate treatment that are limited, restricted, or prohibited under any other applicable law.22756.8.A developer or deployer who contracts with a third party to comply with duties required under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to comply with this chapter.SEC. 2. Section 51 of the Civil Code, as amended by Section 2.5 of Chapter 779 of the Statutes of 2024, is amended to read:51. (a) This section shall be known, and may be cited, as the Unruh Civil Rights Act.(b) All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.(c) This section shall not be construed to confer any right or privilege on a person that is conditioned or limited by law or that is applicable alike to persons of every sex, color, race, religion, ancestry, national origin, disability, medical condition, marital status, sexual orientation, citizenship, primary language, or immigration status, or to persons regardless of their genetic information.(d) Nothing in this section shall be construed to require any construction, alteration, repair, structural or otherwise, or modification of any sort whatsoever, beyond that construction, alteration, repair, or modification that is otherwise required by other provisions of law, to any new or existing establishment, facility, building, improvement, or any other structure, nor shall anything in this section be construed to augment, restrict, or alter in any way the authority of the State Architect to require construction, alteration, repair, or modifications that the State Architect otherwise possesses pursuant to other laws.(e) For purposes of this section:(1) Disability means any mental or physical disability as defined in Sections 12926 and 12926.1 of the Government Code.(2) (A) Genetic information means, with respect to any individual, information about any of the following:(i) The individuals genetic tests.(ii) The genetic tests of family members of the individual.(iii) The manifestation of a disease or disorder in family members of the individual.(B) Genetic information includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.(C) Genetic information does not include information about the sex or age of any individual.(3) Medical condition has the same meaning as defined in subdivision (i) of Section 12926 of the Government Code.(4) Race is inclusive of traits associated with race, including, but not limited to, hair texture and protective hairstyles. Protective hairstyles includes, but is not limited to, such hairstyles as braids, locs, and twists.(5) Religion includes all aspects of religious belief, observance, and practice.(6) Sex includes, but is not limited to, pregnancy, childbirth, or medical conditions related to pregnancy or childbirth. Sex also includes, but is not limited to, a persons gender. Gender means sex, and includes a persons gender identity and gender expression. Gender expression means a persons gender-related appearance and behavior whether or not stereotypically associated with the persons assigned sex at birth.(7) Sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status includes any of the following:(A) Any combination of those characteristics.(B) A perception that the person has any particular characteristic or characteristics within the listed categories or any combination of those characteristics.(C) A perception that the person is associated with a person who has, or is perceived to have, any particular characteristic or characteristics, or any combination of characteristics, within the listed categories.(8) Sexual orientation has the same meaning as defined in subdivision (s) of Section 12926 of the Government Code.(f) A violation of the right of any individual under the federal Americans with Disabilities Act of 1990 (Public Law 101-336) shall also constitute a violation of this section.(g) Verification of immigration status and any discrimination based upon verified immigration status, where required by federal law, shall not constitute a violation of this section.(h) Nothing in this section shall be construed to require the provision of services or documents in a language other than English, beyond that which is otherwise required by other provisions of federal, state, or local law, including Section 1632.(i) In an action alleging a violation of this section in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 25 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this section.SEC. 3. Article 3 (commencing with Section 12959) is added to Chapter 6 of Part 2.8 of Division 3 of Title 2 of the Government Code, to read: Article 3. Automated Decision Systems12959. In an action alleging a violation of this chapter in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 24.6 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this chapter.SEC. 4. The Legislature finds and declares that Section 1 of this act, which adds Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:In order to protect proprietary information, it is necessary that trade secrets disclosed in performance evaluations and impact assessments to agencies and departments pursuant to Section 1 of this act remain confidential.
Amended IN Assembly April 10, 2025 CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 1018Introduced by Assembly Member Bauer-Kahan(Coauthors: Assembly Members Aguiar-Curry, Bryan, Ortega, Ward)February 20, 2025An act to add Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, to amend Section 51 of the Civil Code, and to add Article 3 (commencing with Section 12959) to Chapter 6 of Part 2.8 of Division 3 of Title 2 of the Government Code, relating to artificial intelligence.LEGISLATIVE COUNSEL'S DIGESTAB 1018, as amended, Bauer-Kahan. Automated decision systems.The California Fair Employment and Housing Act establishes the Civil Rights Department within the Business, Consumer Services, and Housing Agency and requires the department to, among other things, bring civil actions to enforce the act.Existing law requires, on or before September 1, 2024, the Department of Technology to conduct, in coordination with other interagency bodies as it deems appropriate, a comprehensive inventory of all high-risk automated decision systems that have been proposed for use, development, or procurement by, or are being used, developed, or procured by, any state agency.This bill would generally regulate the development and deployment of an automated decision system (ADS) used to make consequential decisions, as defined. The bill would define automated decision system to mean a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.This bill would require a developer of a covered ADS, as defined, to take certain actions, including conduct performance evaluations of the covered ADS and provide deployers to whom the developer transfers the covered ADS with certain information, including the results of those performance evaluations.This bill would, beginning January 1, 2027, require a deployer of a covered ADS to take certain actions, including provide certain disclosures to a subject of a consequential decision made or facilitated by the covered ADS, provide the subject an opportunity to opt out of the use of the covered ADS, provide the subject with an opportunity to appeal the outcome of the consequential decision, and submit the covered ADS to third-party audits, as prescribed. The bill would also prescribe requirements for a third party to audit a covered ADS.This bill would prescribe requirements for a third party to audit a covered ADS, as prescribed.This bill would require a developer, deployer, or auditor to, within 30 days of receiving a request from the Attorney General, provide an unredacted copy of the performance evaluation or disparate impact assessment prepared pursuant to the bill to the Attorney General and would exempt those records from the California Public Records Act.This bill would authorize certain public entities, including the Attorney General, to bring a specified civil action for noncompliance.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
Amended IN Assembly April 10, 2025
Amended IN Assembly April 10, 2025
CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION
Assembly Bill
No. 1018
Introduced by Assembly Member Bauer-Kahan(Coauthors: Assembly Members Aguiar-Curry, Bryan, Ortega, Ward)February 20, 2025
Introduced by Assembly Member Bauer-Kahan(Coauthors: Assembly Members Aguiar-Curry, Bryan, Ortega, Ward)
February 20, 2025
An act to add Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, to amend Section 51 of the Civil Code, and to add Article 3 (commencing with Section 12959) to Chapter 6 of Part 2.8 of Division 3 of Title 2 of the Government Code, relating to artificial intelligence.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1018, as amended, Bauer-Kahan. Automated decision systems.
The California Fair Employment and Housing Act establishes the Civil Rights Department within the Business, Consumer Services, and Housing Agency and requires the department to, among other things, bring civil actions to enforce the act.Existing law requires, on or before September 1, 2024, the Department of Technology to conduct, in coordination with other interagency bodies as it deems appropriate, a comprehensive inventory of all high-risk automated decision systems that have been proposed for use, development, or procurement by, or are being used, developed, or procured by, any state agency.This bill would generally regulate the development and deployment of an automated decision system (ADS) used to make consequential decisions, as defined. The bill would define automated decision system to mean a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.This bill would require a developer of a covered ADS, as defined, to take certain actions, including conduct performance evaluations of the covered ADS and provide deployers to whom the developer transfers the covered ADS with certain information, including the results of those performance evaluations.This bill would, beginning January 1, 2027, require a deployer of a covered ADS to take certain actions, including provide certain disclosures to a subject of a consequential decision made or facilitated by the covered ADS, provide the subject an opportunity to opt out of the use of the covered ADS, provide the subject with an opportunity to appeal the outcome of the consequential decision, and submit the covered ADS to third-party audits, as prescribed. The bill would also prescribe requirements for a third party to audit a covered ADS.This bill would prescribe requirements for a third party to audit a covered ADS, as prescribed.This bill would require a developer, deployer, or auditor to, within 30 days of receiving a request from the Attorney General, provide an unredacted copy of the performance evaluation or disparate impact assessment prepared pursuant to the bill to the Attorney General and would exempt those records from the California Public Records Act.This bill would authorize certain public entities, including the Attorney General, to bring a specified civil action for noncompliance.Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.
The California Fair Employment and Housing Act establishes the Civil Rights Department within the Business, Consumer Services, and Housing Agency and requires the department to, among other things, bring civil actions to enforce the act.
Existing law requires, on or before September 1, 2024, the Department of Technology to conduct, in coordination with other interagency bodies as it deems appropriate, a comprehensive inventory of all high-risk automated decision systems that have been proposed for use, development, or procurement by, or are being used, developed, or procured by, any state agency.
This bill would generally regulate the development and deployment of an automated decision system (ADS) used to make consequential decisions, as defined. The bill would define automated decision system to mean a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.
This bill would require a developer of a covered ADS, as defined, to take certain actions, including conduct performance evaluations of the covered ADS and provide deployers to whom the developer transfers the covered ADS with certain information, including the results of those performance evaluations.
This bill would, beginning January 1, 2027, require a deployer of a covered ADS to take certain actions, including provide certain disclosures to a subject of a consequential decision made or facilitated by the covered ADS, provide the subject an opportunity to opt out of the use of the covered ADS, provide the subject with an opportunity to appeal the outcome of the consequential decision, and submit the covered ADS to third-party audits, as prescribed. The bill would also prescribe requirements for a third party to audit a covered ADS.
This bill would prescribe requirements for a third party to audit a covered ADS, as prescribed.
This bill would require a developer, deployer, or auditor to, within 30 days of receiving a request from the Attorney General, provide an unredacted copy of the performance evaluation or disparate impact assessment prepared pursuant to the bill to the Attorney General and would exempt those records from the California Public Records Act.
This bill would authorize certain public entities, including the Attorney General, to bring a specified civil action for noncompliance.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Chapter 24.6 (commencing with Section 22756) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 24.6. Automated Decisions Safety Act22756. As used in this chapter:(a) Artificial intelligence means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(b) (1) Automated decision system means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.(2) Automated decision system does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.(c) Consequential decision means a decision that materially impacts the cost, terms, quality, or accessibility of any of the following to a natural person:(1) Employment-related decisions.(2) Education and vocational training as they relate to any of the following:(A) Assessment and placement.(B) Detecting student cheating and plagiarism.(C) Accreditation.(D) Certification.(E) Admissions and enrollment.(F) Discipline.(G) Evaluation.(H) Financial aid and scholarships.(I) Proctoring.(3) Housing and lodging as they relate to any of the following:(A) Rental or short-term housing and lodging.(B) Home appraisals.(C) Rental subsidies.(D) Publicly supported housing.(4) Any of the following essential utilities:(A) Electricity.(B) Heat.(C) Water.(D)Internet and telecommunications access.(E)(D) Transportation.(F)(E) Municipal trash and sewage services.(5) Family planning, adoption services, reproductive services, and assessments related to child protective services.(6) Health care and health insurance, including mental health care, dental, and vision.(7) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(8) The criminal justice system with respect to pretrial release, sentencing, and alternatives to incarceration.(9) Legal services.(10) Private arbitration.(11) Mediation.(12) Elections as they relate to any of the following:(A) Voting.(B) Redistricting.(C) Voter eligibility and registration.(D) Distribution of voting information.(E) Election administration.(13) Access to government benefits or services or assignment of penalties by a government entity.(14) Places of public accommodation, as defined in Section 55.52 of the Civil Code.(15) Insurance.(16) Internet and telecommunications access.(d) Covered automated decision system or covered ADS means an automated decision system that makes or facilitates is designed or used to make or facilitate a consequential decision.(e) Credit score means a credit score, as defined in Section 1785.15.1 of the Civil Code, from a consumer credit reporting agency, as defined in Section 1785.3 of the Civil Code.(e)(f) Deployer means a person, partnership, state or local government agency, corporation, or developer that uses a covered ADS to make or facilitate a consequential decision, either directly or through by contracting with a third party. party for that purpose.(f)(g) Developer means a person, partnership, state or local government agency, corporation, or deployer that designs, codes, substantially modifies, or otherwise produces an automated decision system that makes or facilitates a consequential decision, either directly or through by contracting with a third party. party for those purposes.(g)(h) (1) Developer-approved use means a deployment context in which a developer intends a covered ADS to make or facilitate a consequential decision.(2) Developer-approved use includes any reasonably foreseeable fine tuning of the covered ADS.(h)(i) Disparate impact means a differential effect on a group of individuals who share a protected characteristic.(i)(j) Disparate treatment means differential treatment of an individual or group of individuals on the basis of a protected characteristic.(j)(k) Employment-related decision means a decision made by an employer, either directly or through a third party, that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks and responsibilities, assignment of work, access to work and training opportunities, productivity requirements, workplace health and safety, or other terms or conditions of employment.(k)(l) (1) Express consent means an affirmative written authorization that is granted in response to a notice that is all of the following:(A) Clear, meaningful, and prominent.(B) Conveyed in a manner that a natural person would notice and understand it.(C) Not contained within a more general notice, agreement, or set of terms and conditions.(2) Express consent does not mean an authorization that is either of the following:(A) Inferred from inaction.(B) Obtained through the use of a dark pattern, as defined in Section 56.18 of the Civil Code.(l)(m) Fine-tune means to adjust the model parameters of an automated decision system through exposure to additional data.(m)(n) Labor Commissioner means Chief of the Division of Labor Standards Enforcement.(n)(o) Personal information has the same meaning as defined in Section 1798.140 of the Civil Code.(o)(p) Protected characteristic means a characteristic listed in subdivision (b) of Section 51 of the Civil Code.(p)(q) (1) Substantial modification means a new version, release, update, or other modification to a covered ADS that materially changes its uses or outputs.(2) Substantial modification does not mean a modification that results from fine tuning.(q)(r) Trade secret has the same meaning as in Section 3426.1 of the Civil Code.22756.1. (a) (1) With respect to a covered ADS that was first deployed, or made available to potential deployers, before January 1, 2026, the developer of the covered ADS shall conduct an initial performance evaluation on the covered ADS before January 1, 2027, and shall additionally conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Following any substantial modification of the covered ADS by the developer.(B) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(C) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(2) With respect to a covered ADS that is first deployed or made available to potential deployers on or after January 1, 2026, the developer of the covered ADS shall conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Before initially deploying the covered ADS or making the covered ADS available to potential deployers.(B) Following any substantial modification of the covered ADS by the developer.(C) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(D) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(b) In conducting a performance evaluation on a covered ADS, a developer shall do all of the following:(1) Describe the purpose of the covered ADS.(2) List and describe all developer-approved uses of the covered ADS.(3) For each developer-approved use, assess evaluate the expected performance of the covered ADS and document all of the following:(A) The expected accuracy and reliability of the covered ADS.(B) Any reasonably foreseeable effects of fine tuning on the accuracy and reliability of the covered ADS.(4)For each developer-approved use, assess whether(C) Whether any disparate treatment is intended to occur and document and, if so, all of the following:(A)Whether the covered ADS is intended to treat individuals or groups of individuals differently on the basis of a protected characteristic.(B)For each disparate treatment identified under subparagraph (A), describe all of the following:(i) The conditions under which the each disparate treatment is intended to occur.(ii) Whether the each disparate treatment is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate treatment were considered.(C)(D) Any reasonably foreseeable effects of fine tuning on disparate treatment.(5)For each developer-approved use, assess whether (E) Whether any disparate impacts are reasonably likely to occur and document and, if so, all of the following:(A)Whether the covered ADS is reasonably likely to treat groups of individuals who share a protected characteristic differently.(B)For each disparate impact identified under subparagraph (A), describe all of the following:(i) The conditions under which that each disparate impact is reasonably likely to occur.(ii) Whether the each disparate impact is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate impacts were considered.(C)(F) Whether any measures have been taken by the developer to mitigate the risk of unanticipated disparate impacts resulting from the use of the covered ADS.(D)(G) With respect to a covered ADS that has been deployed, whether any unanticipated disparate impacts have been reported to the developer by a deployer, and whether the developer has taken any measures to mitigate those disparate impacts.(E)(H) Any reasonably foreseeable effects of fine tuning on disparate impacts.(6)(4) (A) Contract with an independent third-party auditor to assess the developers compliance with this subdivision.(B) (i) Except pursuant to clause (ii), a developer that contracts with an auditor pursuant to this paragraph shall provide the auditor with any available information that is reasonably necessary for the auditor to comprehensively assess developer compliance.(ii) A developer that provides documentation to an auditor pursuant to this subparagraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a developer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) If the deadline for conducting a performance evaluation pursuant to subdivision (a) elapses before the audit has been completed, a developer shall not deploy the covered ADS or make the covered ADS available to potential deployers until the audit has been completed.(I) A developer that receives feedback from an auditor pursuant to this paragraph shall do both of the following:(i) Consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(ii) Make a high-level summary of the feedback publicly available at no cost to users of the developers internet website.(c) (1) A developer that sells, licenses, or otherwise transfers a covered ADS to a potential deployer shall provide the deployer with all of the following:(A) The results of the most recent performance evaluation conducted on the covered ADS by the developer pursuant to this chapter.(B) For each developer-approved use of the covered ADS, instructions explaining how the covered ADS should be used by the deployer to make or facilitate a consequential decision.(C) For each developer-approved use of the covered ADS, a description of whether and under what circumstances the covered ADS can be fine-tuned.(D) An explanation of the deployers responsibilities under this chapter, including a description of any circumstances under which the deployer would assume the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(E) (i) Any technical information necessary for the deployer to comply with this chapter.(ii) A developer shall not be required to provide additional technical information to a deployer that has assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(2) (A) A developer that provides documentation to a potential deployer pursuant to this subdivision may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a developer withholds information pursuant to subparagraph (A), the developer shall notify the deployer and provide a basis for the withholding.(d) A developer that receives an impact assessment from an auditor of a deployed covered ADS pursuant to subdivision (b) of Section 22756.3 shall provide all of the following information to any deployer of the covered ADS:(A) Any material differences between the expected accuracy of the covered ADS and the observed accuracy of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(B) Any material differences between the expected reliability of the covered ADS and the observed reliability of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(C) Any unanticipated disparate impacts resulting from the use of the covered ADS and the deployment conditions under which those disparate impacts are reasonably likely to occur.(D) An explanation of any steps the deployer can take to mitigate these discrepancies.(e) A developer that receives feedback from an auditor pursuant to this chapter shall consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(f) A developer that provides documentation to a deployer pursuant to this section shall ensure the documentation is all of the following:(A) Transmitted directly to the deployer or otherwise made available in a manner reasonably calculated to ensure the deployer receives the documentation.(B) Provided in English and in any other language the developer regularly uses to communicate with deployers.(C) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the deployer.(g) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall maintain all of the following documentation in an unredacted format for as long as the covered ADS remains deployed or developer deploys the covered ADS or makes the covered ADS available to potential deployers plus 10 years:(1) The results of any performance evaluations conducted on the covered ADS pursuant to this chapter.(2) Any documentation provided to deployers pursuant to this chapter.(3) Any documentation provided to, or received from, auditors pursuant to this chapter.(4) Records of any redactions made pursuant to this chapter.(h) It is unlawful to advertise to consumers in the state that a covered ADS is capable of performing in a manner not substantiated by the results of the most recent performance evaluation conducted on the covered ADS.(i) (1) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall designate at least one employee to oversee the developers compliance with this chapter.(2) A developer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue raised to that employee.22756.2. (a) (1) Except as provided in paragraph (2), before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a plain language written disclosure containing all of the following information:(A) A statement informing the subject that a covered ADS will be used to make or facilitate the consequential decision.(B) The name, version number, and developer of the covered ADS.(C) Whether the deployers use of the covered ADS is within the scope of a developer-approved use and a description of that use.(D) (i) The personal characteristics or attributes of the subject that the covered ADS measures or assesses to make or facilitate the consequential decision.(ii) The sources of personal information collected from the subject to make or facilitate the consequential decision.(iii) Any key parameters known to disproportionately affect the outcome of the consequential decision.(E) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs are used to make or facilitate the consequential decision.(F) Whether a natural person will review either of the following before the consequential decision is finalized:(i) The outputs of the covered ADS.(ii) The outcome of the consequential decision.(G) The subjects rights under subdivisions (b) and (c) (d) and the means and timeframe for exercising those rights.(H) (i) Contact information for the deployer.(ii) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(iii) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(2) Paragraph (1) does not apply if the subject of the consequential decision is having a medical emergency.(b) (1) Before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a reasonable opportunity to opt out of the use of the covered ADS.(2) (A) A deployer may deny a request to opt out of the use of a covered ADS if either of the following is true:(i) The deployer is subject to the federal Gramm-Leach-Bliley Act, and the covered ADS makes or facilitates a consequential decision pursuant to paragraph (7) of subdivision (c) of Section 22756.(ii) The subject of the consequential decision is having a medical emergency.(B) A deployer that denies a request to opt out of the use of a covered ADS pursuant to subparagraph (A) shall provide the subject with an explanation of the basis for the denial.(c) (1) After a deployer finalizes a consequential decision is finalized, made or facilitated by a covered ADS, the deployer shall provide any subject of that decision witha plain language written disclosure shall be provided containing all of the following information within five days, and the disclosure shall include all of the information: days:(A) The personal characteristics or attributes of the subject that the covered ADS measured or assessed used to make or facilitate the consequential decision.(B) The sources of personal information collected from the subject that were used to make or facilitate the consequential decision.(C) Any key parameters that disproportionately affected the outcome of the consequential decision.(D) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs were used to make or facilitate the consequential decision.(E) The role that the ADS played in making the consequential decision and whether any human judgment was involved.(F) Contact information for the deployer.(G) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(H) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(I) The subjects rights under subdivision (d) and the means and timeframe for exercising those rights.(2) Paragraph (1) is does not applicable apply if the subject of the consequential decision is having a medical emergency.(3) A deployer that provides documentation to a subject of a consequential decision pursuant to this subdivision shall ensure the documentation is all of the following:(A) Transmitted directly to the subject.(B) Provided in English and in any other language that the deployer regularly uses to communicate with subjects.(C) Made available in formats that are accessible to people who are blind or have other disabilities.(D) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the subject.(d) After finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with an opportunity to do both of the following within 30 business days:(1) (A) Correct any incorrect personal information used by the covered ADS to make or facilitate the consequential decision.(B) A deployer shall comply with a request to correct personal information within 30 business days of receiving the request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that complying with a request to correct personal information would change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that complying with a request to correct personal information would not change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, inform the subject that the correction was made but that it did not alter the decision.(D) A deployer that denies a request to correct personal information shall do both of the following:(i) Provide the subject with an explanation of the basis for the denial.(ii) Provide the subject with a reasonable opportunity to request that the deployer delete the subjects personal information.(2) (A) Appeal the outcome of the consequential decision.(B) A deployer shall review a request to appeal a consequential decision within 30 business days of receiving the request. request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that the original decision is was incorrect, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that the original decision is was correct, the deployer shall, within 30 days of making the determination, inform the subject that the consequential decision will not be altered.(D) A deployer that denies a request to appeal the outcome of a consequential decision shall provide the subject with an explanation of the basis for the denial.(e) (1) (A) A deployer that provides documentation to the subject of a consequential decision pursuant to this section may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a deployer withholds information pursuant to paragraph (1), the deployer shall notify the subject and provide a basis for the withholding.(2) A deployer that is required by another state or federal law to provide substantially similar notice to a subject of a consequential decision need not duplicatively provide notice to the subject under this section.(f) A deployers collection, use, retention, and sharing of personal information from a subject of a consequential decision shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected and processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(g) (1) A deployer that uses a covered ADS to make or facilitate consequential decisions directly impacting more than 5999 5,999 people in a given three-year period shall contract with an independent third-party auditor to conduct an impact assessment on the covered ADS before January 1, 2030, and every three years thereafter.(2) (A) Except pursuant to subparagraph (B), a deployer that contracts with an auditor pursuant to this subdivision shall provide the auditor with any available information that is reasonably necessary for the auditor to conduct a comprehensive impact assessment on the covered ADS.(B) A deployer that provides documentation to an auditor pursuant to this paragraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a deployer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) This paragraph shall not be construed to require a deployer to collect any personal information from a subject of a consequential decision beyond that which the deployer collects in the ordinary course of business or as necessary to comply with state or federal law.(3) If the deadline for conducting an audit pursuant to paragraph (1) elapses before the audit has been completed, a deployer shall not use the covered ADS to make or facilitate consequential decisions until the audit has been completed.(h) A deployer that does any of the following assumes the responsibilities of a developer under this chapter:(1) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployer did not receive any documentation from the developer of the covered ADS pursuant to subdivision (c) of Section 22756.1. 22756.1 during the three-year period.(2) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployers use of the covered ADS is outside the scope of a developer-approved use.(3) Substantially modifies an automated decision system and does either of the following:(A) Uses the substantially modified system to make or facilitate consequential decisions that directly impact more than 5999 people in a given three-year period.(B) Makes the substantially modified system available to potential deployers.(i) A deployer that uses a covered ADS to make or facilitate a consequential decision shall retain the following documentation in an unredacted format for as long as the deployer uses the covered ADS remains deployed plus 10 years:(1) Any documentation received from developers pursuant to this chapter.(2) Any documentation provided pursuant to this section to subjects of consequential decisions made or facilitated by the covered ADS.(3) Any requests to correct personal information made pursuant to this section.(4) Any requests to opt out of the use of the covered ADS made pursuant to this section.(5) Any requests to appeal the outcome of a consequential decision made pursuant to this section.(6) Any documentation provided to, or received from, auditors pursuant to this chapter.(7) Records of any redactions made pursuant to this section.(j) (1) A deployer that uses a covered ADS to make or facilitate a consequential decision shall designate at least one employee to oversee the deployers compliance with this chapter.(2) A deployer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue related to the deployers use of a covered ADS that is raised to that employee.(k) In addition to the requirements of this section, a deployer that is a business subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) is subject to any privacy-related opt-out and access regulation duly adopted by the California Privacy Protection Agency pursuant to subdivision (b) of Section 1798.199.40 of the Civil Code.(l) This section shall become operative on January 1, 2027.22756.3. (a) An auditor that conducts an impact assessment on a covered ADS pursuant to subdivision (g) of Section 22756.2 shall do all of the following:(1) (A) Request any information from the deployer of the covered ADS that is reasonably necessary for the auditor to conduct a comprehensive impact assessment.(B) This paragraph applies only to information gathered by the deployer in the ordinary course of business.(2)Document all developer-approved uses of the covered ADS that the deployer utilized during the relevant period.(3)(2) For each unique developer-approved use, use of the covered ADS by the deployer, document all of the following:(A) The observed accuracy and reliability of the covered ADS over the relevant period.(B) Whether the observed accuracy and reliability differed materially from the expected accuracy and reliability of the covered ADS, as described in documentation provided by a developer to the deployer pursuant to this chapter.(C) Whether any disparate impacts resulted from the deployers use of the covered ADS and the deployment conditions under which those disparate impacts occurred.(D) Whether each disparate impact was an anticipated disparate impact, as described in documentation provided to the deployer pursuant to this chapter.(4)(3) Whether the deployer used the covered ADS to make or facilitate a consequential decision outside of the scope of a developer-approved use.(5)(4) Whether the deployer assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(b) (1) After conducting an impact assessment on a covered ADS, an auditor shall provide the results of the impact assessment to do both of the following:(A) The Provide the results of the impact assessment to the deployer that contracted with the auditor to perform the impact assessment.(B)The developer of the covered ADS.(B) Make a high-level summary of the results of the impact assessment publicly available at no cost to users of the auditors internet website.(2) The documentation required by this section shall be both of the following:(A) Provided in English and in any other language that the auditor regularly uses to communicate with developers and deployers.(B) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the developer and deployer. information.(3) An auditor shall not provide a developer make publicly available with the personal information of a subject of a consequential decision made or facilitated by a covered ADS without first obtaining the express consent of the subject.22756.4. (a) (1) Within 30 days of receiving a request from the Attorney General for a performance evaluation or impact assessment prepared pursuant to this chapter, a developer, deployer, or auditor of a covered ADS shall provide an unredacted copy of the document to the Attorney General.(2) The Attorney General may share performance evaluations and impact assessments with other enforcement entities as necessary for enforcement purposes.(b) (1) The disclosure or sharing of a performance evaluation or impact assessment pursuant to subdivision (a) does not constitute a waiver of any attorney-client privilege, work-product protection, or trade secret protection that might otherwise exist with respect to any information contained in the performance evaluation or impact assessment.(2) A performance evaluation or impact assessment disclosed or shared pursuant to subdivision (a) is exempt from the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(c) Each day a covered ADS is used for which a performance evaluation or impact assessment has not been submitted to the Attorney General pursuant to this section is an additional violation of this section.22756.5. (a) Any of the following public entities may bring a civil action against a developer or deployer developer, deployer, or auditor who violates this chapter:(1) The Attorney General.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(3) A city prosecutor in any city having a full-time city prosecutor with the consent of the district attorney.(4) The Civil Rights Department.(5) The Labor Commissioner with respect to employment-related decisions only.(b) A court may award a prevailing plaintiff who brings an action pursuant to subdivision (a) all of the following:(1) Injunctive relief.(2) Declaratory relief.(3) Reasonable attorneys fees and litigation costs.(4) A civil penalty of up to twenty-five thousand dollars ($25,000) per violation.(c) A developer or deployer who contracts with a third party to perform the developers or deployers duties under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to perform those duties.22756.6. (a) This chapter does not apply to an automated decision system the sole purpose of which is to do either of the following:(a)(1) Detect, protect against, or respond to cybersecurity incidents or preserve the integrity or security of computer systems.(b)(2) Operate aircraft in the national airspace.(b) The use of a consumer credit score to inform a consequential decision does not itself create an obligation under this chapter.22756.7. (a) The rights, remedies, and penalties established by this chapter are cumulative and shall not be construed to supersede the rights, remedies, or penalties established under other laws, including, but not limited to, Chapter 6 (commencing with Section 12940) of Part 2.8 of Division 3 of Title 2 of the Government Code and Section 51 of the Civil Code.(b) This chapter does not diminish the rights, privileges, or remedies of an employee under any other federal or state law or under any employment contract or collective bargaining agreement.(c) This chapter does not authorize any use of automated decision systems that is limited, restricted, or prohibited under any other applicable law.(d) This chapter does not authorize disparate impacts or disparate treatment that are limited, restricted, or prohibited under any other applicable law.22756.8.A developer or deployer who contracts with a third party to comply with duties required under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to comply with this chapter.SEC. 2. Section 51 of the Civil Code, as amended by Section 2.5 of Chapter 779 of the Statutes of 2024, is amended to read:51. (a) This section shall be known, and may be cited, as the Unruh Civil Rights Act.(b) All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.(c) This section shall not be construed to confer any right or privilege on a person that is conditioned or limited by law or that is applicable alike to persons of every sex, color, race, religion, ancestry, national origin, disability, medical condition, marital status, sexual orientation, citizenship, primary language, or immigration status, or to persons regardless of their genetic information.(d) Nothing in this section shall be construed to require any construction, alteration, repair, structural or otherwise, or modification of any sort whatsoever, beyond that construction, alteration, repair, or modification that is otherwise required by other provisions of law, to any new or existing establishment, facility, building, improvement, or any other structure, nor shall anything in this section be construed to augment, restrict, or alter in any way the authority of the State Architect to require construction, alteration, repair, or modifications that the State Architect otherwise possesses pursuant to other laws.(e) For purposes of this section:(1) Disability means any mental or physical disability as defined in Sections 12926 and 12926.1 of the Government Code.(2) (A) Genetic information means, with respect to any individual, information about any of the following:(i) The individuals genetic tests.(ii) The genetic tests of family members of the individual.(iii) The manifestation of a disease or disorder in family members of the individual.(B) Genetic information includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.(C) Genetic information does not include information about the sex or age of any individual.(3) Medical condition has the same meaning as defined in subdivision (i) of Section 12926 of the Government Code.(4) Race is inclusive of traits associated with race, including, but not limited to, hair texture and protective hairstyles. Protective hairstyles includes, but is not limited to, such hairstyles as braids, locs, and twists.(5) Religion includes all aspects of religious belief, observance, and practice.(6) Sex includes, but is not limited to, pregnancy, childbirth, or medical conditions related to pregnancy or childbirth. Sex also includes, but is not limited to, a persons gender. Gender means sex, and includes a persons gender identity and gender expression. Gender expression means a persons gender-related appearance and behavior whether or not stereotypically associated with the persons assigned sex at birth.(7) Sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status includes any of the following:(A) Any combination of those characteristics.(B) A perception that the person has any particular characteristic or characteristics within the listed categories or any combination of those characteristics.(C) A perception that the person is associated with a person who has, or is perceived to have, any particular characteristic or characteristics, or any combination of characteristics, within the listed categories.(8) Sexual orientation has the same meaning as defined in subdivision (s) of Section 12926 of the Government Code.(f) A violation of the right of any individual under the federal Americans with Disabilities Act of 1990 (Public Law 101-336) shall also constitute a violation of this section.(g) Verification of immigration status and any discrimination based upon verified immigration status, where required by federal law, shall not constitute a violation of this section.(h) Nothing in this section shall be construed to require the provision of services or documents in a language other than English, beyond that which is otherwise required by other provisions of federal, state, or local law, including Section 1632.(i) In an action alleging a violation of this section in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 25 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this section.SEC. 3. Article 3 (commencing with Section 12959) is added to Chapter 6 of Part 2.8 of Division 3 of Title 2 of the Government Code, to read: Article 3. Automated Decision Systems12959. In an action alleging a violation of this chapter in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 24.6 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this chapter.SEC. 4. The Legislature finds and declares that Section 1 of this act, which adds Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:In order to protect proprietary information, it is necessary that trade secrets disclosed in performance evaluations and impact assessments to agencies and departments pursuant to Section 1 of this act remain confidential.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Chapter 24.6 (commencing with Section 22756) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 24.6. Automated Decisions Safety Act22756. As used in this chapter:(a) Artificial intelligence means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(b) (1) Automated decision system means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.(2) Automated decision system does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.(c) Consequential decision means a decision that materially impacts the cost, terms, quality, or accessibility of any of the following to a natural person:(1) Employment-related decisions.(2) Education and vocational training as they relate to any of the following:(A) Assessment and placement.(B) Detecting student cheating and plagiarism.(C) Accreditation.(D) Certification.(E) Admissions and enrollment.(F) Discipline.(G) Evaluation.(H) Financial aid and scholarships.(I) Proctoring.(3) Housing and lodging as they relate to any of the following:(A) Rental or short-term housing and lodging.(B) Home appraisals.(C) Rental subsidies.(D) Publicly supported housing.(4) Any of the following essential utilities:(A) Electricity.(B) Heat.(C) Water.(D)Internet and telecommunications access.(E)(D) Transportation.(F)(E) Municipal trash and sewage services.(5) Family planning, adoption services, reproductive services, and assessments related to child protective services.(6) Health care and health insurance, including mental health care, dental, and vision.(7) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(8) The criminal justice system with respect to pretrial release, sentencing, and alternatives to incarceration.(9) Legal services.(10) Private arbitration.(11) Mediation.(12) Elections as they relate to any of the following:(A) Voting.(B) Redistricting.(C) Voter eligibility and registration.(D) Distribution of voting information.(E) Election administration.(13) Access to government benefits or services or assignment of penalties by a government entity.(14) Places of public accommodation, as defined in Section 55.52 of the Civil Code.(15) Insurance.(16) Internet and telecommunications access.(d) Covered automated decision system or covered ADS means an automated decision system that makes or facilitates is designed or used to make or facilitate a consequential decision.(e) Credit score means a credit score, as defined in Section 1785.15.1 of the Civil Code, from a consumer credit reporting agency, as defined in Section 1785.3 of the Civil Code.(e)(f) Deployer means a person, partnership, state or local government agency, corporation, or developer that uses a covered ADS to make or facilitate a consequential decision, either directly or through by contracting with a third party. party for that purpose.(f)(g) Developer means a person, partnership, state or local government agency, corporation, or deployer that designs, codes, substantially modifies, or otherwise produces an automated decision system that makes or facilitates a consequential decision, either directly or through by contracting with a third party. party for those purposes.(g)(h) (1) Developer-approved use means a deployment context in which a developer intends a covered ADS to make or facilitate a consequential decision.(2) Developer-approved use includes any reasonably foreseeable fine tuning of the covered ADS.(h)(i) Disparate impact means a differential effect on a group of individuals who share a protected characteristic.(i)(j) Disparate treatment means differential treatment of an individual or group of individuals on the basis of a protected characteristic.(j)(k) Employment-related decision means a decision made by an employer, either directly or through a third party, that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks and responsibilities, assignment of work, access to work and training opportunities, productivity requirements, workplace health and safety, or other terms or conditions of employment.(k)(l) (1) Express consent means an affirmative written authorization that is granted in response to a notice that is all of the following:(A) Clear, meaningful, and prominent.(B) Conveyed in a manner that a natural person would notice and understand it.(C) Not contained within a more general notice, agreement, or set of terms and conditions.(2) Express consent does not mean an authorization that is either of the following:(A) Inferred from inaction.(B) Obtained through the use of a dark pattern, as defined in Section 56.18 of the Civil Code.(l)(m) Fine-tune means to adjust the model parameters of an automated decision system through exposure to additional data.(m)(n) Labor Commissioner means Chief of the Division of Labor Standards Enforcement.(n)(o) Personal information has the same meaning as defined in Section 1798.140 of the Civil Code.(o)(p) Protected characteristic means a characteristic listed in subdivision (b) of Section 51 of the Civil Code.(p)(q) (1) Substantial modification means a new version, release, update, or other modification to a covered ADS that materially changes its uses or outputs.(2) Substantial modification does not mean a modification that results from fine tuning.(q)(r) Trade secret has the same meaning as in Section 3426.1 of the Civil Code.22756.1. (a) (1) With respect to a covered ADS that was first deployed, or made available to potential deployers, before January 1, 2026, the developer of the covered ADS shall conduct an initial performance evaluation on the covered ADS before January 1, 2027, and shall additionally conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Following any substantial modification of the covered ADS by the developer.(B) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(C) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(2) With respect to a covered ADS that is first deployed or made available to potential deployers on or after January 1, 2026, the developer of the covered ADS shall conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Before initially deploying the covered ADS or making the covered ADS available to potential deployers.(B) Following any substantial modification of the covered ADS by the developer.(C) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(D) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(b) In conducting a performance evaluation on a covered ADS, a developer shall do all of the following:(1) Describe the purpose of the covered ADS.(2) List and describe all developer-approved uses of the covered ADS.(3) For each developer-approved use, assess evaluate the expected performance of the covered ADS and document all of the following:(A) The expected accuracy and reliability of the covered ADS.(B) Any reasonably foreseeable effects of fine tuning on the accuracy and reliability of the covered ADS.(4)For each developer-approved use, assess whether(C) Whether any disparate treatment is intended to occur and document and, if so, all of the following:(A)Whether the covered ADS is intended to treat individuals or groups of individuals differently on the basis of a protected characteristic.(B)For each disparate treatment identified under subparagraph (A), describe all of the following:(i) The conditions under which the each disparate treatment is intended to occur.(ii) Whether the each disparate treatment is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate treatment were considered.(C)(D) Any reasonably foreseeable effects of fine tuning on disparate treatment.(5)For each developer-approved use, assess whether (E) Whether any disparate impacts are reasonably likely to occur and document and, if so, all of the following:(A)Whether the covered ADS is reasonably likely to treat groups of individuals who share a protected characteristic differently.(B)For each disparate impact identified under subparagraph (A), describe all of the following:(i) The conditions under which that each disparate impact is reasonably likely to occur.(ii) Whether the each disparate impact is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate impacts were considered.(C)(F) Whether any measures have been taken by the developer to mitigate the risk of unanticipated disparate impacts resulting from the use of the covered ADS.(D)(G) With respect to a covered ADS that has been deployed, whether any unanticipated disparate impacts have been reported to the developer by a deployer, and whether the developer has taken any measures to mitigate those disparate impacts.(E)(H) Any reasonably foreseeable effects of fine tuning on disparate impacts.(6)(4) (A) Contract with an independent third-party auditor to assess the developers compliance with this subdivision.(B) (i) Except pursuant to clause (ii), a developer that contracts with an auditor pursuant to this paragraph shall provide the auditor with any available information that is reasonably necessary for the auditor to comprehensively assess developer compliance.(ii) A developer that provides documentation to an auditor pursuant to this subparagraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a developer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) If the deadline for conducting a performance evaluation pursuant to subdivision (a) elapses before the audit has been completed, a developer shall not deploy the covered ADS or make the covered ADS available to potential deployers until the audit has been completed.(I) A developer that receives feedback from an auditor pursuant to this paragraph shall do both of the following:(i) Consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(ii) Make a high-level summary of the feedback publicly available at no cost to users of the developers internet website.(c) (1) A developer that sells, licenses, or otherwise transfers a covered ADS to a potential deployer shall provide the deployer with all of the following:(A) The results of the most recent performance evaluation conducted on the covered ADS by the developer pursuant to this chapter.(B) For each developer-approved use of the covered ADS, instructions explaining how the covered ADS should be used by the deployer to make or facilitate a consequential decision.(C) For each developer-approved use of the covered ADS, a description of whether and under what circumstances the covered ADS can be fine-tuned.(D) An explanation of the deployers responsibilities under this chapter, including a description of any circumstances under which the deployer would assume the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(E) (i) Any technical information necessary for the deployer to comply with this chapter.(ii) A developer shall not be required to provide additional technical information to a deployer that has assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(2) (A) A developer that provides documentation to a potential deployer pursuant to this subdivision may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a developer withholds information pursuant to subparagraph (A), the developer shall notify the deployer and provide a basis for the withholding.(d) A developer that receives an impact assessment from an auditor of a deployed covered ADS pursuant to subdivision (b) of Section 22756.3 shall provide all of the following information to any deployer of the covered ADS:(A) Any material differences between the expected accuracy of the covered ADS and the observed accuracy of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(B) Any material differences between the expected reliability of the covered ADS and the observed reliability of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(C) Any unanticipated disparate impacts resulting from the use of the covered ADS and the deployment conditions under which those disparate impacts are reasonably likely to occur.(D) An explanation of any steps the deployer can take to mitigate these discrepancies.(e) A developer that receives feedback from an auditor pursuant to this chapter shall consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(f) A developer that provides documentation to a deployer pursuant to this section shall ensure the documentation is all of the following:(A) Transmitted directly to the deployer or otherwise made available in a manner reasonably calculated to ensure the deployer receives the documentation.(B) Provided in English and in any other language the developer regularly uses to communicate with deployers.(C) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the deployer.(g) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall maintain all of the following documentation in an unredacted format for as long as the covered ADS remains deployed or developer deploys the covered ADS or makes the covered ADS available to potential deployers plus 10 years:(1) The results of any performance evaluations conducted on the covered ADS pursuant to this chapter.(2) Any documentation provided to deployers pursuant to this chapter.(3) Any documentation provided to, or received from, auditors pursuant to this chapter.(4) Records of any redactions made pursuant to this chapter.(h) It is unlawful to advertise to consumers in the state that a covered ADS is capable of performing in a manner not substantiated by the results of the most recent performance evaluation conducted on the covered ADS.(i) (1) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall designate at least one employee to oversee the developers compliance with this chapter.(2) A developer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue raised to that employee.22756.2. (a) (1) Except as provided in paragraph (2), before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a plain language written disclosure containing all of the following information:(A) A statement informing the subject that a covered ADS will be used to make or facilitate the consequential decision.(B) The name, version number, and developer of the covered ADS.(C) Whether the deployers use of the covered ADS is within the scope of a developer-approved use and a description of that use.(D) (i) The personal characteristics or attributes of the subject that the covered ADS measures or assesses to make or facilitate the consequential decision.(ii) The sources of personal information collected from the subject to make or facilitate the consequential decision.(iii) Any key parameters known to disproportionately affect the outcome of the consequential decision.(E) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs are used to make or facilitate the consequential decision.(F) Whether a natural person will review either of the following before the consequential decision is finalized:(i) The outputs of the covered ADS.(ii) The outcome of the consequential decision.(G) The subjects rights under subdivisions (b) and (c) (d) and the means and timeframe for exercising those rights.(H) (i) Contact information for the deployer.(ii) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(iii) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(2) Paragraph (1) does not apply if the subject of the consequential decision is having a medical emergency.(b) (1) Before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a reasonable opportunity to opt out of the use of the covered ADS.(2) (A) A deployer may deny a request to opt out of the use of a covered ADS if either of the following is true:(i) The deployer is subject to the federal Gramm-Leach-Bliley Act, and the covered ADS makes or facilitates a consequential decision pursuant to paragraph (7) of subdivision (c) of Section 22756.(ii) The subject of the consequential decision is having a medical emergency.(B) A deployer that denies a request to opt out of the use of a covered ADS pursuant to subparagraph (A) shall provide the subject with an explanation of the basis for the denial.(c) (1) After a deployer finalizes a consequential decision is finalized, made or facilitated by a covered ADS, the deployer shall provide any subject of that decision witha plain language written disclosure shall be provided containing all of the following information within five days, and the disclosure shall include all of the information: days:(A) The personal characteristics or attributes of the subject that the covered ADS measured or assessed used to make or facilitate the consequential decision.(B) The sources of personal information collected from the subject that were used to make or facilitate the consequential decision.(C) Any key parameters that disproportionately affected the outcome of the consequential decision.(D) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs were used to make or facilitate the consequential decision.(E) The role that the ADS played in making the consequential decision and whether any human judgment was involved.(F) Contact information for the deployer.(G) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(H) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(I) The subjects rights under subdivision (d) and the means and timeframe for exercising those rights.(2) Paragraph (1) is does not applicable apply if the subject of the consequential decision is having a medical emergency.(3) A deployer that provides documentation to a subject of a consequential decision pursuant to this subdivision shall ensure the documentation is all of the following:(A) Transmitted directly to the subject.(B) Provided in English and in any other language that the deployer regularly uses to communicate with subjects.(C) Made available in formats that are accessible to people who are blind or have other disabilities.(D) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the subject.(d) After finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with an opportunity to do both of the following within 30 business days:(1) (A) Correct any incorrect personal information used by the covered ADS to make or facilitate the consequential decision.(B) A deployer shall comply with a request to correct personal information within 30 business days of receiving the request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that complying with a request to correct personal information would change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that complying with a request to correct personal information would not change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, inform the subject that the correction was made but that it did not alter the decision.(D) A deployer that denies a request to correct personal information shall do both of the following:(i) Provide the subject with an explanation of the basis for the denial.(ii) Provide the subject with a reasonable opportunity to request that the deployer delete the subjects personal information.(2) (A) Appeal the outcome of the consequential decision.(B) A deployer shall review a request to appeal a consequential decision within 30 business days of receiving the request. request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that the original decision is was incorrect, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that the original decision is was correct, the deployer shall, within 30 days of making the determination, inform the subject that the consequential decision will not be altered.(D) A deployer that denies a request to appeal the outcome of a consequential decision shall provide the subject with an explanation of the basis for the denial.(e) (1) (A) A deployer that provides documentation to the subject of a consequential decision pursuant to this section may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a deployer withholds information pursuant to paragraph (1), the deployer shall notify the subject and provide a basis for the withholding.(2) A deployer that is required by another state or federal law to provide substantially similar notice to a subject of a consequential decision need not duplicatively provide notice to the subject under this section.(f) A deployers collection, use, retention, and sharing of personal information from a subject of a consequential decision shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected and processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(g) (1) A deployer that uses a covered ADS to make or facilitate consequential decisions directly impacting more than 5999 5,999 people in a given three-year period shall contract with an independent third-party auditor to conduct an impact assessment on the covered ADS before January 1, 2030, and every three years thereafter.(2) (A) Except pursuant to subparagraph (B), a deployer that contracts with an auditor pursuant to this subdivision shall provide the auditor with any available information that is reasonably necessary for the auditor to conduct a comprehensive impact assessment on the covered ADS.(B) A deployer that provides documentation to an auditor pursuant to this paragraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a deployer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) This paragraph shall not be construed to require a deployer to collect any personal information from a subject of a consequential decision beyond that which the deployer collects in the ordinary course of business or as necessary to comply with state or federal law.(3) If the deadline for conducting an audit pursuant to paragraph (1) elapses before the audit has been completed, a deployer shall not use the covered ADS to make or facilitate consequential decisions until the audit has been completed.(h) A deployer that does any of the following assumes the responsibilities of a developer under this chapter:(1) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployer did not receive any documentation from the developer of the covered ADS pursuant to subdivision (c) of Section 22756.1. 22756.1 during the three-year period.(2) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployers use of the covered ADS is outside the scope of a developer-approved use.(3) Substantially modifies an automated decision system and does either of the following:(A) Uses the substantially modified system to make or facilitate consequential decisions that directly impact more than 5999 people in a given three-year period.(B) Makes the substantially modified system available to potential deployers.(i) A deployer that uses a covered ADS to make or facilitate a consequential decision shall retain the following documentation in an unredacted format for as long as the deployer uses the covered ADS remains deployed plus 10 years:(1) Any documentation received from developers pursuant to this chapter.(2) Any documentation provided pursuant to this section to subjects of consequential decisions made or facilitated by the covered ADS.(3) Any requests to correct personal information made pursuant to this section.(4) Any requests to opt out of the use of the covered ADS made pursuant to this section.(5) Any requests to appeal the outcome of a consequential decision made pursuant to this section.(6) Any documentation provided to, or received from, auditors pursuant to this chapter.(7) Records of any redactions made pursuant to this section.(j) (1) A deployer that uses a covered ADS to make or facilitate a consequential decision shall designate at least one employee to oversee the deployers compliance with this chapter.(2) A deployer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue related to the deployers use of a covered ADS that is raised to that employee.(k) In addition to the requirements of this section, a deployer that is a business subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) is subject to any privacy-related opt-out and access regulation duly adopted by the California Privacy Protection Agency pursuant to subdivision (b) of Section 1798.199.40 of the Civil Code.(l) This section shall become operative on January 1, 2027.22756.3. (a) An auditor that conducts an impact assessment on a covered ADS pursuant to subdivision (g) of Section 22756.2 shall do all of the following:(1) (A) Request any information from the deployer of the covered ADS that is reasonably necessary for the auditor to conduct a comprehensive impact assessment.(B) This paragraph applies only to information gathered by the deployer in the ordinary course of business.(2)Document all developer-approved uses of the covered ADS that the deployer utilized during the relevant period.(3)(2) For each unique developer-approved use, use of the covered ADS by the deployer, document all of the following:(A) The observed accuracy and reliability of the covered ADS over the relevant period.(B) Whether the observed accuracy and reliability differed materially from the expected accuracy and reliability of the covered ADS, as described in documentation provided by a developer to the deployer pursuant to this chapter.(C) Whether any disparate impacts resulted from the deployers use of the covered ADS and the deployment conditions under which those disparate impacts occurred.(D) Whether each disparate impact was an anticipated disparate impact, as described in documentation provided to the deployer pursuant to this chapter.(4)(3) Whether the deployer used the covered ADS to make or facilitate a consequential decision outside of the scope of a developer-approved use.(5)(4) Whether the deployer assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(b) (1) After conducting an impact assessment on a covered ADS, an auditor shall provide the results of the impact assessment to do both of the following:(A) The Provide the results of the impact assessment to the deployer that contracted with the auditor to perform the impact assessment.(B)The developer of the covered ADS.(B) Make a high-level summary of the results of the impact assessment publicly available at no cost to users of the auditors internet website.(2) The documentation required by this section shall be both of the following:(A) Provided in English and in any other language that the auditor regularly uses to communicate with developers and deployers.(B) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the developer and deployer. information.(3) An auditor shall not provide a developer make publicly available with the personal information of a subject of a consequential decision made or facilitated by a covered ADS without first obtaining the express consent of the subject.22756.4. (a) (1) Within 30 days of receiving a request from the Attorney General for a performance evaluation or impact assessment prepared pursuant to this chapter, a developer, deployer, or auditor of a covered ADS shall provide an unredacted copy of the document to the Attorney General.(2) The Attorney General may share performance evaluations and impact assessments with other enforcement entities as necessary for enforcement purposes.(b) (1) The disclosure or sharing of a performance evaluation or impact assessment pursuant to subdivision (a) does not constitute a waiver of any attorney-client privilege, work-product protection, or trade secret protection that might otherwise exist with respect to any information contained in the performance evaluation or impact assessment.(2) A performance evaluation or impact assessment disclosed or shared pursuant to subdivision (a) is exempt from the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(c) Each day a covered ADS is used for which a performance evaluation or impact assessment has not been submitted to the Attorney General pursuant to this section is an additional violation of this section.22756.5. (a) Any of the following public entities may bring a civil action against a developer or deployer developer, deployer, or auditor who violates this chapter:(1) The Attorney General.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(3) A city prosecutor in any city having a full-time city prosecutor with the consent of the district attorney.(4) The Civil Rights Department.(5) The Labor Commissioner with respect to employment-related decisions only.(b) A court may award a prevailing plaintiff who brings an action pursuant to subdivision (a) all of the following:(1) Injunctive relief.(2) Declaratory relief.(3) Reasonable attorneys fees and litigation costs.(4) A civil penalty of up to twenty-five thousand dollars ($25,000) per violation.(c) A developer or deployer who contracts with a third party to perform the developers or deployers duties under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to perform those duties.22756.6. (a) This chapter does not apply to an automated decision system the sole purpose of which is to do either of the following:(a)(1) Detect, protect against, or respond to cybersecurity incidents or preserve the integrity or security of computer systems.(b)(2) Operate aircraft in the national airspace.(b) The use of a consumer credit score to inform a consequential decision does not itself create an obligation under this chapter.22756.7. (a) The rights, remedies, and penalties established by this chapter are cumulative and shall not be construed to supersede the rights, remedies, or penalties established under other laws, including, but not limited to, Chapter 6 (commencing with Section 12940) of Part 2.8 of Division 3 of Title 2 of the Government Code and Section 51 of the Civil Code.(b) This chapter does not diminish the rights, privileges, or remedies of an employee under any other federal or state law or under any employment contract or collective bargaining agreement.(c) This chapter does not authorize any use of automated decision systems that is limited, restricted, or prohibited under any other applicable law.(d) This chapter does not authorize disparate impacts or disparate treatment that are limited, restricted, or prohibited under any other applicable law.22756.8.A developer or deployer who contracts with a third party to comply with duties required under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to comply with this chapter.
SECTION 1. Chapter 24.6 (commencing with Section 22756) is added to Division 8 of the Business and Professions Code, to read:
### SECTION 1.
CHAPTER 24.6. Automated Decisions Safety Act22756. As used in this chapter:(a) Artificial intelligence means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(b) (1) Automated decision system means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.(2) Automated decision system does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.(c) Consequential decision means a decision that materially impacts the cost, terms, quality, or accessibility of any of the following to a natural person:(1) Employment-related decisions.(2) Education and vocational training as they relate to any of the following:(A) Assessment and placement.(B) Detecting student cheating and plagiarism.(C) Accreditation.(D) Certification.(E) Admissions and enrollment.(F) Discipline.(G) Evaluation.(H) Financial aid and scholarships.(I) Proctoring.(3) Housing and lodging as they relate to any of the following:(A) Rental or short-term housing and lodging.(B) Home appraisals.(C) Rental subsidies.(D) Publicly supported housing.(4) Any of the following essential utilities:(A) Electricity.(B) Heat.(C) Water.(D)Internet and telecommunications access.(E)(D) Transportation.(F)(E) Municipal trash and sewage services.(5) Family planning, adoption services, reproductive services, and assessments related to child protective services.(6) Health care and health insurance, including mental health care, dental, and vision.(7) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(8) The criminal justice system with respect to pretrial release, sentencing, and alternatives to incarceration.(9) Legal services.(10) Private arbitration.(11) Mediation.(12) Elections as they relate to any of the following:(A) Voting.(B) Redistricting.(C) Voter eligibility and registration.(D) Distribution of voting information.(E) Election administration.(13) Access to government benefits or services or assignment of penalties by a government entity.(14) Places of public accommodation, as defined in Section 55.52 of the Civil Code.(15) Insurance.(16) Internet and telecommunications access.(d) Covered automated decision system or covered ADS means an automated decision system that makes or facilitates is designed or used to make or facilitate a consequential decision.(e) Credit score means a credit score, as defined in Section 1785.15.1 of the Civil Code, from a consumer credit reporting agency, as defined in Section 1785.3 of the Civil Code.(e)(f) Deployer means a person, partnership, state or local government agency, corporation, or developer that uses a covered ADS to make or facilitate a consequential decision, either directly or through by contracting with a third party. party for that purpose.(f)(g) Developer means a person, partnership, state or local government agency, corporation, or deployer that designs, codes, substantially modifies, or otherwise produces an automated decision system that makes or facilitates a consequential decision, either directly or through by contracting with a third party. party for those purposes.(g)(h) (1) Developer-approved use means a deployment context in which a developer intends a covered ADS to make or facilitate a consequential decision.(2) Developer-approved use includes any reasonably foreseeable fine tuning of the covered ADS.(h)(i) Disparate impact means a differential effect on a group of individuals who share a protected characteristic.(i)(j) Disparate treatment means differential treatment of an individual or group of individuals on the basis of a protected characteristic.(j)(k) Employment-related decision means a decision made by an employer, either directly or through a third party, that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks and responsibilities, assignment of work, access to work and training opportunities, productivity requirements, workplace health and safety, or other terms or conditions of employment.(k)(l) (1) Express consent means an affirmative written authorization that is granted in response to a notice that is all of the following:(A) Clear, meaningful, and prominent.(B) Conveyed in a manner that a natural person would notice and understand it.(C) Not contained within a more general notice, agreement, or set of terms and conditions.(2) Express consent does not mean an authorization that is either of the following:(A) Inferred from inaction.(B) Obtained through the use of a dark pattern, as defined in Section 56.18 of the Civil Code.(l)(m) Fine-tune means to adjust the model parameters of an automated decision system through exposure to additional data.(m)(n) Labor Commissioner means Chief of the Division of Labor Standards Enforcement.(n)(o) Personal information has the same meaning as defined in Section 1798.140 of the Civil Code.(o)(p) Protected characteristic means a characteristic listed in subdivision (b) of Section 51 of the Civil Code.(p)(q) (1) Substantial modification means a new version, release, update, or other modification to a covered ADS that materially changes its uses or outputs.(2) Substantial modification does not mean a modification that results from fine tuning.(q)(r) Trade secret has the same meaning as in Section 3426.1 of the Civil Code.22756.1. (a) (1) With respect to a covered ADS that was first deployed, or made available to potential deployers, before January 1, 2026, the developer of the covered ADS shall conduct an initial performance evaluation on the covered ADS before January 1, 2027, and shall additionally conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Following any substantial modification of the covered ADS by the developer.(B) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(C) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(2) With respect to a covered ADS that is first deployed or made available to potential deployers on or after January 1, 2026, the developer of the covered ADS shall conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Before initially deploying the covered ADS or making the covered ADS available to potential deployers.(B) Following any substantial modification of the covered ADS by the developer.(C) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(D) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(b) In conducting a performance evaluation on a covered ADS, a developer shall do all of the following:(1) Describe the purpose of the covered ADS.(2) List and describe all developer-approved uses of the covered ADS.(3) For each developer-approved use, assess evaluate the expected performance of the covered ADS and document all of the following:(A) The expected accuracy and reliability of the covered ADS.(B) Any reasonably foreseeable effects of fine tuning on the accuracy and reliability of the covered ADS.(4)For each developer-approved use, assess whether(C) Whether any disparate treatment is intended to occur and document and, if so, all of the following:(A)Whether the covered ADS is intended to treat individuals or groups of individuals differently on the basis of a protected characteristic.(B)For each disparate treatment identified under subparagraph (A), describe all of the following:(i) The conditions under which the each disparate treatment is intended to occur.(ii) Whether the each disparate treatment is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate treatment were considered.(C)(D) Any reasonably foreseeable effects of fine tuning on disparate treatment.(5)For each developer-approved use, assess whether (E) Whether any disparate impacts are reasonably likely to occur and document and, if so, all of the following:(A)Whether the covered ADS is reasonably likely to treat groups of individuals who share a protected characteristic differently.(B)For each disparate impact identified under subparagraph (A), describe all of the following:(i) The conditions under which that each disparate impact is reasonably likely to occur.(ii) Whether the each disparate impact is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate impacts were considered.(C)(F) Whether any measures have been taken by the developer to mitigate the risk of unanticipated disparate impacts resulting from the use of the covered ADS.(D)(G) With respect to a covered ADS that has been deployed, whether any unanticipated disparate impacts have been reported to the developer by a deployer, and whether the developer has taken any measures to mitigate those disparate impacts.(E)(H) Any reasonably foreseeable effects of fine tuning on disparate impacts.(6)(4) (A) Contract with an independent third-party auditor to assess the developers compliance with this subdivision.(B) (i) Except pursuant to clause (ii), a developer that contracts with an auditor pursuant to this paragraph shall provide the auditor with any available information that is reasonably necessary for the auditor to comprehensively assess developer compliance.(ii) A developer that provides documentation to an auditor pursuant to this subparagraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a developer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) If the deadline for conducting a performance evaluation pursuant to subdivision (a) elapses before the audit has been completed, a developer shall not deploy the covered ADS or make the covered ADS available to potential deployers until the audit has been completed.(I) A developer that receives feedback from an auditor pursuant to this paragraph shall do both of the following:(i) Consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(ii) Make a high-level summary of the feedback publicly available at no cost to users of the developers internet website.(c) (1) A developer that sells, licenses, or otherwise transfers a covered ADS to a potential deployer shall provide the deployer with all of the following:(A) The results of the most recent performance evaluation conducted on the covered ADS by the developer pursuant to this chapter.(B) For each developer-approved use of the covered ADS, instructions explaining how the covered ADS should be used by the deployer to make or facilitate a consequential decision.(C) For each developer-approved use of the covered ADS, a description of whether and under what circumstances the covered ADS can be fine-tuned.(D) An explanation of the deployers responsibilities under this chapter, including a description of any circumstances under which the deployer would assume the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(E) (i) Any technical information necessary for the deployer to comply with this chapter.(ii) A developer shall not be required to provide additional technical information to a deployer that has assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(2) (A) A developer that provides documentation to a potential deployer pursuant to this subdivision may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a developer withholds information pursuant to subparagraph (A), the developer shall notify the deployer and provide a basis for the withholding.(d) A developer that receives an impact assessment from an auditor of a deployed covered ADS pursuant to subdivision (b) of Section 22756.3 shall provide all of the following information to any deployer of the covered ADS:(A) Any material differences between the expected accuracy of the covered ADS and the observed accuracy of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(B) Any material differences between the expected reliability of the covered ADS and the observed reliability of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(C) Any unanticipated disparate impacts resulting from the use of the covered ADS and the deployment conditions under which those disparate impacts are reasonably likely to occur.(D) An explanation of any steps the deployer can take to mitigate these discrepancies.(e) A developer that receives feedback from an auditor pursuant to this chapter shall consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(f) A developer that provides documentation to a deployer pursuant to this section shall ensure the documentation is all of the following:(A) Transmitted directly to the deployer or otherwise made available in a manner reasonably calculated to ensure the deployer receives the documentation.(B) Provided in English and in any other language the developer regularly uses to communicate with deployers.(C) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the deployer.(g) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall maintain all of the following documentation in an unredacted format for as long as the covered ADS remains deployed or developer deploys the covered ADS or makes the covered ADS available to potential deployers plus 10 years:(1) The results of any performance evaluations conducted on the covered ADS pursuant to this chapter.(2) Any documentation provided to deployers pursuant to this chapter.(3) Any documentation provided to, or received from, auditors pursuant to this chapter.(4) Records of any redactions made pursuant to this chapter.(h) It is unlawful to advertise to consumers in the state that a covered ADS is capable of performing in a manner not substantiated by the results of the most recent performance evaluation conducted on the covered ADS.(i) (1) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall designate at least one employee to oversee the developers compliance with this chapter.(2) A developer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue raised to that employee.22756.2. (a) (1) Except as provided in paragraph (2), before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a plain language written disclosure containing all of the following information:(A) A statement informing the subject that a covered ADS will be used to make or facilitate the consequential decision.(B) The name, version number, and developer of the covered ADS.(C) Whether the deployers use of the covered ADS is within the scope of a developer-approved use and a description of that use.(D) (i) The personal characteristics or attributes of the subject that the covered ADS measures or assesses to make or facilitate the consequential decision.(ii) The sources of personal information collected from the subject to make or facilitate the consequential decision.(iii) Any key parameters known to disproportionately affect the outcome of the consequential decision.(E) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs are used to make or facilitate the consequential decision.(F) Whether a natural person will review either of the following before the consequential decision is finalized:(i) The outputs of the covered ADS.(ii) The outcome of the consequential decision.(G) The subjects rights under subdivisions (b) and (c) (d) and the means and timeframe for exercising those rights.(H) (i) Contact information for the deployer.(ii) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(iii) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(2) Paragraph (1) does not apply if the subject of the consequential decision is having a medical emergency.(b) (1) Before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a reasonable opportunity to opt out of the use of the covered ADS.(2) (A) A deployer may deny a request to opt out of the use of a covered ADS if either of the following is true:(i) The deployer is subject to the federal Gramm-Leach-Bliley Act, and the covered ADS makes or facilitates a consequential decision pursuant to paragraph (7) of subdivision (c) of Section 22756.(ii) The subject of the consequential decision is having a medical emergency.(B) A deployer that denies a request to opt out of the use of a covered ADS pursuant to subparagraph (A) shall provide the subject with an explanation of the basis for the denial.(c) (1) After a deployer finalizes a consequential decision is finalized, made or facilitated by a covered ADS, the deployer shall provide any subject of that decision witha plain language written disclosure shall be provided containing all of the following information within five days, and the disclosure shall include all of the information: days:(A) The personal characteristics or attributes of the subject that the covered ADS measured or assessed used to make or facilitate the consequential decision.(B) The sources of personal information collected from the subject that were used to make or facilitate the consequential decision.(C) Any key parameters that disproportionately affected the outcome of the consequential decision.(D) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs were used to make or facilitate the consequential decision.(E) The role that the ADS played in making the consequential decision and whether any human judgment was involved.(F) Contact information for the deployer.(G) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(H) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(I) The subjects rights under subdivision (d) and the means and timeframe for exercising those rights.(2) Paragraph (1) is does not applicable apply if the subject of the consequential decision is having a medical emergency.(3) A deployer that provides documentation to a subject of a consequential decision pursuant to this subdivision shall ensure the documentation is all of the following:(A) Transmitted directly to the subject.(B) Provided in English and in any other language that the deployer regularly uses to communicate with subjects.(C) Made available in formats that are accessible to people who are blind or have other disabilities.(D) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the subject.(d) After finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with an opportunity to do both of the following within 30 business days:(1) (A) Correct any incorrect personal information used by the covered ADS to make or facilitate the consequential decision.(B) A deployer shall comply with a request to correct personal information within 30 business days of receiving the request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that complying with a request to correct personal information would change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that complying with a request to correct personal information would not change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, inform the subject that the correction was made but that it did not alter the decision.(D) A deployer that denies a request to correct personal information shall do both of the following:(i) Provide the subject with an explanation of the basis for the denial.(ii) Provide the subject with a reasonable opportunity to request that the deployer delete the subjects personal information.(2) (A) Appeal the outcome of the consequential decision.(B) A deployer shall review a request to appeal a consequential decision within 30 business days of receiving the request. request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that the original decision is was incorrect, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that the original decision is was correct, the deployer shall, within 30 days of making the determination, inform the subject that the consequential decision will not be altered.(D) A deployer that denies a request to appeal the outcome of a consequential decision shall provide the subject with an explanation of the basis for the denial.(e) (1) (A) A deployer that provides documentation to the subject of a consequential decision pursuant to this section may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a deployer withholds information pursuant to paragraph (1), the deployer shall notify the subject and provide a basis for the withholding.(2) A deployer that is required by another state or federal law to provide substantially similar notice to a subject of a consequential decision need not duplicatively provide notice to the subject under this section.(f) A deployers collection, use, retention, and sharing of personal information from a subject of a consequential decision shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected and processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(g) (1) A deployer that uses a covered ADS to make or facilitate consequential decisions directly impacting more than 5999 5,999 people in a given three-year period shall contract with an independent third-party auditor to conduct an impact assessment on the covered ADS before January 1, 2030, and every three years thereafter.(2) (A) Except pursuant to subparagraph (B), a deployer that contracts with an auditor pursuant to this subdivision shall provide the auditor with any available information that is reasonably necessary for the auditor to conduct a comprehensive impact assessment on the covered ADS.(B) A deployer that provides documentation to an auditor pursuant to this paragraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a deployer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) This paragraph shall not be construed to require a deployer to collect any personal information from a subject of a consequential decision beyond that which the deployer collects in the ordinary course of business or as necessary to comply with state or federal law.(3) If the deadline for conducting an audit pursuant to paragraph (1) elapses before the audit has been completed, a deployer shall not use the covered ADS to make or facilitate consequential decisions until the audit has been completed.(h) A deployer that does any of the following assumes the responsibilities of a developer under this chapter:(1) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployer did not receive any documentation from the developer of the covered ADS pursuant to subdivision (c) of Section 22756.1. 22756.1 during the three-year period.(2) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployers use of the covered ADS is outside the scope of a developer-approved use.(3) Substantially modifies an automated decision system and does either of the following:(A) Uses the substantially modified system to make or facilitate consequential decisions that directly impact more than 5999 people in a given three-year period.(B) Makes the substantially modified system available to potential deployers.(i) A deployer that uses a covered ADS to make or facilitate a consequential decision shall retain the following documentation in an unredacted format for as long as the deployer uses the covered ADS remains deployed plus 10 years:(1) Any documentation received from developers pursuant to this chapter.(2) Any documentation provided pursuant to this section to subjects of consequential decisions made or facilitated by the covered ADS.(3) Any requests to correct personal information made pursuant to this section.(4) Any requests to opt out of the use of the covered ADS made pursuant to this section.(5) Any requests to appeal the outcome of a consequential decision made pursuant to this section.(6) Any documentation provided to, or received from, auditors pursuant to this chapter.(7) Records of any redactions made pursuant to this section.(j) (1) A deployer that uses a covered ADS to make or facilitate a consequential decision shall designate at least one employee to oversee the deployers compliance with this chapter.(2) A deployer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue related to the deployers use of a covered ADS that is raised to that employee.(k) In addition to the requirements of this section, a deployer that is a business subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) is subject to any privacy-related opt-out and access regulation duly adopted by the California Privacy Protection Agency pursuant to subdivision (b) of Section 1798.199.40 of the Civil Code.(l) This section shall become operative on January 1, 2027.22756.3. (a) An auditor that conducts an impact assessment on a covered ADS pursuant to subdivision (g) of Section 22756.2 shall do all of the following:(1) (A) Request any information from the deployer of the covered ADS that is reasonably necessary for the auditor to conduct a comprehensive impact assessment.(B) This paragraph applies only to information gathered by the deployer in the ordinary course of business.(2)Document all developer-approved uses of the covered ADS that the deployer utilized during the relevant period.(3)(2) For each unique developer-approved use, use of the covered ADS by the deployer, document all of the following:(A) The observed accuracy and reliability of the covered ADS over the relevant period.(B) Whether the observed accuracy and reliability differed materially from the expected accuracy and reliability of the covered ADS, as described in documentation provided by a developer to the deployer pursuant to this chapter.(C) Whether any disparate impacts resulted from the deployers use of the covered ADS and the deployment conditions under which those disparate impacts occurred.(D) Whether each disparate impact was an anticipated disparate impact, as described in documentation provided to the deployer pursuant to this chapter.(4)(3) Whether the deployer used the covered ADS to make or facilitate a consequential decision outside of the scope of a developer-approved use.(5)(4) Whether the deployer assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(b) (1) After conducting an impact assessment on a covered ADS, an auditor shall provide the results of the impact assessment to do both of the following:(A) The Provide the results of the impact assessment to the deployer that contracted with the auditor to perform the impact assessment.(B)The developer of the covered ADS.(B) Make a high-level summary of the results of the impact assessment publicly available at no cost to users of the auditors internet website.(2) The documentation required by this section shall be both of the following:(A) Provided in English and in any other language that the auditor regularly uses to communicate with developers and deployers.(B) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the developer and deployer. information.(3) An auditor shall not provide a developer make publicly available with the personal information of a subject of a consequential decision made or facilitated by a covered ADS without first obtaining the express consent of the subject.22756.4. (a) (1) Within 30 days of receiving a request from the Attorney General for a performance evaluation or impact assessment prepared pursuant to this chapter, a developer, deployer, or auditor of a covered ADS shall provide an unredacted copy of the document to the Attorney General.(2) The Attorney General may share performance evaluations and impact assessments with other enforcement entities as necessary for enforcement purposes.(b) (1) The disclosure or sharing of a performance evaluation or impact assessment pursuant to subdivision (a) does not constitute a waiver of any attorney-client privilege, work-product protection, or trade secret protection that might otherwise exist with respect to any information contained in the performance evaluation or impact assessment.(2) A performance evaluation or impact assessment disclosed or shared pursuant to subdivision (a) is exempt from the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(c) Each day a covered ADS is used for which a performance evaluation or impact assessment has not been submitted to the Attorney General pursuant to this section is an additional violation of this section.22756.5. (a) Any of the following public entities may bring a civil action against a developer or deployer developer, deployer, or auditor who violates this chapter:(1) The Attorney General.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(3) A city prosecutor in any city having a full-time city prosecutor with the consent of the district attorney.(4) The Civil Rights Department.(5) The Labor Commissioner with respect to employment-related decisions only.(b) A court may award a prevailing plaintiff who brings an action pursuant to subdivision (a) all of the following:(1) Injunctive relief.(2) Declaratory relief.(3) Reasonable attorneys fees and litigation costs.(4) A civil penalty of up to twenty-five thousand dollars ($25,000) per violation.(c) A developer or deployer who contracts with a third party to perform the developers or deployers duties under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to perform those duties.22756.6. (a) This chapter does not apply to an automated decision system the sole purpose of which is to do either of the following:(a)(1) Detect, protect against, or respond to cybersecurity incidents or preserve the integrity or security of computer systems.(b)(2) Operate aircraft in the national airspace.(b) The use of a consumer credit score to inform a consequential decision does not itself create an obligation under this chapter.22756.7. (a) The rights, remedies, and penalties established by this chapter are cumulative and shall not be construed to supersede the rights, remedies, or penalties established under other laws, including, but not limited to, Chapter 6 (commencing with Section 12940) of Part 2.8 of Division 3 of Title 2 of the Government Code and Section 51 of the Civil Code.(b) This chapter does not diminish the rights, privileges, or remedies of an employee under any other federal or state law or under any employment contract or collective bargaining agreement.(c) This chapter does not authorize any use of automated decision systems that is limited, restricted, or prohibited under any other applicable law.(d) This chapter does not authorize disparate impacts or disparate treatment that are limited, restricted, or prohibited under any other applicable law.22756.8.A developer or deployer who contracts with a third party to comply with duties required under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to comply with this chapter.
CHAPTER 24.6. Automated Decisions Safety Act22756. As used in this chapter:(a) Artificial intelligence means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(b) (1) Automated decision system means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.(2) Automated decision system does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.(c) Consequential decision means a decision that materially impacts the cost, terms, quality, or accessibility of any of the following to a natural person:(1) Employment-related decisions.(2) Education and vocational training as they relate to any of the following:(A) Assessment and placement.(B) Detecting student cheating and plagiarism.(C) Accreditation.(D) Certification.(E) Admissions and enrollment.(F) Discipline.(G) Evaluation.(H) Financial aid and scholarships.(I) Proctoring.(3) Housing and lodging as they relate to any of the following:(A) Rental or short-term housing and lodging.(B) Home appraisals.(C) Rental subsidies.(D) Publicly supported housing.(4) Any of the following essential utilities:(A) Electricity.(B) Heat.(C) Water.(D)Internet and telecommunications access.(E)(D) Transportation.(F)(E) Municipal trash and sewage services.(5) Family planning, adoption services, reproductive services, and assessments related to child protective services.(6) Health care and health insurance, including mental health care, dental, and vision.(7) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(8) The criminal justice system with respect to pretrial release, sentencing, and alternatives to incarceration.(9) Legal services.(10) Private arbitration.(11) Mediation.(12) Elections as they relate to any of the following:(A) Voting.(B) Redistricting.(C) Voter eligibility and registration.(D) Distribution of voting information.(E) Election administration.(13) Access to government benefits or services or assignment of penalties by a government entity.(14) Places of public accommodation, as defined in Section 55.52 of the Civil Code.(15) Insurance.(16) Internet and telecommunications access.(d) Covered automated decision system or covered ADS means an automated decision system that makes or facilitates is designed or used to make or facilitate a consequential decision.(e) Credit score means a credit score, as defined in Section 1785.15.1 of the Civil Code, from a consumer credit reporting agency, as defined in Section 1785.3 of the Civil Code.(e)(f) Deployer means a person, partnership, state or local government agency, corporation, or developer that uses a covered ADS to make or facilitate a consequential decision, either directly or through by contracting with a third party. party for that purpose.(f)(g) Developer means a person, partnership, state or local government agency, corporation, or deployer that designs, codes, substantially modifies, or otherwise produces an automated decision system that makes or facilitates a consequential decision, either directly or through by contracting with a third party. party for those purposes.(g)(h) (1) Developer-approved use means a deployment context in which a developer intends a covered ADS to make or facilitate a consequential decision.(2) Developer-approved use includes any reasonably foreseeable fine tuning of the covered ADS.(h)(i) Disparate impact means a differential effect on a group of individuals who share a protected characteristic.(i)(j) Disparate treatment means differential treatment of an individual or group of individuals on the basis of a protected characteristic.(j)(k) Employment-related decision means a decision made by an employer, either directly or through a third party, that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks and responsibilities, assignment of work, access to work and training opportunities, productivity requirements, workplace health and safety, or other terms or conditions of employment.(k)(l) (1) Express consent means an affirmative written authorization that is granted in response to a notice that is all of the following:(A) Clear, meaningful, and prominent.(B) Conveyed in a manner that a natural person would notice and understand it.(C) Not contained within a more general notice, agreement, or set of terms and conditions.(2) Express consent does not mean an authorization that is either of the following:(A) Inferred from inaction.(B) Obtained through the use of a dark pattern, as defined in Section 56.18 of the Civil Code.(l)(m) Fine-tune means to adjust the model parameters of an automated decision system through exposure to additional data.(m)(n) Labor Commissioner means Chief of the Division of Labor Standards Enforcement.(n)(o) Personal information has the same meaning as defined in Section 1798.140 of the Civil Code.(o)(p) Protected characteristic means a characteristic listed in subdivision (b) of Section 51 of the Civil Code.(p)(q) (1) Substantial modification means a new version, release, update, or other modification to a covered ADS that materially changes its uses or outputs.(2) Substantial modification does not mean a modification that results from fine tuning.(q)(r) Trade secret has the same meaning as in Section 3426.1 of the Civil Code.22756.1. (a) (1) With respect to a covered ADS that was first deployed, or made available to potential deployers, before January 1, 2026, the developer of the covered ADS shall conduct an initial performance evaluation on the covered ADS before January 1, 2027, and shall additionally conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Following any substantial modification of the covered ADS by the developer.(B) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(C) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(2) With respect to a covered ADS that is first deployed or made available to potential deployers on or after January 1, 2026, the developer of the covered ADS shall conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Before initially deploying the covered ADS or making the covered ADS available to potential deployers.(B) Following any substantial modification of the covered ADS by the developer.(C) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(D) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(b) In conducting a performance evaluation on a covered ADS, a developer shall do all of the following:(1) Describe the purpose of the covered ADS.(2) List and describe all developer-approved uses of the covered ADS.(3) For each developer-approved use, assess evaluate the expected performance of the covered ADS and document all of the following:(A) The expected accuracy and reliability of the covered ADS.(B) Any reasonably foreseeable effects of fine tuning on the accuracy and reliability of the covered ADS.(4)For each developer-approved use, assess whether(C) Whether any disparate treatment is intended to occur and document and, if so, all of the following:(A)Whether the covered ADS is intended to treat individuals or groups of individuals differently on the basis of a protected characteristic.(B)For each disparate treatment identified under subparagraph (A), describe all of the following:(i) The conditions under which the each disparate treatment is intended to occur.(ii) Whether the each disparate treatment is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate treatment were considered.(C)(D) Any reasonably foreseeable effects of fine tuning on disparate treatment.(5)For each developer-approved use, assess whether (E) Whether any disparate impacts are reasonably likely to occur and document and, if so, all of the following:(A)Whether the covered ADS is reasonably likely to treat groups of individuals who share a protected characteristic differently.(B)For each disparate impact identified under subparagraph (A), describe all of the following:(i) The conditions under which that each disparate impact is reasonably likely to occur.(ii) Whether the each disparate impact is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate impacts were considered.(C)(F) Whether any measures have been taken by the developer to mitigate the risk of unanticipated disparate impacts resulting from the use of the covered ADS.(D)(G) With respect to a covered ADS that has been deployed, whether any unanticipated disparate impacts have been reported to the developer by a deployer, and whether the developer has taken any measures to mitigate those disparate impacts.(E)(H) Any reasonably foreseeable effects of fine tuning on disparate impacts.(6)(4) (A) Contract with an independent third-party auditor to assess the developers compliance with this subdivision.(B) (i) Except pursuant to clause (ii), a developer that contracts with an auditor pursuant to this paragraph shall provide the auditor with any available information that is reasonably necessary for the auditor to comprehensively assess developer compliance.(ii) A developer that provides documentation to an auditor pursuant to this subparagraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a developer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) If the deadline for conducting a performance evaluation pursuant to subdivision (a) elapses before the audit has been completed, a developer shall not deploy the covered ADS or make the covered ADS available to potential deployers until the audit has been completed.(I) A developer that receives feedback from an auditor pursuant to this paragraph shall do both of the following:(i) Consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(ii) Make a high-level summary of the feedback publicly available at no cost to users of the developers internet website.(c) (1) A developer that sells, licenses, or otherwise transfers a covered ADS to a potential deployer shall provide the deployer with all of the following:(A) The results of the most recent performance evaluation conducted on the covered ADS by the developer pursuant to this chapter.(B) For each developer-approved use of the covered ADS, instructions explaining how the covered ADS should be used by the deployer to make or facilitate a consequential decision.(C) For each developer-approved use of the covered ADS, a description of whether and under what circumstances the covered ADS can be fine-tuned.(D) An explanation of the deployers responsibilities under this chapter, including a description of any circumstances under which the deployer would assume the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(E) (i) Any technical information necessary for the deployer to comply with this chapter.(ii) A developer shall not be required to provide additional technical information to a deployer that has assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(2) (A) A developer that provides documentation to a potential deployer pursuant to this subdivision may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a developer withholds information pursuant to subparagraph (A), the developer shall notify the deployer and provide a basis for the withholding.(d) A developer that receives an impact assessment from an auditor of a deployed covered ADS pursuant to subdivision (b) of Section 22756.3 shall provide all of the following information to any deployer of the covered ADS:(A) Any material differences between the expected accuracy of the covered ADS and the observed accuracy of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(B) Any material differences between the expected reliability of the covered ADS and the observed reliability of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(C) Any unanticipated disparate impacts resulting from the use of the covered ADS and the deployment conditions under which those disparate impacts are reasonably likely to occur.(D) An explanation of any steps the deployer can take to mitigate these discrepancies.(e) A developer that receives feedback from an auditor pursuant to this chapter shall consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(f) A developer that provides documentation to a deployer pursuant to this section shall ensure the documentation is all of the following:(A) Transmitted directly to the deployer or otherwise made available in a manner reasonably calculated to ensure the deployer receives the documentation.(B) Provided in English and in any other language the developer regularly uses to communicate with deployers.(C) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the deployer.(g) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall maintain all of the following documentation in an unredacted format for as long as the covered ADS remains deployed or developer deploys the covered ADS or makes the covered ADS available to potential deployers plus 10 years:(1) The results of any performance evaluations conducted on the covered ADS pursuant to this chapter.(2) Any documentation provided to deployers pursuant to this chapter.(3) Any documentation provided to, or received from, auditors pursuant to this chapter.(4) Records of any redactions made pursuant to this chapter.(h) It is unlawful to advertise to consumers in the state that a covered ADS is capable of performing in a manner not substantiated by the results of the most recent performance evaluation conducted on the covered ADS.(i) (1) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall designate at least one employee to oversee the developers compliance with this chapter.(2) A developer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue raised to that employee.22756.2. (a) (1) Except as provided in paragraph (2), before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a plain language written disclosure containing all of the following information:(A) A statement informing the subject that a covered ADS will be used to make or facilitate the consequential decision.(B) The name, version number, and developer of the covered ADS.(C) Whether the deployers use of the covered ADS is within the scope of a developer-approved use and a description of that use.(D) (i) The personal characteristics or attributes of the subject that the covered ADS measures or assesses to make or facilitate the consequential decision.(ii) The sources of personal information collected from the subject to make or facilitate the consequential decision.(iii) Any key parameters known to disproportionately affect the outcome of the consequential decision.(E) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs are used to make or facilitate the consequential decision.(F) Whether a natural person will review either of the following before the consequential decision is finalized:(i) The outputs of the covered ADS.(ii) The outcome of the consequential decision.(G) The subjects rights under subdivisions (b) and (c) (d) and the means and timeframe for exercising those rights.(H) (i) Contact information for the deployer.(ii) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(iii) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(2) Paragraph (1) does not apply if the subject of the consequential decision is having a medical emergency.(b) (1) Before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a reasonable opportunity to opt out of the use of the covered ADS.(2) (A) A deployer may deny a request to opt out of the use of a covered ADS if either of the following is true:(i) The deployer is subject to the federal Gramm-Leach-Bliley Act, and the covered ADS makes or facilitates a consequential decision pursuant to paragraph (7) of subdivision (c) of Section 22756.(ii) The subject of the consequential decision is having a medical emergency.(B) A deployer that denies a request to opt out of the use of a covered ADS pursuant to subparagraph (A) shall provide the subject with an explanation of the basis for the denial.(c) (1) After a deployer finalizes a consequential decision is finalized, made or facilitated by a covered ADS, the deployer shall provide any subject of that decision witha plain language written disclosure shall be provided containing all of the following information within five days, and the disclosure shall include all of the information: days:(A) The personal characteristics or attributes of the subject that the covered ADS measured or assessed used to make or facilitate the consequential decision.(B) The sources of personal information collected from the subject that were used to make or facilitate the consequential decision.(C) Any key parameters that disproportionately affected the outcome of the consequential decision.(D) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs were used to make or facilitate the consequential decision.(E) The role that the ADS played in making the consequential decision and whether any human judgment was involved.(F) Contact information for the deployer.(G) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(H) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(I) The subjects rights under subdivision (d) and the means and timeframe for exercising those rights.(2) Paragraph (1) is does not applicable apply if the subject of the consequential decision is having a medical emergency.(3) A deployer that provides documentation to a subject of a consequential decision pursuant to this subdivision shall ensure the documentation is all of the following:(A) Transmitted directly to the subject.(B) Provided in English and in any other language that the deployer regularly uses to communicate with subjects.(C) Made available in formats that are accessible to people who are blind or have other disabilities.(D) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the subject.(d) After finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with an opportunity to do both of the following within 30 business days:(1) (A) Correct any incorrect personal information used by the covered ADS to make or facilitate the consequential decision.(B) A deployer shall comply with a request to correct personal information within 30 business days of receiving the request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that complying with a request to correct personal information would change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that complying with a request to correct personal information would not change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, inform the subject that the correction was made but that it did not alter the decision.(D) A deployer that denies a request to correct personal information shall do both of the following:(i) Provide the subject with an explanation of the basis for the denial.(ii) Provide the subject with a reasonable opportunity to request that the deployer delete the subjects personal information.(2) (A) Appeal the outcome of the consequential decision.(B) A deployer shall review a request to appeal a consequential decision within 30 business days of receiving the request. request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that the original decision is was incorrect, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that the original decision is was correct, the deployer shall, within 30 days of making the determination, inform the subject that the consequential decision will not be altered.(D) A deployer that denies a request to appeal the outcome of a consequential decision shall provide the subject with an explanation of the basis for the denial.(e) (1) (A) A deployer that provides documentation to the subject of a consequential decision pursuant to this section may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a deployer withholds information pursuant to paragraph (1), the deployer shall notify the subject and provide a basis for the withholding.(2) A deployer that is required by another state or federal law to provide substantially similar notice to a subject of a consequential decision need not duplicatively provide notice to the subject under this section.(f) A deployers collection, use, retention, and sharing of personal information from a subject of a consequential decision shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected and processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(g) (1) A deployer that uses a covered ADS to make or facilitate consequential decisions directly impacting more than 5999 5,999 people in a given three-year period shall contract with an independent third-party auditor to conduct an impact assessment on the covered ADS before January 1, 2030, and every three years thereafter.(2) (A) Except pursuant to subparagraph (B), a deployer that contracts with an auditor pursuant to this subdivision shall provide the auditor with any available information that is reasonably necessary for the auditor to conduct a comprehensive impact assessment on the covered ADS.(B) A deployer that provides documentation to an auditor pursuant to this paragraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a deployer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) This paragraph shall not be construed to require a deployer to collect any personal information from a subject of a consequential decision beyond that which the deployer collects in the ordinary course of business or as necessary to comply with state or federal law.(3) If the deadline for conducting an audit pursuant to paragraph (1) elapses before the audit has been completed, a deployer shall not use the covered ADS to make or facilitate consequential decisions until the audit has been completed.(h) A deployer that does any of the following assumes the responsibilities of a developer under this chapter:(1) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployer did not receive any documentation from the developer of the covered ADS pursuant to subdivision (c) of Section 22756.1. 22756.1 during the three-year period.(2) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployers use of the covered ADS is outside the scope of a developer-approved use.(3) Substantially modifies an automated decision system and does either of the following:(A) Uses the substantially modified system to make or facilitate consequential decisions that directly impact more than 5999 people in a given three-year period.(B) Makes the substantially modified system available to potential deployers.(i) A deployer that uses a covered ADS to make or facilitate a consequential decision shall retain the following documentation in an unredacted format for as long as the deployer uses the covered ADS remains deployed plus 10 years:(1) Any documentation received from developers pursuant to this chapter.(2) Any documentation provided pursuant to this section to subjects of consequential decisions made or facilitated by the covered ADS.(3) Any requests to correct personal information made pursuant to this section.(4) Any requests to opt out of the use of the covered ADS made pursuant to this section.(5) Any requests to appeal the outcome of a consequential decision made pursuant to this section.(6) Any documentation provided to, or received from, auditors pursuant to this chapter.(7) Records of any redactions made pursuant to this section.(j) (1) A deployer that uses a covered ADS to make or facilitate a consequential decision shall designate at least one employee to oversee the deployers compliance with this chapter.(2) A deployer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue related to the deployers use of a covered ADS that is raised to that employee.(k) In addition to the requirements of this section, a deployer that is a business subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) is subject to any privacy-related opt-out and access regulation duly adopted by the California Privacy Protection Agency pursuant to subdivision (b) of Section 1798.199.40 of the Civil Code.(l) This section shall become operative on January 1, 2027.22756.3. (a) An auditor that conducts an impact assessment on a covered ADS pursuant to subdivision (g) of Section 22756.2 shall do all of the following:(1) (A) Request any information from the deployer of the covered ADS that is reasonably necessary for the auditor to conduct a comprehensive impact assessment.(B) This paragraph applies only to information gathered by the deployer in the ordinary course of business.(2)Document all developer-approved uses of the covered ADS that the deployer utilized during the relevant period.(3)(2) For each unique developer-approved use, use of the covered ADS by the deployer, document all of the following:(A) The observed accuracy and reliability of the covered ADS over the relevant period.(B) Whether the observed accuracy and reliability differed materially from the expected accuracy and reliability of the covered ADS, as described in documentation provided by a developer to the deployer pursuant to this chapter.(C) Whether any disparate impacts resulted from the deployers use of the covered ADS and the deployment conditions under which those disparate impacts occurred.(D) Whether each disparate impact was an anticipated disparate impact, as described in documentation provided to the deployer pursuant to this chapter.(4)(3) Whether the deployer used the covered ADS to make or facilitate a consequential decision outside of the scope of a developer-approved use.(5)(4) Whether the deployer assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(b) (1) After conducting an impact assessment on a covered ADS, an auditor shall provide the results of the impact assessment to do both of the following:(A) The Provide the results of the impact assessment to the deployer that contracted with the auditor to perform the impact assessment.(B)The developer of the covered ADS.(B) Make a high-level summary of the results of the impact assessment publicly available at no cost to users of the auditors internet website.(2) The documentation required by this section shall be both of the following:(A) Provided in English and in any other language that the auditor regularly uses to communicate with developers and deployers.(B) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the developer and deployer. information.(3) An auditor shall not provide a developer make publicly available with the personal information of a subject of a consequential decision made or facilitated by a covered ADS without first obtaining the express consent of the subject.22756.4. (a) (1) Within 30 days of receiving a request from the Attorney General for a performance evaluation or impact assessment prepared pursuant to this chapter, a developer, deployer, or auditor of a covered ADS shall provide an unredacted copy of the document to the Attorney General.(2) The Attorney General may share performance evaluations and impact assessments with other enforcement entities as necessary for enforcement purposes.(b) (1) The disclosure or sharing of a performance evaluation or impact assessment pursuant to subdivision (a) does not constitute a waiver of any attorney-client privilege, work-product protection, or trade secret protection that might otherwise exist with respect to any information contained in the performance evaluation or impact assessment.(2) A performance evaluation or impact assessment disclosed or shared pursuant to subdivision (a) is exempt from the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(c) Each day a covered ADS is used for which a performance evaluation or impact assessment has not been submitted to the Attorney General pursuant to this section is an additional violation of this section.22756.5. (a) Any of the following public entities may bring a civil action against a developer or deployer developer, deployer, or auditor who violates this chapter:(1) The Attorney General.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(3) A city prosecutor in any city having a full-time city prosecutor with the consent of the district attorney.(4) The Civil Rights Department.(5) The Labor Commissioner with respect to employment-related decisions only.(b) A court may award a prevailing plaintiff who brings an action pursuant to subdivision (a) all of the following:(1) Injunctive relief.(2) Declaratory relief.(3) Reasonable attorneys fees and litigation costs.(4) A civil penalty of up to twenty-five thousand dollars ($25,000) per violation.(c) A developer or deployer who contracts with a third party to perform the developers or deployers duties under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to perform those duties.22756.6. (a) This chapter does not apply to an automated decision system the sole purpose of which is to do either of the following:(a)(1) Detect, protect against, or respond to cybersecurity incidents or preserve the integrity or security of computer systems.(b)(2) Operate aircraft in the national airspace.(b) The use of a consumer credit score to inform a consequential decision does not itself create an obligation under this chapter.22756.7. (a) The rights, remedies, and penalties established by this chapter are cumulative and shall not be construed to supersede the rights, remedies, or penalties established under other laws, including, but not limited to, Chapter 6 (commencing with Section 12940) of Part 2.8 of Division 3 of Title 2 of the Government Code and Section 51 of the Civil Code.(b) This chapter does not diminish the rights, privileges, or remedies of an employee under any other federal or state law or under any employment contract or collective bargaining agreement.(c) This chapter does not authorize any use of automated decision systems that is limited, restricted, or prohibited under any other applicable law.(d) This chapter does not authorize disparate impacts or disparate treatment that are limited, restricted, or prohibited under any other applicable law.22756.8.A developer or deployer who contracts with a third party to comply with duties required under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to comply with this chapter.
CHAPTER 24.6. Automated Decisions Safety Act
CHAPTER 24.6. Automated Decisions Safety Act
22756. As used in this chapter:(a) Artificial intelligence means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.(b) (1) Automated decision system means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.(2) Automated decision system does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.(c) Consequential decision means a decision that materially impacts the cost, terms, quality, or accessibility of any of the following to a natural person:(1) Employment-related decisions.(2) Education and vocational training as they relate to any of the following:(A) Assessment and placement.(B) Detecting student cheating and plagiarism.(C) Accreditation.(D) Certification.(E) Admissions and enrollment.(F) Discipline.(G) Evaluation.(H) Financial aid and scholarships.(I) Proctoring.(3) Housing and lodging as they relate to any of the following:(A) Rental or short-term housing and lodging.(B) Home appraisals.(C) Rental subsidies.(D) Publicly supported housing.(4) Any of the following essential utilities:(A) Electricity.(B) Heat.(C) Water.(D)Internet and telecommunications access.(E)(D) Transportation.(F)(E) Municipal trash and sewage services.(5) Family planning, adoption services, reproductive services, and assessments related to child protective services.(6) Health care and health insurance, including mental health care, dental, and vision.(7) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.(8) The criminal justice system with respect to pretrial release, sentencing, and alternatives to incarceration.(9) Legal services.(10) Private arbitration.(11) Mediation.(12) Elections as they relate to any of the following:(A) Voting.(B) Redistricting.(C) Voter eligibility and registration.(D) Distribution of voting information.(E) Election administration.(13) Access to government benefits or services or assignment of penalties by a government entity.(14) Places of public accommodation, as defined in Section 55.52 of the Civil Code.(15) Insurance.(16) Internet and telecommunications access.(d) Covered automated decision system or covered ADS means an automated decision system that makes or facilitates is designed or used to make or facilitate a consequential decision.(e) Credit score means a credit score, as defined in Section 1785.15.1 of the Civil Code, from a consumer credit reporting agency, as defined in Section 1785.3 of the Civil Code.(e)(f) Deployer means a person, partnership, state or local government agency, corporation, or developer that uses a covered ADS to make or facilitate a consequential decision, either directly or through by contracting with a third party. party for that purpose.(f)(g) Developer means a person, partnership, state or local government agency, corporation, or deployer that designs, codes, substantially modifies, or otherwise produces an automated decision system that makes or facilitates a consequential decision, either directly or through by contracting with a third party. party for those purposes.(g)(h) (1) Developer-approved use means a deployment context in which a developer intends a covered ADS to make or facilitate a consequential decision.(2) Developer-approved use includes any reasonably foreseeable fine tuning of the covered ADS.(h)(i) Disparate impact means a differential effect on a group of individuals who share a protected characteristic.(i)(j) Disparate treatment means differential treatment of an individual or group of individuals on the basis of a protected characteristic.(j)(k) Employment-related decision means a decision made by an employer, either directly or through a third party, that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks and responsibilities, assignment of work, access to work and training opportunities, productivity requirements, workplace health and safety, or other terms or conditions of employment.(k)(l) (1) Express consent means an affirmative written authorization that is granted in response to a notice that is all of the following:(A) Clear, meaningful, and prominent.(B) Conveyed in a manner that a natural person would notice and understand it.(C) Not contained within a more general notice, agreement, or set of terms and conditions.(2) Express consent does not mean an authorization that is either of the following:(A) Inferred from inaction.(B) Obtained through the use of a dark pattern, as defined in Section 56.18 of the Civil Code.(l)(m) Fine-tune means to adjust the model parameters of an automated decision system through exposure to additional data.(m)(n) Labor Commissioner means Chief of the Division of Labor Standards Enforcement.(n)(o) Personal information has the same meaning as defined in Section 1798.140 of the Civil Code.(o)(p) Protected characteristic means a characteristic listed in subdivision (b) of Section 51 of the Civil Code.(p)(q) (1) Substantial modification means a new version, release, update, or other modification to a covered ADS that materially changes its uses or outputs.(2) Substantial modification does not mean a modification that results from fine tuning.(q)(r) Trade secret has the same meaning as in Section 3426.1 of the Civil Code.
22756. As used in this chapter:
(a) Artificial intelligence means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.
(b) (1) Automated decision system means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is designed or used to assist or replace human discretionary decisionmaking and materially impacts natural persons.
(2) Automated decision system does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.
(c) Consequential decision means a decision that materially impacts the cost, terms, quality, or accessibility of any of the following to a natural person:
(1) Employment-related decisions.
(2) Education and vocational training as they relate to any of the following:
(A) Assessment and placement.
(B) Detecting student cheating and plagiarism.
(C) Accreditation.
(D) Certification.
(E) Admissions and enrollment.
(F) Discipline.
(G) Evaluation.
(H) Financial aid and scholarships.
(I) Proctoring.
(3) Housing and lodging as they relate to any of the following:
(A) Rental or short-term housing and lodging.
(B) Home appraisals.
(C) Rental subsidies.
(D) Publicly supported housing.
(4) Any of the following essential utilities:
(A) Electricity.
(B) Heat.
(C) Water.
(D)Internet and telecommunications access.
(E)
(D) Transportation.
(F)
(E) Municipal trash and sewage services.
(5) Family planning, adoption services, reproductive services, and assessments related to child protective services.
(6) Health care and health insurance, including mental health care, dental, and vision.
(7) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.
(8) The criminal justice system with respect to pretrial release, sentencing, and alternatives to incarceration.
(9) Legal services.
(10) Private arbitration.
(11) Mediation.
(12) Elections as they relate to any of the following:
(A) Voting.
(B) Redistricting.
(C) Voter eligibility and registration.
(D) Distribution of voting information.
(E) Election administration.
(13) Access to government benefits or services or assignment of penalties by a government entity.
(14) Places of public accommodation, as defined in Section 55.52 of the Civil Code.
(15) Insurance.
(16) Internet and telecommunications access.
(d) Covered automated decision system or covered ADS means an automated decision system that makes or facilitates is designed or used to make or facilitate a consequential decision.
(e) Credit score means a credit score, as defined in Section 1785.15.1 of the Civil Code, from a consumer credit reporting agency, as defined in Section 1785.3 of the Civil Code.
(e)
(f) Deployer means a person, partnership, state or local government agency, corporation, or developer that uses a covered ADS to make or facilitate a consequential decision, either directly or through by contracting with a third party. party for that purpose.
(f)
(g) Developer means a person, partnership, state or local government agency, corporation, or deployer that designs, codes, substantially modifies, or otherwise produces an automated decision system that makes or facilitates a consequential decision, either directly or through by contracting with a third party. party for those purposes.
(g)
(h) (1) Developer-approved use means a deployment context in which a developer intends a covered ADS to make or facilitate a consequential decision.
(2) Developer-approved use includes any reasonably foreseeable fine tuning of the covered ADS.
(h)
(i) Disparate impact means a differential effect on a group of individuals who share a protected characteristic.
(i)
(j) Disparate treatment means differential treatment of an individual or group of individuals on the basis of a protected characteristic.
(j)
(k) Employment-related decision means a decision made by an employer, either directly or through a third party, that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks and responsibilities, assignment of work, access to work and training opportunities, productivity requirements, workplace health and safety, or other terms or conditions of employment.
(k)
(l) (1) Express consent means an affirmative written authorization that is granted in response to a notice that is all of the following:
(A) Clear, meaningful, and prominent.
(B) Conveyed in a manner that a natural person would notice and understand it.
(C) Not contained within a more general notice, agreement, or set of terms and conditions.
(2) Express consent does not mean an authorization that is either of the following:
(A) Inferred from inaction.
(B) Obtained through the use of a dark pattern, as defined in Section 56.18 of the Civil Code.
(l)
(m) Fine-tune means to adjust the model parameters of an automated decision system through exposure to additional data.
(m)
(n) Labor Commissioner means Chief of the Division of Labor Standards Enforcement.
(n)
(o) Personal information has the same meaning as defined in Section 1798.140 of the Civil Code.
(o)
(p) Protected characteristic means a characteristic listed in subdivision (b) of Section 51 of the Civil Code.
(p)
(q) (1) Substantial modification means a new version, release, update, or other modification to a covered ADS that materially changes its uses or outputs.
(2) Substantial modification does not mean a modification that results from fine tuning.
(q)
(r) Trade secret has the same meaning as in Section 3426.1 of the Civil Code.
22756.1. (a) (1) With respect to a covered ADS that was first deployed, or made available to potential deployers, before January 1, 2026, the developer of the covered ADS shall conduct an initial performance evaluation on the covered ADS before January 1, 2027, and shall additionally conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Following any substantial modification of the covered ADS by the developer.(B) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(C) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(2) With respect to a covered ADS that is first deployed or made available to potential deployers on or after January 1, 2026, the developer of the covered ADS shall conduct a performance evaluation on the covered ADS under any of the following circumstances:(A) Before initially deploying the covered ADS or making the covered ADS available to potential deployers.(B) Following any substantial modification of the covered ADS by the developer.(C) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.(D) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.(b) In conducting a performance evaluation on a covered ADS, a developer shall do all of the following:(1) Describe the purpose of the covered ADS.(2) List and describe all developer-approved uses of the covered ADS.(3) For each developer-approved use, assess evaluate the expected performance of the covered ADS and document all of the following:(A) The expected accuracy and reliability of the covered ADS.(B) Any reasonably foreseeable effects of fine tuning on the accuracy and reliability of the covered ADS.(4)For each developer-approved use, assess whether(C) Whether any disparate treatment is intended to occur and document and, if so, all of the following:(A)Whether the covered ADS is intended to treat individuals or groups of individuals differently on the basis of a protected characteristic.(B)For each disparate treatment identified under subparagraph (A), describe all of the following:(i) The conditions under which the each disparate treatment is intended to occur.(ii) Whether the each disparate treatment is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate treatment were considered.(C)(D) Any reasonably foreseeable effects of fine tuning on disparate treatment.(5)For each developer-approved use, assess whether (E) Whether any disparate impacts are reasonably likely to occur and document and, if so, all of the following:(A)Whether the covered ADS is reasonably likely to treat groups of individuals who share a protected characteristic differently.(B)For each disparate impact identified under subparagraph (A), describe all of the following:(i) The conditions under which that each disparate impact is reasonably likely to occur.(ii) Whether the each disparate impact is necessary for a developer-approved use.(iii) Whether any alternatives not involving disparate impacts were considered.(C)(F) Whether any measures have been taken by the developer to mitigate the risk of unanticipated disparate impacts resulting from the use of the covered ADS.(D)(G) With respect to a covered ADS that has been deployed, whether any unanticipated disparate impacts have been reported to the developer by a deployer, and whether the developer has taken any measures to mitigate those disparate impacts.(E)(H) Any reasonably foreseeable effects of fine tuning on disparate impacts.(6)(4) (A) Contract with an independent third-party auditor to assess the developers compliance with this subdivision.(B) (i) Except pursuant to clause (ii), a developer that contracts with an auditor pursuant to this paragraph shall provide the auditor with any available information that is reasonably necessary for the auditor to comprehensively assess developer compliance.(ii) A developer that provides documentation to an auditor pursuant to this subparagraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a developer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) If the deadline for conducting a performance evaluation pursuant to subdivision (a) elapses before the audit has been completed, a developer shall not deploy the covered ADS or make the covered ADS available to potential deployers until the audit has been completed.(I) A developer that receives feedback from an auditor pursuant to this paragraph shall do both of the following:(i) Consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(ii) Make a high-level summary of the feedback publicly available at no cost to users of the developers internet website.(c) (1) A developer that sells, licenses, or otherwise transfers a covered ADS to a potential deployer shall provide the deployer with all of the following:(A) The results of the most recent performance evaluation conducted on the covered ADS by the developer pursuant to this chapter.(B) For each developer-approved use of the covered ADS, instructions explaining how the covered ADS should be used by the deployer to make or facilitate a consequential decision.(C) For each developer-approved use of the covered ADS, a description of whether and under what circumstances the covered ADS can be fine-tuned.(D) An explanation of the deployers responsibilities under this chapter, including a description of any circumstances under which the deployer would assume the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(E) (i) Any technical information necessary for the deployer to comply with this chapter.(ii) A developer shall not be required to provide additional technical information to a deployer that has assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(2) (A) A developer that provides documentation to a potential deployer pursuant to this subdivision may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a developer withholds information pursuant to subparagraph (A), the developer shall notify the deployer and provide a basis for the withholding.(d) A developer that receives an impact assessment from an auditor of a deployed covered ADS pursuant to subdivision (b) of Section 22756.3 shall provide all of the following information to any deployer of the covered ADS:(A) Any material differences between the expected accuracy of the covered ADS and the observed accuracy of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(B) Any material differences between the expected reliability of the covered ADS and the observed reliability of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.(C) Any unanticipated disparate impacts resulting from the use of the covered ADS and the deployment conditions under which those disparate impacts are reasonably likely to occur.(D) An explanation of any steps the deployer can take to mitigate these discrepancies.(e) A developer that receives feedback from an auditor pursuant to this chapter shall consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.(f) A developer that provides documentation to a deployer pursuant to this section shall ensure the documentation is all of the following:(A) Transmitted directly to the deployer or otherwise made available in a manner reasonably calculated to ensure the deployer receives the documentation.(B) Provided in English and in any other language the developer regularly uses to communicate with deployers.(C) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the deployer.(g) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall maintain all of the following documentation in an unredacted format for as long as the covered ADS remains deployed or developer deploys the covered ADS or makes the covered ADS available to potential deployers plus 10 years:(1) The results of any performance evaluations conducted on the covered ADS pursuant to this chapter.(2) Any documentation provided to deployers pursuant to this chapter.(3) Any documentation provided to, or received from, auditors pursuant to this chapter.(4) Records of any redactions made pursuant to this chapter.(h) It is unlawful to advertise to consumers in the state that a covered ADS is capable of performing in a manner not substantiated by the results of the most recent performance evaluation conducted on the covered ADS.(i) (1) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall designate at least one employee to oversee the developers compliance with this chapter.(2) A developer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue raised to that employee.
22756.1. (a) (1) With respect to a covered ADS that was first deployed, or made available to potential deployers, before January 1, 2026, the developer of the covered ADS shall conduct an initial performance evaluation on the covered ADS before January 1, 2027, and shall additionally conduct a performance evaluation on the covered ADS under any of the following circumstances:
(A) Following any substantial modification of the covered ADS by the developer.
(B) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.
(C) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.
(2) With respect to a covered ADS that is first deployed or made available to potential deployers on or after January 1, 2026, the developer of the covered ADS shall conduct a performance evaluation on the covered ADS under any of the following circumstances:
(A) Before initially deploying the covered ADS or making the covered ADS available to potential deployers.
(B) Following any substantial modification of the covered ADS by the developer.
(C) Following any fine tuning of the covered ADS by the developer that materially changes the uses or outputs of the covered ADS.
(D) No more than one year after the developer last conducted a performance evaluation on the covered ADS, for as long as the developer deploys the covered ADS or makes the covered ADS available to potential deployers.
(b) In conducting a performance evaluation on a covered ADS, a developer shall do all of the following:
(1) Describe the purpose of the covered ADS.
(2) List and describe all developer-approved uses of the covered ADS.
(3) For each developer-approved use, assess evaluate the expected performance of the covered ADS and document all of the following:
(A) The expected accuracy and reliability of the covered ADS.
(B) Any reasonably foreseeable effects of fine tuning on the accuracy and reliability of the covered ADS.
(4)For each developer-approved use, assess whether
(C) Whether any disparate treatment is intended to occur and document and, if so, all of the following:
(A)Whether the covered ADS is intended to treat individuals or groups of individuals differently on the basis of a protected characteristic.
(B)For each disparate treatment identified under subparagraph (A), describe all of the following:
(i) The conditions under which the each disparate treatment is intended to occur.
(ii) Whether the each disparate treatment is necessary for a developer-approved use.
(iii) Whether any alternatives not involving disparate treatment were considered.
(C)
(D) Any reasonably foreseeable effects of fine tuning on disparate treatment.
(5)For each developer-approved use, assess whether
(E) Whether any disparate impacts are reasonably likely to occur and document and, if so, all of the following:
(A)Whether the covered ADS is reasonably likely to treat groups of individuals who share a protected characteristic differently.
(B)For each disparate impact identified under subparagraph (A), describe all of the following:
(i) The conditions under which that each disparate impact is reasonably likely to occur.
(ii) Whether the each disparate impact is necessary for a developer-approved use.
(iii) Whether any alternatives not involving disparate impacts were considered.
(C)
(F) Whether any measures have been taken by the developer to mitigate the risk of unanticipated disparate impacts resulting from the use of the covered ADS.
(D)
(G) With respect to a covered ADS that has been deployed, whether any unanticipated disparate impacts have been reported to the developer by a deployer, and whether the developer has taken any measures to mitigate those disparate impacts.
(E)
(H) Any reasonably foreseeable effects of fine tuning on disparate impacts.
(6)
(4) (A) Contract with an independent third-party auditor to assess the developers compliance with this subdivision.
(B) (i) Except pursuant to clause (ii), a developer that contracts with an auditor pursuant to this paragraph shall provide the auditor with any available information that is reasonably necessary for the auditor to comprehensively assess developer compliance.
(ii) A developer that provides documentation to an auditor pursuant to this subparagraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a developer withholds information, the developer shall notify the auditor and provide a basis for the withholding.
(C) If the deadline for conducting a performance evaluation pursuant to subdivision (a) elapses before the audit has been completed, a developer shall not deploy the covered ADS or make the covered ADS available to potential deployers until the audit has been completed.
(I) A developer that receives feedback from an auditor pursuant to this paragraph shall do both of the following:
(i) Consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.
(ii) Make a high-level summary of the feedback publicly available at no cost to users of the developers internet website.
(c) (1) A developer that sells, licenses, or otherwise transfers a covered ADS to a potential deployer shall provide the deployer with all of the following:
(A) The results of the most recent performance evaluation conducted on the covered ADS by the developer pursuant to this chapter.
(B) For each developer-approved use of the covered ADS, instructions explaining how the covered ADS should be used by the deployer to make or facilitate a consequential decision.
(C) For each developer-approved use of the covered ADS, a description of whether and under what circumstances the covered ADS can be fine-tuned.
(D) An explanation of the deployers responsibilities under this chapter, including a description of any circumstances under which the deployer would assume the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.
(E) (i) Any technical information necessary for the deployer to comply with this chapter.
(ii) A developer shall not be required to provide additional technical information to a deployer that has assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.
(2) (A) A developer that provides documentation to a potential deployer pursuant to this subdivision may make reasonable redactions for the purpose of protecting trade secrets.
(B) To the extent that a developer withholds information pursuant to subparagraph (A), the developer shall notify the deployer and provide a basis for the withholding.
(d) A developer that receives an impact assessment from an auditor of a deployed covered ADS pursuant to subdivision (b) of Section 22756.3 shall provide all of the following information to any deployer of the covered ADS:
(A) Any material differences between the expected accuracy of the covered ADS and the observed accuracy of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.
(B) Any material differences between the expected reliability of the covered ADS and the observed reliability of the covered ADS and the deployment conditions under which those differences are reasonably likely to occur.
(C) Any unanticipated disparate impacts resulting from the use of the covered ADS and the deployment conditions under which those disparate impacts are reasonably likely to occur.
(D) An explanation of any steps the deployer can take to mitigate these discrepancies.
(e) A developer that receives feedback from an auditor pursuant to this chapter shall consider and attempt to incorporate that feedback into the development of any subsequent version of a covered ADS.
(f) A developer that provides documentation to a deployer pursuant to this section shall ensure the documentation is all of the following:
(A) Transmitted directly to the deployer or otherwise made available in a manner reasonably calculated to ensure the deployer receives the documentation.
(B) Provided in English and in any other language the developer regularly uses to communicate with deployers.
(C) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the deployer.
(g) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall maintain all of the following documentation in an unredacted format for as long as the covered ADS remains deployed or developer deploys the covered ADS or makes the covered ADS available to potential deployers plus 10 years:
(1) The results of any performance evaluations conducted on the covered ADS pursuant to this chapter.
(2) Any documentation provided to deployers pursuant to this chapter.
(3) Any documentation provided to, or received from, auditors pursuant to this chapter.
(4) Records of any redactions made pursuant to this chapter.
(h) It is unlawful to advertise to consumers in the state that a covered ADS is capable of performing in a manner not substantiated by the results of the most recent performance evaluation conducted on the covered ADS.
(i) (1) A developer that deploys a covered ADS or makes a covered ADS available to potential deployers shall designate at least one employee to oversee the developers compliance with this chapter.
(2) A developer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue raised to that employee.
22756.2. (a) (1) Except as provided in paragraph (2), before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a plain language written disclosure containing all of the following information:(A) A statement informing the subject that a covered ADS will be used to make or facilitate the consequential decision.(B) The name, version number, and developer of the covered ADS.(C) Whether the deployers use of the covered ADS is within the scope of a developer-approved use and a description of that use.(D) (i) The personal characteristics or attributes of the subject that the covered ADS measures or assesses to make or facilitate the consequential decision.(ii) The sources of personal information collected from the subject to make or facilitate the consequential decision.(iii) Any key parameters known to disproportionately affect the outcome of the consequential decision.(E) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs are used to make or facilitate the consequential decision.(F) Whether a natural person will review either of the following before the consequential decision is finalized:(i) The outputs of the covered ADS.(ii) The outcome of the consequential decision.(G) The subjects rights under subdivisions (b) and (c) (d) and the means and timeframe for exercising those rights.(H) (i) Contact information for the deployer.(ii) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(iii) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(2) Paragraph (1) does not apply if the subject of the consequential decision is having a medical emergency.(b) (1) Before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a reasonable opportunity to opt out of the use of the covered ADS.(2) (A) A deployer may deny a request to opt out of the use of a covered ADS if either of the following is true:(i) The deployer is subject to the federal Gramm-Leach-Bliley Act, and the covered ADS makes or facilitates a consequential decision pursuant to paragraph (7) of subdivision (c) of Section 22756.(ii) The subject of the consequential decision is having a medical emergency.(B) A deployer that denies a request to opt out of the use of a covered ADS pursuant to subparagraph (A) shall provide the subject with an explanation of the basis for the denial.(c) (1) After a deployer finalizes a consequential decision is finalized, made or facilitated by a covered ADS, the deployer shall provide any subject of that decision witha plain language written disclosure shall be provided containing all of the following information within five days, and the disclosure shall include all of the information: days:(A) The personal characteristics or attributes of the subject that the covered ADS measured or assessed used to make or facilitate the consequential decision.(B) The sources of personal information collected from the subject that were used to make or facilitate the consequential decision.(C) Any key parameters that disproportionately affected the outcome of the consequential decision.(D) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs were used to make or facilitate the consequential decision.(E) The role that the ADS played in making the consequential decision and whether any human judgment was involved.(F) Contact information for the deployer.(G) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.(H) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.(I) The subjects rights under subdivision (d) and the means and timeframe for exercising those rights.(2) Paragraph (1) is does not applicable apply if the subject of the consequential decision is having a medical emergency.(3) A deployer that provides documentation to a subject of a consequential decision pursuant to this subdivision shall ensure the documentation is all of the following:(A) Transmitted directly to the subject.(B) Provided in English and in any other language that the deployer regularly uses to communicate with subjects.(C) Made available in formats that are accessible to people who are blind or have other disabilities.(D) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the subject.(d) After finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with an opportunity to do both of the following within 30 business days:(1) (A) Correct any incorrect personal information used by the covered ADS to make or facilitate the consequential decision.(B) A deployer shall comply with a request to correct personal information within 30 business days of receiving the request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that complying with a request to correct personal information would change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that complying with a request to correct personal information would not change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, inform the subject that the correction was made but that it did not alter the decision.(D) A deployer that denies a request to correct personal information shall do both of the following:(i) Provide the subject with an explanation of the basis for the denial.(ii) Provide the subject with a reasonable opportunity to request that the deployer delete the subjects personal information.(2) (A) Appeal the outcome of the consequential decision.(B) A deployer shall review a request to appeal a consequential decision within 30 business days of receiving the request. request if the request is accompanied by documentation sufficient to assess the basis for the request.(C) (i) If a deployer determines that the original decision is was incorrect, the deployer shall, within 30 days of making the determination, rectify the decision.(ii) If a deployer determines that the original decision is was correct, the deployer shall, within 30 days of making the determination, inform the subject that the consequential decision will not be altered.(D) A deployer that denies a request to appeal the outcome of a consequential decision shall provide the subject with an explanation of the basis for the denial.(e) (1) (A) A deployer that provides documentation to the subject of a consequential decision pursuant to this section may make reasonable redactions for the purpose of protecting trade secrets.(B) To the extent that a deployer withholds information pursuant to paragraph (1), the deployer shall notify the subject and provide a basis for the withholding.(2) A deployer that is required by another state or federal law to provide substantially similar notice to a subject of a consequential decision need not duplicatively provide notice to the subject under this section.(f) A deployers collection, use, retention, and sharing of personal information from a subject of a consequential decision shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected and processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(g) (1) A deployer that uses a covered ADS to make or facilitate consequential decisions directly impacting more than 5999 5,999 people in a given three-year period shall contract with an independent third-party auditor to conduct an impact assessment on the covered ADS before January 1, 2030, and every three years thereafter.(2) (A) Except pursuant to subparagraph (B), a deployer that contracts with an auditor pursuant to this subdivision shall provide the auditor with any available information that is reasonably necessary for the auditor to conduct a comprehensive impact assessment on the covered ADS.(B) A deployer that provides documentation to an auditor pursuant to this paragraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a deployer withholds information, the developer shall notify the auditor and provide a basis for the withholding.(C) This paragraph shall not be construed to require a deployer to collect any personal information from a subject of a consequential decision beyond that which the deployer collects in the ordinary course of business or as necessary to comply with state or federal law.(3) If the deadline for conducting an audit pursuant to paragraph (1) elapses before the audit has been completed, a deployer shall not use the covered ADS to make or facilitate consequential decisions until the audit has been completed.(h) A deployer that does any of the following assumes the responsibilities of a developer under this chapter:(1) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployer did not receive any documentation from the developer of the covered ADS pursuant to subdivision (c) of Section 22756.1. 22756.1 during the three-year period.(2) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployers use of the covered ADS is outside the scope of a developer-approved use.(3) Substantially modifies an automated decision system and does either of the following:(A) Uses the substantially modified system to make or facilitate consequential decisions that directly impact more than 5999 people in a given three-year period.(B) Makes the substantially modified system available to potential deployers.(i) A deployer that uses a covered ADS to make or facilitate a consequential decision shall retain the following documentation in an unredacted format for as long as the deployer uses the covered ADS remains deployed plus 10 years:(1) Any documentation received from developers pursuant to this chapter.(2) Any documentation provided pursuant to this section to subjects of consequential decisions made or facilitated by the covered ADS.(3) Any requests to correct personal information made pursuant to this section.(4) Any requests to opt out of the use of the covered ADS made pursuant to this section.(5) Any requests to appeal the outcome of a consequential decision made pursuant to this section.(6) Any documentation provided to, or received from, auditors pursuant to this chapter.(7) Records of any redactions made pursuant to this section.(j) (1) A deployer that uses a covered ADS to make or facilitate a consequential decision shall designate at least one employee to oversee the deployers compliance with this chapter.(2) A deployer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue related to the deployers use of a covered ADS that is raised to that employee.(k) In addition to the requirements of this section, a deployer that is a business subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) is subject to any privacy-related opt-out and access regulation duly adopted by the California Privacy Protection Agency pursuant to subdivision (b) of Section 1798.199.40 of the Civil Code.(l) This section shall become operative on January 1, 2027.
22756.2. (a) (1) Except as provided in paragraph (2), before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a plain language written disclosure containing all of the following information:
(A) A statement informing the subject that a covered ADS will be used to make or facilitate the consequential decision.
(B) The name, version number, and developer of the covered ADS.
(C) Whether the deployers use of the covered ADS is within the scope of a developer-approved use and a description of that use.
(D) (i) The personal characteristics or attributes of the subject that the covered ADS measures or assesses to make or facilitate the consequential decision.
(ii) The sources of personal information collected from the subject to make or facilitate the consequential decision.
(iii) Any key parameters known to disproportionately affect the outcome of the consequential decision.
(E) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs are used to make or facilitate the consequential decision.
(F) Whether a natural person will review either of the following before the consequential decision is finalized:
(i) The outputs of the covered ADS.
(ii) The outcome of the consequential decision.
(G) The subjects rights under subdivisions (b) and (c) (d) and the means and timeframe for exercising those rights.
(H) (i) Contact information for the deployer.
(ii) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.
(iii) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.
(2) Paragraph (1) does not apply if the subject of the consequential decision is having a medical emergency.
(b) (1) Before finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with a reasonable opportunity to opt out of the use of the covered ADS.
(2) (A) A deployer may deny a request to opt out of the use of a covered ADS if either of the following is true:
(i) The deployer is subject to the federal Gramm-Leach-Bliley Act, and the covered ADS makes or facilitates a consequential decision pursuant to paragraph (7) of subdivision (c) of Section 22756.
(ii) The subject of the consequential decision is having a medical emergency.
(B) A deployer that denies a request to opt out of the use of a covered ADS pursuant to subparagraph (A) shall provide the subject with an explanation of the basis for the denial.
(c) (1) After a deployer finalizes a consequential decision is finalized, made or facilitated by a covered ADS, the deployer shall provide any subject of that decision witha plain language written disclosure shall be provided containing all of the following information within five days, and the disclosure shall include all of the information: days:
(A) The personal characteristics or attributes of the subject that the covered ADS measured or assessed used to make or facilitate the consequential decision.
(B) The sources of personal information collected from the subject that were used to make or facilitate the consequential decision.
(C) Any key parameters that disproportionately affected the outcome of the consequential decision.
(D) The structure and format of the outputs of the covered ADS and a plain language description of how those outputs were used to make or facilitate the consequential decision.
(E) The role that the ADS played in making the consequential decision and whether any human judgment was involved.
(F) Contact information for the deployer.
(G) Contact information for the entity that manages the covered ADS, if that entity is not the deployer.
(H) Contact information for the entity that will interpret the results of the covered ADS, if that entity is not the deployer.
(I) The subjects rights under subdivision (d) and the means and timeframe for exercising those rights.
(2) Paragraph (1) is does not applicable apply if the subject of the consequential decision is having a medical emergency.
(3) A deployer that provides documentation to a subject of a consequential decision pursuant to this subdivision shall ensure the documentation is all of the following:
(A) Transmitted directly to the subject.
(B) Provided in English and in any other language that the deployer regularly uses to communicate with subjects.
(C) Made available in formats that are accessible to people who are blind or have other disabilities.
(D) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the subject.
(d) After finalizing a deployer finalizes a consequential decision made or facilitated by a covered ADS, a the deployer shall provide any subject of that decision with an opportunity to do both of the following within 30 business days:
(1) (A) Correct any incorrect personal information used by the covered ADS to make or facilitate the consequential decision.
(B) A deployer shall comply with a request to correct personal information within 30 business days of receiving the request if the request is accompanied by documentation sufficient to assess the basis for the request.
(C) (i) If a deployer determines that complying with a request to correct personal information would change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, rectify the decision.
(ii) If a deployer determines that complying with a request to correct personal information would not change the outcome of the consequential decision, the deployer shall, within 30 days of making the determination, inform the subject that the correction was made but that it did not alter the decision.
(D) A deployer that denies a request to correct personal information shall do both of the following:
(i) Provide the subject with an explanation of the basis for the denial.
(ii) Provide the subject with a reasonable opportunity to request that the deployer delete the subjects personal information.
(2) (A) Appeal the outcome of the consequential decision.
(B) A deployer shall review a request to appeal a consequential decision within 30 business days of receiving the request. request if the request is accompanied by documentation sufficient to assess the basis for the request.
(C) (i) If a deployer determines that the original decision is was incorrect, the deployer shall, within 30 days of making the determination, rectify the decision.
(ii) If a deployer determines that the original decision is was correct, the deployer shall, within 30 days of making the determination, inform the subject that the consequential decision will not be altered.
(D) A deployer that denies a request to appeal the outcome of a consequential decision shall provide the subject with an explanation of the basis for the denial.
(e) (1) (A) A deployer that provides documentation to the subject of a consequential decision pursuant to this section may make reasonable redactions for the purpose of protecting trade secrets.
(B) To the extent that a deployer withholds information pursuant to paragraph (1), the deployer shall notify the subject and provide a basis for the withholding.
(2) A deployer that is required by another state or federal law to provide substantially similar notice to a subject of a consequential decision need not duplicatively provide notice to the subject under this section.
(f) A deployers collection, use, retention, and sharing of personal information from a subject of a consequential decision shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected and processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
(g) (1) A deployer that uses a covered ADS to make or facilitate consequential decisions directly impacting more than 5999 5,999 people in a given three-year period shall contract with an independent third-party auditor to conduct an impact assessment on the covered ADS before January 1, 2030, and every three years thereafter.
(2) (A) Except pursuant to subparagraph (B), a deployer that contracts with an auditor pursuant to this subdivision shall provide the auditor with any available information that is reasonably necessary for the auditor to conduct a comprehensive impact assessment on the covered ADS.
(B) A deployer that provides documentation to an auditor pursuant to this paragraph may make reasonable redactions for the purpose of protecting trade secrets. To the extent that a deployer withholds information, the developer shall notify the auditor and provide a basis for the withholding.
(C) This paragraph shall not be construed to require a deployer to collect any personal information from a subject of a consequential decision beyond that which the deployer collects in the ordinary course of business or as necessary to comply with state or federal law.
(3) If the deadline for conducting an audit pursuant to paragraph (1) elapses before the audit has been completed, a deployer shall not use the covered ADS to make or facilitate consequential decisions until the audit has been completed.
(h) A deployer that does any of the following assumes the responsibilities of a developer under this chapter:
(1) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployer did not receive any documentation from the developer of the covered ADS pursuant to subdivision (c) of Section 22756.1. 22756.1 during the three-year period.
(2) Uses a covered ADS to make or facilitate consequential decisions that directly impact more than 5999 5,999 people in a given three-year period, if the deployers use of the covered ADS is outside the scope of a developer-approved use.
(3) Substantially modifies an automated decision system and does either of the following:
(A) Uses the substantially modified system to make or facilitate consequential decisions that directly impact more than 5999 people in a given three-year period.
(B) Makes the substantially modified system available to potential deployers.
(i) A deployer that uses a covered ADS to make or facilitate a consequential decision shall retain the following documentation in an unredacted format for as long as the deployer uses the covered ADS remains deployed plus 10 years:
(1) Any documentation received from developers pursuant to this chapter.
(2) Any documentation provided pursuant to this section to subjects of consequential decisions made or facilitated by the covered ADS.
(3) Any requests to correct personal information made pursuant to this section.
(4) Any requests to opt out of the use of the covered ADS made pursuant to this section.
(5) Any requests to appeal the outcome of a consequential decision made pursuant to this section.
(6) Any documentation provided to, or received from, auditors pursuant to this chapter.
(7) Records of any redactions made pursuant to this section.
(j) (1) A deployer that uses a covered ADS to make or facilitate a consequential decision shall designate at least one employee to oversee the deployers compliance with this chapter.
(2) A deployer shall require an employee designated pursuant to this subdivision to conduct a prompt and comprehensive review of any credible compliance issue related to the deployers use of a covered ADS that is raised to that employee.
(k) In addition to the requirements of this section, a deployer that is a business subject to the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) is subject to any privacy-related opt-out and access regulation duly adopted by the California Privacy Protection Agency pursuant to subdivision (b) of Section 1798.199.40 of the Civil Code.
(l) This section shall become operative on January 1, 2027.
22756.3. (a) An auditor that conducts an impact assessment on a covered ADS pursuant to subdivision (g) of Section 22756.2 shall do all of the following:(1) (A) Request any information from the deployer of the covered ADS that is reasonably necessary for the auditor to conduct a comprehensive impact assessment.(B) This paragraph applies only to information gathered by the deployer in the ordinary course of business.(2)Document all developer-approved uses of the covered ADS that the deployer utilized during the relevant period.(3)(2) For each unique developer-approved use, use of the covered ADS by the deployer, document all of the following:(A) The observed accuracy and reliability of the covered ADS over the relevant period.(B) Whether the observed accuracy and reliability differed materially from the expected accuracy and reliability of the covered ADS, as described in documentation provided by a developer to the deployer pursuant to this chapter.(C) Whether any disparate impacts resulted from the deployers use of the covered ADS and the deployment conditions under which those disparate impacts occurred.(D) Whether each disparate impact was an anticipated disparate impact, as described in documentation provided to the deployer pursuant to this chapter.(4)(3) Whether the deployer used the covered ADS to make or facilitate a consequential decision outside of the scope of a developer-approved use.(5)(4) Whether the deployer assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.(b) (1) After conducting an impact assessment on a covered ADS, an auditor shall provide the results of the impact assessment to do both of the following:(A) The Provide the results of the impact assessment to the deployer that contracted with the auditor to perform the impact assessment.(B)The developer of the covered ADS.(B) Make a high-level summary of the results of the impact assessment publicly available at no cost to users of the auditors internet website.(2) The documentation required by this section shall be both of the following:(A) Provided in English and in any other language that the auditor regularly uses to communicate with developers and deployers.(B) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the developer and deployer. information.(3) An auditor shall not provide a developer make publicly available with the personal information of a subject of a consequential decision made or facilitated by a covered ADS without first obtaining the express consent of the subject.
22756.3. (a) An auditor that conducts an impact assessment on a covered ADS pursuant to subdivision (g) of Section 22756.2 shall do all of the following:
(1) (A) Request any information from the deployer of the covered ADS that is reasonably necessary for the auditor to conduct a comprehensive impact assessment.
(B) This paragraph applies only to information gathered by the deployer in the ordinary course of business.
(2)Document all developer-approved uses of the covered ADS that the deployer utilized during the relevant period.
(3)
(2) For each unique developer-approved use, use of the covered ADS by the deployer, document all of the following:
(A) The observed accuracy and reliability of the covered ADS over the relevant period.
(B) Whether the observed accuracy and reliability differed materially from the expected accuracy and reliability of the covered ADS, as described in documentation provided by a developer to the deployer pursuant to this chapter.
(C) Whether any disparate impacts resulted from the deployers use of the covered ADS and the deployment conditions under which those disparate impacts occurred.
(D) Whether each disparate impact was an anticipated disparate impact, as described in documentation provided to the deployer pursuant to this chapter.
(4)
(3) Whether the deployer used the covered ADS to make or facilitate a consequential decision outside of the scope of a developer-approved use.
(5)
(4) Whether the deployer assumed the responsibilities of a developer pursuant to subdivision (h) of Section 22756.2.
(b) (1) After conducting an impact assessment on a covered ADS, an auditor shall provide the results of the impact assessment to do both of the following:
(A) The Provide the results of the impact assessment to the deployer that contracted with the auditor to perform the impact assessment.
(B)The developer of the covered ADS.
(B) Make a high-level summary of the results of the impact assessment publicly available at no cost to users of the auditors internet website.
(2) The documentation required by this section shall be both of the following:
(A) Provided in English and in any other language that the auditor regularly uses to communicate with developers and deployers.
(B) Presented in a manner that ensures the communication clearly and effectively conveys the required information to the developer and deployer. information.
(3) An auditor shall not provide a developer make publicly available with the personal information of a subject of a consequential decision made or facilitated by a covered ADS without first obtaining the express consent of the subject.
22756.4. (a) (1) Within 30 days of receiving a request from the Attorney General for a performance evaluation or impact assessment prepared pursuant to this chapter, a developer, deployer, or auditor of a covered ADS shall provide an unredacted copy of the document to the Attorney General.(2) The Attorney General may share performance evaluations and impact assessments with other enforcement entities as necessary for enforcement purposes.(b) (1) The disclosure or sharing of a performance evaluation or impact assessment pursuant to subdivision (a) does not constitute a waiver of any attorney-client privilege, work-product protection, or trade secret protection that might otherwise exist with respect to any information contained in the performance evaluation or impact assessment.(2) A performance evaluation or impact assessment disclosed or shared pursuant to subdivision (a) is exempt from the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(c) Each day a covered ADS is used for which a performance evaluation or impact assessment has not been submitted to the Attorney General pursuant to this section is an additional violation of this section.
22756.4. (a) (1) Within 30 days of receiving a request from the Attorney General for a performance evaluation or impact assessment prepared pursuant to this chapter, a developer, deployer, or auditor of a covered ADS shall provide an unredacted copy of the document to the Attorney General.
(2) The Attorney General may share performance evaluations and impact assessments with other enforcement entities as necessary for enforcement purposes.
(b) (1) The disclosure or sharing of a performance evaluation or impact assessment pursuant to subdivision (a) does not constitute a waiver of any attorney-client privilege, work-product protection, or trade secret protection that might otherwise exist with respect to any information contained in the performance evaluation or impact assessment.
(2) A performance evaluation or impact assessment disclosed or shared pursuant to subdivision (a) is exempt from the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).
(c) Each day a covered ADS is used for which a performance evaluation or impact assessment has not been submitted to the Attorney General pursuant to this section is an additional violation of this section.
22756.5. (a) Any of the following public entities may bring a civil action against a developer or deployer developer, deployer, or auditor who violates this chapter:(1) The Attorney General.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(3) A city prosecutor in any city having a full-time city prosecutor with the consent of the district attorney.(4) The Civil Rights Department.(5) The Labor Commissioner with respect to employment-related decisions only.(b) A court may award a prevailing plaintiff who brings an action pursuant to subdivision (a) all of the following:(1) Injunctive relief.(2) Declaratory relief.(3) Reasonable attorneys fees and litigation costs.(4) A civil penalty of up to twenty-five thousand dollars ($25,000) per violation.(c) A developer or deployer who contracts with a third party to perform the developers or deployers duties under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to perform those duties.
22756.5. (a) Any of the following public entities may bring a civil action against a developer or deployer developer, deployer, or auditor who violates this chapter:
(1) The Attorney General.
(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.
(3) A city prosecutor in any city having a full-time city prosecutor with the consent of the district attorney.
(4) The Civil Rights Department.
(5) The Labor Commissioner with respect to employment-related decisions only.
(b) A court may award a prevailing plaintiff who brings an action pursuant to subdivision (a) all of the following:
(1) Injunctive relief.
(2) Declaratory relief.
(3) Reasonable attorneys fees and litigation costs.
(4) A civil penalty of up to twenty-five thousand dollars ($25,000) per violation.
(c) A developer or deployer who contracts with a third party to perform the developers or deployers duties under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to perform those duties.
22756.6. (a) This chapter does not apply to an automated decision system the sole purpose of which is to do either of the following:(a)(1) Detect, protect against, or respond to cybersecurity incidents or preserve the integrity or security of computer systems.(b)(2) Operate aircraft in the national airspace.(b) The use of a consumer credit score to inform a consequential decision does not itself create an obligation under this chapter.
22756.6. (a) This chapter does not apply to an automated decision system the sole purpose of which is to do either of the following:
(a)
(1) Detect, protect against, or respond to cybersecurity incidents or preserve the integrity or security of computer systems.
(b)
(2) Operate aircraft in the national airspace.
(b) The use of a consumer credit score to inform a consequential decision does not itself create an obligation under this chapter.
22756.7. (a) The rights, remedies, and penalties established by this chapter are cumulative and shall not be construed to supersede the rights, remedies, or penalties established under other laws, including, but not limited to, Chapter 6 (commencing with Section 12940) of Part 2.8 of Division 3 of Title 2 of the Government Code and Section 51 of the Civil Code.(b) This chapter does not diminish the rights, privileges, or remedies of an employee under any other federal or state law or under any employment contract or collective bargaining agreement.(c) This chapter does not authorize any use of automated decision systems that is limited, restricted, or prohibited under any other applicable law.(d) This chapter does not authorize disparate impacts or disparate treatment that are limited, restricted, or prohibited under any other applicable law.
22756.7. (a) The rights, remedies, and penalties established by this chapter are cumulative and shall not be construed to supersede the rights, remedies, or penalties established under other laws, including, but not limited to, Chapter 6 (commencing with Section 12940) of Part 2.8 of Division 3 of Title 2 of the Government Code and Section 51 of the Civil Code.
(b) This chapter does not diminish the rights, privileges, or remedies of an employee under any other federal or state law or under any employment contract or collective bargaining agreement.
(c) This chapter does not authorize any use of automated decision systems that is limited, restricted, or prohibited under any other applicable law.
(d) This chapter does not authorize disparate impacts or disparate treatment that are limited, restricted, or prohibited under any other applicable law.
A developer or deployer who contracts with a third party to comply with duties required under this chapter, other than those duties related to auditing, is subject to liability under this chapter for the third partys failure to comply with this chapter.
SEC. 2. Section 51 of the Civil Code, as amended by Section 2.5 of Chapter 779 of the Statutes of 2024, is amended to read:51. (a) This section shall be known, and may be cited, as the Unruh Civil Rights Act.(b) All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.(c) This section shall not be construed to confer any right or privilege on a person that is conditioned or limited by law or that is applicable alike to persons of every sex, color, race, religion, ancestry, national origin, disability, medical condition, marital status, sexual orientation, citizenship, primary language, or immigration status, or to persons regardless of their genetic information.(d) Nothing in this section shall be construed to require any construction, alteration, repair, structural or otherwise, or modification of any sort whatsoever, beyond that construction, alteration, repair, or modification that is otherwise required by other provisions of law, to any new or existing establishment, facility, building, improvement, or any other structure, nor shall anything in this section be construed to augment, restrict, or alter in any way the authority of the State Architect to require construction, alteration, repair, or modifications that the State Architect otherwise possesses pursuant to other laws.(e) For purposes of this section:(1) Disability means any mental or physical disability as defined in Sections 12926 and 12926.1 of the Government Code.(2) (A) Genetic information means, with respect to any individual, information about any of the following:(i) The individuals genetic tests.(ii) The genetic tests of family members of the individual.(iii) The manifestation of a disease or disorder in family members of the individual.(B) Genetic information includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.(C) Genetic information does not include information about the sex or age of any individual.(3) Medical condition has the same meaning as defined in subdivision (i) of Section 12926 of the Government Code.(4) Race is inclusive of traits associated with race, including, but not limited to, hair texture and protective hairstyles. Protective hairstyles includes, but is not limited to, such hairstyles as braids, locs, and twists.(5) Religion includes all aspects of religious belief, observance, and practice.(6) Sex includes, but is not limited to, pregnancy, childbirth, or medical conditions related to pregnancy or childbirth. Sex also includes, but is not limited to, a persons gender. Gender means sex, and includes a persons gender identity and gender expression. Gender expression means a persons gender-related appearance and behavior whether or not stereotypically associated with the persons assigned sex at birth.(7) Sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status includes any of the following:(A) Any combination of those characteristics.(B) A perception that the person has any particular characteristic or characteristics within the listed categories or any combination of those characteristics.(C) A perception that the person is associated with a person who has, or is perceived to have, any particular characteristic or characteristics, or any combination of characteristics, within the listed categories.(8) Sexual orientation has the same meaning as defined in subdivision (s) of Section 12926 of the Government Code.(f) A violation of the right of any individual under the federal Americans with Disabilities Act of 1990 (Public Law 101-336) shall also constitute a violation of this section.(g) Verification of immigration status and any discrimination based upon verified immigration status, where required by federal law, shall not constitute a violation of this section.(h) Nothing in this section shall be construed to require the provision of services or documents in a language other than English, beyond that which is otherwise required by other provisions of federal, state, or local law, including Section 1632.(i) In an action alleging a violation of this section in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 25 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this section.
SEC. 2. Section 51 of the Civil Code, as amended by Section 2.5 of Chapter 779 of the Statutes of 2024, is amended to read:
### SEC. 2.
51. (a) This section shall be known, and may be cited, as the Unruh Civil Rights Act.(b) All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.(c) This section shall not be construed to confer any right or privilege on a person that is conditioned or limited by law or that is applicable alike to persons of every sex, color, race, religion, ancestry, national origin, disability, medical condition, marital status, sexual orientation, citizenship, primary language, or immigration status, or to persons regardless of their genetic information.(d) Nothing in this section shall be construed to require any construction, alteration, repair, structural or otherwise, or modification of any sort whatsoever, beyond that construction, alteration, repair, or modification that is otherwise required by other provisions of law, to any new or existing establishment, facility, building, improvement, or any other structure, nor shall anything in this section be construed to augment, restrict, or alter in any way the authority of the State Architect to require construction, alteration, repair, or modifications that the State Architect otherwise possesses pursuant to other laws.(e) For purposes of this section:(1) Disability means any mental or physical disability as defined in Sections 12926 and 12926.1 of the Government Code.(2) (A) Genetic information means, with respect to any individual, information about any of the following:(i) The individuals genetic tests.(ii) The genetic tests of family members of the individual.(iii) The manifestation of a disease or disorder in family members of the individual.(B) Genetic information includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.(C) Genetic information does not include information about the sex or age of any individual.(3) Medical condition has the same meaning as defined in subdivision (i) of Section 12926 of the Government Code.(4) Race is inclusive of traits associated with race, including, but not limited to, hair texture and protective hairstyles. Protective hairstyles includes, but is not limited to, such hairstyles as braids, locs, and twists.(5) Religion includes all aspects of religious belief, observance, and practice.(6) Sex includes, but is not limited to, pregnancy, childbirth, or medical conditions related to pregnancy or childbirth. Sex also includes, but is not limited to, a persons gender. Gender means sex, and includes a persons gender identity and gender expression. Gender expression means a persons gender-related appearance and behavior whether or not stereotypically associated with the persons assigned sex at birth.(7) Sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status includes any of the following:(A) Any combination of those characteristics.(B) A perception that the person has any particular characteristic or characteristics within the listed categories or any combination of those characteristics.(C) A perception that the person is associated with a person who has, or is perceived to have, any particular characteristic or characteristics, or any combination of characteristics, within the listed categories.(8) Sexual orientation has the same meaning as defined in subdivision (s) of Section 12926 of the Government Code.(f) A violation of the right of any individual under the federal Americans with Disabilities Act of 1990 (Public Law 101-336) shall also constitute a violation of this section.(g) Verification of immigration status and any discrimination based upon verified immigration status, where required by federal law, shall not constitute a violation of this section.(h) Nothing in this section shall be construed to require the provision of services or documents in a language other than English, beyond that which is otherwise required by other provisions of federal, state, or local law, including Section 1632.(i) In an action alleging a violation of this section in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 25 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this section.
51. (a) This section shall be known, and may be cited, as the Unruh Civil Rights Act.(b) All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.(c) This section shall not be construed to confer any right or privilege on a person that is conditioned or limited by law or that is applicable alike to persons of every sex, color, race, religion, ancestry, national origin, disability, medical condition, marital status, sexual orientation, citizenship, primary language, or immigration status, or to persons regardless of their genetic information.(d) Nothing in this section shall be construed to require any construction, alteration, repair, structural or otherwise, or modification of any sort whatsoever, beyond that construction, alteration, repair, or modification that is otherwise required by other provisions of law, to any new or existing establishment, facility, building, improvement, or any other structure, nor shall anything in this section be construed to augment, restrict, or alter in any way the authority of the State Architect to require construction, alteration, repair, or modifications that the State Architect otherwise possesses pursuant to other laws.(e) For purposes of this section:(1) Disability means any mental or physical disability as defined in Sections 12926 and 12926.1 of the Government Code.(2) (A) Genetic information means, with respect to any individual, information about any of the following:(i) The individuals genetic tests.(ii) The genetic tests of family members of the individual.(iii) The manifestation of a disease or disorder in family members of the individual.(B) Genetic information includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.(C) Genetic information does not include information about the sex or age of any individual.(3) Medical condition has the same meaning as defined in subdivision (i) of Section 12926 of the Government Code.(4) Race is inclusive of traits associated with race, including, but not limited to, hair texture and protective hairstyles. Protective hairstyles includes, but is not limited to, such hairstyles as braids, locs, and twists.(5) Religion includes all aspects of religious belief, observance, and practice.(6) Sex includes, but is not limited to, pregnancy, childbirth, or medical conditions related to pregnancy or childbirth. Sex also includes, but is not limited to, a persons gender. Gender means sex, and includes a persons gender identity and gender expression. Gender expression means a persons gender-related appearance and behavior whether or not stereotypically associated with the persons assigned sex at birth.(7) Sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status includes any of the following:(A) Any combination of those characteristics.(B) A perception that the person has any particular characteristic or characteristics within the listed categories or any combination of those characteristics.(C) A perception that the person is associated with a person who has, or is perceived to have, any particular characteristic or characteristics, or any combination of characteristics, within the listed categories.(8) Sexual orientation has the same meaning as defined in subdivision (s) of Section 12926 of the Government Code.(f) A violation of the right of any individual under the federal Americans with Disabilities Act of 1990 (Public Law 101-336) shall also constitute a violation of this section.(g) Verification of immigration status and any discrimination based upon verified immigration status, where required by federal law, shall not constitute a violation of this section.(h) Nothing in this section shall be construed to require the provision of services or documents in a language other than English, beyond that which is otherwise required by other provisions of federal, state, or local law, including Section 1632.(i) In an action alleging a violation of this section in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 25 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this section.
51. (a) This section shall be known, and may be cited, as the Unruh Civil Rights Act.(b) All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.(c) This section shall not be construed to confer any right or privilege on a person that is conditioned or limited by law or that is applicable alike to persons of every sex, color, race, religion, ancestry, national origin, disability, medical condition, marital status, sexual orientation, citizenship, primary language, or immigration status, or to persons regardless of their genetic information.(d) Nothing in this section shall be construed to require any construction, alteration, repair, structural or otherwise, or modification of any sort whatsoever, beyond that construction, alteration, repair, or modification that is otherwise required by other provisions of law, to any new or existing establishment, facility, building, improvement, or any other structure, nor shall anything in this section be construed to augment, restrict, or alter in any way the authority of the State Architect to require construction, alteration, repair, or modifications that the State Architect otherwise possesses pursuant to other laws.(e) For purposes of this section:(1) Disability means any mental or physical disability as defined in Sections 12926 and 12926.1 of the Government Code.(2) (A) Genetic information means, with respect to any individual, information about any of the following:(i) The individuals genetic tests.(ii) The genetic tests of family members of the individual.(iii) The manifestation of a disease or disorder in family members of the individual.(B) Genetic information includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.(C) Genetic information does not include information about the sex or age of any individual.(3) Medical condition has the same meaning as defined in subdivision (i) of Section 12926 of the Government Code.(4) Race is inclusive of traits associated with race, including, but not limited to, hair texture and protective hairstyles. Protective hairstyles includes, but is not limited to, such hairstyles as braids, locs, and twists.(5) Religion includes all aspects of religious belief, observance, and practice.(6) Sex includes, but is not limited to, pregnancy, childbirth, or medical conditions related to pregnancy or childbirth. Sex also includes, but is not limited to, a persons gender. Gender means sex, and includes a persons gender identity and gender expression. Gender expression means a persons gender-related appearance and behavior whether or not stereotypically associated with the persons assigned sex at birth.(7) Sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status includes any of the following:(A) Any combination of those characteristics.(B) A perception that the person has any particular characteristic or characteristics within the listed categories or any combination of those characteristics.(C) A perception that the person is associated with a person who has, or is perceived to have, any particular characteristic or characteristics, or any combination of characteristics, within the listed categories.(8) Sexual orientation has the same meaning as defined in subdivision (s) of Section 12926 of the Government Code.(f) A violation of the right of any individual under the federal Americans with Disabilities Act of 1990 (Public Law 101-336) shall also constitute a violation of this section.(g) Verification of immigration status and any discrimination based upon verified immigration status, where required by federal law, shall not constitute a violation of this section.(h) Nothing in this section shall be construed to require the provision of services or documents in a language other than English, beyond that which is otherwise required by other provisions of federal, state, or local law, including Section 1632.(i) In an action alleging a violation of this section in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 25 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this section.
51. (a) This section shall be known, and may be cited, as the Unruh Civil Rights Act.
(b) All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.
(c) This section shall not be construed to confer any right or privilege on a person that is conditioned or limited by law or that is applicable alike to persons of every sex, color, race, religion, ancestry, national origin, disability, medical condition, marital status, sexual orientation, citizenship, primary language, or immigration status, or to persons regardless of their genetic information.
(d) Nothing in this section shall be construed to require any construction, alteration, repair, structural or otherwise, or modification of any sort whatsoever, beyond that construction, alteration, repair, or modification that is otherwise required by other provisions of law, to any new or existing establishment, facility, building, improvement, or any other structure, nor shall anything in this section be construed to augment, restrict, or alter in any way the authority of the State Architect to require construction, alteration, repair, or modifications that the State Architect otherwise possesses pursuant to other laws.
(e) For purposes of this section:
(1) Disability means any mental or physical disability as defined in Sections 12926 and 12926.1 of the Government Code.
(2) (A) Genetic information means, with respect to any individual, information about any of the following:
(i) The individuals genetic tests.
(ii) The genetic tests of family members of the individual.
(iii) The manifestation of a disease or disorder in family members of the individual.
(B) Genetic information includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.
(C) Genetic information does not include information about the sex or age of any individual.
(3) Medical condition has the same meaning as defined in subdivision (i) of Section 12926 of the Government Code.
(4) Race is inclusive of traits associated with race, including, but not limited to, hair texture and protective hairstyles. Protective hairstyles includes, but is not limited to, such hairstyles as braids, locs, and twists.
(5) Religion includes all aspects of religious belief, observance, and practice.
(6) Sex includes, but is not limited to, pregnancy, childbirth, or medical conditions related to pregnancy or childbirth. Sex also includes, but is not limited to, a persons gender. Gender means sex, and includes a persons gender identity and gender expression. Gender expression means a persons gender-related appearance and behavior whether or not stereotypically associated with the persons assigned sex at birth.
(7) Sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status includes any of the following:
(A) Any combination of those characteristics.
(B) A perception that the person has any particular characteristic or characteristics within the listed categories or any combination of those characteristics.
(C) A perception that the person is associated with a person who has, or is perceived to have, any particular characteristic or characteristics, or any combination of characteristics, within the listed categories.
(8) Sexual orientation has the same meaning as defined in subdivision (s) of Section 12926 of the Government Code.
(f) A violation of the right of any individual under the federal Americans with Disabilities Act of 1990 (Public Law 101-336) shall also constitute a violation of this section.
(g) Verification of immigration status and any discrimination based upon verified immigration status, where required by federal law, shall not constitute a violation of this section.
(h) Nothing in this section shall be construed to require the provision of services or documents in a language other than English, beyond that which is otherwise required by other provisions of federal, state, or local law, including Section 1632.
(i) In an action alleging a violation of this section in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 25 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this section.
SEC. 3. Article 3 (commencing with Section 12959) is added to Chapter 6 of Part 2.8 of Division 3 of Title 2 of the Government Code, to read: Article 3. Automated Decision Systems12959. In an action alleging a violation of this chapter in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 24.6 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this chapter.
SEC. 3. Article 3 (commencing with Section 12959) is added to Chapter 6 of Part 2.8 of Division 3 of Title 2 of the Government Code, to read:
### SEC. 3.
Article 3. Automated Decision Systems12959. In an action alleging a violation of this chapter in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 24.6 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this chapter.
Article 3. Automated Decision Systems12959. In an action alleging a violation of this chapter in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 24.6 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this chapter.
Article 3. Automated Decision Systems
Article 3. Automated Decision Systems
12959. In an action alleging a violation of this chapter in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 24.6 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this chapter.
12959. In an action alleging a violation of this chapter in which the defendants development, modification, or use of an automated decision system, as defined in Section 22756 of the Business and Professions Code, is alleged to have committed caused or facilitated the violation, the extent to which the defendant complied with Chapter 24.6 (commencing with Section 22756) of Division 8 of the Business and Professions Code is relevant to, but not conclusive of, whether a the defendant violated this chapter.
SEC. 4. The Legislature finds and declares that Section 1 of this act, which adds Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:In order to protect proprietary information, it is necessary that trade secrets disclosed in performance evaluations and impact assessments to agencies and departments pursuant to Section 1 of this act remain confidential.
SEC. 4. The Legislature finds and declares that Section 1 of this act, which adds Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:In order to protect proprietary information, it is necessary that trade secrets disclosed in performance evaluations and impact assessments to agencies and departments pursuant to Section 1 of this act remain confidential.
SEC. 4. The Legislature finds and declares that Section 1 of this act, which adds Chapter 24.6 (commencing with Section 22756) to Division 8 of the Business and Professions Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
### SEC. 4.
In order to protect proprietary information, it is necessary that trade secrets disclosed in performance evaluations and impact assessments to agencies and departments pursuant to Section 1 of this act remain confidential.