| 1 | 1 | | CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Senate Bill No. 468Introduced by Senator BeckerFebruary 19, 2025 An act to add Title 1.81.28 (commencing with Section 1798.91.2) to Part 4 of Division 3 of the Civil Code, relating to artificial intelligence. LEGISLATIVE COUNSEL'S DIGESTSB 468, as introduced, Becker. High-risk artificial intelligence systems: duty to protect personal information.Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA. Existing law requires, on or before January 1, 2026, and before each time thereafter that a generative artificial intelligence system or service, as defined, or a substantial modification to a generative artificial intelligence system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developers internet website documentation, as specified, regarding the data used to train the generative artificial intelligence system or service. This bill would impose a duty on a covered deployer, defined as a business that deploys a high-risk artificial intelligence system that processes personal information, to protect personal information held by the covered deployer, subject to certain requirements. In this regard, the bill would require a covered deployer whose high-risk artificial intelligence systems process personal information to develop, implement, and maintain a comprehensive information security program, as specified, that contains administrative, technical, and physical safeguards that are appropriate for, among other things, the covered deployers size, scope, and type of business. The bill would require the program described above to meet specified requirements, including, among other things, that the program incorporates safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under applicable state or federal laws and regulations. Existing law, the Unfair Competition Law, establishes a statutory cause of action for unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising, and establishes remedies and penalties in that regard, including injunctive relief and civil penalties. This bill would specify that a violation of the above-described provisions relating to the duty of a covered deployer to protect information, including the requirement that a covered deployer maintain the comprehensive information security program described above, constitute a deceptive trade act or practice under that law.Existing law, the Administrative Procedure Act, governs the procedure for the adoption, amendment, or repeal of regulations by state agencies and for the review of those regulatory actions by the Office of Administrative Law.This bill would authorize the agency to adopt regulations pursuant to the act to implement these provisions, and would exempt, notwithstanding that provision, any regulations adopted by the agency to establish fees from the act. The bill would define various terms for these purposes.The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Title 1.81.28 (commencing with Section 1798.91.2) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.28. High-risk Artificial Intelligence Systems1798.91.2. For purposes of this title, the following definitions shall apply:(a) Artificial intelligence has the same meaning as that term is defined in Section 11546.45.5 of the Government Code.(b) Business has the same meaning as that term is defined in Section 1798.140.(c) Consumer has the same meaning as that term is defined in Section 1798.140.(d) Covered deployer means a business that deploys a high-risk artificial intelligence system that processes personal information.(e) Deploy means to put into effect or commercialize.(f) Deployer means a person doing business in this state that deploys a high-risk artificial intelligence system.(g) High-risk artificial intelligence system has the same meaning as high-risk automated decision system, as that term is defined in Section 11546.45.5 of the Government Code.(h) Personal information has the same meaning as that term is defined in Section 1798.140.(i) Processes or processing have the same meaning as processing, as that term is defined in Section 1798.140.1798.91.3. (a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section.(b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following:(1) The covered deployers size, scope, and type of business.(2) The amount of resources available to the covered deployer.(3) The amount of data stored by the covered deployer.(4) The need for security and confidentiality of personal information stored by the covered deployer.(c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements:(1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer.(2) The program shall include the designation of one or more employees of the covered deployer to maintain the program.(3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following:(A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security.(B) Mandating employee compliance with policies and procedures established under the program.(C) Providing a means for detecting and preventing security system failures.(4) The program shall include security policies for the covered deployers employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployers physical business premises.(5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program.(6) The program shall include measures for preventing a terminated employee from accessing records containing personal information.(7) The program shall provide policies for the supervision of third-party service providers that include both of the following:(A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law.(B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information.(8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container.(9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information.(10) The program shall require the regular review of the scope of the programs security measures that must occur subject to both of the following timeframes:(A) At least annually.(B) Whenever there is a material change in the covered deployers business practices that may reasonably affect the security or integrity of records containing personal information.(11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information.(12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information:(A) The use of secure user authentication protocols that include all of the following features:(i) The control of user login credentials and other identifiers.(ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices.(iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect.(iv) The restriction of access to only active users and active user accounts.(v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access.(B) The use of secure access control measures that include both of the following:(i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors.(ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information.(C) The encryption of both of the following:(i) Transmitted records and files containing personal information that will travel across public networks.(ii) Data containing personal information that is transmitted wirelessly.(D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information.(E) The encryption of all personal information stored on laptop computers or other portable devices.(F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information.(G) The use of both of the following:(i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions.(ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis.(d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).1798.91.4. (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that covered deployers secure their high-risk artificial intelligence systems that process personal information. |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Senate Bill No. 468Introduced by Senator BeckerFebruary 19, 2025 An act to add Title 1.81.28 (commencing with Section 1798.91.2) to Part 4 of Division 3 of the Civil Code, relating to artificial intelligence. LEGISLATIVE COUNSEL'S DIGESTSB 468, as introduced, Becker. High-risk artificial intelligence systems: duty to protect personal information.Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA. Existing law requires, on or before January 1, 2026, and before each time thereafter that a generative artificial intelligence system or service, as defined, or a substantial modification to a generative artificial intelligence system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developers internet website documentation, as specified, regarding the data used to train the generative artificial intelligence system or service. This bill would impose a duty on a covered deployer, defined as a business that deploys a high-risk artificial intelligence system that processes personal information, to protect personal information held by the covered deployer, subject to certain requirements. In this regard, the bill would require a covered deployer whose high-risk artificial intelligence systems process personal information to develop, implement, and maintain a comprehensive information security program, as specified, that contains administrative, technical, and physical safeguards that are appropriate for, among other things, the covered deployers size, scope, and type of business. The bill would require the program described above to meet specified requirements, including, among other things, that the program incorporates safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under applicable state or federal laws and regulations. Existing law, the Unfair Competition Law, establishes a statutory cause of action for unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising, and establishes remedies and penalties in that regard, including injunctive relief and civil penalties. This bill would specify that a violation of the above-described provisions relating to the duty of a covered deployer to protect information, including the requirement that a covered deployer maintain the comprehensive information security program described above, constitute a deceptive trade act or practice under that law.Existing law, the Administrative Procedure Act, governs the procedure for the adoption, amendment, or repeal of regulations by state agencies and for the review of those regulatory actions by the Office of Administrative Law.This bill would authorize the agency to adopt regulations pursuant to the act to implement these provisions, and would exempt, notwithstanding that provision, any regulations adopted by the agency to establish fees from the act. The bill would define various terms for these purposes.The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | |
|---|
| 8 | 8 | | |
|---|
| 9 | 9 | | CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION |
|---|
| 10 | 10 | | |
|---|
| 11 | 11 | | Senate Bill |
|---|
| 12 | 12 | | |
|---|
| 13 | 13 | | No. 468 |
|---|
| 14 | 14 | | |
|---|
| 15 | 15 | | Introduced by Senator BeckerFebruary 19, 2025 |
|---|
| 16 | 16 | | |
|---|
| 17 | 17 | | Introduced by Senator Becker |
|---|
| 18 | 18 | | February 19, 2025 |
|---|
| 19 | 19 | | |
|---|
| 20 | 20 | | An act to add Title 1.81.28 (commencing with Section 1798.91.2) to Part 4 of Division 3 of the Civil Code, relating to artificial intelligence. |
|---|
| 21 | 21 | | |
|---|
| 22 | 22 | | LEGISLATIVE COUNSEL'S DIGEST |
|---|
| 23 | 23 | | |
|---|
| 24 | 24 | | ## LEGISLATIVE COUNSEL'S DIGEST |
|---|
| 25 | 25 | | |
|---|
| 26 | 26 | | SB 468, as introduced, Becker. High-risk artificial intelligence systems: duty to protect personal information. |
|---|
| 27 | 27 | | |
|---|
| 28 | 28 | | Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA. Existing law requires, on or before January 1, 2026, and before each time thereafter that a generative artificial intelligence system or service, as defined, or a substantial modification to a generative artificial intelligence system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developers internet website documentation, as specified, regarding the data used to train the generative artificial intelligence system or service. This bill would impose a duty on a covered deployer, defined as a business that deploys a high-risk artificial intelligence system that processes personal information, to protect personal information held by the covered deployer, subject to certain requirements. In this regard, the bill would require a covered deployer whose high-risk artificial intelligence systems process personal information to develop, implement, and maintain a comprehensive information security program, as specified, that contains administrative, technical, and physical safeguards that are appropriate for, among other things, the covered deployers size, scope, and type of business. The bill would require the program described above to meet specified requirements, including, among other things, that the program incorporates safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under applicable state or federal laws and regulations. Existing law, the Unfair Competition Law, establishes a statutory cause of action for unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising, and establishes remedies and penalties in that regard, including injunctive relief and civil penalties. This bill would specify that a violation of the above-described provisions relating to the duty of a covered deployer to protect information, including the requirement that a covered deployer maintain the comprehensive information security program described above, constitute a deceptive trade act or practice under that law.Existing law, the Administrative Procedure Act, governs the procedure for the adoption, amendment, or repeal of regulations by state agencies and for the review of those regulatory actions by the Office of Administrative Law.This bill would authorize the agency to adopt regulations pursuant to the act to implement these provisions, and would exempt, notwithstanding that provision, any regulations adopted by the agency to establish fees from the act. The bill would define various terms for these purposes.The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 29 | 29 | | |
|---|
| 30 | 30 | | Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA. |
|---|
| 31 | 31 | | |
|---|
| 32 | 32 | | Existing law requires, on or before January 1, 2026, and before each time thereafter that a generative artificial intelligence system or service, as defined, or a substantial modification to a generative artificial intelligence system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developers internet website documentation, as specified, regarding the data used to train the generative artificial intelligence system or service. |
|---|
| 33 | 33 | | |
|---|
| 34 | 34 | | This bill would impose a duty on a covered deployer, defined as a business that deploys a high-risk artificial intelligence system that processes personal information, to protect personal information held by the covered deployer, subject to certain requirements. In this regard, the bill would require a covered deployer whose high-risk artificial intelligence systems process personal information to develop, implement, and maintain a comprehensive information security program, as specified, that contains administrative, technical, and physical safeguards that are appropriate for, among other things, the covered deployers size, scope, and type of business. The bill would require the program described above to meet specified requirements, including, among other things, that the program incorporates safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under applicable state or federal laws and regulations. |
|---|
| 35 | 35 | | |
|---|
| 36 | 36 | | Existing law, the Unfair Competition Law, establishes a statutory cause of action for unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising, and establishes remedies and penalties in that regard, including injunctive relief and civil penalties. |
|---|
| 37 | 37 | | |
|---|
| 38 | 38 | | This bill would specify that a violation of the above-described provisions relating to the duty of a covered deployer to protect information, including the requirement that a covered deployer maintain the comprehensive information security program described above, constitute a deceptive trade act or practice under that law. |
|---|
| 39 | 39 | | |
|---|
| 40 | 40 | | Existing law, the Administrative Procedure Act, governs the procedure for the adoption, amendment, or repeal of regulations by state agencies and for the review of those regulatory actions by the Office of Administrative Law. |
|---|
| 41 | 41 | | |
|---|
| 42 | 42 | | This bill would authorize the agency to adopt regulations pursuant to the act to implement these provisions, and would exempt, notwithstanding that provision, any regulations adopted by the agency to establish fees from the act. The bill would define various terms for these purposes. |
|---|
| 43 | 43 | | |
|---|
| 44 | 44 | | The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified. |
|---|
| 45 | 45 | | |
|---|
| 46 | 46 | | This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 47 | 47 | | |
|---|
| 48 | 48 | | ## Digest Key |
|---|
| 49 | 49 | | |
|---|
| 50 | 50 | | ## Bill Text |
|---|
| 51 | 51 | | |
|---|
| 52 | 52 | | The people of the State of California do enact as follows:SECTION 1. Title 1.81.28 (commencing with Section 1798.91.2) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.28. High-risk Artificial Intelligence Systems1798.91.2. For purposes of this title, the following definitions shall apply:(a) Artificial intelligence has the same meaning as that term is defined in Section 11546.45.5 of the Government Code.(b) Business has the same meaning as that term is defined in Section 1798.140.(c) Consumer has the same meaning as that term is defined in Section 1798.140.(d) Covered deployer means a business that deploys a high-risk artificial intelligence system that processes personal information.(e) Deploy means to put into effect or commercialize.(f) Deployer means a person doing business in this state that deploys a high-risk artificial intelligence system.(g) High-risk artificial intelligence system has the same meaning as high-risk automated decision system, as that term is defined in Section 11546.45.5 of the Government Code.(h) Personal information has the same meaning as that term is defined in Section 1798.140.(i) Processes or processing have the same meaning as processing, as that term is defined in Section 1798.140.1798.91.3. (a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section.(b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following:(1) The covered deployers size, scope, and type of business.(2) The amount of resources available to the covered deployer.(3) The amount of data stored by the covered deployer.(4) The need for security and confidentiality of personal information stored by the covered deployer.(c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements:(1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer.(2) The program shall include the designation of one or more employees of the covered deployer to maintain the program.(3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following:(A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security.(B) Mandating employee compliance with policies and procedures established under the program.(C) Providing a means for detecting and preventing security system failures.(4) The program shall include security policies for the covered deployers employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployers physical business premises.(5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program.(6) The program shall include measures for preventing a terminated employee from accessing records containing personal information.(7) The program shall provide policies for the supervision of third-party service providers that include both of the following:(A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law.(B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information.(8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container.(9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information.(10) The program shall require the regular review of the scope of the programs security measures that must occur subject to both of the following timeframes:(A) At least annually.(B) Whenever there is a material change in the covered deployers business practices that may reasonably affect the security or integrity of records containing personal information.(11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information.(12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information:(A) The use of secure user authentication protocols that include all of the following features:(i) The control of user login credentials and other identifiers.(ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices.(iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect.(iv) The restriction of access to only active users and active user accounts.(v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access.(B) The use of secure access control measures that include both of the following:(i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors.(ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information.(C) The encryption of both of the following:(i) Transmitted records and files containing personal information that will travel across public networks.(ii) Data containing personal information that is transmitted wirelessly.(D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information.(E) The encryption of all personal information stored on laptop computers or other portable devices.(F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information.(G) The use of both of the following:(i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions.(ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis.(d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).1798.91.4. (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that covered deployers secure their high-risk artificial intelligence systems that process personal information. |
|---|
| 53 | 53 | | |
|---|
| 54 | 54 | | The people of the State of California do enact as follows: |
|---|
| 55 | 55 | | |
|---|
| 56 | 56 | | ## The people of the State of California do enact as follows: |
|---|
| 57 | 57 | | |
|---|
| 58 | 58 | | SECTION 1. Title 1.81.28 (commencing with Section 1798.91.2) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.28. High-risk Artificial Intelligence Systems1798.91.2. For purposes of this title, the following definitions shall apply:(a) Artificial intelligence has the same meaning as that term is defined in Section 11546.45.5 of the Government Code.(b) Business has the same meaning as that term is defined in Section 1798.140.(c) Consumer has the same meaning as that term is defined in Section 1798.140.(d) Covered deployer means a business that deploys a high-risk artificial intelligence system that processes personal information.(e) Deploy means to put into effect or commercialize.(f) Deployer means a person doing business in this state that deploys a high-risk artificial intelligence system.(g) High-risk artificial intelligence system has the same meaning as high-risk automated decision system, as that term is defined in Section 11546.45.5 of the Government Code.(h) Personal information has the same meaning as that term is defined in Section 1798.140.(i) Processes or processing have the same meaning as processing, as that term is defined in Section 1798.140.1798.91.3. (a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section.(b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following:(1) The covered deployers size, scope, and type of business.(2) The amount of resources available to the covered deployer.(3) The amount of data stored by the covered deployer.(4) The need for security and confidentiality of personal information stored by the covered deployer.(c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements:(1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer.(2) The program shall include the designation of one or more employees of the covered deployer to maintain the program.(3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following:(A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security.(B) Mandating employee compliance with policies and procedures established under the program.(C) Providing a means for detecting and preventing security system failures.(4) The program shall include security policies for the covered deployers employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployers physical business premises.(5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program.(6) The program shall include measures for preventing a terminated employee from accessing records containing personal information.(7) The program shall provide policies for the supervision of third-party service providers that include both of the following:(A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law.(B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information.(8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container.(9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information.(10) The program shall require the regular review of the scope of the programs security measures that must occur subject to both of the following timeframes:(A) At least annually.(B) Whenever there is a material change in the covered deployers business practices that may reasonably affect the security or integrity of records containing personal information.(11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information.(12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information:(A) The use of secure user authentication protocols that include all of the following features:(i) The control of user login credentials and other identifiers.(ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices.(iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect.(iv) The restriction of access to only active users and active user accounts.(v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access.(B) The use of secure access control measures that include both of the following:(i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors.(ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information.(C) The encryption of both of the following:(i) Transmitted records and files containing personal information that will travel across public networks.(ii) Data containing personal information that is transmitted wirelessly.(D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information.(E) The encryption of all personal information stored on laptop computers or other portable devices.(F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information.(G) The use of both of the following:(i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions.(ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis.(d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).1798.91.4. (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). |
|---|
| 59 | 59 | | |
|---|
| 60 | 60 | | SECTION 1. Title 1.81.28 (commencing with Section 1798.91.2) is added to Part 4 of Division 3 of the Civil Code, to read: |
|---|
| 61 | 61 | | |
|---|
| 62 | 62 | | ### SECTION 1. |
|---|
| 63 | 63 | | |
|---|
| 64 | 64 | | TITLE 1.81.28. High-risk Artificial Intelligence Systems1798.91.2. For purposes of this title, the following definitions shall apply:(a) Artificial intelligence has the same meaning as that term is defined in Section 11546.45.5 of the Government Code.(b) Business has the same meaning as that term is defined in Section 1798.140.(c) Consumer has the same meaning as that term is defined in Section 1798.140.(d) Covered deployer means a business that deploys a high-risk artificial intelligence system that processes personal information.(e) Deploy means to put into effect or commercialize.(f) Deployer means a person doing business in this state that deploys a high-risk artificial intelligence system.(g) High-risk artificial intelligence system has the same meaning as high-risk automated decision system, as that term is defined in Section 11546.45.5 of the Government Code.(h) Personal information has the same meaning as that term is defined in Section 1798.140.(i) Processes or processing have the same meaning as processing, as that term is defined in Section 1798.140.1798.91.3. (a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section.(b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following:(1) The covered deployers size, scope, and type of business.(2) The amount of resources available to the covered deployer.(3) The amount of data stored by the covered deployer.(4) The need for security and confidentiality of personal information stored by the covered deployer.(c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements:(1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer.(2) The program shall include the designation of one or more employees of the covered deployer to maintain the program.(3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following:(A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security.(B) Mandating employee compliance with policies and procedures established under the program.(C) Providing a means for detecting and preventing security system failures.(4) The program shall include security policies for the covered deployers employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployers physical business premises.(5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program.(6) The program shall include measures for preventing a terminated employee from accessing records containing personal information.(7) The program shall provide policies for the supervision of third-party service providers that include both of the following:(A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law.(B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information.(8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container.(9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information.(10) The program shall require the regular review of the scope of the programs security measures that must occur subject to both of the following timeframes:(A) At least annually.(B) Whenever there is a material change in the covered deployers business practices that may reasonably affect the security or integrity of records containing personal information.(11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information.(12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information:(A) The use of secure user authentication protocols that include all of the following features:(i) The control of user login credentials and other identifiers.(ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices.(iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect.(iv) The restriction of access to only active users and active user accounts.(v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access.(B) The use of secure access control measures that include both of the following:(i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors.(ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information.(C) The encryption of both of the following:(i) Transmitted records and files containing personal information that will travel across public networks.(ii) Data containing personal information that is transmitted wirelessly.(D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information.(E) The encryption of all personal information stored on laptop computers or other portable devices.(F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information.(G) The use of both of the following:(i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions.(ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis.(d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).1798.91.4. (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). |
|---|
| 65 | 65 | | |
|---|
| 66 | 66 | | TITLE 1.81.28. High-risk Artificial Intelligence Systems1798.91.2. For purposes of this title, the following definitions shall apply:(a) Artificial intelligence has the same meaning as that term is defined in Section 11546.45.5 of the Government Code.(b) Business has the same meaning as that term is defined in Section 1798.140.(c) Consumer has the same meaning as that term is defined in Section 1798.140.(d) Covered deployer means a business that deploys a high-risk artificial intelligence system that processes personal information.(e) Deploy means to put into effect or commercialize.(f) Deployer means a person doing business in this state that deploys a high-risk artificial intelligence system.(g) High-risk artificial intelligence system has the same meaning as high-risk automated decision system, as that term is defined in Section 11546.45.5 of the Government Code.(h) Personal information has the same meaning as that term is defined in Section 1798.140.(i) Processes or processing have the same meaning as processing, as that term is defined in Section 1798.140.1798.91.3. (a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section.(b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following:(1) The covered deployers size, scope, and type of business.(2) The amount of resources available to the covered deployer.(3) The amount of data stored by the covered deployer.(4) The need for security and confidentiality of personal information stored by the covered deployer.(c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements:(1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer.(2) The program shall include the designation of one or more employees of the covered deployer to maintain the program.(3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following:(A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security.(B) Mandating employee compliance with policies and procedures established under the program.(C) Providing a means for detecting and preventing security system failures.(4) The program shall include security policies for the covered deployers employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployers physical business premises.(5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program.(6) The program shall include measures for preventing a terminated employee from accessing records containing personal information.(7) The program shall provide policies for the supervision of third-party service providers that include both of the following:(A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law.(B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information.(8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container.(9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information.(10) The program shall require the regular review of the scope of the programs security measures that must occur subject to both of the following timeframes:(A) At least annually.(B) Whenever there is a material change in the covered deployers business practices that may reasonably affect the security or integrity of records containing personal information.(11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information.(12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information:(A) The use of secure user authentication protocols that include all of the following features:(i) The control of user login credentials and other identifiers.(ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices.(iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect.(iv) The restriction of access to only active users and active user accounts.(v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access.(B) The use of secure access control measures that include both of the following:(i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors.(ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information.(C) The encryption of both of the following:(i) Transmitted records and files containing personal information that will travel across public networks.(ii) Data containing personal information that is transmitted wirelessly.(D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information.(E) The encryption of all personal information stored on laptop computers or other portable devices.(F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information.(G) The use of both of the following:(i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions.(ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis.(d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).1798.91.4. (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). |
|---|
| 67 | 67 | | |
|---|
| 68 | 68 | | TITLE 1.81.28. High-risk Artificial Intelligence Systems |
|---|
| 69 | 69 | | |
|---|
| 70 | 70 | | TITLE 1.81.28. High-risk Artificial Intelligence Systems |
|---|
| 71 | 71 | | |
|---|
| 72 | 72 | | 1798.91.2. For purposes of this title, the following definitions shall apply:(a) Artificial intelligence has the same meaning as that term is defined in Section 11546.45.5 of the Government Code.(b) Business has the same meaning as that term is defined in Section 1798.140.(c) Consumer has the same meaning as that term is defined in Section 1798.140.(d) Covered deployer means a business that deploys a high-risk artificial intelligence system that processes personal information.(e) Deploy means to put into effect or commercialize.(f) Deployer means a person doing business in this state that deploys a high-risk artificial intelligence system.(g) High-risk artificial intelligence system has the same meaning as high-risk automated decision system, as that term is defined in Section 11546.45.5 of the Government Code.(h) Personal information has the same meaning as that term is defined in Section 1798.140.(i) Processes or processing have the same meaning as processing, as that term is defined in Section 1798.140. |
|---|
| 73 | 73 | | |
|---|
| 74 | 74 | | |
|---|
| 75 | 75 | | |
|---|
| 76 | 76 | | 1798.91.2. For purposes of this title, the following definitions shall apply: |
|---|
| 77 | 77 | | |
|---|
| 78 | 78 | | (a) Artificial intelligence has the same meaning as that term is defined in Section 11546.45.5 of the Government Code. |
|---|
| 79 | 79 | | |
|---|
| 80 | 80 | | (b) Business has the same meaning as that term is defined in Section 1798.140. |
|---|
| 81 | 81 | | |
|---|
| 82 | 82 | | (c) Consumer has the same meaning as that term is defined in Section 1798.140. |
|---|
| 83 | 83 | | |
|---|
| 84 | 84 | | (d) Covered deployer means a business that deploys a high-risk artificial intelligence system that processes personal information. |
|---|
| 85 | 85 | | |
|---|
| 86 | 86 | | (e) Deploy means to put into effect or commercialize. |
|---|
| 87 | 87 | | |
|---|
| 88 | 88 | | (f) Deployer means a person doing business in this state that deploys a high-risk artificial intelligence system. |
|---|
| 89 | 89 | | |
|---|
| 90 | 90 | | (g) High-risk artificial intelligence system has the same meaning as high-risk automated decision system, as that term is defined in Section 11546.45.5 of the Government Code. |
|---|
| 91 | 91 | | |
|---|
| 92 | 92 | | (h) Personal information has the same meaning as that term is defined in Section 1798.140. |
|---|
| 93 | 93 | | |
|---|
| 94 | 94 | | (i) Processes or processing have the same meaning as processing, as that term is defined in Section 1798.140. |
|---|
| 95 | 95 | | |
|---|
| 96 | 96 | | 1798.91.3. (a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section.(b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following:(1) The covered deployers size, scope, and type of business.(2) The amount of resources available to the covered deployer.(3) The amount of data stored by the covered deployer.(4) The need for security and confidentiality of personal information stored by the covered deployer.(c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements:(1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer.(2) The program shall include the designation of one or more employees of the covered deployer to maintain the program.(3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following:(A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security.(B) Mandating employee compliance with policies and procedures established under the program.(C) Providing a means for detecting and preventing security system failures.(4) The program shall include security policies for the covered deployers employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployers physical business premises.(5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program.(6) The program shall include measures for preventing a terminated employee from accessing records containing personal information.(7) The program shall provide policies for the supervision of third-party service providers that include both of the following:(A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law.(B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information.(8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container.(9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information.(10) The program shall require the regular review of the scope of the programs security measures that must occur subject to both of the following timeframes:(A) At least annually.(B) Whenever there is a material change in the covered deployers business practices that may reasonably affect the security or integrity of records containing personal information.(11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information.(12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information:(A) The use of secure user authentication protocols that include all of the following features:(i) The control of user login credentials and other identifiers.(ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices.(iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect.(iv) The restriction of access to only active users and active user accounts.(v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access.(B) The use of secure access control measures that include both of the following:(i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors.(ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information.(C) The encryption of both of the following:(i) Transmitted records and files containing personal information that will travel across public networks.(ii) Data containing personal information that is transmitted wirelessly.(D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information.(E) The encryption of all personal information stored on laptop computers or other portable devices.(F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information.(G) The use of both of the following:(i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions.(ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis.(d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code). |
|---|
| 97 | 97 | | |
|---|
| 98 | 98 | | |
|---|
| 99 | 99 | | |
|---|
| 100 | 100 | | 1798.91.3. (a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section. |
|---|
| 101 | 101 | | |
|---|
| 102 | 102 | | (b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following: |
|---|
| 103 | 103 | | |
|---|
| 104 | 104 | | (1) The covered deployers size, scope, and type of business. |
|---|
| 105 | 105 | | |
|---|
| 106 | 106 | | (2) The amount of resources available to the covered deployer. |
|---|
| 107 | 107 | | |
|---|
| 108 | 108 | | (3) The amount of data stored by the covered deployer. |
|---|
| 109 | 109 | | |
|---|
| 110 | 110 | | (4) The need for security and confidentiality of personal information stored by the covered deployer. |
|---|
| 111 | 111 | | |
|---|
| 112 | 112 | | (c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements: |
|---|
| 113 | 113 | | |
|---|
| 114 | 114 | | (1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer. |
|---|
| 115 | 115 | | |
|---|
| 116 | 116 | | (2) The program shall include the designation of one or more employees of the covered deployer to maintain the program. |
|---|
| 117 | 117 | | |
|---|
| 118 | 118 | | (3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following: |
|---|
| 119 | 119 | | |
|---|
| 120 | 120 | | (A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security. |
|---|
| 121 | 121 | | |
|---|
| 122 | 122 | | (B) Mandating employee compliance with policies and procedures established under the program. |
|---|
| 123 | 123 | | |
|---|
| 124 | 124 | | (C) Providing a means for detecting and preventing security system failures. |
|---|
| 125 | 125 | | |
|---|
| 126 | 126 | | (4) The program shall include security policies for the covered deployers employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployers physical business premises. |
|---|
| 127 | 127 | | |
|---|
| 128 | 128 | | (5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program. |
|---|
| 129 | 129 | | |
|---|
| 130 | 130 | | (6) The program shall include measures for preventing a terminated employee from accessing records containing personal information. |
|---|
| 131 | 131 | | |
|---|
| 132 | 132 | | (7) The program shall provide policies for the supervision of third-party service providers that include both of the following: |
|---|
| 133 | 133 | | |
|---|
| 134 | 134 | | (A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law. |
|---|
| 135 | 135 | | |
|---|
| 136 | 136 | | (B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information. |
|---|
| 137 | 137 | | |
|---|
| 138 | 138 | | (8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container. |
|---|
| 139 | 139 | | |
|---|
| 140 | 140 | | (9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information. |
|---|
| 141 | 141 | | |
|---|
| 142 | 142 | | (10) The program shall require the regular review of the scope of the programs security measures that must occur subject to both of the following timeframes: |
|---|
| 143 | 143 | | |
|---|
| 144 | 144 | | (A) At least annually. |
|---|
| 145 | 145 | | |
|---|
| 146 | 146 | | (B) Whenever there is a material change in the covered deployers business practices that may reasonably affect the security or integrity of records containing personal information. |
|---|
| 147 | 147 | | |
|---|
| 148 | 148 | | (11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information. |
|---|
| 149 | 149 | | |
|---|
| 150 | 150 | | (12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information: |
|---|
| 151 | 151 | | |
|---|
| 152 | 152 | | (A) The use of secure user authentication protocols that include all of the following features: |
|---|
| 153 | 153 | | |
|---|
| 154 | 154 | | (i) The control of user login credentials and other identifiers. |
|---|
| 155 | 155 | | |
|---|
| 156 | 156 | | (ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices. |
|---|
| 157 | 157 | | |
|---|
| 158 | 158 | | (iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect. |
|---|
| 159 | 159 | | |
|---|
| 160 | 160 | | (iv) The restriction of access to only active users and active user accounts. |
|---|
| 161 | 161 | | |
|---|
| 162 | 162 | | (v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access. |
|---|
| 163 | 163 | | |
|---|
| 164 | 164 | | (B) The use of secure access control measures that include both of the following: |
|---|
| 165 | 165 | | |
|---|
| 166 | 166 | | (i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors. |
|---|
| 167 | 167 | | |
|---|
| 168 | 168 | | (ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information. |
|---|
| 169 | 169 | | |
|---|
| 170 | 170 | | (C) The encryption of both of the following: |
|---|
| 171 | 171 | | |
|---|
| 172 | 172 | | (i) Transmitted records and files containing personal information that will travel across public networks. |
|---|
| 173 | 173 | | |
|---|
| 174 | 174 | | (ii) Data containing personal information that is transmitted wirelessly. |
|---|
| 175 | 175 | | |
|---|
| 176 | 176 | | (D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information. |
|---|
| 177 | 177 | | |
|---|
| 178 | 178 | | (E) The encryption of all personal information stored on laptop computers or other portable devices. |
|---|
| 179 | 179 | | |
|---|
| 180 | 180 | | (F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information. |
|---|
| 181 | 181 | | |
|---|
| 182 | 182 | | (G) The use of both of the following: |
|---|
| 183 | 183 | | |
|---|
| 184 | 184 | | (i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions. |
|---|
| 185 | 185 | | |
|---|
| 186 | 186 | | (ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis. |
|---|
| 187 | 187 | | |
|---|
| 188 | 188 | | (d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code). |
|---|
| 189 | 189 | | |
|---|
| 190 | 190 | | 1798.91.4. (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). |
|---|
| 191 | 191 | | |
|---|
| 192 | 192 | | |
|---|
| 193 | 193 | | |
|---|
| 194 | 194 | | 1798.91.4. (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. |
|---|
| 195 | 195 | | |
|---|
| 196 | 196 | | (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). |
|---|
| 197 | 197 | | |
|---|
| 198 | 198 | | SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that covered deployers secure their high-risk artificial intelligence systems that process personal information. |
|---|
| 199 | 199 | | |
|---|
| 200 | 200 | | SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that covered deployers secure their high-risk artificial intelligence systems that process personal information. |
|---|
| 201 | 201 | | |
|---|
| 202 | 202 | | SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that covered deployers secure their high-risk artificial intelligence systems that process personal information. |
|---|
| 203 | 203 | | |
|---|
| 204 | 204 | | ### SEC. 2. |
|---|