WHAT THIS BILL REGULATES · 2 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
(a)(1) "Automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Gov. Code § 11546.45.5(a)(1)" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Gov. Code § 11546.45.5(a)(1)" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.
(a)(2) "BoardBoard"Board" means any administrative or regulatory board, commission, committee, council, association, or authority consisting of more than one person whose members are appointed by the Governor, the Legislature, or both.Gov. Code § 11546.45.5(a)(2)" means any administrative or regulatory boardBoard"Board" means any administrative or regulatory board, commission, committee, council, association, or authority consisting of more than one person whose members are appointed by the Governor, the Legislature, or both.Gov. Code § 11546.45.5(a)(2), commission, committee, council, association, or authority consisting of more than one person whose members are appointed by the Governor, the Legislature, or both.
(a)(3) "DepartmentDepartment"Department" means the Department of Technology.Gov. Code § 11546.45.5(a)(3)" means the Department of Technology.
(a)(4) "High-risk automated decision systemHigh-risk automated decision system"High-risk automated decision system" means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.Gov. Code § 11546.45.5(a)(4)" means an automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Gov. Code § 11546.45.5(a)(1) that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.
(a)(5) "State agencyState agency"State agency" means any of the following: (i) Any state office, department, division, or bureau. (ii) The California State University. (iii) The Board of Parole Hearings. (iv) Any board or other professional licensing and regulatory body under the administration or oversight of the Department of Consumer Affairs. "State agency" does not include the University of California, the Legislature, the judicial branch, or any board, except as provided in subparagraph (A).Gov. Code § 11546.45.5(a)(5)" means any of the following: (i) Any state office, departmentDepartment"Department" means the Department of Technology.Gov. Code § 11546.45.5(a)(3), division, or bureau. (ii) The California State University. (iii) The Board of Parole Hearings. (iv) Any boardBoard"Board" means any administrative or regulatory board, commission, committee, council, association, or authority consisting of more than one person whose members are appointed by the Governor, the Legislature, or both.Gov. Code § 11546.45.5(a)(2) or other professional licensing and regulatory body under the administration or oversight of the Department of Consumer Affairs. (B) "State agencyState agency"State agency" means any of the following: (i) Any state office, department, division, or bureau. (ii) The California State University. (iii) The Board of Parole Hearings. (iv) Any board or other professional licensing and regulatory body under the administration or oversight of the Department of Consumer Affairs. "State agency" does not include the University of California, the Legislature, the judicial branch, or any board, except as provided in subparagraph (A).Gov. Code § 11546.45.5(a)(5)" does not include the University of California, the Legislature, the judicial branch, or any boardBoard"Board" means any administrative or regulatory board, commission, committee, council, association, or authority consisting of more than one person whose members are appointed by the Governor, the Legislature, or both.Gov. Code § 11546.45.5(a)(2), except as provided in subparagraph (A).
Subdivision (a) establishes the five defined terms that scope the bill's inventory and reporting obligations. The key definitional choices are: automated decision system is defined broadly to include any computational process derived from ML, statistical modeling, data analytics, or AI that issues simplified output used to assist or replace human discretionary decision-making and materially impacts natural persons, but explicitly excludes spam filters, firewalls, antivirus software, IAM tools, calculators, databases, and datasets. High-risk automated decision system narrows the scope to systems with legal or similarly significant effects in housing, education, employment, credit, health care, and criminal justice. State agency covers executive branch offices, CSU, the Board of Parole Hearings, and DCA licensing boards, but expressly excludes UC, the Legislature, and the judiciary.
(b) 1 On or before September 1, 2024, the Department of Technology shall conduct, in coordination with other interagency bodies as it deems appropriate, a comprehensive inventory of all high-risk automated decision systemsHigh-risk automated decision system"High-risk automated decision system" means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.Gov. Code § 11546.45.5(a)(4) that have been proposed for use, development, or procurement by, or are being used, developed, or procured by, any state agencyState agency"State agency" means any of the following: (i) Any state office, department, division, or bureau. (ii) The California State University. (iii) The Board of Parole Hearings. (iv) Any board or other professional licensing and regulatory body under the administration or oversight of the Department of Consumer Affairs. "State agency" does not include the University of California, the Legislature, the judicial branch, or any board, except as provided in subparagraph (A).Gov. Code § 11546.45.5(a)(5).
Subdivision (b) imposes the bill's core operative obligation: the Department of Technology must conduct a comprehensive inventory of all high-risk automated decision systems across state agencies by September 1, 2024. The inventory covers systems at every stage of the procurement and deployment lifecycle — proposed, in development, being procured, or currently in use. The Department may coordinate with other interagency bodies as it deems appropriate, giving it discretion over the collaborative structure of the inventory process.
(c) 2 The comprehensive inventory described by subdivision (b) shall include a description of all of the following:
(c)(1) 2 Any decision the automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Gov. Code § 11546.45.5(a)(1) can make or support and the intended benefits of that use. (B) The alternatives to any use described in subparagraph (A).
(c)(2) 2 The results of any research assessing the efficacy and relative benefits of the uses and alternatives of the automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Gov. Code § 11546.45.5(a)(1) described by paragraph (1).
(c)(3) 2 The categories of data and personal information the automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Gov. Code § 11546.45.5(a)(1) uses to make its decisions.
(c)(4) 2 The measures in place, if any, to mitigate the risks, including cybersecurity risk and the risk of inaccurate, unfairly discriminatory, or biased decisions, of the automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Gov. Code § 11546.45.5(a)(1). (B) Measures described by this paragraph may include, but are not limited to, any of the following: (i) Performance metrics to gauge the accuracy of the system. (ii) Cybersecurity controls. (iii) Privacy controls. (iv) Risk assessments or audits for potential risks. (v) Measures or processes in place to contest an automated decision.
Subdivision (c) prescribes the required content of the comprehensive inventory. Each inventoried system must be described along four dimensions: the decisions the system can make or support and the intended benefits, plus any alternatives considered; the results of efficacy research assessing the system and its alternatives; the categories of data and personal information the system uses; and risk mitigation measures in place, including measures addressing cybersecurity, inaccuracy, unfair discrimination, and bias. The illustrative list of mitigation measures — performance metrics, cybersecurity controls, privacy controls, risk assessments or audits, and contestation processes — is non-exhaustive.
(d)(1) 3 On or before January 1, 2025, and annually thereafter, the departmentDepartment"Department" means the Department of Technology.Gov. Code § 11546.45.5(a)(3) shall submit a report of the comprehensive inventory described in subdivision (b) to the Assembly Committee on Privacy and Consumer Protection and the Senate Committee on Governmental Organization.
(d)(2) The requirement for submitting a report imposed under paragraph (1) is inoperative on January 1, 2029, pursuant to Section 10231.5.
(d)(3) A report to be submitted pursuant to paragraph (1) shall be submitted in compliance with Section 9795.
Subdivision (d) establishes the annual reporting cadence and legislative recipients. The Department must submit the inventory report to the Assembly Committee on Privacy and Consumer Protection and the Senate Committee on Governmental Organization beginning January 1, 2025. The reporting requirement sunsets on January 1, 2029, pursuant to Government Code Section 10231.5. Reports must comply with Government Code Section 9795, which governs the format and delivery of legislative reports.