WHAT THIS BILL REGULATES · 2 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
(a)(1) "Artificial intelligenceArtificial intelligence"Artificial intelligence" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.Pub. Contract Code § 12100.1(a)(1)" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.
(a)(2)(A)–(B) "Automated decision systemAutomated decision system"Automated decision system" or "ADS" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Pub. Contract Code § 12100.1(a)(2)" or "ADS" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligenceArtificial intelligence"Artificial intelligence" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.Pub. Contract Code § 12100.1(a)(1) that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. (B) "Automated decision systemAutomated decision system"Automated decision system" or "ADS" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons. "Automated decision system" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.Pub. Contract Code § 12100.1(a)(2)" does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.
(a)(3) "DepartmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3)" means the Department of Technology.
Subdivision (a) establishes the three defined terms used throughout the bill. The definition of automated decision system is broad — covering any computational process derived from machine learning, statistical modeling, data analytics, or AI that issues simplified output used to assist or replace human discretionary decisionmaking and materially impacts natural persons — but explicitly carves out spam filters, firewalls, antivirus software, identity and access management tools, calculators, databases, datasets, and other compilations of data.
(b) 1 The departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) shall develop and adopt regulations to create an ADS procurement standard.
(b)(1)(A)–(D) 1 To develop regulations related to the ADS procurement standard, the departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the following: (A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022. (B) The Artificial IntelligenceArtificial intelligence"Artificial intelligence" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.Pub. Contract Code § 12100.1(a)(1) Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023. (C) The Risk Management Framework for the Procurement of Artificial IntelligenceArtificial intelligence"Artificial intelligence" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.Pub. Contract Code § 12100.1(a)(1) (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024. (D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial IntelligenceArtificial intelligence"Artificial intelligence" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.Pub. Contract Code § 12100.1(a)(1) Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.
(b)(2)(A)–(G) 1 The ADS procurement standard shall include all of the following: (A) A detailed risk assessment procedure that analyzes all of the following: (i) Organizational and supply chain governance associated with the ADS. (ii) The purpose and use of the ADS. (iii) Any known potential misuses or abuses of the ADS. (iv) An assessment of the legality, traceability, and provenance of the data the ADS uses and the legality of the output of the ADS. (v) The robustness, accuracy, and reliability of the ADS. (vi) The interpretability and explainability of the ADS. (B) Methods for appropriate risk controls between the state agency and ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk. (C) Adverse incident monitoring procedures. (D) Identification and classification of prohibited use cases and applications of ADS that the state shall not procure. (E) A detailed equity assessment that analyzes, at a minimum, all of the following: (i) The individuals and communities that will interact with the ADS. (ii) How the information or decisions generated by the ADS will impact an individual's rights, freedoms, economic status, health, health care, or well-being. (iii) Any issues that may arise if the ADS is inaccurate. (iv) How users with diverse abilities will interact with the user interface of the ADS and whether the ADS integrates and interacts with commonly used assistive technologies. (F) An assessment that analyzes the level of human oversight associated with the use of ADS. (G) Adherence to data minimization standards, including that an ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.
(b)(3)(A)–(C) 1 In developing the ADS procurement standard, the departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) shall do all of the following: (A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADS procurement, design, and deployment. (B) Consult with the California Privacy Protection Agency. (C) Solicit public comment on the ADS procurement standard.
(b)(4)(A)–(B) 1 Subject to subparagraph (B), the departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code. (B) Regulations adopted by the departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) pursuant to subparagraph (A) shall not contradict either of the following: (i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code. (ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADSs.
(b)(5)(A)–(B) 2 Commencing January 1, 2026, and annually thereafter, the departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) shall review and update both of the following: (A) The ADS procurement standard. (B) Regulations adopted pursuant to this subdivision.
Subdivision (b) imposes the bill's core rulemaking mandate on the Department of Technology. The Department must develop and adopt regulations creating an ADS procurement standard, considering specified publications including the NIST AI Risk Management Framework and the White House Blueprint for an AI Bill of Rights. The standard must address seven substantive components: a detailed risk assessment procedure analyzing governance, purpose, misuse potential, data legality and provenance, robustness, and explainability; risk control methods; adverse incident monitoring; prohibited use case identification; a detailed equity assessment; human oversight assessment; and data minimization standards including a prohibition on using agency-provided data for training proprietary vendor or third-party systems.
The Department must collaborate with specified stakeholders, consult with the California Privacy Protection Agency, and solicit public comment. The resulting regulations must not contradict CPPA automated decisionmaking regulations or statewide ADS legislation. Beginning January 1, 2026, the Department must annually review and update both the standard and its regulations.
(c) 3 Commencing January 1, 2027, a state agency shall not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS, prior to the adoption of regulations by the departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) pursuant to subdivision (b).
Subdivision (c) creates a procurement moratorium: beginning January 1, 2027, state agencies may not procure an ADS, enter into a contract for an ADS, or enter into a contract for any service that utilizes an ADS until the Department of Technology has adopted the ADS procurement standard regulations required by subdivision (b). This effectively gates all state ADS procurement on the Department's completion of the rulemaking process.
(d)(1)–(3) 4 Commencing January 1, 2027, a state agency may enter into a contract for an ADS, or a service that utilizes an ADS only after the departmentDepartment"Department" means the Department of Technology.Pub. Contract Code § 12100.1(a)(3) has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following: (1) Provides a completed risk assessment of the relevant ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b). (2) Requires the state agency or the ADS vendor, or both, to adhere to appropriate procurement standards. (3) Provides procedures for adverse incident monitoring.
(d)(4) 4 Requires authorization from the state agency before deployment of ADS upgrades and enhancements.
(d)(5) 5 Requires the state agency or the ADS vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, and information about how to appeal or opt out of ADS decisions or outcomes.
(d)(6) 4 Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.
Subdivision (d) establishes the operative contractual requirements for state agency ADS procurement beginning January 1, 2027. Once the Department has adopted its regulations, a state agency may enter into a contract for an ADS or a service utilizing an ADS only if the contract includes clauses requiring: a completed risk assessment, adherence to appropriate procurement standards, adverse incident monitoring procedures, pre-deployment authorization for upgrades and enhancements, notice to affected individuals with appeal and opt-out information, and a vendor termination right for significant breaches. The notice-and-appeal requirement in paragraph (5) is particularly notable — it extends beyond internal government process to impose a direct obligation to inform individuals affected by ADS decisions and provide mechanisms for appeal or opt-out.
(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
Subdivision (e) exempts projects already approved before January 1, 2027, through the annual budget process from the procurement moratorium and contractual clause requirements of subdivisions (c) and (d). This grandfather clause ensures that ongoing state technology projects are not disrupted mid-stream.