Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.

Existing law requires, on or before January 1, 2026, and before each time thereafter that a generative artificial intelligence system or service, as defined, or a substantial modification to a generative artificial intelligence system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developer’s internet website documentation, as specified, regarding the data used to train the generative artificial intelligence system or service.

This bill would impose a duty on a covered deployer, defined as a business that deploys a high-risk artificial intelligence system that processes personal information, to protect personal information held by the covered deployer, subject to certain requirements. In this regard, the bill would require a covered deployer whose high-risk artificial intelligence systems process personal information to develop, implement, and maintain a comprehensive information security program, as specified, that contains administrative, technical, and physical safeguards that are appropriate for, among other things, the covered deployer’s size, scope, and type of business. The bill would require the program described above to meet specified requirements, including, among other things, that the program incorporates safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under applicable state or federal laws and regulations.

Existing law, the Unfair Competition Law, establishes a statutory cause of action for unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising, and establishes remedies and penalties in that regard, including injunctive relief and civil penalties.

This bill would specify that a violation of the above-described provisions relating to the duty of a covered deployer to protect information, including the requirement that a covered deployer maintain the comprehensive information security program described above, constitute a deceptive trade act or practice under that law.

Existing law, the Administrative Procedure Act, governs the procedure for the adoption, amendment, or repeal of regulations by state agencies and for the review of those regulatory actions by the Office of Administrative Law.

This bill would authorize the agency to adopt regulations pursuant to the act to implement these provisions, and would exempt, notwithstanding that provision, any regulations adopted by the agency to establish fees from the act. The bill would define various terms for these purposes.

The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.