Bill Text: CA SB892 | 2023-2024 | Regular Session | Amended
Bill Title: Public contracts: automated decision systems: procurement standards.
Spectrum: Partisan Bill (Democrat 3-0)
Status: (Engrossed) 2024-08-30 - From special consent calendar on motion of Senator Jones. [SB892 Detail]
Download: California-2023-SB892-Amended.html
|
Amended
IN
Assembly
August 19, 2024 |
|
Amended
IN
Assembly
July 03, 2024 |
|
Amended
IN
Assembly
June 21, 2024 |
|
Amended
IN
Senate
April 10, 2024 |
|
Amended
IN
Senate
April 01, 2024 |
CALIFORNIA LEGISLATURE—
2023–2024 REGULAR SESSION
Senate Bill
No. 892
| Introduced by Senator Padilla (Coauthors: Senators Rubio and Smallwood-Cuevas) |
January 03, 2024 |
An act to add Section 12100.1 to the Public Contract Code, relating to public contracts.
LEGISLATIVE COUNSEL'S DIGEST
SB 892, as amended, Padilla.
Public contracts: automated decision tools: systems: procurement standards.
Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete
personal information about the consumer that the business has collected from the consumer. Existing law, the California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA, as amended, establishes the California Privacy Protection Agency with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.
This bill would require the Department of Technology to develop and adopt regulations to create an automated decision tool (ADT) system (ADS) procurement standard, following the adoption of specified regulations by the California Privacy Protection Agency or the enactment of comprehensive ADT legislation, whichever occurs sooner.
standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADT ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADT, ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADT
ADS procurement standard and review and update the ADT
ADS procurement standard and related regulations, as specified.
This
Commencing January 1, 2027, this bill would prohibit a state agency from procuring an ADT, ADS, entering into a contract for an ADT, ADS, or any service that utilizes an ADT
ADS, as specified, until the department has adopted regulations creating an ADT
ADS procurement standard. The Commencing January 1, 2027, the bill would also require a contract for an ADT ADS or a service that utilizes an ADT ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADT,
ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NOBill Text
The people of the State of California do enact as follows:
SECTION 1.
Section 12100.1 is added to the Public Contract Code, to read:12100.1.
(a) For purposes of this section, the following definitions apply:(1) “Artificial intelligence” or “AI” means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.
(2)“Automated decision tool” or “ADT” means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.
(3)“Consequential decision” means a decision or judgment that has a legal, material, or similarly significant effect on an individual’s life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:
(A)Employment with respect to all of the following:
(i)Pay or promotion.
(ii)Hiring or termination.
(iii)Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.
(B)Education and vocational training as it relates to all of the following:
(i)Assessment or placement.
(ii)Detecting student cheating or plagiarism.
(iii)Accreditation.
(iv)Certification.
(v)Admissions or enrollment.
(vi)Discipline.
(vii)Evaluation.
(viii)Financial aid or scholarships.
(C)Housing or lodging, including rental or short-term housing or lodging.
(D)All of the following essential utilities:
(i)Electricity.
(ii)Heat.
(iii)Water.
(iv)Internet or telecommunications access.
(v)Transportation.
(E)Family planning.
(F)Adoption services, reproductive services, or assessments related to child protective services.
(G)Health care or health insurance, including mental health care, dental, or vision.
(H)Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.
(I)All of the following aspects of the criminal justice system:
(i)Risk assessments for pretrial hearings.
(ii)Sentencing.
(iii)Parole.
(J)Legal services.
(K)Private arbitration.
(L)Mediation.
(M)Voting.
(2) (A) “Automated decision system” or “ADS” means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons.
(B) “Automated decision system” does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.
(4)
(3) “Department” means the Department of Technology.
(5)“Substantial factor” means an element of a decisionmaking process that is capable of altering the outcome of the process.
(b) Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the
development and deployment of ADTs, whichever occurs sooner, the The department shall develop and adopt regulations to create an ADT ADS procurement standard.
(1) To develop regulations related to the ADT ADS procurement standard, the department shall consider principles and industry standards addressed in relevant publications, including, but not limited to, all of the
following:
(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.
(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.
(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement Lab and the Center for Inclusive Change in 2024.
(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the
Executive Office of the President, Office of Management and Budget, dated March 28, 2024.
(2) The ADT ADS procurement standard shall include all of the following:
(A) A detailed risk assessment procedure that analyzes all of the following:
(i) Organizational and supply chain governance associated with the ADT. ADS.
(ii) The purpose and use of the ADT. ADS.
(iii) Any known potential misuses or abuses of the ADT. ADS.
(iv) An assessment of the legality, traceability, and provenance of the data the ADT ADS uses and the legality of the output of the ADT.
ADS.
(v) The robustness, accuracy, and reliability of the ADT. ADS.
(vi) The interpretability and explainability of the ADT. ADS.
(B) Methods for appropriate risk controls between the state agency and ADT
ADS vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.
(C) Adverse incident monitoring procedures.
(D) Identification and classification of prohibited use cases and applications of ADT
ADS
that the state shall not procure.
(E) A detailed equity assessment that analyzes, at a minimum, all of the following:
(i) The individuals and communities that will interact with the
ADT. ADS.
(ii) How the information or decisions generated by the ADT ADS will impact an individual’s rights, freedoms, economic status, health, health care, or well-being.
(iii) Any issues that may arise if the ADT ADS is inaccurate.
(iv) How users with diverse abilities will
interact with the user interface of the ADT ADS and whether the ADT ADS integrates and interacts with commonly used assistive technologies.
(F) An assessment that analyzes the level of human oversight associated with the use of ADT. ADS.
(G) Adherence to data minimization
standards, including that an ADT ADS vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.
(3) In developing the ADT ADS procurement standard, the department shall do all of the following:
(A) Collaborate with organizations that represent state and local government
employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible ADT ADS
procurement, design, and deployment.
(B) Consult with the California Privacy Protection Agency.
(C) Solicit public comment on the ADT ADS procurement standard.
(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.
(B) Regulations adopted by the department pursuant
to subparagraph (A) shall be consistent with both not contradict either of the following:
(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.
(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs. ADSs.
(5) Starting Commencing
January 1, 2026, and annually thereafter, the department shall review and update both of the following:
(A) The ADT ADS procurement standard.
(B) Regulations adopted pursuant to this subdivision.
(c) A Commencing January 1, 2027, a state agency shall not procure an ADT,
ADS, enter into a contract for an ADT,
ADS, or enter into a contract for any service that utilizes an ADT, ADS, prior to the adoption of regulations by the department pursuant to subdivision (b).
(d) A Commencing January 1, 2027, a state agency may enter into a contract for an ADT, ADS, or a service that utilizes an ADT
ADS only after the department has adopted regulations pursuant to subdivision (b) and only if the contract includes a clause that does all of the following:
(1) Provides a completed risk assessment of the relevant ADT ADS that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).
(2) Requires the state agency or the ADT ADS vendor, or both, to adhere to
appropriate procurement standards.
(3) Provides procedures for adverse incident monitoring.
(4) Requires authorization from the state agency before deployment of ADT ADS upgrades and enhancements.
(5) Requires the state agency or the ADT ADS
vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADT, ADS, and information about how to appeal or opt-out opt out of ADT ADS decisions or outcomes.
(6) Provides a termination right in the event of a significant breach of responsibility or violation by
the vendor.
(e) Subdivisions (c) and (d) do not apply to projects approved before January 1, 2027, through the annual budget process.
