United States of America: Bill to regulate high-risk artificial intelligence systems including duty to protect personal information was introduced (SB 468) to the California Senate

On 19 February 2025, a Bill on high-risk artificial intelligence systems, including data protection obligations for businesses deploying high-risk artificial intelligence (AI) systems that process personal information in California, was introduced to the California Senate. The Bill proposes amendments to the California Civil Code, requiring covered AI deployers to implement information security programmes to protect personal information. It defines "covered deployers" as companies that use high-risk AI systems to process personal information. The required security programs must incorporate administrative, technical, and physical safeguards, including employee training, data access controls, encryption, and system monitoring. The bill also classifies violations of these obligations as deceptive trade practices under California's Unfair Competition Law. The California Privacy Protection Agency (CPPA) would be empowered to adopt and enforce regulations to implement these provisions, consistent with the California Privacy Rights Act of 2020 and its consumer privacy framework.