Friday was the last day for members of the state Senate and Assembly to pass bills introduced in their respective houses — which they did, including two pieces of legislation that had seemed potentially stalled. As legislative committees now resume their discussion of these proposed laws, their members must also finalize a state budget; the state Constitution gives lawmakers until June 15 to approve a state budget for the 2023-2024 Fiscal Year starting July 1. Among the takeaways:
Two proposed laws with definite import for IT vendors and government technologists had seemed sidelined but are now back in the mix.
- State Senate Bill 721, from Sen. Josh Becker, D-Menlo Park, would create the 10-member California Interagency Artificial Intelligence Working Group to hear from stakeholders in “academia, consumer advocacy groups, and small, medium, and large businesses affected by artificial intelligence policies.” The group would be tasked with recommending a definition of AI, studying its implications “for data collection to inform testing, evaluation, verification and validation of AI,” determining “proactive steps” to prevent AI-assisted misinformation campaigns and “unnecessary exposure for children” to AI’s harmful effects, determining which agencies should develop and oversee AI policy, and determining how the group and the Department of Justice can “leverage the substantial and growing expertise of the California Privacy Protection Agency in the long-term development of data privacy policies” governing AI. The group would have to report to the Legislature by Jan. 1, 2025, and every two years afterward, until Jan. 1, 2030. The bill reached the state Assembly May 25 and has been referred to the Assembly Committee on Privacy and Consumer Protection, where it will be considered at 1:30 p.m. June 27.
- State Assembly Bill 302, from Assemblymember Christopher M. Ward, D-San Diego, would give the California Department of Technology, working with “other interagency bodies,” until Sept. 1, 2024, to do a “comprehensive inventory of all high-risk automated decision systems” that have been “proposed for use, development, or procurement by,” or are being used, developed or procured by state agencies. That inventory would have to have a description of the “categories of data and personal information the automated decision system uses to make its decisions.” By Jan. 1, 2025, and yearly afterward, CDT would have to report on that inventory to legislative committees. The bill reached the Senate May 31 and has been ordered to its Rules Committee for assignment.
- AB 1667, from Assemblymember Jacqui Irwin, D-Thousand Oaks, would have created the California Cybersecurity Awareness and Education Council at CDT, but it was held under submission in the Assembly. Irwin’s AB 749, however, made it to the Senate Rules Committee for assignment on May 31. It would require state agencies by Jan. 1, 2025, to stand up “specified actions” around “data, hardware, software, internal systems and essential third-party software, including multifactor authentication for access to all systems and data” owned, managed, maintained or utilized by or on behalf of the agency. The agencies would also have to implement a “zero trust architecture ... and prioritize” using solutions that either comply with, are authorized by or align to “federal guidelines, programs and frameworks.” The chief of the Office of Information Security in CDT would have until Jan. 1, 2024, to “develop uniform technology policies, standards and procedures” to be used by all state agencies around “zero trust architecture, including multifactor authentication” on all systems in the State Administrative and Statewide Information Management manuals.
- AB 522, from Assemblymember Ash Kalra, D-San Jose, would update the Electronic Communications Privacy Act on the extent to which a state department can obtain “electronic communication information from a service provider.” It would authorize a department to “use an administrative subpoena to obtain electronic communication information from a service provider” if conditions are met, including that the department has already served the customer notice of the administrative subpoena and included a copy. The bill would make service providers copy “any electronic communication information” in the subpoena’s scope and keep it until “information is disclosed ... or the subpoena is quashed or modified,” and the provider would have to keep a record of any such disclosures for five years. The bill was sent June 1 to the Senate Rules Committee for assignment.
- AB 687, from Assemblymember Gregg Hart, D-Santa Barbara, would somewhat expand the reach of the Department of Cannabis Control’s track-and-trace program, which follows the distribution and movement of cannabis. It would require the program, for cannabis sales done by delivery, to capture the ZIP code where the product was delivered — and require the department to let “specified local agencies and the California Cannabis Authority” have “read access to the electronic database, including the track and trace program data,” in support of taxing and regulating cannabis and for “locally relevant research into the commercial cannabis marketplace.” As a result, it would require any software, database or other IT system the department uses to issue, maintain or revoke state licenses to be interoperable with software from local entities and the Authority. The Authority and the locals would have to “maintain specified data privacy policies.” The bill was sent June 1 to the Senate Rules Committee for assignment.