I. Introduction
The rapid evolution of artificial intelligence (AI) necessitates the development of robust regulatory frameworks that address AI’s risks and influence on society. California, a leader in regulatory frameworks, is at the forefront of addressing AI-related risks.
California Assembly Bill 2885 (AB 2885), one of the state's most recent initiatives, specifically addresses AI development, deployment, and regulation. This legislative bill aims to standardize the definition of "artificial intelligence" in various California laws. This is crucial considering the AI industry's explosive growth and growing applicability in everyday life. The Bill has amended the Business and Professions Code, the Education Code, and the Government Code relating to artificial intelligence. The Secretary of State passed and chaptered AB 2885 on September 28, 2024.
This guide dives into the key definitions under AB 2885, amendments, key provisions, implications for businesses, and how Securiti can help ensure swift compliance.
II. Key Definitions
AB 2885 amended the Business and Professions Code, the Education Code, and the Government Code relating to artificial intelligence for the following definitions:
A. Artificial Intelligence
“Artificial Intelligence” means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.
B. Automated Decision System
“Automated decision system” means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision-making and materially impacts natural persons. “Automated decision system” does not include a spam email filter, firewall, antivirus software, identity and access management tools, calculator, database, dataset, or other compilation of data.
C. Content
“Content” means statements or comments made by users and media that are created, posted, shared, or otherwise interacted with by users on an internet-based service or application. It does not include media put on a service or application exclusively for cloud storage, transmitting files, or file collaboration.
D. Deepfake
“Deepfake” means audio or visual content, generated or manipulated by artificial intelligence, that would falsely appear to be authentic or truthful and features depictions of people appearing to say or do things they did not say or do without their consent.
E. Digital Content Forgery
“Digital content forgery” means the use of technologies, including artificial intelligence and machine learning techniques, to fabricate or manipulate audio, visual, or text content with the intent to mislead.
F. Digital Content Provenance
“Digital content provenance” means the verifiable chronology of the original piece of digital content, such as an image, video, audio recording, or electronic document.
G. High-risk Automated Decision System
“High-risk automated decision system” means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.
III. Government Operations Agency
Section 4 of AB 2885 outlines the amendments to the Government Code. The law establishes a Government Operations Agency governed by the Secretary of Government Operations, who must assess the impact and risks of deepfakes and digital content forgery technologies on California’s state government, California-based businesses, and residents. The evaluation will cover:
- The widespread prevalence of deepfakes and related privacy risks.
- The potential privacy impacts of these technologies and the impact of digital content forgery technologies on civic engagement, including voter influence.
- Legal implications surrounding these technologies.
- Best practices for mitigating the risks, including the feasibility of adopting a digital content provenance standard to combat forgery and deepfakes.
This evaluation aims to enhance privacy, security, and trust in digital content. Additionally, the Secretary of Government Operations is tasked with developing a plan that includes:
- Investigating the feasibility and challenges of developing digital content provenance standards for state departments.
- Enhancing scrutiny of digital forgeries for internet companies, journalists, watchdog organizations, and the public.
- Developing mechanisms for content creators to cryptographically certify the authenticity of original media and nondeceptive manipulations.
- Developing or identifying tools for the public to verify media authenticity while safeguarding privacy and civil liberties.
This plan aims to improve trust in digital content while protecting personal privacy.
Report
The Secretary of Government Operations must submit a report to the Legislature by October 1, 2024, evaluating the possible applications and risks of deepfake technology for California businesses and the state government. This report will include a coordinated plan and recommendations for amending the definitions of digital content forgery and deepfakes. The report must comply with Government Code Section 9795. This provision will expire on January 1, 2025, unless any other future legislation extends it.
IV. The Department of Technology
AB 2885 establishes the Department of Technology, by amending the Government Code, to conduct a detailed inventory of all high-risk automated decision systems that have been proposed for use, development, or procurement by any state agency or that are currently being used, developed, or procured by any state agency by September 1, 2024, at the latest, in coordination with other interagency bodies as it considers appropriate. This inventory must include the following:
- Decisions that an automated decision system can make or support and intended benefits.
- Research results that evaluate the effectiveness and comparative advantages of the automated decision system's applications and alternatives.
- Data categories and personal information used.
- Risk mitigation measures, including performance metrics, cybersecurity controls, privacy controls, and risk assessments.
- Processes for contesting decisions made by these systems.
This aims to ensure transparency, security, and fairness in AI use by state entities.
Report
The Department of Technology must provide a comprehensive inventory report on high-risk automated decision systems to the Senate Committee on Governmental Organization and the Assembly Committee on Privacy and Consumer Protection by January 1, 2025, and every year after that. This reporting obligation will expire on January 1, 2029. According to Section 9795 of the Government Code, all reports must follow the correct submission protocols for legislative reports.
V. Key Provisions Under AB 2885
AB 2885’s key provisions include:
A. High-Risk AI Systems Inventory
The Department of Technology must identify and list state entities using "high-risk AI systems" in an inventory. These systems are classified as high-risk because they have the potential to substantially influence people or groups, especially in areas like public safety, employment, or healthcare. The aim is to ensure that governmental entities are well-informed about AI's applications and possible societal effects.
The Department of Technology will evaluate how these systems make decisions and ensure they are utilized responsibly. The inventory will include descriptions of the AI systems, their intended application, and any data used in their training or functioning.
B. Deepfake and Manipulative AI Content
AB 2885 highlights concerns over AI-generated manipulative content, such as deepfakes, which pose a significant risk to public safety and privacy. AB 2885 proposes mechanisms to detect and mitigate the use of AI-generated deceptive content within state operations.
C. Economic Development Subsidies
Section 53083.1 of the Government Code, as amended, mandates that local authorities provide comprehensive information to the public before granting warehouse distribution center subsidies for economic development. This includes the beneficiary's information, the subsidy’s schedule, projected job creation, wages, and tax revenue.
Agencies must also conduct yearly public hearings and report on AI's impacts on employment, particularly AI-related automation. Nondisclosure agreements are prohibited, and agencies must report to the Governor’s Office. These measures ensure transparency and accountability for public subsidies.
VI. Implications of AB 2885
AB 2885 introduces multiple implications for various entities impacted by its provisions.
A. For State Agencies
The bill mandates that state agencies conduct comprehensive audits of bias and fairness, evaluate their AI systems, and ensure that AI usage is transparent. Although these steps may result in higher administrative expenses, they aim to ensure AI's appropriate and moral use.
B. For Californians
The measure protects individuals against ambiguous or biased AI judgments. It empowers individuals with the right to know how AI tools impact them and the ability to dispute AI system decision-making.
C. For Technology Developers
AI system developers must comply with evolving guidelines on transparency, bias mitigation, and ethical considerations. Failure to non-comply may lead to greater scrutiny of the AI models AI developers produce and potentially influence the design of future AI technologies.
VII. How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Securiti’s Genstack AI Suite removes the complexities and risks inherent in the GenAI lifecycle, empowering organizations to swiftly and safely utilize their structured and unstructured data anywhere with any AI and LLMs. It provides features such as secure data ingestion and extraction, data masking, anonymization, and redaction, as well as indexing and retrieval capabilities. Additionally, it facilitates the configuration of LLMs for Q&A, inline data controls for governance, privacy, and security, and LLM firewalls to enable the safe adoption of GenAI.
Request a demo to learn more.
