SB-468 • 2026

High-risk artificial intelligence systems: duty to protect personal information.

Elections Privacy Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor: Becker
Last action: 2026-02-02
Official status: Returned to Secretary of Senate pursuant to Joint Rule 56.
Effective date: Not listed

Plain English Breakdown

The bill summary and digest do not provide specific details on penalties for non-compliance or the exact cost implications for businesses.

High-risk AI Systems: Protecting Personal Information

This law requires businesses using high-risk artificial intelligence systems to protect personal information by creating and following strict security rules.

What This Bill Does

  • Defines a 'covered deployer' as a business that uses high-risk AI systems processing personal data.
  • Requires covered deployers to create, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards appropriate for the company's size, scope, and type of business.
  • Specifies that the security program must incorporate safeguards consistent with applicable state or federal laws and regulations.

Who It Names or Affects

  • Businesses using high-risk AI systems to process personal information.
  • The California Privacy Protection Agency, which can make rules about how businesses must follow the new requirements.

Terms To Know

High-risk artificial intelligence system
An AI system used by a business that handles sensitive or large amounts of personal information and could cause harm if it fails to protect this data properly.
Covered deployer
A company that uses high-risk AI systems processing personal information and must follow the new rules about protecting personal information.

Limits and Unknowns

  • The bill does not specify what happens if a business fails to comply with these requirements.
  • It is unclear how much it will cost businesses to create and maintain the required security programs.
  • The exact details of the regulations that the agency can make are not defined in this law.

Bill History

  1. 2026-02-02 California Legislative Information

    Returned to Secretary of Senate pursuant to Joint Rule 56.

  2. 2025-05-23 California Legislative Information

    May 23 hearing: Held in committee and under submission.

  3. 2025-05-16 California Legislative Information

    Set for hearing May 23.

  4. 2025-05-05 California Legislative Information

    May 5 hearing: Placed on APPR. suspense file.

  5. 2025-04-25 California Legislative Information

    Set for hearing May 5.

  6. 2025-04-23 California Legislative Information

    From committee: Do pass and re-refer to Com. on APPR. (Ayes 11. Noes 0. Page 835.) (April 22). Re-referred to Com. on APPR.

  7. 2025-03-25 California Legislative Information

    Set for hearing April 22.

  8. 2025-02-26 California Legislative Information

    Referred to Com. on JUD.

  9. 2025-02-20 California Legislative Information

    From printer. May be acted upon on or after March 22.

  10. 2025-02-19 California Legislative Information

    Introduced. Read first time. To Com. on RLS. for assignment. To print.

Official Summary Text

SB 468, as introduced, Becker.
High-risk artificial intelligence systems: duty to protect personal information.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
Existing law requires, on or before January 1, 2026, and before each time thereafter that a generative artificial intelligence system or service, as defined, or a substantial modification to a generative artificial intelligence system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developer’s internet website documentation, as specified, regarding the data used to train the generative artificial intelligence system or service.
This bill would impose a duty on a covered deployer, defined as a business that deploys a high-risk artificial intelligence system that processes personal information, to protect personal information held by the covered deployer, subject to certain requirements. In this regard, the bill would require a covered deployer whose high-risk artificial intelligence systems process personal information to develop, implement, and maintain a comprehensive information security program, as specified, that contains administrative, technical, and physical safeguards that are appropriate for, among other things, the covered deployer’s size, scope, and type of business. The bill would require the program described above to meet specified requirements, including, among other things, that the program incorporates safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under applicable state or federal laws and regulations.
Existing law, the Unfair Competition Law, establishes a statutory cause of action for unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising, and establishes remedies and penalties in that regard, including injunctive relief and civil penalties.
This bill would specify that a violation of the above-described provisions relating to the duty of a covered deployer to protect information, including the requirement that a covered deployer maintain the comprehensive information security program described above, constitute a deceptive trade act or practice under that law.
Existing law, the Administrative Procedure Act, governs the procedure for the adoption, amendment, or repeal of regulations by state agencies and for the review of those regulatory actions by the Office of Administrative Law.
This bill would authorize the agency to adopt regulations pursuant to the act to implement these provisions, and would exempt, notwithstanding that provision, any regulations adopted by the agency to establish fees from the act. The bill would define various terms for these purposes.
The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.
This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.
