California AB 1170, SEC. 27-28 (CCPA Amendment 2025)

This is a binding California state statute (AB 1170) amending the California Civil Code with mandatory obligations, enforcement mechanisms through the California Privacy Protection Agency and Attorney General, and legal penalties for non-compliance.

The document has minimal coverage of risk domains, with primary focus on privacy compromise (2.1) through definitions of personal information and data processing. It addresses automated decision-making and profiling (7.1, 7.3) through regulatory requirements. Coverage is concentrated in privacy/security and system safety domains, with limited explicit coverage of other risk categories.

This is a cross-sectoral privacy regulation that applies to all businesses operating in California that meet specified thresholds for revenue, data volume, or data-derived revenue. The regulation governs automated processing and profiling across all economic sectors where businesses collect and process consumer personal information. No specific sectors are exclusively targeted; rather, the law applies horizontally to any qualifying business regardless of industry.

The document primarily addresses the Deploy and Operate and Monitor stages through requirements for automated decision-making systems, profiling, and ongoing risk assessments. It implicitly covers Build and Use Model through definitions of automated processing and profiling. The focus is on post-deployment governance, consumer rights, and ongoing monitoring rather than early-stage development.

The document explicitly mentions automated processing and profiling as forms of AI systems. It does not use terms like 'AI models,' 'AI systems,' 'frontier AI,' 'general purpose AI,' or 'foundation models.' There are no compute thresholds mentioned. The focus is on automated decision-making technology and profiling rather than specific AI model categories.