Privacy Law

SB 420 and Automated Decision Systems: California’s Next Step on AI Regulation

By: Adriana Beach

Status: Jointly referred to the Assembly Privacy and Consumer Protection and Judiciary Committees as of June 9, but failed to advance out of committee before the close of the legislative session on September 12, 2025.

California’s SB 420 seeks to establish a regulatory framework for high-risk automated decision systems (ADS) in the state, requiring developers and deployers to conduct impact assessments, publish disclosures, and implement a governance program. It also establishes potential civil liability, with a built-in cure period available in certain cases.

Discretionary Cure Period

The discretionary cure period is one of the bill’s more striking features. The Attorney General or the Civil Rights Department must issue 45 days’ written notice of an alleged violation of SB 420 to a developer or deployer. Regulators may then, at their discretion, provide a developer or deployer with a cure period to address the alleged violations. In deciding whether to grant the cure window, regulators may weigh factors such as intent, voluntary compliance, company size and resources, and magnitude of impact. This approach reflects an effort to balance enforcement with flexibility, though its impact on deterrence remains uncertain.

Impact Assessment and Risks Known to Developers

The bill also requires ADS developers to prepare impact assessments describing safeguards to mitigate and monitor against “risks known to the developer” of algorithmic discrimination. The obligation therefore does not extend to risks that are foreseeable. This narrower standard means companies must account for the risks they know of but may not be held responsible for harms they arguably should have anticipated. The distinction narrows liability exposure but leaves open questions about how regulators will address emerging risks outside a developer’s documented or actual knowledge.

Governance Program

In line with the Colorado AI Act, SB 420 also mandates a governance program. Developers and deployers must “establish, document, implement, and maintain” administrative and technical safeguards proportionate to system complexity, resources, and deployment context. Amendments clarify that governance should align with recognized frameworks such as the NIST AI Risk Management Framework and must include risk documentation, incident response processes, and periodic review. This shifts the focus from one-time audits toward continuous oversight, a change likely to require new compliance infrastructure.

Challenges to SB 420

Despite its ambition, SB 420 faces headwinds. Industry groups have pressed for safe harbors and trade secret protections, while health care organizations expressed concern over civil penalties (up to $25,000 per violation) in sensitive contexts. Business advocacy groups, such as the Business Software Alliance, have signaled conditional support but urged narrower liability standards. The bill passed the Senate by a 26–9 vote, reflecting strong support but with some opposition that potentially signals ongoing debate about the scope of AI regulation in California.

The bill doesn’t allocate new state funding for enforcement, leaving agencies to rely on existing budgets or future appropriations. At the same time, its requirements could impose nontrivial costs: developers will need resources for risk assessments and monitoring, while deployers (particularly in health care, employment, and financial services) may need to expand staffing and infrastructure to support governance programs.

Conclusion

Overall, SB 420 represents California’s latest attempt to formalize AI accountability. Its cure period provides a compliance safety valve, its focus on “known risks” narrows liability, and its governance mandate signals a shift toward systemic oversight. It remains to be seen whether it survives the legislative process during the 2026 session and proves workable in practice.

