This examination is modeled on the Multistate Performance Test (MPT). You are a junior associate at a law firm retained by Nexus Health, Inc. You must complete three lawyering tasks.
The File contains the factual record: client communications, internal documents, and regulatory notices. The Library contains a curated set of real, enacted authorities with official citations and hyperlinks — the statutes, regulations, and professional responsibility rules directly relevant to the tasks.
The Library is sufficient to complete all three tasks with a full, well-reasoned answer. You are not required to go beyond it.
Because this is an open-book, take-home examination, you may also draw on additional authorities from outside the Library — cases, regulations, secondary sources, or other statutes — if you believe they strengthen your analysis. Outside authorities are not required, and a response grounded entirely in the Library materials can receive full credit. If you do cite outside sources, use proper legal citation form and do not misrepresent what those sources say.
The California legislature has enacted a layered AI framework. The CCPA/CPRA provides the broadest base, with finalized ADMT regulations effective January 1, 2027. California’s Transparency in Frontier Artificial Intelligence Act (SB 53, 2025) adds requirements for “frontier developers.” Students should assess which frameworks apply to Nexus Health and where scope limitations create gaps that affect the analysis.
Nexus Health, Inc. is a digital health company headquartered in San Francisco, California. Nexus developed ARIA (Adaptive Risk Intelligence Assistant), an AI system deployed at partner hospitals to assist clinicians with triage and to flag patients at elevated risk of deterioration. ARIA is not FDA-cleared as a medical device; it is marketed as a “clinical decision support tool.” Nexus has approximately $80 million in annual revenue and processes health data for over 300,000 California residents.
Privileged & Confidential — Attorney Work Product
MEMO To: Outside Counsel | From: Dana Voss, General Counsel, Nexus Health | Date: March 14, 2026
Three urgent issues require your written analysis. First, ARIA is deployed in hospitals in California and Germany. Each regulator is asking different things of us. Second, the California Privacy Protection Agency (CPPA) has sent a formal inquiry alleging that ARIA processes “sensitive personal information” without adequate disclosure and that its outputs constitute “automated decisionmaking technology” (ADMT) subject to consumer rights. Third, our data scientist Dr. Priya Mehta has flagged internally that ARIA’s risk scores show a disparate performance gap across racial subgroups — an 18% false-negative rate for Black patients versus 9% for white patients on the deterioration-prediction task. Dr. Mehta has asked whether she has any obligation to report this externally. We have not yet disclosed this disparity to our hospital partners.
Please advise on all three issues.
California Privacy Protection Agency — Informal Inquiry Notice No. 2026-012
The CPPA has received a complaint alleging that Nexus Health’s ARIA system: (1) processes patient health data and infers racial/ethnic characteristics without a conspicuous pre-use notice; (2) generates risk scores that constitute “automated decisionmaking technology” affecting patients’ access to care; and (3) has not provided consumers with an opt-out mechanism.
The CPPA requests a written response within 30 days addressing Nexus Health’s data practices under the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and the CPPA’s ADMT Regulations (11 Cal. Code Regs. §§ 7150–7157), which require pre-use notices for ADMT used in significant decisions affecting health.
ARIA Model Card — Internal v2.3 (Excerpt)
ARIA uses a gradient boosting model trained on EHR data from three hospital systems (2015–2023). Inputs include age, vital signs, lab values, ICD-10 codes, medication history, and ZIP code as a socioeconomic proxy. Outputs are risk scores (0–100) used by clinicians in triage decisions.
Post-deployment monitoring (Q4 2025) identified a performance disparity: false-negative rate of 18% for Black patients vs. 9% for white patients. Root cause analysis is ongoing.
The model was developed at an estimated cost well below $100 million in compute.
Compliance note: ARIA is not an FDA-cleared device and is not developed by a “frontier developer” as defined in California Health & Safety Code § 22756.1 (SB 53). Nexus does not train foundation models.
Nexus EU Operations — Compliance Status (March 2026)
ARIA is deployed at two hospital partners in Germany. Both classify ARIA as a high-risk AI system under Annex III of the EU AI Act (Reg. (EU) 2024/1689). They are requesting a conformity assessment and technical documentation.
Our German deployment predates August 2, 2026. Counsel should advise whether the transitional provisions of Article 111 of the AI Act affect our obligations.
Internal Email — Dr. Mehta to General Counsel
“Dana — I’ve reviewed the Q4 monitoring data. The disparity is real and the hospitals are using ARIA scores to prioritize ICU bed allocation. If patients are being harmed because the model performs worse for Black patients, I believe we have a duty to disclose. I’ve spoken with HR about whistleblower protections. I asked specifically whether California’s new AI safety law — the one Newsom signed last fall — protects me if I report to the CPPA or Attorney General directly. HR couldn’t give me a clear answer. Can outside counsel address whether I’m protected?”
(a) A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following: (1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section. (2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section. (3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
Includes: (1) personal information that reveals a consumer’s racial or ethnic origin; (2) a consumer’s health or medical information; (3) inferences drawn from any personal information to create a profile about a consumer reflecting the consumer’s health.
The Agency shall promulgate regulations governing the use of automated decisionmaking technology, including profiling. The regulations shall establish consumer rights to access information and to opt out of the use of automated decisionmaking technology.
A consumer whose nonencrypted and nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure may bring a civil action for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially replace human decisionmaking. “Substantially replace” means using the technology’s output as a key factor in a human’s decisionmaking.
A decision that results in the provision or denial of, or that significantly affects: financial or lending services; housing; insurance; education enrollment; employment or independent contractor opportunities; healthcare access or service; or access to essential goods or services.
A business that uses ADMT to make a significant decision concerning a consumer must provide a Pre-use Notice before using ADMT with respect to that consumer. The Pre-use Notice must inform the consumer about: (1) the type of ADMT used; (2) the purpose and logic of the ADMT; (3) how to exercise the right to opt out.
A business must conduct and document a risk assessment before initiating processing activities that pose significant risk to consumer privacy, including use of ADMT for a significant decision concerning a consumer. Assessments must identify and weigh benefits against potential risks to consumers, including risks from algorithmic discrimination based on protected characteristics.
ADMT obligations apply to businesses using ADMT for significant decisions beginning January 1, 2027. Risk assessment obligations are effective January 1, 2026. As of the exam date (March 2026), pre-use notice and opt-out obligations are not yet operative, but risk assessments are required.
AI systems listed in Annex III are classified as high-risk. Annex III, point 5(c) covers AI systems intended to be used for making decisions or materially influencing decisions on access to and enjoyment of essential private services and public services, including healthcare.
A risk management system shall be established, implemented, documented, and maintained in relation to high-risk AI systems. The risk management system shall consist of a continuous iterative process run throughout the entire lifecycle of a high-risk AI system.
Training, validation, and testing data sets shall be subject to appropriate data governance and management practices. Those practices shall concern, in particular: the examination in view of possible biases that could affect health, safety or fundamental rights or lead to discrimination prohibited under Union law.
High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent to enable deployers to interpret the system’s output and use it appropriately. The provider shall ensure that high-risk AI systems are accompanied by instructions for use including: the level of accuracy, robustness, and cybersecurity against which the system has been tested and validated, and any known and foreseeable limitations.
Providers of high-risk AI systems shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred. A “serious incident” includes any malfunctioning of a high-risk AI system that has led or may lead to the death of a person or serious damage to a person’s health.
High-risk AI systems that have been placed on the market or put into service before August 2, 2026 shall comply with this Regulation by August 2, 2027, provided they have not undergone significant changes in their design since their initial placing on the market or putting into service.
The TFAIA applies to “frontier developers” — persons who train a “frontier model” using more than 10²⁶ floating-point operations. A “large frontier developer” additionally has annual gross revenues exceeding $500 million. Students must assess whether Nexus Health meets these thresholds.
“Frontier model” means a foundation model trained using a quantity of computing power greater than 10²⁶ integer or floating-point operations. “Frontier developer” means a person that trains a frontier model and makes it publicly available to Californians.
A frontier developer shall not make, adopt, or enforce a rule, regulation, policy, or contract that prevents a covered employee from disclosing to the Attorney General, a federal authority, or a person with authority over the covered employee, information that the covered employee reasonably believes discloses that the frontier developer’s activities pose a specific and substantial danger to the public health or safety resulting from a catastrophic risk, or that the frontier developer has violated the TFAIA. A frontier developer shall not retaliate against a covered employee for such disclosures.
“Covered employee” means an employee responsible for assessing, managing, or addressing the risk of a critical safety incident in the company.
California Labor Code § 1102.5 (not reproduced in full) provides broader whistleblower protections for employees who report violations of state or federal law to government agencies. Students should note whether § 1102.5 may provide an independent basis for protection where the TFAIA does not apply.
If a lawyer for an organization knows that an officer, employee, or other person associated with the organization is engaged in action, intends to act, or refuses to act in a matter related to the representation that is a violation of a legal obligation to the organization, or a violation of law that reasonably might be imputed to the organization, and that is likely to result in substantial injury to the organization, then the lawyer shall proceed as is reasonably necessary in the best interest of the organization. Unless the lawyer reasonably believes that it is not necessary in the best interest of the organization to do so, the lawyer shall refer the matter to higher authority in the organization.
A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary to prevent reasonably certain death or substantial bodily harm.
A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial financial injury to another and in furtherance of which the client has used or is using the lawyer’s services.
In representing a client, a lawyer shall exercise independent professional judgment and render candid advice. In addition to legal considerations, a lawyer may refer to other considerations such as moral, economic, social and political factors, that may be relevant to the client’s situation.
The CPPA announced that regulations covering cybersecurity audits, risk assessments, and automated decisionmaking technology were approved on September 22, 2025 and take effect January 1, 2026, with ADMT-specific consumer rights operative January 1, 2027. The regulations require businesses using ADMT for significant decisions to provide pre-use notices and honor opt-out rights. Risk assessments are required before initiating processing activities posing significant risk, including use of ADMT for significant decisions affecting healthcare access.
Dana Voss has asked you to prepare an interoffice memorandum analyzing Nexus Health’s legal exposure under three frameworks: (1) the CCPA/CPRA and finalized ADMT Regulations; (2) the EU AI Act; and (3) California’s Transparency in Frontier Artificial Intelligence Act (SB 53).
For each framework, address:
Your memo must engage honestly with scope limitations. For SB 53, you must analyze whether Nexus Health and ARIA fall within the statute’s definitions. If a framework does not fully apply, explain the gap and identify what residual risk remains.
Your memo should also assess how California’s regulatory trajectory — the ADMT regulations effective January 1, 2027 — affects compliance planning even now.
Drafting note: The memo is privileged and candid. Do not soft-pedal bad facts.
Write a client letter to Dana Voss responding to the CPPA inquiry (Document 2). Your letter must address three questions:
Dr. Mehta’s email (Document 5) raises professional responsibility questions. Draft a section of an internal ethics memo addressing:
Use this checklist to self-assess your response before submitting. I will look for evidence of each item in your written work.