Berkeley Cybersecurity and AI Ethics Ordinance

Technology and Data · California · 3 Minutes Read · published March 01, 2026

Berkeley, California is actively developing municipal guidance for cybersecurity practices and the ethical use of artificial intelligence in city operations. This article summarizes scope, responsible offices, enforcement pathways and practical steps for compliance under Berkeley city law and related administrative policies.

Scope & Purpose

The ordinance and accompanying administrative standards aim to protect city data, ensure secure procurement and procurement review of AI systems, and require transparency in automated decision-making used by City departments. The rules apply to city agencies, contractors handling city data, and vendors supplying AI-enabled services for municipal functions.

Standards & Principles

  • Risk assessment and data classification for city-held information.
  • Procurement review and vendor disclosures for AI systems, including documentation of training data and model limitations.
  • Security controls: access management, encryption in transit and at rest, and incident response procedures.
  • Ethics requirements: bias mitigation, human oversight, and documented governance for automated decisions.
  • Transparency obligations: public notice when automated decision systems are used for significant public-facing decisions.

City departments must balance innovation with privacy and civil rights protections.

Penalties & Enforcement

Primary legal authority and enforceable provisions are codified in the City of Berkeley municipal code and related administrative policies; specific fine amounts and schedules are not specified on the cited page (Berkeley Municipal Code[1]).

  • Fines: monetary penalties for violations are not specified on the cited municipal code page; refer to department guidance for administrative penalties.
  • Escalation: first offence, repeat, and continuing offence treatment is not specified on the cited page.
  • Non-monetary sanctions: orders to cease use of a system, mandatory remediation, contract suspension, or referral to civil court are possible enforcement actions.
  • Enforcer: primary oversight typically falls to the City Manager or designated department such as the Information Technology Department; contact the City of Berkeley IT Department for incident reporting and compliance inquiries (City of Berkeley IT Department[2]).
  • Appeals and review: administrative appeal routes and judicial review are available where specified; time limits for appeal are not specified on the cited municipal code page.
  • Defences and discretion: exemptions, variances, or documented permits may be available under departmental policies; specifics are not specified on the cited page.

If you suspect a violation, document dates and affected records before filing a complaint.

Applications & Forms

No single citywide public application form for AI governance or cybersecurity certification is published on the municipal code page; departments may require vendor questionnaires, security attestations, or contract clauses during procurement. Contact the IT Department or the contracting department for forms and submission instructions (City of Berkeley IT Department[2]).

Common Violations

  • Failure to complete required risk assessments or privacy impact assessments for AI systems.
  • Omitting required vendor disclosures during procurement.
  • Poorly configured access controls leading to data exposure.

Early vendor engagement and contract clauses reduce enforcement risk.

Action Steps

  • Inventory systems that use automated decision-making and classify data sensitivity.
  • Require vendor documentation on model design, datasets, and bias mitigation before procurement.
  • Adopt incident response plans and schedule regular security assessments.

FAQ

Who enforces Berkeley cybersecurity and AI ethics rules?
The City Manager and designated departments such as Information Technology and the contracting department oversee enforcement and compliance.
Are there specific fines for violations?
The municipal code page does not list specific fine amounts; departments set administrative remedies and may refer matters for civil enforcement.
How do I report a suspected misuse of AI by the city?
Report to the Information Technology Department or the City Manager's office and preserve relevant records and dates.

How-To

  1. Identify all city systems and vendors that use AI or automated decision-making and document their purposes.
  2. Conduct a privacy and risk assessment addressing data flows, bias risks, and security controls.
  3. Submit procurement disclosures and required security attestations to the contracting authority before award.
  4. Implement monitoring, human oversight, and a remediation plan for identified harms.

Key Takeaways

  • Berkeley requires risk-based governance for cybersecurity and AI in city operations.
  • Departments enforce standards; vendor transparency and contract terms are critical.
  • Contact the IT Department for forms, reporting, and compliance guidance.
