Bill would update OPDP duties to include AI project reviews and new performance reporting

The committee heard testimony on House Bill 2,606 to change performance measures and duties for the Office of Privacy and Data Protection (OPDP). OPDP staff and the bill sponsor said the measure aligns statutory duties with the office’s current role and implements recommendations from a JLARC (Joint Legislative Audit and Review Committee) performance audit.

Katie Ruckel, the state chief privacy officer and director of OPDP (housed in WATEC), testified the bill directly responds to JLARC’s 2025 audit and updates OPDP’s reporting to include measures such as improvements in agency privacy practices from training, numbers and types of technical assistance requests, and completion counts for privacy threshold and impact assessments. The bill also adds responsibility for OPDP to review agency projects that use artificial intelligence, with an AI risk assessment aligned to the NIST AI risk management framework for high‑risk projects that process personally identifiable information (PII).

Ruckel said the AI risk assessment would focus on higher‑risk projects, incorporate human review for generative and other high‑risk systems, and be operationalized within OPDP’s existing security design review and privacy impact processes. She testified the bill can be implemented within existing resources and urged committee support.

Committee members asked how OPDP would carry out reviews and respond to incidents; Ruckel described the existing security design review process, the role of human‑in‑the‑loop safeguards, and offered to work with agencies to mitigate incidents. The committee closed the hearing after receiving questions and thanks for the testimony.