Introduction
California has taken significant legislative steps to regulate privacy and artificial intelligence (AI) as the state’s legislative session concludes. Governor Gavin Newsom has signed several bills that address various aspects of AI and data privacy, reflecting California’s commitment to balancing innovation with consumer protection.
Description
California Governor Gavin Newsom has recently enacted a series of significant bills aimed at regulating privacy and artificial intelligence (AI) as the legislative session concluded. Among these [7], Assembly Bill 1008 [1] [2] [8], signed on September 28, 2024 [2], amends the California Consumer Privacy Act (CCPA) to clarify that personal information can exist in various formats, including data stored by AI systems and biometric data collected without consumer consent. This legislation also expands the definition of personal information to include AI outputs and neural data derived from consumer activity, with new requirements for AI systems taking effect on January 1, 2025.
Additionally, Senate Bill 1223 broadens the definition of “sensitive personal information” to encompass neural data [5], effective January 1, 2025 [1] [3] [7]. Assembly Bill 2013 mandates that businesses utilizing generative AI disclose specific information on their websites [4], including high-level summaries of the datasets used for training their models, prior to making the systems available to Californians [7], with an effective date of January 1, 2026 [7]. Furthermore, Senate Bill 942 [1] [8], known as the California AI Transparency Act [4] [7], requires generative AI systems with over one million monthly users to provide tools for consumers to identify AI-generated content [5] [7], including an “AI-detecting” tool and a “manifest” to accompany such content [4], also effective January 1, 2026 [1] [7]. This legislation establishes additional disclosure and notice requirements for AI system providers [6], mandates watermarking [6], and sets licensing obligations for third parties utilizing AI systems [6].
Senate Bill 896 [1] [8], known as the “Generative Artificial Intelligence Accountability Act,” establishes a framework for the governance of generative AI within state agencies, emphasizing the importance of protecting civil liberties [9], promoting equity [9], and maintaining public trust in AI technologies [9]. It requires the California Office of Emergency Services to conduct annual risk assessments to identify potential threats, including cyberattacks and bioterrorism [9], and requires state agencies to inform users when they are interacting with AI-generated communications [1], including contact information for human representatives [1] [8].
Similarly, Assembly Bill 3030 imposes requirements on healthcare providers using generative AI for patient communications [1], requiring disclaimers about AI involvement and instructions for contacting human providers unless the communication is reviewed by a licensed professional [1] [8]. Senate Bill 1120 establishes compliance requirements for health insurers utilizing AI in utilization review [1], ensuring decisions are based on individual patient data rather than group datasets [1] [8], and prohibits discrimination based on personal characteristics such as race [9], gender [9], or religion [9].
Assembly Bill 2602 mandates that studios enter a written contract with actors before creating AI-generated digital replicas of their voice or likeness [3], requiring professional representation for the actor during negotiations [3]. This legislation includes fair use-like exemptions for news [3], commentary [3], parody [3], and biographical works [3], addressing concerns arising from recent incidents involving AI-generated voices mimicking famous actors [3]. Notably, this law applies only to contracts signed after January 1, 2025 [3], leaving prior agreements unaffected [3].
Additionally, Assembly Bill 2905 updates regulations on automatic dialing devices to require disclosure when AI-generated voices are used in calls [1] [8]. Assembly Bill 1824 mandates that acquiring companies in mergers honor consumers’ original opt-out preferences regarding personal information [5]. Senate Bill 1394 introduces requirements for connected vehicles [5], including notifications when external access occurs and ensuring that abuser access is disabled upon request [5]. Assembly Bill 2655 addresses the use of AI-generated deepfakes in elections [5], obligating large online platforms to remove or label misleading content and providing legal recourse for candidates [5]. Assembly Bill 2355 requires political advertisement committees that use AI-generated or substantially altered images [3], audio [3], or video to disclose that the content has been altered [3], enhancing transparency in an era where deepfakes can mislead viewers [3].
Several proposed bills, including Senate Bill 1047, which sought to impose strict safety regulations on large-scale AI models [5], were vetoed [5], reflecting concerns about stifling innovation [5]. The Governor’s decision to veto these bills [4], alongside the enactment of new legislation, underscores a balanced approach to fostering innovation in California while upholding consumer privacy rights [4]. Additional legislative efforts aim to enhance privacy protections for children and expand opt-out requirements for websites [5]. The recent legislative actions underscore California’s leadership in establishing standards for technology and data use [5], emphasizing the necessity for robust governance programs for AI developers and deployers [5]. Future legislative initiatives are anticipated, including proposals for impact assessments on automated decision tools to combat algorithmic discrimination [5], alongside ongoing regulatory developments concerning artificial decision-making technologies and privacy impact assessments [5].
Conclusion
The legislative measures enacted by California highlight the state’s proactive stance in addressing the challenges posed by AI and data privacy. By implementing comprehensive regulations, California aims to protect consumer rights while fostering an environment conducive to technological innovation. These efforts not only set a precedent for other states but also contribute to the broader discourse on responsible AI governance and data protection. As technology continues to evolve, California’s legislative framework will likely serve as a model for balancing innovation with ethical considerations and consumer safeguards.
References
[1] https://www.aoshearman.com/en/insights/ao-shearman-on-tech/zooming-in-on-ai-9-understanding-californias-new-ai-legislation
[2] https://www.lexology.com/library/detail.aspx?g=c98b3652-1df9-450c-ad10-6c5d60cb973f
[3] https://www.linkedin.com/pulse/california-ai-bills-key-legislation-shaping-future-sasha-sternik-o0pve
[4] https://www.tagalliances.com/specialty-groups/ip-it-cyber-security/15008-with-the-end-of-the-2024-legislative-term-governor-gavin-newsom-takes-a-measured-approach-to-data-privacy-legislation
[5] https://www.jdsupra.com/legalnews/california-privacy-and-ai-roundup-what-2126005/
[6] https://www.onetrust.com/resources/californias-approach-to-ai-unpacking-new-legislation-webinar/
[7] https://www.manatt.com/insights/newsletters/client-alert/california-privacy-and-ai-roundup-what-passed-and
[8] https://www.jdsupra.com/legalnews/zooming-in-on-ai-9-understanding-6034685/
[9] https://blog.em3law.com/2024/10/15/ai-legislation-california-2024/