
AI Chats and Law Enforcement: What Are You Sharing? 

AI chat platforms are increasingly becoming repositories of sensitive personal, professional, and legal information, and the legal frameworks governing what can be done with that information remain unsettled. This can have serious repercussions for individuals, businesses, and their advisors who happen to find themselves in the complex intersection of law enforcement and information privacy.  

What are users actually sharing?

The volume and sensitivity of information flowing into AI chat platforms go beyond what many users fully appreciate. Chatbots prompt users to provide background, context, and points of view, all of which may reveal intentions. This interface allows AI models to respond conversationally and prompt further explanation, inviting more disclosure than traditional searches. Below, we have highlighted two key reasons this leads to additional information being disclosed in this context:

The Illusion of the Advisor

Users increasingly interact with AI platforms as they would with a trusted professional such as an attorney, therapist, or financial planner. However, AI chat platforms are not bound by the traditional confidentiality obligations that govern licensed professionals. There is no attorney-client privilege, no therapist-patient privilege, and no fiduciary duty attached to a chatbot conversation. The sensitivity of the content does not create the protection the user may assume exists.

Agentic AI’s Increased Access

As the industry moves from chat interfaces to AI agents, this risk may continue to grow. Agentic AI is a tool that streamlines workflows; however, it requires broad, constant access to a user’s data across devices and applications. Major technology companies have already released early versions. As these agents become standard, the question of what an AI platform “knows” will no longer be limited to what was typed into a chat window, but may instead extend to digital communications such as email and text, documents, financial records, and location history.

What Can the Government Access?

Prosecutors and investigators have already begun seeking access to chatbot conversation histories in criminal investigations, and the legal framework governing those requests is still taking shape. However, there are a few current frameworks governing the chatbot’s permissible uses and disclosures of user intentions. 

Subpoenas and Third-Party Doctrine

Under the traditional application of the third-party doctrine, information voluntarily shared with a third-party platform has lesser protection than the Fourth Amendment typically affords. A government agency seeking chat transcripts may obtain them via subpoena without meeting the higher probable cause standard required for a warrant. The Supreme Court introduced some limits in Carpenter v. United States (2018), but its application to AI conversation logs is entirely untested.

National Security Demands

AI platforms may be subject to National Security Letters and Foreign Intelligence Surveillance Act (FISA) orders requiring disclosure of user data, with limited judicial oversight and strict non-disclosure obligations. A platform that receives such a demand often cannot notify the affected user, who has no opportunity to contest the disclosure. For businesses using AI tools for sensitive professional work, this exposure can be far-reaching and hard to foresee until it materializes. 

The Regulatory Gap

Current privacy frameworks were designed for passive content-hosting platforms and are a poor fit for conversational AI.

Ambiguity in Section 230 Protections

Section 230 of the Communications Decency Act shields platforms from liability for user-generated content. Whether that shield extends to AI chatbot outputs generated by the platform, not merely hosted by it, remains unresolved. A chatbot that produces a harmful response is authoring a reply, not hosting a post. Courts have not yet answered whether Section 230 immunity applies, and platforms that assume it does may find that assumption is not correct.

Consent Frameworks and Cross-border Complexity

Most AI platforms rely on broad, scroll-past consent mechanisms that regulators increasingly consider inadequate to secure meaningful consent. In the absence of comprehensive federal privacy legislation, compliance obligations vary by state and sector, and for multinational organizations, cross-border data flows through AI platforms may simultaneously implicate GDPR transfer requirements and foreign mandatory access regimes.

Key Takeaways

As AI becomes more prevalent for everyday tasks and sensitive information alike, individuals and businesses may want to consider the following key takeaways:
  • Establish policies governing employee use of AI chat platforms for work matters, with explicit restrictions on sharing confidential, privileged, or regulated information.
  • Review data retention and third-party sharing policies for any AI platforms in use, and update litigation hold procedures to treat AI chat logs as a discoverable data category.
  • Assess AI agent tools – those requiring broad device and application access – before deployment, with legal review of data exposure and applicable frameworks.
  • Brief leadership on the government access risk: AI chat transcripts may be subpoenaed or compelled under national security processes, often without user notification.
  • For multinational organizations, conduct a cross-border data flow analysis covering AI platform use and compliance with GDPR and analogous transfer frameworks.
When using these AI tools, it’s important to remember that the legal protections available for information shared with AI are not proportional to the information’s sensitivity or the user’s reasonable expectations. Closing that gap is, at this moment, primarily the responsibility of the user and the organizations that employ them. While legal frameworks are developing to align these interests, it is best to implement best practices early. 

Risks of Shared AI Workspaces and Confidentiality, Security, and Privacy Concerns

Traditionally, the relationship between a company and its outside advisors (law firms, consultants, and financial advisors) has been governed by confidentiality agreements, attorney-client privilege, and codes of professional ethics. These agreements ensure that outside advisors have access only to the information necessary for the scope of the project. However, artificial intelligence is becoming a mainstay in these working relationships, dismantling that clear separation.

AI-powered productivity tools are increasingly deployed not just within a single organization, but across shared digital workspaces, the collaborative platforms where companies and their external advisors jointly draft documents, manage new projects, exchange data, and make decisions. This shift represents a fundamentally new risk landscape, one that most organizations and their advisors have not yet adequately mapped. This post identifies the three primary risk categories that arise when AI enters these shared spaces and the key considerations to mitigate them.

Risk 1: Confidentiality

When AI tools operate within a shared workspace, there are two primary threats to client confidentiality:  1) Cross-client training and model contamination, and  2) over-input of information.  

Cross-Client Training Model Contamination

Many AI tools learn continuously from user interactions. For example, if a law firm’s AI assistant is trained, even implicitly, on documents, queries, and outputs across multiple client engagements sharing a platform environment, client information can become embedded in the model’s behavior. The AI may begin surfacing language, structures, or strategic approaches drawn from one client’s confidential materials when assisting another. This is an example of cross-client training contamination.

Over-Input of Information

When processing the information above, AI tools may ask follow-up questions, or the user may want to include additional context and guidance for the tool. These prompts and the need for greater contextual clarity may drive users to input additional information, information that may not normally be shared or be strictly necessary for the task at hand. This could lead to AI tools being trained on, and potentially re-sharing, information that is not strictly necessary. 

Risk 2: Overexposure

AI processes operating across shared workspaces introduce a new failure mode: overexposure through automated workflow. When an AI agent is tasked with summarizing documents, preparing briefings, or surfacing relevant materials, it may draw on content from across the workspace without respecting the role-based and project-based permissions designed to contain that information.

Misconfiguration and Permission Gaps

AI tools in shared workspaces are typically configured by IT or platform administrators, not by the lawyers or compliance officers who understand the sensitivity of the underlying information. Permissioning structures that may be technically correct for human access often fail to account for how AI agents traverse and aggregate information. A consultant with project-scoped access to a workspace may, through the AI layer, receive synthesized summaries that draw on materials outside their authorized scope.

Role and Project Segmentation Failures

Even well-intentioned configurations can break down when AI tools are updated. For example, this could occur when team membership changes or when workspace structures evolve mid-engagement. Unlike a human employee who is subject to ongoing supervision, an AI system with broad access will continue operating at that level until it is explicitly restricted. The moment of overexposure may be difficult to trace, making the discovery of these failures especially challenging. 

Risk 3: Accountability

Who is responsible when AI makes the decision? Professional service relationships often assign responsibilities clearly; for example, the lawyer is responsible for legal advice, the auditor for the audit opinion, and the consultant for the recommendation. These lines of responsibility are the foundation of malpractice liability, professional licensing, and regulatory compliance. However, AI tools make this division more complicated.

The Absence of Auditable Decision Trails

Many AI tools used in professional services do not generate decision logs or explainable outputs in a meaningful sense. When a deal recommendation, a compliance conclusion, or a litigation strategy is influenced by an AI-generated analysis, there may be no record of what data the AI considered, what it weighted, or what it excluded. If the decision is later challenged in litigation, a regulatory proceeding, or a malpractice claim, the AI’s contribution cannot be reconstructed or audited.

Diffused Liability Across a Shared Platform

In a shared workspace involving the company, its law firm, its auditors, and potentially a technology platform provider, an AI-assisted error may have no clear owner. Did the AI fail because of a platform defect? Because the law firm configured it incorrectly? Because the company provided bad inputs? Because no human professional adequately reviewed the output? Engagement letters, platform terms of service, and professional liability policies may not be drafted to answer these questions.

Key Considerations in Light of these Risks

The risks described may be present in any organization that has extended its advisory relationships (law firms, consultants, and financial advisors, to name a few) into AI-enabled collaborative platforms. To minimize these risks, organizations may want to consider:
  • Auditing shared platforms and tools currently used with outside advisors to identify any AI features, and map what data those features can access. 
  • Reviewing engagement agreements, NDAs, and platform terms of service for AI-specific confidentiality provisions. 
  • Assessing whether AI access controls in shared workspaces respect role-based and project-based information silos and construct limitations where they do not. 
  • Establishing AI decision-logging protocols with outside advisors, including requirements for human review and sign-off before AI-influenced advice is acted upon. 
  • Negotiating clear contractual allocation of liability for AI-related errors across the full advisory chain: company, advisors, and platform providers.
  • Briefing executive leadership and the board on AI-specific risks in advisory relationships, particularly in regulated industries where privilege and data protection obligations are most acute. 
Establishing governance frameworks for AI early in advisory relationships may enable companies to reduce their own exposure and hold advisors accountable if one of the risks of use materializes. 

AI and Legal Privilege: Updates from Federal District Courts

US v. Heppner and Warner v. Gilbarco

“Chat, is our conversation protected?”  As usual, the answer may be “it depends.”

Highlights from two recent federal district court cases, US v. Heppner and Warner v. Gilbarco, provide different answers to this question. The lesson? If you are using AI tools for legal-related matters, you should think twice before entering personal information or other case-related information.

United States v. Heppner

On February 17, 2026, the federal district court for the Southern District of New York found that neither attorney-client privilege nor the work product doctrine protected legal strategy materials that were generated using a public version of Claude. In its memorandum of reasoning, the court states its ruling “appears to answer a question of first impression nationwide: whether, when a user communicated with a publicly available AI platform in connection with a pending criminal investigation, are the AI user’s communication protected by attorney-client privilege or the work product doctrine?” The court answers with a resounding “no,” given the circumstances of the case.

In Heppner, the court first ruled that the defendant’s conversations with AI were not covered by attorney-client privilege. This is because attorney-client privilege attaches to:
  1. Communications between a client and their attorney,
  2. which are intended to be, and were, kept confidential,
  3. for the purposes of obtaining or providing legal advice.
The court held that the AI-generated communications failed at least two, if not all three, of these elements. Not only were the conversations not with counsel, but Heppner’s communications were not confidential because he used a public or consumer version of the Claude platform. The court notes that the platform’s privacy policy specifies that user inputs and outputs are used for training purposes, and that the platform reserves the right to disclose this information to third parties, including governmental regulatory authorities.

In Heppner, the court also held that the work product doctrine did not apply to the materials generated from the public or consumer version of Claude. This is because the work product doctrine requires that materials be prepared by or at the direction of counsel. Because these documents were not prepared by or on behalf of counsel, and did not reflect the defense counsel’s strategy, the court held the work product doctrine did not apply.

Warner v. Gilbarco

On February 10, 2026, the Eastern District of Michigan heard a similar, but not identical, case and found that the work generated by AI was attorney-client work product. In this case, the AI tools were used to prepare legal materials. However, in contrast to Heppner, the court reasoned that “ChatGPT (and other generative AI programs) are tools, not persons” and found that both the attorney-client privilege and work product doctrine apply. Although the court determined that sensitive information pertaining to the case was provided to ChatGPT, it found that this was not equivalent to a “voluntary disclosure to a third person,” which would ordinarily waive attorney-client privilege. This is because the AI was not considered a third person. Additionally, the court found that work product waiver requires disclosure to an adversary or in a manner likely to reach an adversary. Because this was not found to be the case with the disclosure to ChatGPT, this doctrine was not waived.

Key Takeaways

Although these two similar cases come to different conclusions, it is important to note that they are not factually identical. It is also important to emphasize that these are early federal district court cases, and these matters of first impression are likely to evolve in the coming year. In the meantime, individuals (and other entities) using generative AI for legal advice should consider these cases and their outcomes. If you are planning on using generative AI for legal advice, you should consider the AI tools you’re using, the configurations of those tools, and the purposes for which you are using the tools.

Credit: Emma Wallace

Using AI Tools in Hiring, Firing, and Compensation Decisions

What Employers Need to Know About Using ADMT in Employment Decisions

Decisions about hiring, termination, and compensation represent substantial administrative costs for employers. Automated decision-making technologies (“ADMT”) can significantly streamline the process. However, employers using ADMT should be aware of recent and existing regulations governing the use of AI tools in evaluating prospective and current employees.

In addition to recent AI-specific regulation, use of AI tools in making employment decisions may be regulated by existing anti-discrimination statutes. Use of an algorithm that discriminates against a protected class identified in federal statutes – most notably Title VII of the Civil Rights Act and the Americans with Disabilities Act (ADA) – may expose employers to liability.

What is ADMT?

ADMT, or automated decision-making technology, is any technology that processes personal information and uses computation to replace or substantially replace human decision-making. AI tools used in employment may be one type of ADMT available to employers. In the context of ADMT, significant employment decisions may include:
  • Hiring
  • Allocating work or compensation
  • Promotion and demotion
  • Suspension and termination
State and local compliance requirements may create exceptions for businesses that do not use the AI tool’s recommendations as a substitute for human discretion. However, this may be a high bar to overcome, and not all types of human involvement qualify for an exception. For further explanation, please refer to the “Best Practices for Employers” section below.

What are the risks of employment discrimination?

AI and other ADMT tools involved in significant employment decisions may pose two key risks regarding employment discrimination. There is a risk they may:
  1. Exclude or disadvantage applicants from a protected group identified in Title VII or applicants with disabilities. Groups are protected by the statute on the basis of race, color, sex, religion, or national origin. This may apply even if there is no intent to discriminate: If the technology is shown to have a disproportionate effect on a protected group, the employer may be vulnerable to a lawsuit. For example, if ADMT tends to exclude candidates with names that suggest a particular racial or national identity, this could pose a risk to the employer using this ADMT.
  2. Screen out candidates based on aspects of their application that characterize a disability recognized by the ADA. This screening process may apply to a seemingly neutral selection criterion. For example, an AI tool that screens employees out for a resume gap lasting longer than four months could raise a risk of liability if the individual has a disability requiring substantial recovery periods after medical intervention.

What types of ADMT pose particular risks of discrimination?

Certain types of ADMT may pose particular risks of violating state and federal regulations. This may include AI-hiring tools with algorithms that:
  • Fail to take into account reasonable accommodations or available workplace alternatives in their assessment of a candidate’s ability to uphold the employer’s performance standards
  • Fail to include measures to mitigate against sensitivity to names of candidates – which contain information as to the gender and/or ethnic or racial origins of the applicant
  • Are overly reliant on inferences between the applicant and existing successful employees, which may reinforce existing hiring biases
  • Fail to account for possible reasonable accommodations related to their disability that are available to the applicant
  • Rely on an empirical evaluation of an individual’s conformity with a subjective standard such as “culture fit”.
Additionally, video-interviewing software that includes emotion-recognition technology without human involvement in their hiring decision, and hiring tools that require the applicant to provide medical information prior to employment may also create additional risk.

Best Practices for Employers

When selecting an AI tool for use in your employment decisions, there are measures employers can take to potentially reduce the risk of discrimination.

1. Transparency. Measures may include requesting transparency from the developer about mitigating measures to insulate decisions against particular risk factors. For example, seek tools that do not weigh factors posing particular risks of discrimination in the scoring process so heavily that they disqualify candidates. Transparency is also useful in preparing risk assessments which may be required by state and local regulations when using ADMT.

2. Human Involvement. Employers may also consider assessing the degree of human involvement in the decision-making process to see if the applied use qualifies for an exception from the regulation. If seeking an exception, a certain degree of human involvement may be required. Examples of insufficient degrees of human involvement may include situations where the decision-maker:
  • Is tasked with merely reviewing AI output
  • Lacks authority to change the decision
  • Lacks access necessary to make an independent decision
  • Operates under time constraints insufficient for substantive review
  • Only intervenes for obvious mistakes
In general, businesses should not recommend that the human decision-maker follow the AI’s decision by default in policy or in practice and should encourage independent human review.

3. Preparation. When using AI to assist in employment decisions, businesses may want to consider:
  • Conducting and submitting a risk assessment evaluating the risks of potential discrimination or data privacy balanced against the benefit to the business
  • Disclosing use of an AI tool in the applicant selection process before an applicant submits their application
  • Consulting state and local regulations to confirm compliance with required procedures and components. For example, CA, NY, IL, and CO are among the states that mandate some type of pre-disclosure when using ADMT or similar tools. Depending on the jurisdiction, it may be helpful for employers to consult relevant statutes to determine specific compliance requirements and timelines for disclosure.
  • Maintaining alternative processes to ADMT for selecting qualified candidates and allowing potential applicants to opt out of its use in evaluating their application. For candidates with disabilities, this may also include providing candidates with reasonable accommodations, including specialized equipment or extended timing or other modifications for timed skill assessments.
  • Establishing an appeal process for employment decisions made using AI tools.
  • Anticipating possible requests for deletion of personal data in response to evolving privacy rights across various jurisdictions. For example, in California, applicants may have existing privacy protections that include the rights to:
    • Be notified regarding a business’s use of AI in making employment decisions
    • Know what data is being collected, its purpose, and with whom it will be shared
    • Request deletion of personal information
    • Correct inaccurate personal information
    • Stop or limit the sale of sensitive personal information
    • And non-discrimination for exercising the rights provided.

What’s Next?

The recent Executive Order suggests that national policy may soon tend away from allowing applicants and/or employees to bring claims based on an AI tool’s disproportionate effect on a protected group. (Executive Order, Ensuring a National Policy Framework for Artificial Intelligence, Sections 6 & 9, issued December 11, 2025). However, as state and local-level protections take effect and as federal minimum standards continue to be fleshed out, some caution is required as these standards are interpreted by relevant state and federal agencies.

California: New AI laws in California – roundup of the 2025 legislative session

This article was originally published by OneTrust DataGuidance on November 24, 2025 and can be found on the DataGuidance website here.

California introduces comprehensive AI laws focusing on transparency, children’s safety, healthcare, antitrust, and law enforcement.

California has taken an aggressive stance towards artificial intelligence (AI) legislation and will likely set the standard for other US states. Back in 2024, Governor Newsom vetoed comprehensive AI safety legislation under bill SB 1047 and advised caution on regulations for this nascent and important technology. This year, Governor Newsom pressed ahead with a full slate of new AI laws. The reasons for this change in approach are many, including but not limited to the lack of federal AI legislation, the growing concern over children’s interactions with AI, especially sexualized content, and harmonization with more stringent requirements in the EU and elsewhere.

This year’s legislative session set records for the number and scope of new AI laws. For the roundup this year, Lily Li, of Metaverse Law Corporation, breaks down the new AI laws by scope and sector, noting where this may add on to existing California legislation and rulemaking from 2024-2025.

General AI safety, transparency, and risk assessments

  • SB 53: Transparency in Frontier Artificial Intelligence Act (Wiener) – Starting in January 2026, California will require large frontier AI developers to publish a framework detailing how they incorporate safety, security, and testing standards into their AI models. SB 53 also creates a mechanism for AI developers and the public to report critical safety incidents, and protects internal whistleblowers who report risks posed by frontier AI models. The law establishes significant penalties for companies that fail to comply, with fines of up to $1 million per violation.
  • AB 316: Artificial Intelligence defenses (Krell) – This amends California’s Civil Code. If a party to a lawsuit develops, modifies, or uses AI, this law prohibits them from asserting as a defense that the AI autonomously caused the harm.
  • AB 853: California AI Transparency Act (Wicks) – This bill expands the existing AI Transparency Act and modifies the effective date from January 1, 2026, to August 2, 2026. The California AI Transparency Act requires covered generative AI developers to provide an AI-detection tool to assess whether image, video, or audio content is created or altered by generative AI. This bill adds to the existing law by requiring large online platforms to embed provenance data into generated content. Starting January 1, 2028, users will also have the option to include latent disclosures on ‘capture devices’ such as cameras, video recorders, and other recorders.

This new California approach to AI transparency and safety legislation needs to be read in conjunction with the following existing laws.

  • California Privacy Protection Agency’s (CPPA’s) recently approved Cyber, Risk, ADMT, and Insurance Regulations – The CPPA’s most recently updated 127-page regulation package contains requirements governing cybersecurity audits, risk assessments, and automated decision-making technology. AI developers and systems that process personal information and meet certain California privacy thresholds will now face new cybersecurity audit and risk assessment requirements. In addition, automated and significant decisions concerning the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services will trigger significant notice, opt-out, and risk assessment requirements.
  • AB 2013: AI Training Data Transparency Act (Irwin-2024) – Passed last year, this law will require covered generative AI developers to publish online a high-level summary of the datasets used in the development of the generative AI system or service, including but not limited to whether personal information or copyrighted information is included in the training data. The law is scheduled to go into effect on January 1, 2026.

Children’s safety, age verifications, and companion chatbots

  • SB 243: Companion Chatbots (Padilla) – This law applies to chatbots that provide human-like interactions and are capable of sustaining relationships across multiple interactions. Beginning July 1, 2027, developers of these ‘companion chatbots’ will need to develop and report protocols addressing suicidal ideation and self-harm to regulators and the public. The law requires AI disclosures, referrals to suicide hotlines or crisis text lines, and break reminders. SB 243 further requires developers to institute reasonable measures to prevent the chatbot from producing visual material of sexually explicit conduct or directly stating that the minor should engage in sexually explicit conduct. The legislation includes a private right of action to individuals who suffer ‘an injury in fact’ with statutory damages of $1,000 per violation, or actual damages if greater.
  • AB 1043: Digital Age Assurance Act (Wicks) – Starting January 1, 2027, operating systems and covered application stores will be required to obtain age data from users and pass on age bracket data to developers when users download and launch an application.
  • AB 56: Social Media Warning Law (Bauer-Kahan) – Starting January 1, 2027, covered social media platforms will need to display a warning label to minors the first time a user accesses the platform each day, after three hours of active use, as well as once per hour of cumulative active use after that. The warning label must say ‘The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.’
  • AB 621: Deepfake pornography (Bauer-Kahan) – This amends California’s Civil Code and expands protections against deepfake pornography. The law explicitly provides a cause of action against individuals who create or disclose deepfake pornography if they know, or reasonably should know, that the depicted individual was a minor and also provides a cause of action against individuals who knowingly facilitate or recklessly aid or abet the creation or disclosure of such nonconsensual deepfake pornography. The bill confirms that a minor cannot consent to the creation or distribution of deepfake pornography.

California’s approach to AI and children has a long and complicated history, and these new laws should be read in conjunction with the following laws on the books.

  • California Age Appropriate Design Code (Wicks) – This law was signed on September 15, 2022, and was scheduled to go into effect on July 1, 2024. Modeled after the UK Age Appropriate Design Code, this law requires businesses to conduct impact assessments, provide Privacy by Default, estimate the age of all users, and restrict dark patterns. The law was enjoined in March 2025, but is being appealed by the California Attorney General.
  • Protecting Our Kids from Social Media Addiction Act (Skinner-2024) – This law is scheduled to go into effect on January 1, 2027, and prohibits covered social media platforms from providing addictive feeds to minors without verifiable parental consent. The law has so far escaped a constitutional challenge, but may face other court challenges prior to the effective date.

Healthcare AI and chatbots

  • AB 489: Health care professions: deceptive terms or letters: artificial intelligence (Bonta) – This law prohibits AI systems from falsely indicating or implying possession of a medical license or certificate through advertising, marketing, or other functionality. AB 489 also makes AI developers directly subject to the healthcare professional licensing board or enforcement agency if they develop such a system. Each use of a prohibited term, letter, or phrase shall constitute a separate violation.

California’s approach to AI in healthcare also needs to be read in conjunction with the following laws and guidance.

  • Legal Advisory on the Application of Existing California Law to Artificial Intelligence in Healthcare – In January 2025, California Attorney General Rob Bonta issued this advisory, setting forth California’s existing consumer protection, civil rights, competition, and data privacy laws governing healthcare AI.
  • SB 1120: Physicians Make Decisions Act (Becker-2024) – This law prohibits covered healthcare service plans from denying, delaying, or changing healthcare services based, in whole or in part, on medical necessity using AI, algorithms, or other software tools. Such determinations shall require a physician or licensed healthcare professional and review of individual circumstances. This law also requires written policies and procedures governing such determinations.
  • AB 3030: Artificial Intelligence in Health Care Services (Calderon – 2024) – This law applies to health facilities, clinics, physicians’ offices, or other health group practices that use generative AI for communications about patient clinical information. Under this bill, generative AI communications that pertain to patient clinical information must include:
    • a disclaimer that indicates the communication was generated by AI at the beginning of the interaction; and
    • clear instructions on how the patient can contact the appropriate person.

Antitrust and pricing discrimination

  • AB 325: Cartwright Act violations (Aguiar-Curry) – This amends California’s existing antitrust law, the Cartwright Act, to explicitly cover ‘common pricing algorithms.’ The law prohibits:
    • the use or distribution of a ‘common pricing algorithm’ as part of a contract, combination in the form of a trust, or conspiracy to restrain trade or commerce; or
    • coercion to set or adopt a recommended price or term, recommended by the common pricing algorithm for the same or similar products or services.

Complaints shall not be required to allege facts tending to exclude the possibility of independent action.

Law enforcement use of AI

  • SB 524: Law Enforcement Agencies (Arreguín) – SB 524 requires law enforcement to disclose if an official report was written either fully or in part using AI, as well as retain the first draft created by AI and an associated audit trail that, at minimum, identifies both the officer who used AI to create a report and the video and audio footage used to create a report, if any. SB 524 also prohibits AI vendors from sharing, selling, or otherwise using information, except as provided in the bill (e.g., troubleshooting, bias mitigation, quality control, legal purposes, etc.).

Employment and bias

While Governor Newsom vetoed SB 7, the No Robo Bosses Act, the Governor’s veto letter pointed to the CPPA’s ADMT regulations as addressing some of the bill’s requirements. Per Governor Newsom, SB 7 is ‘partially covered’ by these regulations, as they ‘allow employees and independent contractors to better understand how their personal data is used by automated decision technology.’ In addition, the California Civil Rights Council’s recently promulgated regulations state that California’s antidiscrimination laws apply to AI workplace tools. These regulations address another concern raised in SB 7, which sought to prohibit ADS systems from inferring a worker’s protected status.
