Privacy Notice Requirements for California State Entities

In an era where data privacy concerns are top-of-mind, California has established a robust legal framework to protect personal information, not just for businesses but for state entities as well. The California Information Practices Act of 1977 (IPA) sets the foundation for state agencies handling personal data, while the California Public Records Act provides public access to certain information. Additionally, Government Code Sections 11015.5 and 11019.9 impose restrictions on data collection and require state agencies to implement clear privacy policies. Understanding these laws helps clarify how agencies should manage personal information, which in turn fosters trust between the public and public-serving institutions. This post details these laws, with key requirements for each.

Requirements of the Information Practices Act of 1977

The California Information Practices Act of 1977 (IPA) protects the privacy of individuals by limiting how California state agencies collect, store, and share personal information. It requires state agencies to collect and keep only the information that is necessary to accomplish their legal purpose. The IPA applies to all state agencies, with limited exemptions for the State Legislature, agencies established under Article VI of the California Constitution, the State Compensation Insurance Fund, and local agencies as defined in Government Code Section 7920.510. Under the IPA, a state agency collecting personal information must generally provide the individual with a notice containing certain information; the notice is not required if the agency uses the information only to identify and communicate with the individual. The notice shall provide:
  • Information about the agency, including the name, division requesting information, and the authority of the agency to collect and maintain information, whether granted by statute, regulation, or executive order.
  • Information about what the records will be used for and contact information for the person responsible for the system of records. On request, this person will inform the individual of the location of their records and the categories of people who use the individual’s records.
  • Information about submission, including whether submission of the information is mandatory or voluntary, the consequences of not providing any or all of the information, and whether there are any foreseeable disclosures of information.
  • Information about the right of access to the individual’s records containing personal information.
Requirements of the California Public Records Act

While it does not pertain specifically to privacy notices, the California Public Records Act (CPRA), not to be confused with the California Privacy Rights Act of 2020 (also abbreviated CPRA), which amended the California Consumer Privacy Act, is similar to the federal Freedom of Information Act (FOIA). Both laws work to enhance transparency about the information that government agencies collect, a goal shared with laws that require privacy notices. As enshrined in the California Constitution, “the people have the right of access to information concerning the conduct of the people’s business.” To this end, the CPRA is designed to “safeguard the accountability of the government to the public” by promoting prompt public access to government records. Government Code Section 7920.530 broadly defines a public record as “any writing containing information relating to the conduct of the public’s business prepared, owned, used or retained by any state or local agency regardless of physical form or characteristics.” It is essential to note, however, that “electronically collected personal information” is one of the many exemptions from the CPRA. This includes information such as a user’s domain name or IP address and statistical information about the webpages visited, which may be withheld from public inspection and copying even if not otherwise protected by federal or state law. When a copy of a record is requested, the agency must determine within 10 days whether to comply with the request, promptly notify the requester of its determination, and state the reasons for that determination.

Requirements of Government Code Section 11015.5

Government Code Section 11015.5 establishes privacy requirements for state agencies that electronically collect personal information.
This provision applies to all California state agencies, defined as every state office, officer, department, division, bureau, board and commission—including the California State University system. When using any means to electronically collect personal information on the internet, agencies must provide users with notice at the initial point of interaction. This notice should include:
  • Information about collection, such as the existence of the gathering method, what type of personal information is being collected and how it will be used. This includes information about the length of time that the gathering device will be in the user’s hard drive, if applicable.
  • Information about deletion and sharing, including that the user has the option of having their personal information discarded without reuse or redistribution, and that state agencies shall not distribute or sell any electronically collected personal information about users to any third party without consent.
  • Information about other laws, including that all information acquired is subject to the limitation of the IPA, as detailed above, and that electronically collected information is exempt from requests made pursuant to the CPRA, discussed above.
These requirements aim to promote transparency in data collection practices and give individuals control over their personal information when interacting with state agencies online.

Requirements of Government Code Section 11019.9

Government Code Section 11019.9 mandates that every state department and state agency establish and maintain a permanent privacy policy in compliance with the IPA, as detailed above. This requirement applies to all state entities, defined in the same way as in Government Code Section 11015.5 above, but excludes the California State University system. While similar to Section 11015.5, this requirement reaches a wider range of state-affiliated entities by covering both departments and agencies. The required privacy policy must address the following:
  • Information about collection, including that the information is obtained only through lawful means and the purpose for which the data is collected. The data collected must be relevant to that purpose.
  • Information about processing, including that personal information will not be disclosed, made available, or otherwise used for purposes other than those in the policy, except by law or with consent of the data subject.
  • Information about security, including the general means by which personal information is protected against loss, unauthorized access, use, modification, or disclosure, unless that would compromise the legitimate purposes of the state department, agency, or law enforcement. Each covered state entity must also designate a position within the organization which is responsible for the privacy policy.
Additionally, state entities covered by Section 11019.9 are required to conspicuously post their privacy policy on their website. The policy must be accessible through a hyperlink labeled “PRIVACY” on the homepage of the website. This link must be in a contrasting color and displayed in capital letters equal in size to or larger than the surrounding text.

Through these laws, California has implemented a comprehensive framework requiring state entities to handle personal information responsibly by providing privacy notices, restricting data usage, and protecting data subjects’ rights. These requirements reflect an ongoing effort to balance transparency, accountability, and protection of personal information, while fostering public trust in governmental data collection and use practices.
Data Collection Practices and CCPA Compliance: Key Takeaways from Honda’s CPPA Settlement

On March 12, 2025, the California Privacy Protection Agency (CPPA), one of the enforcement agencies for the California Consumer Privacy Act (CCPA), announced a settlement of over $630,000 with American Honda Motor Co. (Honda) for alleged privacy violations. This is the first time the CPPA has fined an automaker since the CPPA announced in July 2023 that it was reviewing privacy practices related to connected vehicles. The CPPA’s Order identifies four key areas of Honda’s alleged non-compliance:
  1. Requiring verification for requests to opt out of sale/sharing or to limit the use of sensitive personal information.
  2. Requiring verification for opt-out/limit requests submitted through authorized agents.
  3. Lack of symmetry in the website’s cookie management tool.
  4. Insufficient contracts with advertising technology vendors.
This post will walk through each of these issues in turn, providing key takeaways to consider based on the CPPA’s Order.

1.    Issue: Verifying Information for Requests to Opt Out/Limit Sensitive Information

The CPPA alleges that Honda’s webform, as depicted in the Order, required individuals to provide information for verification purposes when submitting requests to opt out of sale/sharing or to limit the use of sensitive personal information.

Overview: Per §7060(b) of the California Consumer Privacy Act Regulations (Regulations), there is no verification requirement for requests to opt out of the sale/sharing of personal information or for requests to limit the use of sensitive personal information. The CPPA alleges that Honda’s “Submit A Privacy Request” webform required eight separate data points for a range of data subject access requests (DSARs), including requests to opt out of sale/sharing and to limit the use of sensitive personal information. Covered entities should not require verification before processing these requests. According to the Order, from July 1, 2023 to September 23, 2023, Honda improperly required at least 119 individuals to provide excessive information and denied at least 20 individuals’ requests based on unlawful verification standards.

Takeaway: Under the CCPA, opt-out and limit requests are non-verifiable, and covered entities should collect only the minimal data points necessary to fulfill the request. You can learn more about responding to DSARs on our blog.

2.    Issue: Verifying Information for Requests to Opt Out/Limit Sensitive Information through Agents

The CPPA alleges that Honda unlawfully required individuals to confirm with Honda directly that they had authorized an agent to submit requests on their behalf to opt out of sale/sharing or to limit the use of sensitive personal information.

Overview: While covered entities may request proof of an individual’s signed permission for an agent to act on their behalf, this is permitted only for verifiable requests, that is, requests to know, delete, or correct information, per §7063(a) of the Regulations. The CPPA alleges that Honda’s direct confirmation requirement for requests to opt out and to limit goes beyond what the CCPA and Regulations permit. The Agency alleges that these unlawful practices affected at least 14 consumers during the reviewed period from July to September 2023.

Takeaway: The CCPA prohibits covered entities from requiring direct confirmation from consumers for non-verifiable requests, even when an agent is used to submit the request. Rather than applying the same verification standards to all DSARs, covered entities should distinguish which types of requests are verifiable. This may vary between jurisdictions, so be sure to check all applicable laws when building your DSAR playbook. You can refer to our U.S. state privacy law post for relevant jurisdictional thresholds within the US, and covered entities should also consider international laws, like the GDPR, which may impose other DSAR or verification requirements.

3.    Issue: Lack of Symmetry on the Website’s Cookie Management Tool

The CPPA alleges that Honda’s cookie management tool (the cookie banner at the bottom of its webpage) required more steps to opt out of sharing than to opt in, violating the symmetrical choice requirements of the CCPA.

Overview: According to the Order, individuals using Honda’s cookie banner needed to complete two steps to disable advertising: a “change” step and a “save” step. Opting in, however, required a single “change & save” step. Per §7004(a)(2) of the Regulations, “[t]he path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or more time-consuming than the path to exercise a less privacy-protective option,” because an imbalance in options “would impair or interfere with the consumer’s ability to make a choice.” According to the examples in the Regulations, “[a]n equal or symmetrical choice [in a website banner] could be between ‘Accept All’ and ‘Decline All.’”

Takeaway: Entities covered by the CCPA should ensure that the process to submit opt-out requests, including those made through cookie management tools, is no more difficult than the process to opt in. According to the Regulations, this standard also applies when the individual uses the “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link. The number of steps for submitting a request to opt out is measured from when the consumer first clicks the link to the completion of the request. Similarly, the number of steps to opt in is measured from the consumer’s first indication of interest in opting in to the completion of the request.

4.    Issue: Insufficient Contracts with Advertising Technology Vendors

The CPPA alleges that Honda failed to produce contracts (such as data protection agreements, or DPAs) requiring its technology vendors to sufficiently protect consumer information.

Overview: Under CCPA §1798.100(d), when a covered entity collects a consumer’s personal information and discloses it to a service provider or contractor, the covered entity must enter into an agreement with that party requiring it to protect the consumer’s personal information. According to the Order, Honda lacked proper contractual agreements despite collecting individuals’ information and disclosing it to third-party vendors. These vendors included businesses that conducted targeted advertising, which may constitute “selling” or “sharing” personal information under the CCPA. Without agreements with these vendors in place, the CPPA alleges, individuals’ information may be improperly used or shared without sufficient privacy protections.

Takeaway: The CCPA requires covered entities to maintain agreements, such as a DPA, that specify data use limitations, require CCPA compliance, and ensure a certain standard of privacy protection. If a covered entity discloses personal information to third-party vendors, it should ensure that these contracts are in place and meet the law’s requirements.

Conclusion

The Order against Honda serves as a cautionary example for covered entities managing individuals’ information under the CCPA. In addition to the fine, the Order requires Honda to “certify its compliance, train its employees, and consult a user experience (UX) designer to evaluate its methods for submitting privacy requests. Honda must also change its contracting process to ensure appropriate mechanisms are in place to protect personal information.” Additionally, the head of the CPPA’s Enforcement Division stated that “[the Agency] won’t hesitate to use our cease-and-desist authority to change business practices,” indicating that the Agency is serious about its enforcement authority. By taking proactive steps, covered entities can better protect against regulatory enforcement actions while working to safeguard individuals’ privacy.
CPPA Board Meeting: Key Takeaways from November 8, 2024

In a vote of 4-1, the California Privacy Protection Agency (CPPA) has decided to move forward with rulemaking on its draft regulations concerning AI, cybersecurity audits, profiling, and risk assessments, despite complaints of regulatory overreach.

On Friday, November 8, the CPPA held a public meeting to discuss proposed updates to the California Consumer Privacy Act (CCPA) regulations. The hybrid meeting included public comments from a broad range of stakeholders; nearly 45 public comments were heard from business representatives, privacy advocates, and industry experts. While the passing vote would typically trigger a 45-day public comment period on the draft regulations, Chairperson Urban requested flexibility in light of the upcoming holidays.

Legal Challenges

During the meeting, the CPPA stated that it had been sued for failing to promulgate regulations, specifically on opt-out rights for information processed by automated decisionmaking tools (ADMTs). At the same time, commenters argued that the breadth of the proposed rules overstepped the intent of the CCPA.

Board Member Alastair Mactaggart, who helped draft the CCPA, voiced concerns about the regulations, arguing that the current proposal is excessively broad to the point of being unworkable. He pointed out that these regulations, as written, apply to nearly all businesses that use any kind of software to generate any type of output, whether AI-powered or not. For example, a simple tool like a spreadsheet or a school admission application could fall under these rules, forcing a large swath of low-risk businesses to conduct risk assessments. Mactaggart referred to this as statutory overreach and argued that regulations should focus on issues that genuinely impact privacy or security.

Economic Forecasts

The CPPA also issued a Standardized Regulatory Impact Assessment (SRIA), which was discussed during the meeting. In this assessment, the CPPA estimates the total cost of the regulatory initiative at around $3.5 billion for the first year of implementation, with an average of $1 billion in each subsequent year over the first ten years. The CPPA justifies this cost by asserting that the direct benefits to California businesses will be $1.5 billion in 2027 and $66.3 billion in 2036.

However, the California Chamber of Commerce states that “[b]usinesses, consumers and governments in California will suffer net losses from the proposed rules pending before the [CPPA] this week.” This statement stems from a report prepared for the Chamber of Commerce by Capitol Matrix Consulting, which concludes that the regulations are likely to “result in a substantial net losses to businesses, consumers, and governments in this state, both in the near and long term.”

Industry groups including TechNet, the Civil Justice Association of California, and the Interactive Advertising Bureau voiced concern about the heavy compliance burden the regulations place on businesses, especially small businesses that may not have the resources to implement the required risk assessments or redesign their services to accommodate opt-out provisions.

Behavioral Advertising & Opt-Out Provisions

Another key point of contention during the meeting was the opt-out provision for consumers related to decisions made by AI systems.

The draft regulations govern a large range of AI. Under the draft, AI is defined as a “machine-based system that infers, from the input it receives, how to generate outputs that can influence physical or virtual environments.” Additionally, the draft defines ADMTs as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.”

Together, these definitions are more expansive than the definition of high-risk automated processing addressed in Article 22 of the EU’s GDPR, the source of the original opt-out language. Under Article 22, a data subject has the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The intent of the draft’s provision is to give consumers the ability to opt out of decisions made through solely automated processes, such as targeted advertising.

However, critics argue that including the opt-out language in the draft, combined with an expansive definition of AI and ADMTs, could have unintended consequences, especially for small businesses. Mactaggart, for instance, is concerned that applying the opt-out rule too broadly could lead to a breakdown of essential services. For example, online booking services for airlines and automated reservation software for hotels may rely on software that would be categorized as “AI” under this definition. Allowing users to opt out of AI when requesting these services may be untenable, which could cause friction in these industries and ultimately harm consumers by limiting access to these services or increasing costs.

Risk Assessments

A central component of the draft regulation is a requirement that businesses that use AI, as defined above, conduct risk assessments. While the goal of this requirement is to ensure that businesses are aware of and mitigate any potential privacy risks that arise from these technologies, critics believe the regulations go too far by applying the requirement to low-risk, everyday activities.

For example, a representative from the California Grocery Association expressed concern about how the opt-out provision would affect a chain of small rural grocery stores with which she does business. While these AI tools could help consumers save money, the cost of compliance for integrating them might be out of reach, especially given the thin profit margins in the grocery industry.

Again, Mactaggart questioned the scope of the draft. He and other advocates called for a narrower focus for risk assessments that centers on significant decisions, such as those that deny individuals access to essential goods and services. This could include the denial of a loan application, exclusion from an online platform, or an adverse employment decision. One commenter stated that there had been no public comments against regulating high-risk systems, and that by focusing on these issues the CPPA could better mitigate potential harms while freeing low-risk systems from potential overregulation.

Additionally, a commenter suggested that risk assessments should be streamlined and aligned with other state standards to reduce compliance costs. Mactaggart noted that accepting risk standards from other US jurisdictions could help businesses avoid duplicative efforts, cut compliance costs, and reduce the overall regulatory burden.

AI Training

The ability to opt out of having one’s data used for AI training was of lesser concern but was still addressed by a number of commenters. For example, a representative from the Software and Data Industry Association argued that requiring an opt-out for consumers from AI dataset training could create a substantial burden on small businesses that already have trouble accumulating representative training data. Other commenters shared concerns that these opt-outs could compromise the quality and effectiveness of AI systems.

Ultimately, California faces a delicate balance in regulating AI and ADMTs. On one hand, the state must work toward protecting consumers from privacy risks, potential discrimination, and other adverse impacts of AI. At the same time, the CPPA must ensure that rulemaking does not stifle innovation, create excessive compliance costs, or diminish competition among businesses that rely on AI.

As formal rulemaking moves forward, it will be crucial for the CPPA to consider feedback from the public comment period and to refine the regulations to ensure that they strike a balance between privacy concerns and costs to consumers and businesses alike.


California: The AI Transparency Act – what you need to know

The original article can also be found on the OneTrust DataGuidance website.

On September 19, 2024, the California AI Transparency Act (the Act) was signed into law by the California Governor. The Act follows in the steps of other US states that have developed laws requiring transparency in the use of artificial intelligence (AI). The Act, however, is unique in that it has specific watermarking requirements. In this Insight article, OneTrust DataGuidance breaks down the key provisions of the Act and who it applies to, with comments provided by Jacob Canter, Counsel at Crowell & Moring LLP, and Lily Li, Founder of Metaverse Law Corporation.

Definitions

The Act provides definitions for key terms such as ‘personal information,’ ‘personal provenance data,’ and ‘metadata.’ Among the notable, ‘artificial intelligence’ is defined as ‘an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.’

Under the Act, ‘generative artificial intelligence system’ is defined as ‘an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system’s training data.’

Scope

The Act applies to covered providers, who must comply with the Act from January 1, 2026, when it becomes operative.

The Act defines ‘covered provider’ as ‘a person that creates, codes, or otherwise produces a generative artificial intelligence system that has over 1,000,000 monthly visitors or users and is publicly accessible within the geographic boundaries of the state.’

Regarding the 1 million monthly visitors or users, Jacob notes “This is a bit ambiguous because it does not explain how to calculate ‘over 1,000,000 visitors or users.’ Is this based on an average number of visitors or users from the prior year? Does your obligation to comply change every month depending on how many users you had in the prior month? Until that ambiguity is clarified, the safer approach may be to prepare for compliance even if your company does not consistently have over 1 million visitors.”

Lily adds that “according to Governor Newsom, California is ‘home to 32 of the world’s 50 leading AI companies,’ many of which will be required to comply with this Act due to the nature of their AI systems and number of monthly users.”

Jacob furthers that “Most of the generative AI laws in the U.S. have been subject-matter specific. Some states have either enacted or passed laws related to transparency and fairness in elections (for example, PA, MA, NC, WA, and CA). Many states have passed laws that seek to limit the dissemination of deepfakes (for example, TX, FL, IL, NY, and CA). And Colorado and New York City have passed laws that seek to limit discriminatory uses of generative AI (for example, CO and NY). In contrast, the AI Transparency Act is general. It covers all generative AI content that a covered company’s product generates. On these terms, the Act is actually quite broad.”

Obligations

Regarding the implications of the Act on businesses, Jacob explains that “California’s AI Transparency Act will have a direct impact on businesses that develop generative AI systems and have over 1 million monthly visitors or users. These businesses must comply with the law’s requirements: to create an ‘AI detection tool,’ to embed ‘latent-disclosure’ data into their AI-generated content, and to make ‘manifest disclosures’ available for the content as well.”

The Act requires covered providers to make an AI detection tool available to users at no cost that:

  • allows users to assess whether an image, video, or audio content has been created or changed by the covered provider’s generative AI tool;
  • outputs any system provenance data detected in the content;
  • does not output any personal provenance data detected in the content;
  • subject to certain exceptions, is publicly accessible;
  • allows users to upload content or provide a URL for online content; and
  • supports an application programming interface that allows users to use the tool without visiting the covered provider’s website.

Under the Act, covered providers should also collect user feedback on the AI detection tool and incorporate this feedback to improve the tool’s efficacy.

In addition, covered providers should not:

  • collect or retain personal information from users of the AI detection tool, except where exceptions apply;
  • retain content provided to the AI detection tool for longer than necessary to comply with the Act; and/or
  • retain personal provenance data from content submitted to the AI detection tool.

Lily adds that “While other AI laws in the US are focused on risk assessment, notice, and disclosure obligations, this is the first major AI law that imposes product requirements on AI developers. Now, AI developers need to code in a digital watermark on generative AI content and provide the tools to detect this watermark. This is different from written disclosures on a browser or app, which can easily get lost or obscured when generative AI content is copied or embedded downstream.”

Covered providers must offer users the option to include a manifest disclosure in image, video, or audio content that has been created or altered by the covered provider’s generative AI system that:

  • identifies the content as being generated by AI;
  • is clear, conspicuous, and appropriate for the content, as well as understandable to a reasonable person; and
  • is permanent or difficult to remove.

Covered providers must also include a latent disclosure in image, video, or audio content created or altered by their generative AI system that:

  • communicates the name of the covered provider, the name and version number of the generative AI system used, the time and date the content was created or altered, and a unique identifier – to the extent technically feasible and reasonable, the disclosure should be direct or through a link to a permanent internet website;
  • is detectable by the covered provider’s AI detection tool;
  • is consistent with industry standards; and
  • is permanent or extraordinarily difficult to remove.

Lily explains that “Additionally, the Act includes a requirement that these covered providers enter contracts with their licensees that contain specific provisions. (22757.3(c).) This means that businesses that incorporate AI or are considering implementing AI systems from covered providers may want to ensure the appropriate contracts are in place.”

If covered providers license their generative AI systems to third parties, they must ensure that licensees maintain these disclosure requirements. If covered providers know that a third-party licensee is no longer capable of including such disclosures, they will be required to revoke their license within 96 hours of discovering this fact. Following the revocation of the license, the third party must cease using a licensed generative AI system.

Enforcement

The Act will be enforced by the Attorney General, a city attorney, or a county counsel, and provides that violations of the Act are subject to civil penalties.

Lily notes that “Under this Act, fines can add up quickly: A covered provider found in violation of this Act will be liable for $5,000 per violation – and each day the provider is in violation of the Act counts as a new violation. (22757.4(a-b).) For those who contract with covered providers, a violation may result in an injunction along with reasonable attorney’s fees and costs (22757.4(c).).”

Next steps

Jacob states that “Indirectly, the Act may create opportunities. Technical know-how is required to develop the AI detection tools, and both the latent and manifest disclosures. As often happens, companies can use this change in policy as an opportunity to build a product that facilitates compliance.”

Lily adds that “This Act goes into effect on January 1, 2026, but covered providers should act now given the significant technology requirements of the Act. Covered providers need to:

  • make an AI detection tool;
  • include both an optional and a latent disclosure in all AI generated content; and
  • enter contracts with licensees to ensure such latent disclosures.”

Victoria Prescott
Team Lead – Editorial, vprescott@onetrust.com

With comments provided by:

Jacob Canter
Counsel, Crowell & Moring LLP, San Francisco, jcanter@crowell.com

Lily Li
Founder, Metaverse Law Corporation, Newport Beach, lily@metaverselaw.com
Photo of American flag and California flag on a flagpole with a palm tree in the background.

California Wraps Its 2024 Legislative Session with Data Privacy & AI Bills

California’s legislative session closed on August 31, 2024 with a series of data privacy and AI bills. Over the course of September, Governor Newsom signed 17 bills covering AI technologies. This wave of legislation comes a year after Governor Newsom signed an Executive Order to help ensure California is ready for the next wave of AI technologies.

Below is an overview of new and noteworthy AI and data privacy bills, beginning with six amendments to the California Consumer Privacy Act (CCPA), followed by a range of signed and vetoed AI-related bills.

Passed CCPA Amendments
1. SB 1223 and AB 1008: Neural Data, Personal Information and AI Systems

What Does the CCPA Require?

Currently, the CCPA requires a business that collects personal information about a consumer to limit its use of the consumer’s sensitive personal information. “Sensitive personal information” includes biometric information processed for the purpose of identifying a consumer, but not neural data. Additionally, the CCPA does not specify whether personal information can exist in various formats.

What Changes?

Under SB 1223, the CCPA’s definition of “sensitive personal information” is expanded to include a consumer’s neural data, meaning “information that is generated by measuring the activity of the consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”

Under AB 1008, the CCPA also specifies that “personal information can exist in various formats,” including physical, digital or abstract formats, such as encrypted files, metadata, or AI systems capable of outputting personal information.

Governor Newsom signed SB 1223 and AB 1008 into law on September 28, 2024. Both laws become applicable on January 1, 2025.
2. AB 1824: Opt-Out Right, Mergers

What Does the CCPA Require?

The CCPA gives consumers the right to opt out of a business selling or sharing their personal information. However, the Act does not specify how those requests must be honored after a merger or acquisition.

What Changes?

Under this bill, a business that receives a consumer’s personal information from another business as part of a merger, acquisition, bankruptcy or other transaction must comply with any opt-out request the consumer made to the transferring business.

Governor Newsom signed AB 1824 into law on September 29, 2024. This law takes effect on January 1, 2025.
3. AB 3286: Monetary Thresholds, Grants

What Does the CCPA Require?

The CCPA authorizes the Attorney General to adjust the Act’s monetary thresholds to reflect increases in the Consumer Price Index.

What Changes?

This bill moves the responsibility for adjusting those monetary thresholds from the Attorney General to the California Privacy Protection Agency, among other minor changes.

Governor Newsom signed AB 3286 on July 15, 2024, and the law goes into effect on January 1, 2025.

Vetoed CCPA Amendments
1. AB 1949: Collection of Personal Information of a Consumer Less than 18 Years of Age

What Does the CCPA Require?

The CCPA gives consumers specific rights regarding their personal information. Currently, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years old, unless the consumer or their parent or guardian has properly consented.

What Changes?

This bill would raise that age from 16 to 18, so that a business could not sell or share the personal information of a consumer between 13 and 18 years old unless the consumer or their parent or guardian consents, and could not sell or share the personal information of a child younger than 13 unless the parent or guardian consents.

Additionally, this bill would require a business to treat a consumer as younger than 18 if the consumer transmits a signal indicating that they are younger than 18. The bill retains the CCPA’s “actual knowledge or willful disregard” standard for violations.

Finally, the bill would require California’s Attorney General to adopt regulations that include technical specifications for an opt-out preference signal allowing the consumer to indicate whether they are less than 13 years old, or between 13 and 18 years old.

Governor Newsom vetoed AB 1949 on September 28, 2024.
2. AB 3048: Opt-Out Preference Signals

What Does the CCPA Require?

The CCPA gives consumers the right to opt out of a business selling or sharing their personal information. To send an opt-out preference signal today, users generally have to install a browser plugin, and availability varies by browser.

Currently, the only opt-out preference signal recognized by the CCPA, per Attorney General Rob Bonta’s FAQ page and supporting resources from the California Privacy Protection Agency (CPPA), is the Global Privacy Control (GPC). Under the CCPA, the GPC communicates only a request to opt out of the sale or sharing of personal information. Still, this is an enforced area of privacy law: in 2022, a Final Judgment and Permanent Injunction against Sephora ordered the company to pay $1.2 million to resolve claims that Sephora did not process opt-out requests sent through user-enabled global privacy controls.

What Changes?

This bill targets businesses that develop or maintain browsers, requiring them to include a setting that lets consumers send an opt-out preference signal to the businesses they interact with through the browser. After rulemaking and agency adoption, the bill would also prohibit a business from developing or maintaining a mobile operating system that does not include opt-out preference signal settings. These provisions would have gone into effect on January 1, 2026.

Governor Newsom vetoed AB 3048 on September 20, 2024.

Passed AI Bills
1. AB 2013: Generative Artificial Intelligence, Training Data Transparency

Who Does This Apply to?

This bill applies to “generative artificial intelligence” systems or services, defined as AI that can “generate derived synthetic content…that emulates the structure and characteristics of the [AI’s] training data.” There is no consumer-use or monetary threshold, so the definition is far-reaching.

What Changes?

This bill requires developers of covered generative AI systems made available to Californians to post documentation on their website about the data used to train the system or service, including a high-level summary of the datasets used.

AB 2013 was signed by Governor Newsom on September 28, 2024. This law goes into effect on January 1, 2026.
2. AB 2885: Artificial Intelligence, Definition

Who Does This Apply to?

According to the bill’s preamble, the definition applies to actions taken by the Department of Technology, local agencies, the California Online Community College, and social media companies under requirements of existing law.

What Changes?

For these purposes, the term “artificial intelligence” is redefined as an “engineered or machine-based system that varies in its level of autonomy” and can generate output based on inferences made from its input.

AB 2885 was signed by Governor Newsom on September 28, 2024. Its provisions go into effect on January 1, 2025.
3. SB 942: California AI Transparency Act

Who Does This Apply to?

This bill applies to “covered providers,” meaning persons that create, code or otherwise produce a generative AI system that has over 1,000,000 monthly visitors or users and is publicly accessible within California.

What Changes?

Under this bill, covered providers must make a publicly accessible AI detection tool available. They must also offer users the option to include a manifest disclosure, and must include a latent disclosure, in image, video, or audio content created or altered by the generative AI system.

Governor Newsom signed SB 942 into law on September 19, 2024, along with other bills addressing concerns around AI:
  • SB 926 prohibits creating and distributing sexually explicit, realistic images of a person when those images are intended to cause the person serious emotional distress. This bill is targeted at AI-generated sexually explicit content. Similarly, AB 1831 expands the existing child pornography statutes to cover content created or altered by generative AI.

  • SB 981 requires social media platforms to provide Californians with a mechanism to report digital identity theft on the platform. Following the aim of SB 926, this includes reporting AI-generated images that depict an identifiable person appearing to engage in certain sexual acts.
 
4. AB 3030: Health Care Services, Artificial Intelligence

Who Does This Apply to?

This bill applies to health facilities, clinics, physician’s offices, and other health group practices that use generative AI for communications about patient clinical information. “Patient clinical information” means information relating to the health status of a patient, and specifically excludes administrative matters such as appointment scheduling, billing, or “other clerical or business matters.”

What Changes?

Under this bill, a patient communication generated by generative AI that pertains to clinical information must include: 1) a disclaimer, at the beginning of the interaction, indicating that the communication was generated by AI, and 2) clear instructions on how the patient can contact the appropriate person.

Governor Newsom signed AB 3030 into law on September 28, 2024. The law goes into effect immediately.

Similarly, SB 1120 was signed on September 28, 2024 and places specific restrictions on health care service plans and disability insurers that use AI in their decision-making. Under this law, health care service plans must have specific policies and procedures in place, and the use of AI must be overseen by a medical director with an unrestricted license to practice medicine in California.
5. AB 1836: Use of Likeness, Digital Replica

Who Does This Apply to?

This bill is intended to protect intellectual property and applies to those creating digital replicas of another person’s likeness. A “digital replica” means a “computer-generated, highly realistic electronic representation” that is readily identifiable as the voice or likeness of the person being replicated.

What Changes?

This bill makes a person who produces or distributes a digital replica of a deceased personality’s voice or likeness without consent liable for the greater of $10,000 or the actual damages suffered.

Governor Newsom signed AB 1836 into law on September 17, 2024. The law goes into effect immediately.

Similarly, Governor Newsom signed AB 2602 into law on the same date. This law prohibits personal or professional service contracts from containing provisions that permit use of the individual’s digital replica for general purposes unless the individual is represented by legal counsel; instead, the contract must contain a reasonably specific description of the intended uses of the digital replica.
6. AB 2355: Political Advertisements, Artificial Intelligence

Who Does This Apply to?

This bill applies to committees that create, publish or otherwise distribute political advertisements containing any image, audio, or video that is “generated or substantially altered” using AI.

What Changes?

Under this bill, there are specific disclosure requirements for each ad format. For example, a video advertisement must include a disclosure at the beginning or end of the advertisement, displayed for five or ten seconds depending on the length of the ad.

Governor Newsom signed AB 2355 into law on September 17, 2024. The law goes into effect immediately.

Similarly, Governor Newsom signed AB 2655 and AB 2839 into law on September 17, 2024.

AB 2655, known as the Defending Democracy from Deepfake Deception Act of 2024, requires large online platforms (those with at least 1 million California users) either to remove deceptive, digitally modified election content that has been reported to the platform, or to label that content during the periods before and after an election.

AB 2839 prohibits the knowing distribution of advertisements or other election communications that contain materially deceptive content within 120 days before an election in California and, in some cases, 60 days after the election.

Vetoed AI Bills
1. SB 1047: Safe and Secure Innovation for Frontier Artificial Intelligence Models Act

Who Does This Apply to?

This bill is directed at the largest AI models: those trained using more than 10^26 floating-point operations at a cost exceeding $100,000,000. Other than requirements in state data privacy laws and the Colorado AI Act, there are no enacted AI laws of this scale in the U.S.

What Changes?

For these covered models, the bill imposes various requirements, including a written safety and security protocol, submission of that protocol to the Attorney General, and the ability to promptly enact a full shutdown.

Under this bill, the Attorney General may bring a civil action for a violation that causes death or harm to people or property, or that constitutes an imminent risk to public safety. Notably, the penalty is calculated from computing power: for a first violation, the penalty may be no more than 10% of the cost of the quantity of computing power used to train the covered model, and subsequent violations may not exceed 30% of that value.

Governor Newsom vetoed SB 1047 on September 29, 2024. In his veto message, Governor Newsom noted that “California is home to 32 of the world’s 50 leading AI companies.” He observed that the bill applies only to these extensive, large-scale models, while “[s]maller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 – at the potential expense of curtailing the very innovation that fuels advancement in favor of the public good.”