Category Archives: State Privacy Laws

California’s legislative session closed on August 31, 2024 with a series of data privacy and AI bills. Over the course of September, Governor Newsom signed 17 bills covering AI technologies. This wave of legislation comes a year after Governor Newsom signed an Executive Order to help ensure California is ready for next wave of AI technologies.   Below is an overview of new and noteworthy AI and data privacy bills, beginning with six amendments to the California Consumer Privacy Act (CCPA) followed by a range of signed and vetoed AI-related bills.   Passed CCPA Amendments  

1. SB 1223and AB 1008: Neural Data, Personal Information and AI Systems

What Does the CCPA Require? Currently, the CCPA requires a business collects that collection personal information about a consumer to limit its use of the consumer’s sensitive personal information. “Sensitive personal information” includes biometric information for the purposes of identifying a consumer, but not neural data. Additionally, the CCPA does not specify if personal information can exist in various formats.   What Changes? Under SB 1223, the CCPA’s definition of “sensitive personal information” would be expanded. It would include consumer’s neural data, or “information that is generated by measuring the activity of the consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”   Under AB 1008, the CCPA would also specify that “personal information can exist in various formats,” including physical, digital or abstract information, which may be in the form of encrypted files, metadata, or AI systems capable of outputting personal information.   Governor Newsom signed SB 1223 and AB 1008 into law on September 28, 2024. Both laws will become applicable on January 1, 2025.  

2. AB 1824: Opt-Out Right, Mergers

What Does the CCPA Require? The CCPA states that consumers shall have the right to opt out of a business selling or sharing their personal information. However, the Act does not specify the requirements for honoring those requests upon a merger or acquisition.   What Changes? Under this bill, if a business transfers personal information to another business as part of a merger, acquisition, bankruptcy or other transaction, they must comply with the original opt-out requests of the transferring business.   Governor Newsom signed AB 1824 into law on September 29, 2024. This law takes effect on January 1, 2025.  

3. AB 3286: Monetary Thresholds, Grants

What Does the CCPA Require? The CCPA grants the Attorney General rights to adjusting monetary thresholds to reflect an increase in the Consumer Price Index.   What Changes? This bill removes the responsibility of adjusting monetary thresholds from the Attorney General and places it on the California Privacy Protection Agency, among other minor changes.   Governor Newsom signed AB 3286 on July 15, 2024, and the law goes into effect on January 1, 2025.     Vetoed CCPA Amendments  

1. AB 1949: Collection of Personal Information of a Consumer Less than 18 Years of Age

What Does the CCPA Require? The CCPA provides a consumer with specific rights regarding their personal information. Currently, the CCPA prohibits a business from selling or sharing personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years old, unless they or their parent or guardian have properly consented.   What Changes? This bill would raise that age from 16 to 18 years old, meaning that a business shall not sell or share the personal information of one who is between 13 and 18 years old unless the consumer or their parent or guardian consents. A business shall not share or sell information of a child younger than 13 years old unless their parent or guardian consent.   Additionally, this bill would require a business to treat a consumer as younger than 18 years old if the consumer transmits a signal indicating they are younger than 18. The bill retains the CCPA’s “actual knowledge or willful disregard” standard for violations.   Finally, the bill requires California’s Attorney General to adopt regulations that include technical specifications for an opt-out preference signal that allows the consumer to specify if they are less than 13 years old, or between 13 and 18 years old.   Governor Newsom vetoed AB 1949 on September 28, 2024.  

2. AB 3048: Opt-Out Preference Signals

What Does the CCPA Require? The CCPA states that consumers shall have the right to opt out of a business selling or sharing their personal information. To send opt-out preference signals now, users have to download plugins for major browsers which may vary by browser type.   Currently, the only opt-out preference signal recognized by the CCPA per Attorney General Rob Bonta’s FAQ page and supporting resources by the California Privacy Protection Agency (CPPA)  is the Global Privacy Control (GPC). However under the CCPA, the GPC is intended only to communicate with Do Not Sell requests for a global privacy control. Still, this is an enforced area of privacy law: In 2022, a Final Judgment and Permanent Injunction against Sephora ordered the company to pay $1.2 million to resolve claims that Sephora did not process opt-out requests set through privacy controls.    What Changes? This bill is targeted at businesses who develop or maintain browsers, mandating that they must include settings that enable consumers to send an opt-out preference signal to businesses they interact with on the browser. After rulemaking and agency adoptions, the bill would also prohibit a business from developing or maintaining a mobile operating system that does not include opt-out preference signal settings. These provisions would go into effect beginning January 1, 2026.   Governor Newsom vetoed AB 3048 on September 20, 2024.   Passed AI Bills  

1. SB 2013: Generative Artificial Intelligence, Training Data Transparency

Who Does This Apply to? This bill applies to “generative artificial intelligence” systems or services, which is defined as AI that can “generate derived synthetic content…that emulates the structure and characteristics of the [AI’s] training data.” There is no consumer use or monetary threshold, such that this definition seems to be far-reaching.   What Changes? This bill requires that the developers of all covered generative AI systems available to Californians must post information on their website. This information must include the data used to train the AI system or service, and a high-level summary of the datasets used in the system.   Bill SB 2013 was signed by Governor Newsom on September 28, 2024. This law will go into effect on January 1, 2026.  

2. AB 2885: Artificial Intelligence, Definition

Who Does This Apply to? According to the preamble of the bill, the definition applies to actions taken by the Department of Technology, local agencies, the California Online Community College, and social media companies, under requirements of existing laws.   What Changes? The term “artificial intelligence” for these purposes would be altered to include an “engineered or machine-based system that varies in its level of autonomy” and can generate output based on inferences made from its input.   Bill AB 2885 was signed by Governor Newsom on September 28, 2024. Provisions of this law will go into effect on January 1, 2025.  

3. SB 942: California AI Transparency Act

Who Does This Apply to? This bill applies to “covered providers,” which includes persons that create, code or otherwise produce generative AI systems with over 1 million monthly visitors and are within California state.   What Changes? Under this bill, covered providers would be required to make publicly accessible AI detection tools. They would also be required to provide the user an option to include a disclosure, as well as provide a latent disclosure in content created or altered by the generative AI system.   Governor Newsom signed SB 942 into law on September 19, 2024, along with other bills addressing concerns around AI:  

• SB 926prohibits creating and distributing sexually explicit realistic images of a person when those images are intended to cause serious emotional distress of the person. This bill is targeted at AI-generated sexually explicit content. Similarly, AB 1831 expands the existing child pornography statutes to include content created or altered by generative AI.

 

• SB 981requires social media platforms to provide Californians with a mechanism to report digital identity theft on platform. Following the aim of Bill 926, this would include reporting AI images of a certain person whose identity has been stolen appearing to be engaged in certain sexual acts.

 

4. AB 3030: Health Care Services, Artificial Intelligence

Who Does This Apply to? This bill applies to health facilities, clinics, physician’s offices, or other health group practices that use generative AI for communications about patient clinical information. “Patient clinical information” is defined as information relating to the health status of a patient, and specifically excludes administrative matters, such as appointment scheduling, billing, or “other clerical or business matters.”   What Changes? Under this bill, generative AI which pertains to clinical information must include: 1) a disclaimer that indicates the communication was generated by AI at the beginning of the interaction, and 2) clear instructions on how that patient can contact the appropriate person.   Governor Newsom signed AB 3030 into law on September 28, 2024. The law goes into effect immediately.   Similarly, SB 1120 was passed on September 28, 2024 and provides specific restrictions for health care service places or disability insurers who use AI in their decisionmaking. Under this law, health service plans must have specific policies and procedures in place, and must be overseen by a medical director with an unrestricted license to practice medicine in the state of California.  

5. AB 1836: Use of Likeness, Digital Replica

Who Does This Apply to? This bill is intended to protect intellectual property, and applies to those creating digital replicas of another’s likeness. A “digital replica” means a “computer-generated, highly realistic electronic representation” that one can readily identify as a likeness of the person being replicated.   What Changes? This bill makes a person who makes or distributes a digital replica of a deceased personality’s voice or likeness, without that person’s consent, liable for the greater of $10,000 or the amount actually suffered.   Governor Newsom signed AB 1836 into law on September 17, 2024. The law goes into effect immediately.   Similarly, Governor Newsom also signed AB 2602 into law on the same date. This law prohibits personal or professional service contracts that contain provisions for the use of a digital replica or likeness for a general purpose, unless the individual is represented by legal counsel. Instead, the contract must contain a reasonably specific description of the intended uses of the digital replica.  

6. SB 2355: Political Advertisements, Artificial Intelligence

Who Does This Apply to? This bill applies to committees who create, publish or otherwise distribute political advertisements. These advertisements include all political ads that contain any image, audio, or video that is “generated or substantially altered” using AI.   What Changes? Under this bill, there are specific requirements for each format of ad. For example, a video advertisement shall include disclosures at the beginning or end of the advertisement and must be displayed for five or ten seconds, depending on the length of the ad.   Governor Newsom signed AB 2355 into law on September 17, 2024. The law goes into effect immediately.   Similarly, Governor Newsom also signed AB 2655 and AB 2839 into law on September 17, 2024.   AB 2655, known as the Defending Democracy from Deepfake Deception Act of 2024, requires large online platforms (those with at least 1 million California users) to: 1) remove deceptive and digitally modified election content from their platforms, or 2) to label that content before and after the election if the content has been reported to the platform.   AB 2839 prohibits the knowing distribution of advertisements or other election communication that contains materially deceptive content within 120 days of an election in California, and in some cases, 60 days after an election.   Vetoed AI Bills

1. SB 1047: Safe and Secure Innovation for Frontier Artificial Intelligence Models Act

Who Does This Apply to? This bill is directed toward high-complexity AI models, such as those whose floating operations exceed $100,000,000. Other than requirements in state data privacy laws and the Colorado AI Act, there are no AI laws of this scale enacted in the U.S.   What Changes? For these covered models, the bill has various requirements, including a written safety and security protocol, submission of that protocol to the Attorney General, and implementing the ability to promptly enact a shutdown.   Under this bill, the Attorney General may bring a civil action for a violation that causes death or harm to people or property, or that constitutes an imminent risk to public safety. Notably, this penalty is calculated by computing power. For the first violation, the penalty will be no more than 10% of the cost of the quantity of computing power used to train the covered model, and subsequent violations may not exceed 30% of that value.   Governor Newsom vetoed SB 1047 on September 29, 2024. In his decision, Governor Newsom considered that “California is home to 32 or the world’s 50 leading AI companies.” He noted that the bill applies only to these extensive and large-scale models, while “[s]maller, specialized models may emerge as equally or even more dangerous than the models targeted by SB- 1047 – at the potential expense of curtailing the very innovation that fuels advancement in the favor of public good” by these large-scale models.