0
Robotic hand and human hand pointing toward each other with the letters "AI" in between them.

Comparing EU and US AI legislation: déjà vu to 2020

AI & Algorithms, Biometrics, Employment Law, United States , , , ,
This article was initially published in Reuters and Thomson Reuters Westlaw Today.   Lily Li of Metaverse Law discusses the landscape for AI legislation, with the passage of the European Union’s AI Act while states pass AI bills with differing thresholds, coverage and subject matter.   The landscape for EU and US AI legislation feels like a rinse and repeat of data privacy legislation in 2020. Back then, the General Data Protection Regulation (GDPR) was in full force and effect, while California and other states were developing privacy laws at breakneck speed. Many companies were caught unaware by GDPR, only to face a new onslaught of US state-by-state privacy laws.   Now, companies face the same problem. The EU has just passed a comprehensive AI law, the EU AI Act, which imposes significant compliance obligations and antitrust-style mega fines.   In the United States, state legislatures are passing AI bills at a breakneck speed, with differing thresholds, coverage and subject matter. Do global companies bite the bullet and comply with the EU AI Act globally, or should there be a more nuanced jurisdiction-by-jurisdiction approach?   Comprehensive and imposing   The EU AI act is a comprehensive law that has been in development for years by EU regulators. One of its unique features, not seen in US legislation, is a complete ban on certain “prohibited AI practices” (Article 5, https://bit.ly/4gQHfe8). Some of these prohibited practices include assessing whether an individual is likely to commit a crime and real-time biometric identification by law enforcement (think Minority Report), as well as social scoring of individuals.   In addition to setting forth prohibited practices, the EU AI Act designates a list of high-risk AI practices. This includes, but is not limited to, use of AI in employment decisions, credit scores, insurance and access to services. For these high-risk AI practices, AI providers need to implement a full risk management program that considers the following factors:  
  • Data governance
  • Technical documentation
  • Recordkeeping
  • Human oversight
  • Accuracy, robustness, and cybersecurity management
  • Quality management
  Like the GDPR, the EU AI Act imposes significant fines. This can be up to $35,000,000 or 7% of total worldwide revenue, whichever is higher, for engaging in prohibited AI practices (Article 99, https://bit.ly/3XRewgl), and up to $15,000,000 Euros or 3% of the total worldwide annual turnover, whichever is higher for other violations (Article 99, https://bit.ly/3XRewgl). The law requires each EU country to designate at least one independent and impartial body to monitor and enforce the EU AI Act’s requirements.   In contrast, the US is following a patchwork approach. Instead of comprehensive federal legislation, we are seeing a state by state and agency approach. To date, these laws generally fall into four main categories: (i) consumer protection; (ii) employment rights; (iii) image and likeness rights; and (iv) transparency/ risk assessment requirements for high-risk AI processing.   Consumer protection   For state consumer protection laws governing AI, Utah is one of the first movers. In May of 2024, it added requirements governing AI to its consumer protection statutes. Utah’s AI Policy Act requires businesses in Utah to disclose the use of generative AI tools, and also makes businesses liable for any consumer protection violations by these generative AI tools.   At the federal level, the FTC has used its consumer protection authority under Section 5 of the FTC Act, in order to regulate against unfair and deceptive practices in commerce concerning AI. In 2022, Weight Watchers agreed to pay a $1.5 million civil penalty in a settlement with the FTC, in part over allegations that the company improperly collected children’s data to train its models and algorithms. This settlement included “algorithmic disgorgement” — i.e., Weight Watchers was required to delete any models trained on such data.   More recently, on Sept. 25, 2024, the Federal Trade Commission (FTC) has cracked down on companies that make misleading or fraudulent claims about their use of AI tools. This included taking action against DoNotPay (https://bit.ly/3BtSWXW), a company that claimed to offer an AI service that was “the world’s first robot lawyer.”   DoNotPay agreed to a $193,000 settlement with the FTC, pursuant to a consent order. The consent order (https://bit.ly/4dNyjmN) also requires DoNotPay to refrain from “representing that its Service or any other internet-enabled product or service that it offers operates like a human lawyer or any other type of professional, unless that representation is not misleading and DoNotPay possesses competent and reliable evidence to substantiate the representation.” In addition, DoNotPay is required to notify consumers of the order and to submit compliance reports to the FTC.   AI in employment decisionmaking   At the employment level, Illinois recently enacted a law that prohibits the use of AI systems from discriminating against employees or job applicants based on any protected classes.   In addition, this amendment explicitly bans the use of race or zip code when used as a proxy for race in AI systems making employment decisions. Illinois’ requirements join New York City Local Law 144 (https://on.nyc.gov/3zHlSva) in regulating automated employment decision-making tools. While Local Law 144 does not include an explicit ban on the use of race or zip code in AI systems, it has very stringent notice and audit rights.   Where employers use AI systems “to substantially assist or replace discretionary decision making,” Local Law 144 requires publicly available third-party bias audits of automated employment decision-making tools.   Image and likeness rights   Generative AI is also regulated by state laws and cases governing image and likeness rights. Following the actors and writers strike in Hollywood, and high-profile litigation by Sarah Silverman and others, California has acted. In the last week, Governor Gavin Newsom signed two AI bills designed to protect entertainers.   AB 2602 requires contracts with actors and other performers to specify whether generative AI will be used to create a replica of the performer’s voice or likeness. AB 2836 bans the use of digital replicas for deceased performers, without the consent of the performer’s estate.   Transparency and risk assessment   The majority of US state comprehensive data privacy laws require transparency concerning the use of AI to process personal data and make decisions that impact important rights, such as employment, housing, and access to services. In addition, these laws generally give consumers the right to opt out of such processing.   Colorado’s AI Act, slated to go in effect in 2026, goes even further. It imposes risk assessment and bias assessment requirements for any “high-risk artificial intelligence system” that makes or is a substantial factor in making a consequential decision.   For purposes of the law, “consequential decision” means a decision that has a material or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of:  
  • Education
  • Employment
  • Financial or lending services
  • Essential government services
  • Health-care services
  • Housing
  • Insurance
  • Legal service
  The Colorado AI Act has even more substantial transparency and notification obligations. As just one example, developers and deployers of “high-risk” AI systems are required to publicly post on their websites a description of the high-risk systems, as well as describe how the AI system manages the risks of bias. This includes further reporting to the Attorney General of “any known or reasonably foreseeable risks of AI discrimination arising from the intended use of the system.” Section §6-1-1702(5).   Where to go from here?   The trend lines are clear, and AI legislation is here to stay. While the US has not enacted federal AI legislation of the same scope as the EU AI Act, we already see significant risk assessment and transparency requirements. As a result, AI companies need to go global with their AI risk management strategies and not get left behind.   Lily Li is the founder and president of Metaverse Law. She advises global clients on their AI risk assessments and data protection impacts assessments, and supports her clients’ overall governance, risk, and compliance (GRC) programs. In addition, she holds the GIAC Certified Forensic Analyst (GCFA) certification for advanced incident response and digital forensics and certifications in information privacy such as the FIP, CIPP/US/E/M. She is based in Newport Beach, California, and can be reached at info@metaverselaw.com.
0
Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."

California: The AI Transparency Act – what you need to know

AI & Algorithms, California, United States ,
The original article can also be found on the OneTrust DataGuidance website by clicking on this link.  

On September 19, 2024, the California AI Transparency Act (the Act) was signed into law by the California Governor. The Act follows in the steps of other US states that have developed laws requiring transparency in the use of artificial intelligence (AI). The Act, however, is unique in that it has specific watermarking requirements. In this Insight article, OneTrust DataGuidance breaks down the key provisions of the Act and who it applies to, with comments provided by Jacob Canter, Counsel at Crowell & Moring LLP, and Lily Li, Founder of Metaverse Law Corporation.

Definitions

The Act provides definitions for key terms such as ‘personal information,’ ‘personal provenance data,’ and ‘metadata.’ Among the notable, ‘artificial intelligence’ is defined as ‘an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.’

Under the Act, ‘generative artificial intelligence system’ is defined as ‘an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system’s training data.’

Scope

The Act applies to covered providers, who must comply with the Act from January 1, 2026, when it becomes operative.

The Act defines ‘covered provider’ as ‘a person that creates, codes, or otherwise produces a generative artificial intelligence system that has over 1,000,000 monthly visitors or users and is publicly accessible within the geographic boundaries of the state.’

Regarding the 1 million monthly visitors or users, Jacob notes “This is a bit ambiguous because it does not explain how to calculate ‘over 1,000,000 visitors or users.’ Is this based on an average number of visitors or users from the prior year? Does your obligation to comply change every month depending on how many users you had in the prior month? Until that ambiguity is clarified, the safer approach may be to prepare for compliance even if your company does not consistently have over 1 million visitors.”

Lily adds that “according to Governor Newsom, California is ‘home to 32 of the world’s 50 leading AI companies,’ many of which will be required to comply with this Act due to the nature of their AI systems and number of monthly users.”

Jacob furthers that “Most of the generative AI laws in the U.S. have been subject-matter specific. Some states have either enacted or passed laws related to transparency and fairness in elections (for example, PA, MA, NC, WA, and CA). Many states have passed laws that seek to limit the dissemination of deepfakes (for example, TX, FL, IL, NY, and CA). And Colorado and New York City have passed laws that seek to limit discriminatory uses of generative AI (for example, CO and NY). In contrast, the AI Transparency Act is general. It covers all generative AI content that a covered company’s product generates. On these terms, the Act is actually quite broad.”

Obligations

Regarding the implications of the Act on businesses, Jacob explains that “California’s AI Transparency Act will have a direct impact on businesses that develop generative AI systems and have over 1 million monthly visitors or users. These businesses must comply with the law’s requirements: to create an ‘AI detection tool,’ to embed ‘latent-disclosure’ data into their AI-generated content, and to make ‘manifest disclosures’ available for the content as well.”

The Act requires covered providers to provide an AI detection tool to users at no extra cost, that:

  • allows users to assess whether an image, video, or audio content has been created or changed by the covered provider’s generative AI tool;
  • outputs any system provenance data detected in the content;
  • does not output any personal provenance data detected in the content;
  • subject to certain exceptions, is publicly accessible;
  • allows users to upload content or provide a URL for online content; and
  • supports an application programming interface that allows users to use the tool without visiting the covered provider’s website.

Under the Act, covered providers should also collect user feedback on the AI detection tool and incorporate this feedback to improve the tool’s efficacy.

In addition, covered providers should not:

  • collect or retain personal information from users of the AI detection tool, except where exceptions apply;
  • retain content provided to the AI detection tool for longer than necessary to comply with the Act; and/or
  • retain personal provenance data from content submitted to the AI detection tool.

Lily adds that “While other AI laws in the US are focused on risk assessment, notice, and disclosure obligations, this is the first major AI law that imposes product requirements on AI developers. Now, AI developers need to code in a digital watermark on generative AI content and provide the tools to detect this watermark. This is different from written disclosures on a browser or app, which can easily get lost or obscured when generative AI content is copied or embedded downstream.”

Covered providers should offer users to option to include a manifest disclosure in image, video, or audio content that has been created or altered by the covered provider’s generative AI system that:

  • identifies the content as being generated by AI;
  • is clear, conspicuous, and appropriate for the content, as well as understandable to a reasonable person; and
  • is permanent or difficult to remove.

Covered providers should also include a latent disclosure in AI-generated image, video, or audio content generated by AI system that:

  • communicates the name of the covered provider, the name and version number of the generative AI system used, the time and date the content was created or altered, and a unique identifier – to the extent technically feasible and reasonable, the disclosure should be direct or through a link to a permanent internet website;
  • is detectable by the covered provider’s AI detection tool;
  • is consistent with industry standards; and
  • is permanent or extraordinarily difficult to remove.

Lily explains that “Additionally, the Act includes a requirement that these covered providers enter contracts with their licensees that contain specific provisions. (22757.3(c).) This means that businesses that incorporate AI or are considering implementing AI systems from covered providers may want to ensure the appropriate contracts are in place.”

If covered providers license their generative AI systems to third parties, they must ensure that licensees maintain these disclosure requirements. If covered providers know that a third-party licensee is no longer capable of including such disclosures, they will be required to revoke their license within 96 hours of discovering this fact. Following the revocation of the license, the third party must cease using a licensed generative AI system.

Enforcement

The Act will be enforced by the Attorney General, a city attorney, or a county counsel and provides that violations of the Act are liable for civil penalties.

Lily notes that “Under this Act, fines can add up quickly: A covered provider found in violation of this Act will be liable for $5,000 per violation – and each day the provider is in violation of the Act counts as a new violation. (22757.4(a-b).) For those who contract with covered providers, a violation may result in an injunction along with reasonable attorney’s fees and costs (22757.4(c).).”

Next steps

Jacob states that “Indirectly, the Act may create opportunities. Technical know-how is required to develop the AI detection tools, and both the latent and manifest disclosures. As often happens, companies can use this change in policy as an opportunity to build a product that facilitates compliance.”

Lily adds that “This Act goes into effect on January 1, 2026, but covered providers should act now given the significant technology requirements of the Act. Covered providers need to:

  • make an AI detection tool;
  • include both an optional and a latent disclosure in all AI generated content; and
  • enter contracts with licensees to ensure such latent disclosures.”

Victoria Prescott

Team Lead – Editorial vprescott@onetrust.com With comments provided by:

Jacob Canter

Counsel jcanter@crowell.com Crowell & Moring LLP, San Francisco

Lily Li

Founder lily@metaverselaw.com Metaverse Law Corporation, Newport Beach
0
Image containing the United States flag, Illinois state flag, and city of Chicago flag.

The Illinois Human Rights Act Addresses the Use of AI In Employment Decisions

AI & Algorithms, Employment Law, State Privacy Laws, United States , , , ,
Artificial intelligence (AI) is becoming an integral part of business operations, including hiring and managing employees. As these systems become more involved in our daily lives, legislators are taking note.   On August 9, 2024, Illinois Governor J.B. Pritzker signed Bill 3773 into law, regulating the use of AI in employment decisions. This law joins New York City Local Law 144 and the Colorado Artificial Intelligence Act in addressing the use of AI in employment contexts.   This law goes into effect on January 1, 2026.   Key Takeaways of Bill 3773     Who is protected? The Illinois Human Rights Act prohibits discrimination for protected classes in Illinois, including discrimination based on “race, color, religion, sex, national origin, ancestry, age, order of protection status, marital status, mental or physical disability, military status, sexual orientation, pregnancy or unfavorable discharge from military service.”   Bill 3773 amends the Act by expanding its scope to include employment discrimination resulting from the use of AI.   What are the requirements? Building on the rights of the Illinois Human Rights Act, this amendment provides that employers may not use AI systems that have a discriminating effect on employees or job applicants based on any protected characteristics under the Act. Additionally, this amendment explicitly bans the use of race or zip code when used as a proxy for race in AI systems making employment decisions.   The amendment also contains a notice requirement: The employer must provide notice to the employee or applicant that the employer is using AI in their decisionmaking. This notice must be included if AI is used in the “employment-related activities” defined below, and the Illinois Department of Human Rights is tasked with providing rules on the means and time periods for providing notices.   What employers and systems does this impact? The law applies to an employer that:
  1. Employs one or more employees within Illinois for 20 or more weeks per year;
  2. Uses artificial intelligence systems such as generative AI models or any machine-based systems that use an input to infer how to generate outputs; and,
  3. Uses those artificial intelligence systems in employment-related activities – including recruitment, selection, hiring, promotion, and more – for employees, interns, and applicants.
  If an employer satisfies these thresholds of applicability, then the law most likely applies and the employer should review whether they are complying with the law’s requirements.   Similar Laws Regulating AI in Employment   Illinois follows Colorado and New York City with legislation that restricts the use of AI in employment decisions.   Colorado Artificial Intelligence Act In May 2024, Colorado enacted the Colorado Artificial Intelligence Act, which includes parameters around “high-risk” systems. These systems include those which make “consequential decisions,” including decisions related to employment or employment opportunities. If a company is using a high-risk system, they must also adhere to specific notice, risk management, and impact assessment requirements. Additionally, they must also provide additional disclosures if the high-risk system makes an adverse decision. This includes adverse employment decisions.   New York City Local Law 144 The Illinois legislation also joins New York City Local Law 144. Signed in 2021, this law was the first legislation enacted by any state or local government that regulated the use of AI tools for employment decisions.   New York City Law 144 applies to employers and employment agencies in New York City that use “automated employment decision tools” to screen candidates or employees for employment decisions.   It requires a mandatory independent bias audit conducted within one year of using the AI tools, a summary of which must be disclosed on the employer’s website. Additionally, the employer must notify the candidate or employee that the AI system is used in connection with the decision, and shall allow a candidate to require either an accommodation or alternative selection process. The notice must disclose the job qualifications and the characteristics that the AI tool is using, and all notices must be given no less than 10 days before use.
0
Flyer for the Risk Digital UK/EU global livestream featuring an image of Lily Li, Founder/President of Metaverse Law Corporation.

Metaverse Law Presents at #RISK DIGITAL UK/EU

AI & Algorithms, United States , , , , , , , , ,

Metaverse Law’s Lily Li recently spoke at the #Risk Digital UK/EU global livestream last week
for two sessions: “A New Era of AI Governance” and “The Role of
Technology in Modern Governance, Risk and Compliance.”

Lily’s presentations included an overview about artificial
intelligence risks and discussed the latest developments in European
Union and United States AI legislation and regulations. Major
developments in the US include:
— NY and Illinois AI bias legislation in employment
— Colorado comprehensive AI legislation
— California AI bills that have recently passed the legislature.

Lily also touched on how the results of the U.S. presidential election
could impact the AI landscape, either through changes in FTC priority
and state legislation, and the need for AI risk management and
governance programs.

The law in this area is developing very quickly and will affect
businesses in almost every industry. Keeping up with these changes is
critical as businesses deploy and integrate AI into everyday operations.

You can learn more about #Risk Digital and watch on-demand content by clicking on the link: https://www.grcworldforums.com/risk/risk-digital

#Risk Digital is one of a number of conferences organized by GRC World
Forums, a producer of in-person and livestream educational events for
governance, risk and compliance professionals.

0
Photo of American flag and California flag on a flagpole with a palm tree in the background.

California Wraps Its 2024 Legislative Session with Data Privacy & AI Bills

AI & Algorithms, California, CCPA, State Privacy Laws, United States , , , , ,
California’s legislative session closed on August 31, 2024 with a series of data privacy and AI bills. Over the course of September, Governor Newsom signed 17 bills covering AI technologies. This wave of legislation comes a year after Governor Newsom signed an Executive Order to help ensure California is ready for next wave of AI technologies.   Below is an overview of new and noteworthy AI and data privacy bills, beginning with six amendments to the California Consumer Privacy Act (CCPA) followed by a range of signed and vetoed AI-related bills.   Passed CCPA Amendments  
  1. SB 1223and AB 1008: Neural Data, Personal Information and AI Systems
What Does the CCPA Require? Currently, the CCPA requires a business collects that collection personal information about a consumer to limit its use of the consumer’s sensitive personal information. “Sensitive personal information” includes biometric information for the purposes of identifying a consumer, but not neural data. Additionally, the CCPA does not specify if personal information can exist in various formats.   What Changes? Under SB 1223, the CCPA’s definition of “sensitive personal information” would be expanded. It would include consumer’s neural data, or “information that is generated by measuring the activity of the consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”   Under AB 1008, the CCPA would also specify that “personal information can exist in various formats,” including physical, digital or abstract information, which may be in the form of encrypted files, metadata, or AI systems capable of outputting personal information.   Governor Newsom signed SB 1223 and AB 1008 into law on September 28, 2024. Both laws will become applicable on January 1, 2025.  
  1. AB 1824: Opt-Out Right, Mergers
What Does the CCPA Require? The CCPA states that consumers shall have the right to opt out of a business selling or sharing their personal information. However, the Act does not specify the requirements for honoring those requests upon a merger or acquisition.   What Changes? Under this bill, if a business transfers personal information to another business as part of a merger, acquisition, bankruptcy or other transaction, they must comply with the original opt-out requests of the transferring business.   Governor Newsom signed AB 1824 into law on September 29, 2024. This law takes effect on January 1, 2025.  
  1. AB 3286: Monetary Thresholds, Grants
What Does the CCPA Require? The CCPA grants the Attorney General rights to adjusting monetary thresholds to reflect an increase in the Consumer Price Index.   What Changes? This bill removes the responsibility of adjusting monetary thresholds from the Attorney General and places it on the California Privacy Protection Agency, among other minor changes.   Governor Newsom signed AB 3286 on July 15, 2024, and the law goes into effect on January 1, 2025.     Vetoed CCPA Amendments  
  1. AB 1949: Collection of Personal Information of a Consumer Less than 18 Years of Age
What Does the CCPA Require? The CCPA provides a consumer with specific rights regarding their personal information. Currently, the CCPA prohibits a business from selling or sharing personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years old, unless they or their parent or guardian have properly consented.   What Changes? This bill would raise that age from 16 to 18 years old, meaning that a business shall not sell or share the personal information of one who is between 13 and 18 years old unless the consumer or their parent or guardian consents. A business shall not share or sell information of a child younger than 13 years old unless their parent or guardian consent.   Additionally, this bill would require a business to treat a consumer as younger than 18 years old if the consumer transmits a signal indicating they are younger than 18. The bill retains the CCPA’s “actual knowledge or willful disregard” standard for violations.   Finally, the bill requires California’s Attorney General to adopt regulations that include technical specifications for an opt-out preference signal that allows the consumer to specify if they are less than 13 years old, or between 13 and 18 years old.   Governor Newsom vetoed AB 1949 on September 28, 2024.  
  1. AB 3048: Opt-Out Preference Signals
What Does the CCPA Require? The CCPA states that consumers shall have the right to opt out of a business selling or sharing their personal information. To send opt-out preference signals now, users have to download plugins for major browsers which may vary by browser type.   Currently, the only opt-out preference signal recognized by the CCPA per Attorney General Rob Bonta’s FAQ page and supporting resources by the California Privacy Protection Agency (CPPA)  is the Global Privacy Control (GPC). However under the CCPA, the GPC is intended only to communicate with Do Not Sell requests for a global privacy control. Still, this is an enforced area of privacy law: In 2022, a Final Judgment and Permanent Injunction against Sephora ordered the company to pay $1.2 million to resolve claims that Sephora did not process opt-out requests set through privacy controls.    What Changes? This bill is targeted at businesses who develop or maintain browsers, mandating that they must include settings that enable consumers to send an opt-out preference signal to businesses they interact with on the browser. After rulemaking and agency adoptions, the bill would also prohibit a business from developing or maintaining a mobile operating system that does not include opt-out preference signal settings. These provisions would go into effect beginning January 1, 2026.   Governor Newsom vetoed AB 3048 on September 20, 2024.   Passed AI Bills  
  1. SB 2013: Generative Artificial Intelligence, Training Data Transparency
Who Does This Apply to? This bill applies to “generative artificial intelligence” systems or services, which is defined as AI that can “generate derived synthetic content…that emulates the structure and characteristics of the [AI’s] training data.” There is no consumer use or monetary threshold, such that this definition seems to be far-reaching.   What Changes? This bill requires that the developers of all covered generative AI systems available to Californians must post information on their website. This information must include the data used to train the AI system or service, and a high-level summary of the datasets used in the system.   Bill SB 2013 was signed by Governor Newsom on September 28, 2024. This law will go into effect on January 1, 2026.  
  1. AB 2885: Artificial Intelligence, Definition
Who Does This Apply to? According to the preamble of the bill, the definition applies to actions taken by the Department of Technology, local agencies, the California Online Community College, and social media companies, under requirements of existing laws.   What Changes? The term “artificial intelligence” for these purposes would be altered to include an “engineered or machine-based system that varies in its level of autonomy” and can generate output based on inferences made from its input.   Bill AB 2885 was signed by Governor Newsom on September 28, 2024. Provisions of this law will go into effect on January 1, 2025.  
  1. SB 942: California AI Transparency Act
Who Does This Apply to? This bill applies to “covered providers,” which includes persons that create, code or otherwise produce generative AI systems with over 1 million monthly visitors and are within California state.   What Changes? Under this bill, covered providers would be required to make publicly accessible AI detection tools. They would also be required to provide the user an option to include a disclosure, as well as provide a latent disclosure in content created or altered by the generative AI system.   Governor Newsom signed SB 942 into law on September 19, 2024, along with other bills addressing concerns around AI:  
  • SB 926prohibits creating and distributing sexually explicit realistic images of a person when those images are intended to cause serious emotional distress of the person. This bill is targeted at AI-generated sexually explicit content. Similarly, AB 1831 expands the existing child pornography statutes to include content created or altered by generative AI.
 
  • SB 981requires social media platforms to provide Californians with a mechanism to report digital identity theft on platform. Following the aim of Bill 926, this would include reporting AI images of a certain person whose identity has been stolen appearing to be engaged in certain sexual acts.
 
  1. AB 3030: Health Care Services, Artificial Intelligence
Who Does This Apply to? This bill applies to health facilities, clinics, physician’s offices, or other health group practices that use generative AI for communications about patient clinical information. “Patient clinical information” is defined as information relating to the health status of a patient, and specifically excludes administrative matters, such as appointment scheduling, billing, or “other clerical or business matters.”   What Changes? Under this bill, generative AI which pertains to clinical information must include: 1) a disclaimer that indicates the communication was generated by AI at the beginning of the interaction, and 2) clear instructions on how that patient can contact the appropriate person.   Governor Newsom signed AB 3030 into law on September 28, 2024. The law goes into effect immediately.   Similarly, SB 1120 was passed on September 28, 2024 and provides specific restrictions for health care service places or disability insurers who use AI in their decisionmaking. Under this law, health service plans must have specific policies and procedures in place, and must be overseen by a medical director with an unrestricted license to practice medicine in the state of California.  
  1. AB 1836: Use of Likeness, Digital Replica
Who Does This Apply to? This bill is intended to protect intellectual property, and applies to those creating digital replicas of another’s likeness. A “digital replica” means a “computer-generated, highly realistic electronic representation” that one can readily identify as a likeness of the person being replicated.   What Changes? This bill makes a person who makes or distributes a digital replica of a deceased personality’s voice or likeness, without that person’s consent, liable for the greater of $10,000 or the amount actually suffered.   Governor Newsom signed AB 1836 into law on September 17, 2024. The law goes into effect immediately.   Similarly, Governor Newsom also signed AB 2602 into law on the same date. This law prohibits personal or professional service contracts that contain provisions for the use of a digital replica or likeness for a general purpose, unless the individual is represented by legal counsel. Instead, the contract must contain a reasonably specific description of the intended uses of the digital replica.  
  1. SB 2355: Political Advertisements, Artificial Intelligence
Who Does This Apply to? This bill applies to committees who create, publish or otherwise distribute political advertisements. These advertisements include all political ads that contain any image, audio, or video that is “generated or substantially altered” using AI.   What Changes? Under this bill, there are specific requirements for each format of ad. For example, a video advertisement shall include disclosures at the beginning or end of the advertisement and must be displayed for five or ten seconds, depending on the length of the ad.   Governor Newsom signed AB 2355 into law on September 17, 2024. The law goes into effect immediately.   Similarly, Governor Newsom also signed AB 2655 and AB 2839 into law on September 17, 2024.   AB 2655, known as the Defending Democracy from Deepfake Deception Act of 2024, requires large online platforms (those with at least 1 million California users) to: 1) remove deceptive and digitally modified election content from their platforms, or 2) to label that content before and after the election if the content has been reported to the platform.   AB 2839 prohibits the knowing distribution of advertisements or other election communication that contains materially deceptive content within 120 days of an election in California, and in some cases, 60 days after an election.   Vetoed AI Bills
  1. SB 1047: Safe and Secure Innovation for Frontier Artificial Intelligence Models Act
Who Does This Apply to? This bill is directed toward high-complexity AI models, such as those whose floating operations exceed $100,000,000. Other than requirements in state data privacy laws and the Colorado AI Act, there are no AI laws of this scale enacted in the U.S.   What Changes? For these covered models, the bill has various requirements, including a written safety and security protocol, submission of that protocol to the Attorney General, and implementing the ability to promptly enact a shutdown.   Under this bill, the Attorney General may bring a civil action for a violation that causes death or harm to people or property, or that constitutes an imminent risk to public safety. Notably, this penalty is calculated by computing power. For the first violation, the penalty will be no more than 10% of the cost of the quantity of computing power used to train the covered model, and subsequent violations may not exceed 30% of that value.   Governor Newsom vetoed SB 1047 on September 29, 2024. In his decision, Governor Newsom considered that “California is home to 32 or the world’s 50 leading AI companies.” He noted that the bill applies only to these extensive and large-scale models, while “[s]maller, specialized models may emerge as equally or even more dangerous than the models targeted by SB- 1047 – at the potential expense of curtailing the very innovation that fuels advancement in the favor of public good” by these large-scale models.
1 2 3 4 5 8