Last month, the California legislative session came to an end when California Governor Gavin Newsom signed more than a dozen of the approximately 38 bills sent to his desk relating to privacy and artificial intelligence (AI). Also notable are other bills that the Governor vetoed, which are often instructive signals for the broader policy and regulatory community and may return in some form during the 2025 session.
The recent flurry of legislation highlights California’s continued efforts to regulate the quickly evolving areas of AI, data privacy and consumer protection across industries. As seen in many regulated spaces, California’s status as the world’s fifth-largest economy and the progressive supermajority in its state legislature means that California’s policy successes and failures are often bellwethers for the rest of the nation (if not the world). In the below summary, we focus on the key developments in the state:
The New Laws
Governor Newsom signed the following privacy-and AI-related bills into law:
- SB 1223 – Neural data. Part of a recent trend among states to regulate neural data, SB 1223 expands the California Consumer Privacy Act’s (CCPA) definition of “sensitive personal information” to include neural data, which refers to brainwave activity and other forms of data collected from the brain in connection with neurological and cognitive technologies. This means the collection and sharing of such data must be specifically disclosed and subject to a right to limit uses. The law takes effect January 1, 2025.
- AB 1008 – CCPA coverage of AI systems. AB 1008 amends the CCPA to attempt to articulate its applicability to personal information that may be processed by AI systems “that are capable of outputting personal information,” referred to as “abstract digital formats.” The implications of this clarification are not clear. The CCPA can already be seen as agnostic as to format, but it is not clear what use cases an AI system—most notably generative AI—might be considered to include personal information in its outputs. The law takes effect January 1, 2025.
- AB 1824 – Data in M&A. AB 1824 amends the CCPA to address consumer opt-outs in mergers and acquisitions and other changes of control. If a business transfers a consumer’s personal information as part of a merger, acquisition, bankruptcy or other change-of-control deal, the acquiring company must honor the original opt-out preferences set by the consumer with the acquired business. The law takes effect January 1, 2025.
- AB 2013 – Generative AI disclosures. AB 2013 requires that developers of generative AI systems provide documentation on their website containing basic disclosures concerning the datasets used to train them before the system is made available to Californians. The law takes effect January 1, 2026, but grandfathers in systems that were released prior to January 1, 2022.
- AB 2655 – Deepfakes and elections. The “Defending Democracy from Deepfake Deception Act of 2024” focuses on preventing the use of AI-generated deepfakes in elections. It requires that “large online platforms” remove or label election-related deepfakes. The law also creates legal pathways for candidates and elected officials to seek relief if platforms fail to take action against misleading AI-generated content. The law takes effect immediately.
- SB 1394 – Connected vehicles. SB 1394 was developed in response to cases of domestic abusers misusing connected vehicle technologies—such as GPS tracking and remote control features—to intimidate, monitor or otherwise control victims. The new law will require a vehicle with connected vehicle service to clearly indicate to a person who is inside the vehicle when a person who is outside the vehicle has accessed the connected vehicle service or connected vehicle location access. Additionally, car manufacturers who receive a request from a survivor to disable abuser access to connected vehicle technologies must do so within two business days. Portions of the law take effect January 1, 2025, with other portions taking effect on January 1, 2026 and January 1, 2028.
In addition, the following laws were also passed by the legislature and chaptered without Governor Newsom’s signature:
- SB 942 – AI transparency. The California AI Transparency Act, AB 942 will require developers of generative AI systems with at least one million monthly users to provide tools that allow consumers to detect whether content such as images, audio or videos are AI-generated. Further, AI-generated content must include embedded metadata (called a “latent disclosure”) that identifies it as being AI-created. The law takes effect January 1, 2026.
- AB 2885 – Definition of AI. AB 2885 offers a statutory definition of AI as an “engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.” The legal definition of “AI” has been hotly debated, and the purpose of the bill is to establish a clear framework for AI regulation in the state, allowing lawmakers to address AI-related issues more effectively. The law takes effect January 1, 2025.
What Was Vetoed: The Notable Failed Attempts
Governor Newsom vetoed several privacy- and AI-related bills, including:
- SB 1047 – AI developer regulations. The “Safe and Secure Innovation for Frontier Artificial Intelligence Act” generated considerable national and international attention in its proposal to impose strict safety regulations on the development of large-scale AI models. Under SB 1047, developers would have been required to perform safety assessments and implement safeguards to prevent potential harms caused by AI, all of which would be policed by a new state agency known as the “Board of Frontier Models.” Governor Newsom vetoed the bill, citing concerns that it could stifle innovation among the considerable existing California-based AI companies. The Governor’s veto message also expressed concern that the bill overly targeted large AI models while neglecting risks posed by smaller, specialized models.
- AB 1949 – Children’s data. Designed to enhance privacy protections of children, AB 1949 would have prohibited businesses from collecting, selling or sharing personal information of children under 18 without affirmative consent. The bill would have removed the existing condition that a business have actual knowledge that the consumer is less than 16 years of age before requiring such consent. It also would have required the California Privacy Protection Agency to issue regulations regarding age verification and technical specifications for opt-out preference signals for consumers among the under 13 and under 18 age groups.
- AB 3048 – Default opt-out signals. AB 3048 sought to expand the impact of the CCPA’s current requirement that websites honor opt-out preference signals in internet browsers by requiring developers to include opt-out preference signal capabilities in all browsers and mobile operating systems.
What’s Next?
This year’s wave of approved legislation underscores California’s position as a leader in setting standards for new technology and frontier uses of data. For both developers and deployers of AI, these new regulatory requirements underscore the need for a comprehensive governance program and related controls, including impact assessments and human oversight and intervention.
Equally important is what is on the horizon. For example, several high-profile bills stalled in the legislature are sure to be introduced again early next year, including AB 2930, which proposed impact assessments for uses of automated decision tools designed to prevent algorithmic discrimination. As another example, California’s privacy regulator, the California Privacy Protection Agency, is currently finalizing proposed regulations governing uses of artificial decision-making technologies, as well as more comprehensive related privacy impact assessments and cybersecurity audits.
Manatt will continue to monitor this space closely as lawmakers across the country introduce legislation designed to regulate uses of personal data and AI technologies, and will provide additional guidance along the way.