Author
Amanda Anderson
4A's VP, Government Relations
Topic
- Government Relations
- Privacy Law
This month, California Governor Gavin Newsom (D) signed a series of AI and privacy-related bills passed by the state’s legislature but vetoed several controversial measures, including those that impact advertisers and users of consumer data. It’s unlikely the California legislature will attempt to override any of the vetoes, as the state has not overridden a Governor’s veto since 1980.
After expressing concern about the bill ahead of his decision, Newsom vetoed CA Senate Bill 1047 that would have required makers of large AI models to conduct safety tests to reduce the risks of “catastrophic harm” from their technology. Developers would have also had to ensure a human can shut down their AI system if it starts behaving dangerously. The bill, which many AI startups and tech giants have opposed, is seen by companies and AI developers as a bellwether for how AI will be regulated across the country.
In his veto message for SB 1047, Newsom said, “While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data. Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology.”
A Mixed Bag for Privacy Legislation
The enactment of privacy legislation in California this year was a mixed bag, with some surprise Governor vetoes happening at the 11th hour.
Gov. Newsom vetoed privacy legislation (CA AB 3048) that would have prohibited a business from developing or maintaining a browser or mobile operating system that does not allow a California consumer to send a signal to opt out of the sale and sharing of their personal data effective The California Governor returned CA Assembly Bill 3048 without a signature. The 4As and other advertising industry groups sent letters to Newsom urging the legislation’s veto. Newsom’s veto message cited concerns about placing a mandate on operating system (OS) developers “because no major mobile OS incorporates an option for an opt-out signal”; he also noted that, “most internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality.” He believes “it is best if design questions are first addressed by developers, rather than by regulators.”
Newsom also vetoed CA Assembly Bill 1949 that would have amended the California Privacy and Protection Act (CCPA) to ban the collection, sale, sharing, use or disclosure of personal information related to minors under the age of 18, unless prior affirmative opt-in consent is obtained. Under the current provisions in the CCPA, businesses must secure affirmative opt-in consent before selling or sharing the personal information of consumers who are under 16 years of age. For consumers younger than 13, businesses are obligated to obtain consent from a parent or guardian. AB 1949 would have raised this age limit from 16 to 18 and prohibited businesses from selling or sharing the personal information of consumers if they are aware that the consumer is under 18 without affirmative opt-in consent. In his veto message, Gov. Newsom was concerned that AB 1949 would “fundamentally alter the structure of the CCPA to require businesses, at the point of collection, to distinguish between consumers who are adults and minors. [He was] concerned that making such a significant change to the CCPA would have unanticipated and potentially adverse effects on how businesses and consumers interact with each other, with unclear effects on children’s privacy.”
In an effort to bolster children’s privacy, Newsom signed CA Senate Bill 976 into law, which bars social media companies from deploying feeds that children and teenagers would find addicting, while also prohibiting companies from sending them notifications at night and during school hours. This is similar to a bill passed by New York earlier this year.
CA Assembly Bill 1824 was also signed into law requiring recognition of a California consumer’s prior opt-outs for sale and sharing in mergers, acquisitions or bankruptcy. The bill removes the ambiguity in the CCPA about what happens to consumers’ opt-out preferences when businesses combine, by requiring the business that acquires personal consumer information from the original business to honor the preferences of those consumers. Limiting access to consumer data in this way could impact the valuation of the business deals.
Additionally, CA Assembly Bill 1223 was signed into law, stemming from policymaker concerns about the emergence of consumer neurotechnologies such as neuromonitoring devices, cognitive training applications, neurostimulation devices, mental health apps, and so-called “brain wearables”. This new law defines sensitive personal information, for purposes of the CCPA, to additionally include a consumer’s neural data, and defines neural data to mean information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.
A Bundle of AI Bills Signed into Law
Governor Newsom signed into law a series of AI bills which set new precedents that other states are likely to mimic in 2025 legislation; absent federal legislative action, we could see states soon start imposing new requirements on AI developers and social media platforms that are intended to ensure responsible technology development while protecting individuals from harmful use of AI-generated content.
CA Senate Bill 942 requires AI developers with more than a million monthly California users to create and make available to consumers an AI detection tool that allows a user to assess whether content has been created or altered by an AI developer’s GenAI system. In the law, AI-generated images or video must include machine-readable disclosures with information such as the provider’s name, the GenAI system version, creation date, and a unique identifier. This requirement ensures that the origin of the content can be traced back to the specific GenAI system responsible for its creation. These latent and invisible “disclosures” are required to be included in content produced by GenAI systems. The measure envisions two means to implement disclosures required by the law: manifest (visible) and latent (imperceptible to the human eye). Disclosures should be permanent or difficult to remove and detectable by the provider’s own systems. This measure ensures that even if visible labels are removed, the content can still be identified as AI-generated through technical means and the use of the latent disclosure. Providers must also offer users the option to include visible disclosures in AI-generated content, indicating it was created by AI. Visible manifest disclosures provide immediate transparency, allowing users to easily recognize AI-generated content. The bill describes the minimum information that these disclosures must convey: 1) the name of the covered provider; 2) the name and version number of the GenAI system used; 3) the time and date of the content’s creation or alteration; 4) which parts of the content were created or altered by the GenAI system; and 5) a unique identifier. If an AI developer knows that a third-party licensee modified a licensed GenAI system such that it is no longer capable of including a disclosure, the covered provider shall revoke the license within 72 hours of discovering the licensee’s action.
A covered provider that violates these provisions is liable for a civil penalty in the amount of $5,000 per violation to be collected in a civil action filed by the California Attorney General, city attorney, or county counsel.
Two noteworthy watermarking/content provenance bills that were opposed by the industry, CA Assembly Bill 3211 and CA Assembly Bill 1791, did not advance out of the California Senate after passing the state’s Assembly earlier this year; these bills are likely to come back in some form next year or could inform other states’ approaches.
Governor Newsom signed into law CA Assembly Bill 1008, which amends the CCPA’s definition of “personal information” to include, among other things, “abstract digital formats, including artificial intelligence systems that are capable of outputting personal information.” The new law extends California privacy law obligations to AI models, requiring businesses to address consumer requests for access, deletion, correction, or information sharing. This poses challenges due to the current limitations of AI models in retroactively modifying their learned data.
Enacted CA Assembly Bill 2885 clarifies the state’s legal definition of “artificial intelligence” to mean “an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.” It effectively removes unnecessary AI references to the California code.
Other notable AI laws signed by Governor Newsom include CA Senate Bill 926 and CA Senate Bill 981 which address deepfakes and sexually explicit content.
Ahead of the 2024 U.S. election, 26 states have passed or are considering passing bills to regulate AI. As such, there will be mounting pressure on Congress to take federal action that covers the entire country. California is currently home to 32 of the world’s 50 leading GenAI companies, high-impact research and education institutions, and a quarter of the technology’s patents and conference papers. Like data privacy issues, these California legislative precedents will weigh heavily in that debate.
Learn more about the privacy and AI bills mentioned above and other related bills that did not advance out of the legislature this year.
Have questions about the California privacy and AI bills mentioned above? Please contact Amanda Anderson, 4As VP of Government Relations.