Keypoint: Of the ten privacy- and AI-related bills passed by the California legislature in the 2024 legislative session, Governor Newsom signed seven into law and vetoed three by the September 30 deadline.
Throughout the 2024 legislative session, we have been tracking numerous privacy- and AI-related bills pending in California. Ten of those bills passed the state legislature before the legislative session ended on August 31 (nine of which passed in the final week of August). Governor Newsom had a deadline of September 30 to sign or veto the bills that passed. Of the ten total bills, he signed seven into law and vetoed three bills. Those seven bills scheduled to go into effect consist of four laws related to privacy and three laws related to AI.
The below article provides a summary of the ten bills that Governor Newsom either signed into law or vetoed.
1. Bills Signed Into Law
Privacy Bills
AB 1008 (Personal Information and AI Systems) – Among other things, the bill amends the CCPA to specify that personal information can exist in various formats, including artificial intelligence systems that are capable of outputting personal information. Its amendments to the CCPA go into effect on January 1, 2025.
SB 1223 (Neural Data) – The bill amends the CCPA’s definition of sensitive personal information to include neural data. Its amendments to the CCPA go into effect on January 1, 2025.
AB 1824 (Recognition of Prior Opt-Outs in M&A Deals) – The bill amends the CCPA to require a business to which another business transfers the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the transferee assumes control of all or part of the transferor to comply with a consumer’s opt-out direction to the transferor. The bill would have also incorporated provisions from AB 1949 but that bill was vetoed (see below). Its amendments to the CCPA go into effect on January 1, 2025.
AB 3286 (Monetary Thresholds) – The bill authorizes the California Privacy Protection Agency (CPPA) to make changes to certain CCPA monetary thresholds. The bill also makes changes to the CCPA’s consumer privacy fund. The bill was signed into law on July 15, and the monetary threshold adjustments are set to begin January 1, 2025 and annually thereafter.
AI Bills
AB 2013 (Generative AI Training Data Transparency) – The bill requires developers of generative AI systems or services to post a high-level summary of the datasets used in the development of the system or service on their website, with certain details described in the bill. The bill also requires developers to disclose whether the system uses “synthetic data generation.” The bill goes into effect on January 1, 2026.
AB 2885 (Definition of AI) – The bill incorporates a new definition of “artificial intelligence” into existing California law. The bill goes into effect January 1, 2025.
SB 942 (California AI Transparency Act) – Among other provisions, the bill requires a covered provider (a business that provides generative AI systems with one million monthly users on average) to create an AI detection tool that a person can use to identify what image, video, or audio content (or combination thereof) was created or altered by the provider’s generative AI system. Additionally, a covered provider is required to include a latent disclosure in such AI-generated content created by its system. The bill goes into effect on January 1, 2026.
2. Bills Vetoed
Privacy Bills
AB 3048 (Opt-Out Preference Signals) – The bill would have prohibited businesses from developing or maintaining a browser that does not include a setting that enables a consumer to send an opt-out preference signal to a business with which the consumer interacts through the browser. The bill would have also prohibited businesses from developing or maintaining a mobile operating system through which a consumer interacts with a business that does not include a setting that enables the consumer to send an opt-out preference signal to that business.
The bill was vetoed on September 20. In his veto statement, Governor Newsom expressed concerns “about placing a mandate on operating system (OS) developers.” He highlighted the commonality of internet browsers to feature an extension which sends an opt-out preference signal, but that such an option does not exist for any major mobile OS. In an effort to preserve the usability of mobile devices, Newsom concluded that design issues should first be addressed by developers instead of regulators.
AB 1949 (Kid’s Privacy) – The bill would have amended the CCPA to prohibit businesses from collecting, selling, sharing, using or disclosing the personal information of kids under the age of 18 without the kid’s consent or, for children under 13, without parental/guardian consent. A business would need to have actual knowledge that the consumer is below 18 or 13. However, a business that willfully disregards the consumer’s age would have been deemed to have actual knowledge of the consumer’s age. In addition, a business would have needed to treat a consumer as under 18 years of age if the consumer, through a platform, technology, or mechanism, transmitted a signal indicating that the consumer is less than 18 years of age.
The bill was vetoed on September 28. While the bill has received bipartisan support since its introduction, Governor Newsom explained that it “would fundamentally alter the structure of the CCPA… (and that) making such a significant change would have unanticipated and potentially adverse effects on how businesses and consumers interact with each other, with unclear effects on children’s privacy.”
AI Bills
SB 1047 (“Safe and Secure Innovation for Frontier Artificial Intelligence Act”) – The bill would have required developers of large AI models to implement safeguards as a precaution against critical harm.
While supporters classified it as having a “light touch,” the bill proved to be rather controversial and was vetoed on September 29. The bill’s author, Senator Wiener, released a statement describing the veto as a “setback… (and) a missed opportunity for California.” On the other hand, Governor Newsom said in his veto statement that the bill “could give the public a false sense of security about controlling this fast-moving technology” by focusing specifically on large-scale AI models while neglecting the threats posed by smaller models and stifling innovation. While the bill ultimately failed, both Newsom and Wiener agree that the debates over the bill have raised awareness over the risk of AI and has helped lawmakers take a step in the right direction in developing an effective framework for AI in the future.