The dust is beginning to settle from the raft of AI-related bills Governor Newsom signed last month in California. (See for example, our post about neural data.) Most of the provisions will not go into effect for another few months. Before they do, it is worth examining the impact they will have on companies’ privacy and data security practices. Most, as we outline below, may not change fundamental practice, but instead serve as a reminder to take into account privacy and data security considerations when assessing and implementing AI tools:

  • AI Definition(s): AB 2885 establishes a legal definition of artificial intelligence across California laws. AI is defined as “an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.” In addition, Newsom signed an amendment to CCPA (AB 1008) which clarifies that consumers’ “personal information” may exist in AI systems that output personal information. The change to CCPA is effective January 1, 2025.
  • Health Care Services Disclosures: Similar to Utah’s law earlier this year, AB 3030 will put disclosure requirements on health facilities, clinics, physician’s offices, or offices of a group practice. Beginning January 1, 2025, if these entities use GenAI to create patient-facing communication, they must take certain steps. These include both (1) a disclaimer that indicates to the patient that a communication was generated by GenAI, and (2) clear instructions describing how a patient may contact a human health care provider, employee, or other appropriate person.
  • AI and Entertainment: California will join Tennessee on January 1, 2025 in regulating “digital replicas” of voices and likenesses. First, AB 2602 holds contracts to be unenforceable if an employer uses a computer-generated “digital replica” of a performer’s voice or likeness in lieu of the performer’s in person performance. Second, AB 1836 gives beneficiaries of a deceased celebrity a cause of action to recover damages for the unauthorized use of AI-created digital replicas.
  • AI and Robocalls: AB 2905 amends California’s current automatic dialing-announcing laws. It requires telling call recipients if the prerecorded message uses an AI-generated voice.
  • Transparency: Beginning January 1, 2026, GenAI developers will need to give certain notices to consumers as provided for in AB 2013. This includes telling people the sources of GenAI data, how the data is used, the number of data points, and a description of the types of data points within datasets. Notice must also include whether there is any personal information within the datasets and list other protected information in the datasets. A similar requirement goes into effect on the same day. The law (AB 942) requires that AI system providers offer a free tool that lets the public determine whether content was generated or modified by AI. Among other things, they must also clearly and conspicuously disclose that content was generated by AI.

Putting it into Practice: These recent laws are a reminder to companies to consider privacy and data security compliance when adopting AI tools. We anticipate similar developments from other states. Having an adaptable approach will be key as companies identify and adopt new uses of GenAI.