Ranking California's New AI & Privacy Laws by Impact
California stands out in the American data privacy landscape as a trailblazer. The state holds the distinction of being the first to pass a comprehensive data privacy law, remains the only state with a dedicated privacy enforcement agency, the California Privacy Protection Agency, and continues to be exceedingly active on the legislative front even as other states that passed data privacy laws have gone quiet.
This year is no exception, as California has been grappling with how to approach AI regulation in these nascent stages of the technology. The state legislature just wrapped up its scheduled annual session on September 1, and in the final days the state representatives pushed through a mountain of policy on data privacy and AI.
Although not every proposed privacy or AI-related bill made it through alive, California was able to pass five privacy bills and four AI bills in the final days of the session. For those nine bills, Governor Gavin Newsom now has until the end of September to sign or veto them.
While there’s been plenty of coverage of what is included in these bills, it’s also important to set proper expectations for what kind of impact this group of bills will have. With that in mind, here’s a good old-fashioned ranking of the nine by the long-term and clear effect they are likely to have on the industry:
1. SB 1047 Safe and Secure Innovation for Frontier Artificial Intelligence Models Act
What it does: Regulates the largest AI models on the market, defined as models trained with a quantity of computing power costing more than one hundred million dollars ($100,000,000), based on the average market prices of cloud compute at the start of training. This effectively limits the bill to regulating Big Tech, as Apple, Google, Meta, and Microsoft have raced out to capture the AI market.
The potential impact: This one is a big “if,” given many believe Governor Newsom will veto it.
The campaign against this bill has been loud and fierce, with politicians as high up as California’s own Nancy Pelosi voicing opposition to it, saying “The view of many of us in Congress is that SB 1047 is well-intentioned but ill informed … While we want California to lead in AI in a way that protects consumers, data, intellectual property and more, SB 1047 is more harmful than helpful in that pursuit.”
This comes down to the (very) American argument that regulation can stifle innovation and should therefore be avoided as much as possible.
This belief and the lobbying against SB 1047 have already resulted in some of the stronger sections being ripped out of the bill, but what remains still stands as a guardrail specifically against Big Tech. Given the head start and near limitless resources companies like Apple and Meta have in the race to develop AI, a law like this could have real impact on pushing those companies towards safer and more privacy-conscious development.
The score: 4 out of 5
2. AB 3048 Opt-out Preference Signal
What it does: Prohibits businesses from developing or maintaining internet browsers or mobile operating systems that lack the ability for an individual to send an opt-out preference signal to businesses.
The potential impact: Given more and more state laws include language that organizations must honor universal opt-out mechanisms, the technology is already likely to be widespread by the end of the decade.
Laws like AB 3048 will help facilitate the acceptance of this user right, from both the public and businesses, by making the right easier to exercise and significantly more widespread.
Google may have ditched its plan to phase out third-party cookies on Chrome, but there is little downside in the company adding a setting for people to signal opt-out preferences. Given browsers like Firefox and DuckDuckGo already feature privacy-oriented settings, this bill feels like a logical win for people and privacy, even if the scope is somewhat limited.
The score: 4 out of 5
3. AB 2013 Generative artificial intelligence: training data transparency
What it does: Requires developers of AI systems to provide clear and accessible documentation on their website regarding the data used to train the AI, including:
- The sources/owners of datasets
- The number of data points in the complete dataset
- A description of the types of data used for training
- Relevant copyright or licensing information on data used
- Whether the dataset contains any personal data
- Whether there was any modification or use of synthetic data in the dataset
- The time period of data collection and training
The potential impact: Transparency is always a good thing in the privacy industry, and this law will go a long way towards informing people about how AI is trained as well as making it clear if any personal data is within systems.
However, there is quite a bit of information that needs to be disclosed, and in all likelihood, most people will never go through it.
The score: 3.5 out of 5
4. SB 942 California AI Transparency Act
What it does: Requires covered generative AI providers to make AI detection tools easily accessible to the public, as well as to create and include disclosures for any AI-generated content.
The potential impact: This is something that is sorely needed as more and more AI-generated content floods the internet, but how it will be applied across the US and not just California remains to be seen.
The other issue? A large percentage of AI-generated images and text already have clear signs that they were AI-generated. While including a disclosure is helpful, it won’t be a complete revelation given the current state of AI.
The score: 3 out of 5
5. SB 1223/AB 1008 Neural Data & Personal Information on AI Systems
What they do: SB 1223 amends the CCPA to add neural data as an element of sensitive personal information, defining it as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”
AB 1008 amends the CCPA’s definition of personal information to specify that personal information can exist in various formats, including “artificial intelligence systems that are capable of outputting personal information.”
The potential impact: Tangibly speaking, both of these bills are just amendments to how CCPA defines several elements, so they are not gigantic changes.
It is relevant, however, given the expansion of AI and biometric data usage, that neural data be added to enable its protection and that the wording be clarified to declare that AI systems can contain personal information.
This stance is counter to how Europe is tackling AI, as the EU has taken the stance that AI systems cannot contain personal information, which is a large reason why ChatGPT has not been hit with a GDPR fine, despite the Italian DPA’s insistence on the product’s noncompliance.
Right now this difference is on paper only, but it is something to watch in the next few years as AI regulation further unfolds.
The score: 3 out of 5
6. AB 1949 On Children’s Data
What it does: Requires a form of consent before a business can conduct any data collection, data use, or sale or sharing of personal information of minors under age 18. Children aged 13 to 18 will be able to give consent, while those under 13 will require consent from a parent or guardian.
The potential impact: Many believe this to be a significant bill both in California and nationwide, but consider me a skeptic. Given the way the internet works in reality, I have a hard time believing children between the ages of 13 and 18 are going to care much about data collection practices.
Most children are just going to click away their consent within a millisecond no matter what site they are on, so these added protections will only apply to children under 13, who are already covered by the federal Children’s Online Privacy Protection Act (COPPA).
Since COPPA 2.0 is likely on the way at a national level, AB 1949 will not be a complete game-changer in my opinion, even if it has added protections against data sales and sharing.
The score: 2 out of 5
7. AB 1824 CCPA Recognition of Opt-outs in Mergers
What it does: Amends the CCPA so that any entity merging with or acquiring another entity must respect and comply with all previous consumer opt-out requests.
The potential impact: This law is straightforward and makes it so consumers do not need to go through opt-out requests again if an organization is part of a merger or acquisition. It’s a win for data rights and closes a loophole, but it’s minor across the board even in an age of frequent M&As.
The score: 1.5 out of 5
8. AB 2885 Defining Artificial Intelligence
What it does: Amends existing California law to define AI as “an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.”
The potential impact: Definitions most certainly matter in data privacy and AI regulation (as was evidenced by the rounds of changes to the EU AI Act in early 2024 as it sought to carve a path for comprehensive AI regulation), but this is just a change on paper as of now.
It is not as directly applicable as SB 1223 or AB 1008, which both have more pointed changes to definitions, nor is it part of a comprehensive AI law like the one Colorado was able to pass earlier this year.
This might be part of getting things in order for a future bill, but right now it’s hard to see how this will be more directly impactful on AI or data privacy than the bills listed above.
The score: 1.5 out of 5
As noted, we will need to see how many of these bills actually enter into law, so check back here at the end of September for pass/veto updates.