The 16 Feb. deadline for California legislators to introduce bills for the current legislative session saw state senators and assembly members introduce more than 2,100 bills intended to address topics ranging from bingo to reparations and everything in between. Relevant to the work of privacy and artificial intelligence governance professionals, legislators largely focused on laying ground rules for the use of AI while also supplementing California's maturing regulatory framework for consumer and children's privacy.
Although the majority of proposed bills will never pass, they provide insight into how elected California officials think about issues of privacy and AI and the trends privacy and AI governance professionals may see across the nation. Golden State lawmakers have led the way in U.S. privacy regulation dating back to the early aughts, when the California Online Privacy Protection Act helped drive mass adoption of privacy policies. Other jurisdictions have largely caught up, but California has nonetheless continued to produce innovative approaches to regulating online activity. The IAPP Resource Center's California Privacy Legislation Tracker provides a comprehensive look at these bills and others not discussed below.
AI regulation: New technology, new frameworks?
Where, in 2023, the tidal wave of AI technology caught many by surprise, 2024 thus far has seen legislators work diligently to establish workable regulatory frameworks for the emerging technology. Demonstrating this legislative exigency, roughly twice as many bills focusing on AI, compared to on data privacy, were introduced this session. Although presently few may comprehend all the technical intricacies of AI, lawmakers are certainly trying: the two legislative chambers proposed creating a total of three working groups and a research hub to evaluate and provide recommendations on the impacts of AI.
While awaiting comprehensive private-sector AI legislation in the U.S., AI governance professionals can discern some patterns from the bills introduced by California legislators, who have largely derived frameworks for regulating AI from existing regulatory models in privacy. Those grappling with AI should thus look to apply many foundational privacy principles to their work. In this vein, seven bills proposed to mandate some form of transparency, risk assessment or both:
- The AI Accountability Act requires state agencies to disclose whether individuals are interacting with AI and to evaluate the risk presented by automated decision-making systems before adoption.
- Assembly Bill 1824 establishes the legislature's intent to require disclosures for AI-generated content.
- AB 2013 requires disclosures on AI system developers' websites regarding the training data used.
- Senate Bill 942 empowers consumers by establishing a mechanism to detect AI-generated content.
- AB 1971 leans on content credentials, making the Coalition for Content Provenance and Authenticity's technical open standards mandatory for companies in the generative AI business.
- SB 1047 targets frontier models, requiring positive safety determinations that developers must report to a newly established Frontier Model Division of the Department of Technology.
- AB 2930 requires impact assessments for automated decision-making tools and notification to subjects of consequential decisions.
Perhaps the bill with the most momentum, AB 2930 — a reintroduction of Assembly Member Rebecca Bauer-Kahan's 2023 AB 331 — appears likely to provide a template for state legislation on private-sector AI, alongside Connecticut's SB 2. Both bills lean heavily on notice, transparency and impact assessments as tools to mitigate algorithmic discrimination and other AI-related harms. However, Connecticut employs a risk-based taxonomy akin to the EU AI Act, whereas AB 2930 aligns instead with the California Consumer Privacy Act's draft automated decision-making technology regulations.
The CCPA, ever-changing
Since its passage, California legislators have tinkered with the CCPA each year, often in response to nationwide trends and emerging technologies. This year six bills related to the state's flagship privacy law were introduced.
Following the California Privacy Protection Agency's legislative proposal, Assembly Member Josh Lowenthal proposed AB 3048, requiring all browsers to include settings enabling consumers to send opt-out preference signals like the Global Privacy Control. Currently, none of the three most-used browsers — Chrome, Safari or Edge — offer such signals. Universal opt-out mechanisms have been one of the CCPA's more influential exports; currently eight comprehensive state bills include language requiring businesses to honor opt-out preference signals. Wary that opt-out preference signals will go the way of similar choice signals in the past, legislators mandating that all browsers act as a conduit for consumer opt-outs would go a long way toward easing the ability of consumers to express their privacy rights at a mass scale.
Elsewhere, Bauer-Kahan — chair of the Committee on Privacy and Consumer Protection — put forth AB 2877 to amend the CCPA by heightening the requirements for membership on the CPPA board to include qualifications, experience and skills in consumer rights. This proposal follows the announced departure of board member Lydia de la Torre, the only consumer privacy practitioner to have served on the CPPA board to this point.
One further noteworthy amendment: AB 2426 revises the legislature's intent to include a provision for consumer protection for online digital content in enacting the CCPA. Although it is likely to undergo plenty of revision given its current limited substance, such a bill could expand the CPPA's authority beyond the regulation of consumer privacy and into regulation of online activity more generally, including content moderation.
California kids
With each successive year comes a spate of legislation to add to the conversation around children's online safety. California's top law enforcement official, Attorney General Rob Bonta, has consistently prioritized this area. This year he has thrown his support behind two bills in particular.
AB 1949, another CCPA amendment, aims to prohibit businesses from selling or sharing the personal information of consumers under 18 years old — up from 16 — without affirmative authorization. If passed, this bill would give California the oldest opt-in requirement for sale of personal data among the states with comprehensive privacy legislation. Note that, while not considered comprehensive, Florida's Digital Bill of Rights also requires affirmative authorization for minors under 18.
AB 1949 also removes the requirement for businesses to have actual knowledge that a child is below age, instead imposing what resembles a strict liability standard on businesses when processing children's personal information.
The bill further requires the CPPA to promulgate regulations on opt-out preference signals for age verification. Operationalizing online age verification while maintaining user privacy has long been an intractable problem. With this proposal, children's online safety advocate Assembly Member Buffy Wicks hopes browser mechanisms offer a workable resolution.
Alongside Wicks' bill, Sen. Nancy Skinner, D-Calif., introduced the Social Media Youth Addiction Law to prohibit social media platforms from providing an "addictive feed" to users under 18 without verifiable parental consent. This bill parallels proposed rules from the Federal Trade Commission on the Children's Online Privacy Protection Act, which also require verifiable parental consent for use of a site or service for purposes of maximizing engagement but apply only to children under 13.
Clear comparisons have been drawn between this bill and the presently enjoined California Age-Appropriate Design Code. The bill's proponents hope, if passed, it avoids the constitutional challenges that have plagued the California act.
Additional proposals
Several other proposed bills deserve mention:
- Registering digesters. Bauer-Kahan also proposed AB 3204, requiring "data digesters," or businesses that train AI with personal information, to register with the CPPA. One more term for your privacy glossary.
- ChatGPT, esq. Although anecdotes of attorneys falling trap to generative AI's propensity to cite to nonexistent caselaw appear to have slowed, AB 2811 aims to nip the trend in the bud by mandating disclosure from legal professionals when AI assists in preparing court-filed documents.
- Driving privacy. Following the lead of the CPPA's investigative sweep and 2023's new law regulating in-vehicle cameras, the legislature again has honed in on vehicular privacy. Although lacking text for now, AB 3139 states the legislature's intent to enact legislation that would enhance the privacy of consumers in vehicles.
- Every day is data privacy day when you're a privacy pro. The last Sunday and last week of January are officially now Data Privacy Day and Week in California, respectively, deviating from the 28 Jan. date honored elsewhere throughout the world. Around this time, expect the attorney general's office to continue its annual tradition of California privacy law enforcement.