New laws in California look to the future of privacy and AI

The 2023-24 legislative session in California saw a flurry of privacy and artificial intelligence bills signed into law, ranging in scope from amending a single definition to creating broad legislative provisions in areas like student privacy, dataset transparency and more. However, one thread connects these new laws: increasing privacy protection for all Californians. California has a long history of leading legislative efforts at a state level, especially in the privacy and technology realms; it was the first to enact an omnibus privacy-related law with the California Consumer Privacy Act and the first to create an entirely privacy-focused agency with the California Privacy Protection Agency.

Expanding definitions

One way California is expanding privacy protection is by broadening the scope of its existing laws. To that end, Gov. Gavin Newsom signed two bills that amended the definition of personal information in the CCPA, as amended by the California Privacy Rights Act.

Assembly Bill 1008 adds that personal information can exist in multiple formats, which include abstract digital formats like AI systems "that are capable of outputting personal information." It also clarifies that biometric information collected without a consumer's knowledge is not publicly available, and thus falls into the definition of personal information. Senate Bill 1223, which follows in the footsteps of Colorado's SB 21-190, states sensitive personal information includes a consumer's neural data.

Both new laws have received a mixed response — AB 1008 has raised serious questions among industry professionals about, for example, whether AI models themselves contain personal information. Some commentators praised SB 1223 for safeguarding consumers' brains from enterprising new technologies, while others stated its ambiguous phrasing did not go far enough to protect consumer data.