California’s 2024 legislative session has been marked with exciting developments and a clear focus on setting the rules of the road for artificial intelligence (AI), with some measures becoming law and others stalling out along the way. Last month, Governor Newsom signed 17 bills regulating AI in the Golden State. Notably, Governor Newsom vetoed SB 1047, which would have imposed safety requirements on developers of large models to avoid certain harms. In vetoing the bill, Governor Newsom noted that it was not comprehensive or precise enough, improperly focused on large models even though small ones could present similar risks, and did not take into account whether an Al system is deployed in high-risk environments, involves critical decision-making, or uses sensitive data. Newsom’s veto also represents a big win for the numerous industry members, politicians, and academics who lobbied against the bill, arguing that its passage would stifle innovation in the space. Nevertheless, the AI bills Newsom did sign are expected to have wide-ranging impacts on the AI industry. A summary of those bills is below.

AB 2013–Generative Artificial Intelligence: Training Data Transparency

On September 28, 2024, Governor Newsom signed AB 2013, which requires developers of generative artificial intelligence (genAI) systems to publicly disclose certain information about the system’s training data. For systems released on or after January 1, 2022, such disclosures must be made on or before January 1, 2026. After that time, developers must make the disclosures before a genAI system or a substantial modification to a genAI system, is made publicly available. The required information includes a high-level summary of training data sets, including the number of data points within the datasets; whether the datasets include protected intellectual property or personal information; and whether the datasets were purchased or licensed.

Certain genAI models would be excluded from the disclosure requirement, such as those solely focused on security and integrity; those focused on the operation of an aircraft in national airspace; and those developed for national security, military, or defense purposes and only available to a federal entity.

SB 942–California AI Transparency Act

On September 19, 2024, Governor Newsom signed SB 942 into law, requiring developers of genAI systems that average over one million monthly visitors or users (covered providers) to provide a free “AI detection tool” that would confirm whether content was generated or altered by the system; and provide any available provenance data detected in the content, i.e., data that can be used to verify the content’s authenticity. Covered entities must also:

• allow users to upload the AI-generated content or provide a URL linking to the content, presumably allowing consumers to directly ask a genAI provider if they created the content; and
• support an API that allows users to use the detection tool without visiting the AI-system provider’s website. The API could, for example, allow third parties to build tools that would let consumers simultaneously query multiple genAI providers to help them figure out if a video, image, or audio file was created by any of these providers.

The law prohibits the output of any personal provenance data, i.e., information relating to a person that’s included in the digital content’s metadata.

Finally, the law requires covered providers to include a disclosure that content is AI-generated. To the extent technically feasible and reasonable, the disclosure must name the covered provider and genAI system that created the content; provide the time and date of the content’s creation; and provide a unique identifier for the content. The disclosure must be detectable by the covered provider’s AI detection tool. The covered provider must also give users the option to have the disclosure appear visible to a natural person.

AB 3030–Artificial Intelligence in Health Care Services

On September 28, 2024, Governor Newsom signed AB 3030, requiring health clinics, health facilities, and physician’s offices to provide a disclaimer to patients for written or verbal communications generated by genAI pertaining to “patient clinical information.” Patient clinical information is defined to mean information relating to the health status of a patient and does not include administrative matters, such as appointment scheduling, billing, or other clerical or business matters. The required disclaimer varies by the mode of communication used, for instance:

• written communications involving physical and digital media, such as letters or email, must include a disclaimer at the beginning of each communication;
• written and video communications involving continuous online interactions, such as chat-based telehealth services, must display a disclaimer throughout the interaction; and
• audio communications must include a verbal disclaimer at the start and end of the communication.

Such providers are also required to provide patients with instructions on how they can communicate with a human healthcare provider. And notably, communications read and reviewed by “a human licensed or certified health care provider” would be exempt from this law’s requirements.

AB 3030 will most clearly impact AI-powered clinical documentation tools and digital health and telehealth companies that utilize genAI as part of the patient-provider interaction.

AB 3030 adds to other states already regulating the disclosure of use of genAI in patient communications, including Utah, which similarly places heightened obligations on healthcare professionals to proactively disclose the use of genAI tools.

AB 1008–CCPA Definition of Personal Information Amended

On September 28, 2024, Governor Newsom signed AB 1008, which amends the California Consumer Privacy Act (CCPA) to specify that “personal information” can exist in various formats, including physical, digital, and abstract digital formats. Most notably, “abstract digital formats” are defined to include “artificial intelligence systems that are capable of outputting personal information.” This amendment has potentially far-reaching implications for any AI system that includes personal information in its training data. While data contained in publicly accessible sources does not constitute “personal information” under the CCPA because it is “publicly available,” there are many ways that personal information can make its way into AI systems, particularly when they are trained using proprietary data sets. Note, however, that even if personal information was used to train an AI system, the AB 1008’s modification applies only if the system is “capable of outputting personal information.” Thus, a path forward for complying with CCPA deletion requests would be to prevent the AI system from outputting personal information related to the consumer making the deletion request.

More Notable AI Bills Passed

Below we highlight additional noteworthy AI-related bills that Governor Newsom has signed.

• Protecting digital likeness.
  • AB 1836 prohibits a person from producing, distributing, or making available “the digital replica of a deceased personality’s voice or likeness in an expressive audiovisual work or sound recording without prior consent,” except when used:
    • in connection with any news, public affairs, or sports broadcast or account;
    • for purposes of comment, criticism, scholarship, satire, or parody;
    • in a fleeting or incidental manner;
    • in a self documentary or in a “historical or biographical manner, including some degree of fictionalization, unless the use is intended to create, and does create, the false impression that the work is an authentic recording in which the individual participated”; or
    • in an advertisement or a commercial announcement of any of the above uses.
  • AB 2602 requires that contracts for the use of a computer-generated copy of a person’s voice or likeness must describe the intended uses of the copy, and the person whose voice or likeness is to be copied must be represented by a lawyer or labor union when signing the contract.
• Combatting unconsented, AI-generated sexually explicit imagery.
  • SB 981 requires social media platforms to establish a mechanism to report and remove sexually explicit images or video of an identifiable person, created or altered through digitization, where the person did not consent to the use of their likeness.
  • SB 926 makes it a crime for an adult to create and distribute unconsented sexually explicit deepfakes that cause serious emotional distress.
• Protecting against deepfakes in elections.
  • AB 2355 requires political committees to disclose in any political advertisement whether the advertisement contains content that has been altered using AI.
  • AB 2655 requires “large online platforms with at least one million California users to remove materially deceptive and digitally modified or created content related to elections, or to label that content, during specified periods before and after an election, if the content is reported to the platform.”
  • AB 2839, which has been preliminarily enjoined by a federal judge on First Amendment grounds, would prohibit the distribution of election communications that contain media that has been digitally altered in a deceptive way, and would allow any recipient of such content to sue the distributor for injunctive relief and damages, subject to certain exceptions.

Conclusion

These developments represent unprecedented legal obligations, highlighting the increased legislative and regulatory focus on AI and its impact on the public. Businesses should be keenly aware of these laws as they come into force. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex issues related to novel compliance frameworks and AI issues. For more advice on your compliance efforts, please contact Maneesha Mithal, Chris Olsen, Andrea Linna, Eddie Holman, Boniface Echols, or any member of the firm’s data, privacy, and cybersecurity or regulatory health practices.

Seamus Taylor contributed to the preparation of this Alert.