Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

No US state has been more active in AI regulation than California — home to 32 of the world’s 50 leading AI companies, along with countless other companies racing to implement AI enhancements. In a whirlwind legislative session, California lawmakers passed no fewer than 17 AI-related bills in 2024, though one of the most significant laws, Senate Bill 1047, was vetoed by Governor Gavin Newsom.

The new California legislation covers a wide gamut of uses and sectors, with many of California’s new laws coming into effect as soon as 1 January 2025. In this alert, we provide summaries of some of the key laws and their requirements.

CCPA revisions
  • Clarifying CCPA definition of personal information: AB 1008 amends the definition of “personal information” in the California Consumer Privacy Act of 2018 (CCPA) to confirm that personal information can exist in various formats, including as “[a]bstract digital formats, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information.” (Effective 1 January 2025)
Performers’ rights and rights of publicity
  • Restrictions on contracts for performers’ digital replicas: AB 2602 makes contract provisions unenforceable if they relate to a performance by a digital replica of the contracting individual; the provisions provide specific conditions relating to the use of a digital replica of an individual’s voice or likeness in lieu of that individual’s work. (Relates to new performances fixed on or after 1 January 2025)
  • New cause of action for using a deceased person’s digital replica: AB 1836 establishes liability for producing, distributing or making available the digital replica of a deceased personality’s voice or likeness in an expressive audiovisual work or sound recording without prior consent. (Effective 1 January 2025)
  • Further information on AB 2602 and AB 1836 can be found in our earlier analysis.
Health care
  • Required disclosures for AI chatbots for patient communications: AB 3030 requires certain health care providers to disclose the use of AI to generate patient communications pertaining to patient clinical information. (Effective 1 January 2025)
  • Use of AI for health insurance decisions: SB 1120 requires health care service plans or disability insurers that use AI for utilization review and utilization management decisions to ensure that these decisions are based on a patient’s medical or other clinical history and individual clinical circumstances, that they do not supplant health care provider decision-making, and that they are fairly and equitably applied. The new law also mandates periodic review of the AI to maximize accuracy and reliability. (Effective 1 January 2025)
Social media and online platforms
  • Reporting sexually explicit digital identity theft on social media: SB 981 requires social media platforms to establish mechanisms for reporting and removing “sexually explicit digital identity theft,” meaning an image or video digitally created or altered to appear to be an image or video of an identifiable person engaged in certain sexual acts. (Effective 1 January 2025)
Elections and misinformation
  • Requirement to remove or identify synthetic election content: AB 2655requires online platforms with at least one million California users to remove or label deceptive and digitally modified or created election content that is reported to the platform. (Operative from 1 January 2025)
  • Prohibition on deceptive election materials: AB 2839 prohibits the distribution of advertisements or other election material containing deceptive AI-generated or manipulated content. (Operative from 1 January 2025)
Other areas
  • Promoting AI literacy in California schools: AB 2876 requires that the Instructional Quality Commission consider ways to include AI literacy in mathematics, science and history-social science curriculum frameworks and instructional materials. (Applies to materials adopted by the state board after 1 January 2025)
  • State use of generative AI: SB 896 requires the California Office of Emergency Services to perform a risk analysis of potential threats posed by the use of generative AI to California’s critical infrastructure. It also requires state agencies or departments that use generative AI to communicate regarding government services and benefits to include a disclaimer that the communication was generated by AI along with information describing how the person may contact a human employee of the state agency or department. (Effective 1 January 2025)

AI’s impact on the commercial and technology landscape over the past couple of years has been comprehensive and transformative, and lawmakers have followed suit by introducing new legislation touching almost every imaginable area. Businesses should assess the impact of the incoming legislation and take necessary compliance steps, especially with further legislative activity expected throughout 2025.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in product counseling, technology, and M&A transactions. He leads the Firm's North America Technology Transactions group and co-leads the group globally. Adam regularly advises a range of clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, new product and service initiatives, and new trends driving business such as platform development, data monetization, and artificial intelligence.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Keo McKenzie is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group (IPTech), based in the Firm’s DC office. Keo has significant experience advising multinational technology, life sciences, and healthcare companies with complex matters related to regulatory and transactional issues presented by digital health technologies.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.