On October 13, 2025, California concluded a busy legislative term by enacting a slew of key privacy and AI-related bills aimed at enhancing consumer protection and regulating emerging AI technology applications. These measures address a range of critical issues, including consumer opt-out signals, data broker transparency requirements, age assurance, minors’ safety, companion chatbots, and AI development. Below, we summarize some of the most significant of these privacy and AI bills that were signed into law by California Governor Gavin Newsom.

Privacy Laws

  • AB 45 (Reproductive Health and Location Data Privacy): This law prohibits the collection, use, disclosure, sale, sharing, or retention of personal information from individuals physically located at or near “family planning centers,” except as necessary to provide services or goods requested by the individual or as otherwise required by law or in a collective bargaining agreement. The law allows for affected individuals and entities, including family planning centers, to pursue civil action against violators. The law also prohibits geofencing around entities providing in-person “health care services” (broadly defined) in California for purposes such as identifying or tracking individuals seeking or providing “health care services,” collecting their personal information, or sending certain notifications and ads. Among other provisions, the law also prohibits the sale or sharing of personal information with third parties for the purpose of violating these privacy provisions. Further, the law prohibits the release of personally identifying research records related to individuals seeking “health care services” in response to subpoenas, law enforcement, and other requests based on other states’ laws that conflict with Californians’ rights under the Reproductive Privacy Act, which enshrines California’s fundamental right of privacy with respect to personal reproductive decisions.
  • AB 566 (California Opt Me Out Act): This law requires web browser developers to include universal opt-out preference signal options. Opt-out preference signals allow users to broadcast their choice to opt out of selling or “sharing” their personal information to all websites they visit through a single step rather than having to make individualized requests to opt out on each website. Existing California Consumer Privacy Act regulations state that covered businesses must honor these opt-out signals. State privacy regulators, including the California Privacy Protection Agency (CPPA), have been active in enforcing business compliance with consumer opt-out requests in recent years. See our earlier client alert on the multi-state investigative sweep around consumer opt-out signals. The law’s effective date is January 1, 2027.
  • AB 56 (Social Media Warning Law): This law requires certain online services that provide an “addictive feed” to users to display a “black box warning” to all minor users that states: “The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.” The warning must be clearly displayed each day the user initially accesses the platform, then again after three hours of cumulative active use, and thereafter at least once per hour of cumulative active use. The law’s effective date is January 1, 2027.
  • AB 656 (Social Media Account “Delete” Button): This law requires large “social media platforms” that generate over $100 million in annual gross revenues to provide “a clear and conspicuous button that enables the user to delete” their social media account. Upon clicking the delete button, social media platforms are required to guide users through the account deletion process, which must include deletion of the user’s personal information. Platforms may seek verification before deletion, but the verification must be done in “a cost-effective and easy-to-use manner.” Further, platforms may not use dark patterns or other practices to obstruct account deletion.
  • AB 1043 (Digital Age Assurance Act): This law requires operating system providers for computers, mobile devices, or other general purpose computing devices to collect age range information from users during account setup, to be used by applications in covered application stores. The law also requires app developers to request the age range from operating system providers or covered app stores when their app is downloaded and launched. Notably, the law imputes actual knowledge of the age range on app developers across all platforms of the application, not just the platform where the app developer received the age range signal, unless the developer has “clear and convincing” internal information that a user’s age is different than the age range signal. The law prescribes steep penalties of $2,500 for each negligent violation per affected child and $7,500 for each intentional violation per child. The law’s effective date is January 1, 2027.
  • SB 361 (Expanded Data Broker Transparency Requirements): This law amends California’s existing data broker registration law to require data brokers to provide more detailed information to the CPPA upon annual registration. The new disclosure requirements include whether the data broker collects consumers’ names, dates of birth, zip codes, email addresses, phone numbers, login or account information, various identification numbers, citizenship data, union membership status, sexual orientation status, gender identity and gender expression data, biometric data, and precise geolocation. Data brokers must identify one-to-three of the most common types of personal information that the data broker collects if it does not collect certain contact information or identification numbers. The law also requires data brokers to provide information regarding whether, in the past year, the data broker shared or sold consumers’ data to a foreign actor, the federal government, other state governments, law enforcement, or a developer of a GenAI system or model, as defined by the statute. The law’s effective date is January 1, 2026.
  • SB 446 (Data Breach Notification Timing): This law amends California’s existing data breach notification law to require that notices to affected consumers be made within 30 calendar days of discovery or notification of the data breach. This changes the existing law, which currently requires notices be made “in the most expedient time possible and without unreasonable delay,” but does not mandate a specific time period. As under current law, notices may be delayed to accommodate the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the reasonable integrity of affected data systems. The law also requires that existing Attorney General notifications be made within 15 days of notifying 500 or more California residents.

AI Laws

  • AB 325 (Algorithmic Price Fixing): This law amends California’s antitrust law, the Cartwright Act, to prevent the use of algorithms to coordinate pricing among competitors, creates liability for efforts to coerce compliance with pricing tool recommendations, and clarifies the bar for plaintiffs pleading conspiracies under the Cartwright Act. See our previous client alert on AB 325 for more information.
  • AB 853 (Amendment to the California AI Transparency Act): This law amends the California AI Transparency Act by delaying its implementation until August 2, 2026, and incorporating new provisions focused on offering users the choice to embed a latent (i.e., hidden) disclosure within their captured content (i.e., photos, videos, and audio) that provides specific provenance information (i.e., a watermark that can be used to convey the content’s authenticity, origin, or history of modification). Under the existing California AI Transparency Act, large online platforms are required to detect provenance data embedded into or attached to content distributed on their platforms and to provide a mechanism for users to inspect and retrieve provenance data associated with distributed content. In his signing message, Governor Newsom acknowledged the bill’s implementation challenges, including user privacy, and stated, “I encourage the Legislature to enact follow-up legislation in 2026, before the law takes effect, to address these technical feasibility issues.”
  • SB 53 (Transparency in Frontier AI Act): This law is first-of-its-kind AI legislation in the U.S. that requires large AI developers to publicly disclose how they plan to mitigate potentially “catastrophic risks” posed by advanced frontier AI models (i.e., foundation models trained using a quantity of computing power greater than 10^26 integer or floating-point operations). The law builds on recommendations from the June 2025 report from the Joint California AI Policy Working Group and is a pared-back successor to last year’s unsuccessful SB 1047, which was vetoed amid industry opposition. See our previous client alert on SB 53 for more information.
  • SB 243 (Companion Chatbots): This law requires operators of “companion chatbot” platforms to notify users that the chatbot is not human if a reasonable user would be misled into thinking otherwise. The statute defines “companion chatbot” as an “artificial intelligence system with a natural language interface that provides adaptive, human-like responses to user inputs and is capable of meeting a user’s social needs, including by exhibiting anthropomorphic features and being able to sustain a relationship across multiple interactions.” Covered operators are obligated to implement and publish a protocol to prevent the chatbot’s generation of content related to suicidal ideation, suicide, and self-harm and to direct users to crisis service providers, a suicide hotline, or a crisis text line if the user expresses suicidal ideation, suicide, or self-harm. Operators are also required to inform users known to be minors that they are interacting with AI and not a human and remind minor users every three hours to take breaks. Operators must also implement measures to prevent the chatbot from generating sexually explicit visual content or suggesting that minors engage in such conduct. Finally, operators must report annually to the California Office of Suicide Prevention on the number of crisis referrals made in the preceding year and the protocols implemented by the operator related to suicidal ideation. The law’s effective date for the Office of Suicide Prevention reporting requirements is July 1, 2027.

The 2025 legislative session makes clear that California is taking an aggressive approach to regulating the tech sector on a number of key issues, including AI-generated content, social media, children and teens’ safety, and consumer data privacy. As the emerging AI and maturing privacy landscape further takes shape in the Golden State, businesses are advised to closely monitor these legislative and policy developments.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and AI regulatory issues and will be closely tracking legislative developments in this space. For more information or advice concerning your privacy and/or AI practices, please contact Eddie Holman, Tracy Shapiro, Doo Lee, or any member of the firm’s Data, Privacy, and Cybersecurity and AI and Machine Learning practices at Wilson Sonsini.