California’s 2024 legislative session has been marked with exciting developments and a clear focus on setting the rules of the road for artificial intelligence (AI), with some measures becoming law and others stalling out along the way. Last month, Governor Newsom signed 17 bills regulating AI in the Golden State. Notably, Governor Newsom vetoed SB 1047, which would have imposed safety requirements on developers of large models to avoid certain harms. In vetoing the bill, Governor Newsom noted that it was not comprehensive or precise enough, improperly focused on large models even though small ones could present similar risks, and did not take into account whether an Al system is deployed in high-risk environments, involves critical decision-making, or uses sensitive data. Newsom’s veto also represents a big win for the numerous industry members, politicians, and academics who lobbied against the bill, arguing that its passage would stifle innovation in the space. Nevertheless, the AI bills Newsom did sign are expected to have wide-ranging impacts on the AI industry. A summary of those bills is below.Continue Reading Governor Newsom Signs (and Vetoes) Major California AI Legislation
California
Ninth Circuit Ruling Paves the Way for California Age-Appropriate Design Code to Partially Come into Effect


On August 16, 2024, the U.S. Court of Appeals for the Ninth Circuit issued an opinion partially upholding—and partially vacating—the District Court for the Northern District of California’s preliminary injunction preventing the California Age-Appropriate Design Code Act (CAADCA or the Act) from going into effect. Specifically, the Ninth Circuit upheld the district court’s injunction related to Data Protection Impact Assessment (DPIA) provisions while the district court further considers whether the remaining portions of the law are likely to be severable or unconstitutional on their own. Although the Ninth Circuit’s decision has not yet gone into effect, businesses subject to the CCPA may soon find themselves on the hook for complying with many provisions in the CAADCA.Continue Reading Ninth Circuit Ruling Paves the Way for California Age-Appropriate Design Code to Partially Come into Effect
Substantial New CCPA Regulations Inch Closer to Reality: A Detailed Overview of the New Requirements and Their Projected $4 Billion Cost to California Businesses



On July 16, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss advancing its over 200-page draft rulemaking package to formal proceedings.[1] The proposed regulations include 37 pages of significant new obligations spanning cybersecurity audits, automated decision-making technology (e.g., artificial intelligence, (AI)), privacy risk assessments, and 72 pages of other updates to existing regulations. Together, these regulations would create new compliance obligations for tens of thousands of California businesses and are preliminarily estimated to generate a staggering $4.2 billion in compliance costs for those businesses in their first year alone. Critically, these estimates do not include the many businesses that are based outside of California, yet subject to the California Consumer Privacy Act (CCPA) because they do business in California, meaning the real economic burden is likely to be far more significant.Continue Reading Substantial New CCPA Regulations Inch Closer to Reality: A Detailed Overview of the New Requirements and Their Projected $4 Billion Cost to California Businesses
California Appeals Court Moves Up Enforcement Date for Latest CCPA Regulations



On February 9, 2024, the California Third District Court of Appeals in Sacramento overturned a lower court order that postponed enforcement of the California Privacy Protection Agency’s (CPPA) newest rules. The decision restores the authority of the CPPA and California Attorney General to enforce the latest regulations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (“updated CCPA regulations”).Continue Reading California Appeals Court Moves Up Enforcement Date for Latest CCPA Regulations
Draft California AI Regulations Become One Step Closer to Reality: An Analysis of Requirements on the Horizon


On December 8, 2023, the California Privacy Protection Agency (CPPA) Board discussed a draft of its forthcoming artificial intelligence (AI) regulations on automated decision making technology (ADMT). The proposed regulations, published earlier on November 27, 2023, would impose significant new requirements on businesses subject to the California Consumer Privacy Act (CCPA) that use ADMT for certain use cases. The ADMT draft rules are expected to be part of the Agency’s larger rulemaking package alongside rules governing cybersecurity audits and risk assessments under the CCPA, as amended by the California Privacy Rights Act. While the draft ADMT regulations currently have no legal effect and are likely to undergo further revision before formal rulemaking begins, the current draft nonetheless provides an important preview of the rigorous new compliance requirements that could later take effect. Notable items put forth for public discussion include:Continue Reading Draft California AI Regulations Become One Step Closer to Reality: An Analysis of Requirements on the Horizon
California Enacts One-Stop Mechanism for Data Broker Deletion Requests


California residents may soon be able to click “backspace” on data brokers doing business in the state. On October 10, 2023, California Governor Gavin Newsom signed Senate Bill 362, colloquially known as the Delete Act, into law. The statute amends the state’s existing data broker registration law and builds on the state’s primary privacy law, the California Consumer Privacy Act (CCPA), by adding to residents’ ability to exercise their personal information deletion rights. Most notably, the law establishes a one-stop mechanism where state residents will be able to request—in one verifiable request—that all data brokers delete their personal information.Continue Reading California Enacts One-Stop Mechanism for Data Broker Deletion Requests
Sacramento Superior Court Delays Enforcement of CPRA Implementing Regulations


In a shocking turn of events, a Superior Court for the County of Sacramento issued a ruling on June 30, 2023, enjoining the enforcement of the California Privacy Protection Agency’s (the “Agency’s”) California Privacy Rights Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) regulations until one year after the regulations have been finalized. We previously issued an alert reminding businesses that the CPRA amendments to the CCPA become enforceable starting July 1, 2023, but, in accordance with the court’s ruling, the Agency’s recent modifications to the CCPA regulations to account for the CPRA’s changes to the CCPA now will not become enforceable until March 29, 2024. Per the court’s ruling, the prior CCPA regulations will remain in effect until the new regulations become enforceable.Continue Reading Sacramento Superior Court Delays Enforcement of CPRA Implementing Regulations