As the dust settles on California's 2025 legislative session, it's clear the Golden State is forging ahead, not just in privacy but in charting the course for artificial intelligence. Lawmakers have been busy, and the results are significant: a wave of new laws, including the nation's first "frontier AI" legislation, are set to redefine how we interact with technology and how our data is handled.
It's been a period of intense activity. Out of at least 33 bills introduced concerning privacy and AI, 16 have made it through, with Governor Gavin Newsom signing seven AI-specific bills and four privacy-focused ones into law. This isn't just a minor tweak; it signals a deliberate move to position California as a leader in regulating these rapidly evolving fields. You might recall the privacy trends from 2023 and 2024 – well, they've continued, with amendments to the California Consumer Privacy Act (CCPA), stronger protections for children's privacy and age verification, and enhanced rules for data brokers.
But the real headline-grabber is the adoption of the first frontier AI law. This, alongside companion legislation for chatbots, underscores a commitment to transparency. It's about making sure we know when we're interacting with AI and understanding how our information is being used. The legislature is clearly interested in making other areas of law AI-compatible, which is a pretty big undertaking.
Let's dive into some of the specifics. On the privacy front, the "California Opt Me Out Act" is a game-changer. Come 2025, web browser companies will need to offer a universal opt-out preference signal. Imagine a flood of opt-out requests hitting businesses – it's expected to significantly impact web marketing efforts. Interestingly, browser companies themselves are shielded from liability if businesses don't honor these requests, though the exact implementation details are still a bit fuzzy.
Children's privacy continues to be a major focus. Assembly Bill 1043 shifts the compliance burden for children's safety. Instead of operating system providers being solely responsible, application developers now bear more of the weight. They'll need "clear and convincing" age information, or they'll have to rely on age signals provided by the OS. This approach differs from states like Texas and Utah, placing direct liability on developers.
Data brokers are also under a brighter spotlight with Senate Bill 361. They'll have to disclose more about the personal information they collect, including sensitive categories like sexual orientation, citizenship status, and biometric data. Plus, they'll need to report if they've sold or shared data with foreign actors, government agencies, or generative AI developers to the California Privacy Protection Agency. The DELETE Act also got a boost, with doubled daily fines for non-compliance and making failure to process deletion requests a sanctionable offense.
And then there's Assembly Bill 45, reinforcing protections for health and location data. It introduces specific prohibitions on geofencing, especially around clinics and reproductive health care centers. This means companies can't just "fence off" areas with precise geolocation data for identification or advertising purposes. It also adds a layer of protection for research records, preventing disclosure to law enforcement if the data is personally identifiable and related to seeking or obtaining medical services.
These new laws are more than just regulatory updates; they're a statement of intent. California is not just reacting to the rise of AI and data privacy concerns; it's actively shaping the future. What happens here often sets a precedent, so it's worth watching how these developments unfold and potentially influence other states.
