As the dust settles on California's 2025 legislative session, it's clear the Golden State is doubling down on its role as a regulatory leader, particularly in the rapidly evolving landscapes of privacy and artificial intelligence. By the October 12th deadline, Governor Gavin Newsom had signed a significant number of bills, ushering in what many are calling a new era for AI governance.
It wasn't just a few minor tweaks; lawmakers tackled at least 33 bills touching on privacy and AI, ultimately passing 16. Of those, seven were specifically focused on artificial intelligence, a clear signal of the legislature's intent to get ahead of the curve. This proactive approach is particularly evident in the adoption of the nation's first "frontier AI" law and companion legislation for chatbots. The focus here is transparency – making sure consumers understand how AI is being used and how their data might be involved.
Beyond AI, privacy protections received a substantial boost. Several bills amended the California Consumer Privacy Act (CCPA), shoring up protections for children's data, enhancing age verification processes, and reinforcing safeguards for location data. Data brokers, those companies that collect and sell personal information, are also facing new disclosure requirements. They'll need to be more upfront about what they collect, including sensitive categories like sexual orientation and citizenship status, and crucially, whether they've shared data with foreign actors, government agencies, or generative AI developers. The DELETE Act also saw its enforcement tools strengthened, with daily fines doubled and a clearer path for sanctioning failures to process consumer deletion requests.
One of the more intriguing privacy developments is the "California Opt Me Out Act." This law mandates that web browser developers provide a universal opt-out preference signal. Imagine a single switch that tells all websites you visit that you don't want your browsing activity tracked for marketing. While this could significantly impact web marketing efforts, browser companies are shielded from liability if businesses don't honor these requests. The practical implementation details, however, are still a bit of a question mark.
Children's privacy continues to be a major concern. Assembly Bill 1043 shifts the compliance burden for children's safety from operating system providers to application developers. Essentially, app developers will be on the hook for verifying a user's age, rather than the OS itself. This is a departure from models seen in other states and places a direct responsibility on those building the apps we use every day.
And then there's Assembly Bill 45, signed in late September, which adds specific prohibitions around geofencing and data handling related to health care services. This means stricter rules on collecting, using, or sharing personal information within sensitive locations like reproductive health clinics, and a ban on geofencing for identification and advertising purposes by healthcare providers. It also introduces a prohibition on disclosing personally identifiable research records to law enforcement if the research relates to seeking or obtaining health services.
Taken together, these legislative actions paint a picture of California not just reacting to technological change, but actively shaping its future. The state is clearly reinforcing its position as a pioneer in digital regulation, and it's likely that other states will be watching – and perhaps following – these developments closely.
