The results of California's 2024 legislative session could go down as one of the most consequential for the state's artificial intelligence governance and privacy landscapes. Gov. Gavin Newsom, D-Calif., set those impacts into motion in the days leading up to the 30 Sept. deadline to enact 2024 bills.
Most notable among the sweeping action on privacy and AI bills was Newsom's last-minute veto of Senate Bill 1047, a much-discussed landmark AI safety proposal that could have set the legislative bar for other states and U.S. Congress if enacted.
"While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data," Newsom wrote in his veto message to the California Legislature. "Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology."
SB 1047 would have required covered entities to screen and audit their AI models for potential cybersecurity and infrastructure risks. It also proposed empowering the California attorney general to seek injunctive relief and sue in the event a company's AI created mass harm.
State Sen. Scott Wiener, D-Calif., the author of SB 1047, issued a statement noting the veto creates "a missed opportunity" and a "troubling reality" as the state and the nation continue to advance AI with "no binding restrictions."
"The companies developing advanced AI systems acknowledge that the risks these models present are real and rapidly increasing," Wiener added. "While large AI labs have made admirable commitments monitor and mitigate these risks, the truth is that voluntary commitments from industry are not enforceable and rarely work out well for the public."
AI startup Anthropic, which grew to support aspects of SB 1047 through the legislative process, ultimately argued the bill's core objectives would cut into AI innovation. In a post on the social platform X, Anthropic co-founder Jack Clark said SB 1047 was "a promising first step" toward needed risk mitigation, but it will "require lots of people to work together to figure out the right rules of the road for AI systems."
"Anthropic will talk to people in industry, academia, government, and safety to find a consensus next year and do our part to ensure whatever policy we arrive at appropriately balances supporting innovation with averting catastrophic risks," Clark added.
While Newsom balked at SB 1047, he did enact a separate AI governance bill, Assembly Bill 2013, that will assuredly change the AI governance landscape. The bill is focused on training data transparency, setting unprecedented requirements summaries and other required documentation about the datasets fueling generative AI models. AB 2013 takes effect 1 Jan. 2026 and applies to any defined generative AI system or service created after 1 Jan. 2022.
Proposed CCPA amendments
Newsom had a range of bills aimed at amending the California Consumer Privacy Act on his desk this year. Some of those bills were tended to earlier in Newsom's signing period, including the veto on AB 3048, which would have barred businesses from maintaining web browsers that do not enable consumers to utilize a universal opt-out signal for targeted advertising.
However, Newsom left a couple notable CCPA amendment bills to the final days before his deadline.
Notably, Newsom opted to veto AB 1949 and its proposal to have the CCPA cover all minors. As currently written the CCPA covers minors under 17, and the bill sought to move the range to under 18.
In his veto message, Newsom said the bill would "fundamentally alter the structure of the CCPA."
"I am concerned that making such a significant change to the CCPA would have unanticipated and potentially adverse effects on how businesses and consumers interact with each other, with unclear effects on children's privacy."
Meanwhile, Newsom did enact a bill addressing a clearer inclusion of neural data under the CCPA. SB 1223 adds neural data as a category of sensitive personal data under California law, which provides heightened protections for such data under certain circumstances.
"The importance of protecting neural data in California cannot be understated," state Sen. Josh Becker, D-Calif., told The New York Times. "It's important that we be up front about protecting the privacy of neural data — a very important set of data that belongs to people.”
CPPA Board meeting on tap
In the face of all the legislative action — and lack thereof — around privacy and AI, the California Privacy Protection Agency is hoping to advance its regulatory agenda around both topics.
The CPPA has a 4 Oct. board meeting scheduled with familiar agenda items, including potential action on a formal rulemaking process for a updated package of draft regulations on automated decision-making technology, risk assessments and cybersecurity audits.
Those draft rules have been stuck in the prerulemaking stage in recent months as the CPPA Board grapples with the right tact for the ADMT rules. Additionally, board members have been weighing whether the agency should take up the ADMT rulemaking at all or if state lawmakers should handle rules via legislative proposal.
The board will also discuss potential action to finalize rules around data broker registration under the Delete Act. Under the law, the agency assumed oversight of the state's data broker registry from the attorney general's office and was given rulemaking authority over registration requirements. The agency is also working toward its obligation to create a broker opt-out mechanism by 1 Jan. 2026.
Joe Duball is the news editor for the IAPP.