California Tech Legislation Roundup: Numerous Privacy and AI Laws Enacted and Six Vetoed 

The California Legislature once again passed numerous tech-focused bills this legislative session, including bills on both privacy and AI. Governor Gavin Newsom signed many of these bills into law during the past month, but he also vetoed six major tech bills that would have offered increased protections to Californians. California just wrapped up the first year of a two-year legislative session, so several relevant bills were also held for further consideration next year. 

Below is a rundown of the major privacy and AI bills that were signed into law this session and a brief explanation of what each law does. Following that is a summary of each of the vetoed bills along with Gov. Newsom’s reasoning for returning these bills without his signature.  

Signed

Browser opt out requirement (AB 566)
Effective date: January 1, 2027

AB 566, or the Opt Me Out Act, requires browsers to support opt-out preference signals like Global Privacy Control that offer users the ability to opt out of the sale and sharing of their personal data from every site they visit in one click rather than forcing users to opt out on each site individually. This landmark bill will make it significantly easier for Californians to exercise their privacy rights. 

Algorithmic pricing (AB 325)
Effective date: January 1, 2026

AB 325 amends the Cartwright Act, a California antitrust law, to cover algorithmic pricing. The law prohibits 1) the use or distribution of a “common pricing algorithm” as part of a contract or conspiracy to restrain trade or 2) coercion to set or adopt a recommended price or term for the same or similar goods or services.

Data broker obligations (SB 361)
Effective date: January 1, 2026

SB 361 builds on the 2023 DELETE Act by requiring data brokers to 1) disclose more information when they register with the state and 2) use the Data Removal and Opt-Out Platform (DROP) mechanism to make it easier for Californians to request that data brokers delete their data. Starting on January 1, 2028, this law will also require data brokers to undergo audits by independent third parties every three years to ensure compliance with the law.  

Deletion of social media accounts (AB 656)
Effective date: January 1, 2026

AB 656 requires certain social media platforms to offer users a clear way to delete their accounts and all personal information associated with their account. The law prohibits social media companies from using any deceptive or manipulative tactics, including dark patterns, to make deleting an account more difficult. 

Companion chatbots (SB 243)
Effective date: July 1, 2027

SB 243 is one of two bills the Legislature passed this session to regulate chatbots (Gov. Newsom vetoed the other bill, AB 1064, which contained more substantial limits on chatbots.). However, SB 243 does place some limits on companion chatbots, including requiring 1) providing notice that the user is interacting with a chatbot if a reasonable person may be led to believe they are interacting with a human; 2) implementing a protocol for “preventing production of suicidal ideation, suicide, or self-harm content;” and 3) disclosing that the chatbot may not be suitable for minors. If the operator of a companion chatbot knows a user is a minor, the operator must 1) disclose that the user is interacting with artificial intelligence; 2) provide a notice every three hours reminding the user that the chatbot is not human and encouraging the user to take a break; and 3) implement reasonable measures to prevent the chatbot from producing sexually explicit content. The law contains a private right of action. 

Transparency requirements for frontier model developers (SB 53)
Effective date: January 1, 2026

SB 53 is a pared down version of last year’s SB 1047, a bill by the same author that received massive amounts of attention from both proponents and opponents before Gov. Newsom ultimately vetoed it. 

This year’s version, the Transparency in Frontier Artificial Intelligence Act, requires developers of the largest AI models to develop, implement, and publish safety protocols and report critical safety incidents to the state’s Office of Emergency Services. The law also contains whistleblower protections for employees of covered companies who report risks of critical safety incidents. 

Several testing and safety requirements were removed from this year’s version of the bill. 

Artificial intelligence defenses (AB 316)
Effective date: January 1, 2026

AB 316 bars businesses that developed, modified, or used artificial intelligence from blaming AI for harms they caused by asserting that the AI autonomously caused the harm. AI harms can include misdiagnosis of a patient’s illness or generating defamatory content. This law prevents defendants who used AI from pointing to the AI system’s independence to shirk liability.  

Age assurance (AB 1043)
Effective date: January 1, 2027

AB 1043, or the Digital Age Assurance Act, requires device operators and app stores to require users to input their age when setting up new devices. Existing users will also be required to input their age after the law goes into effect. Device operators will then be required to group users into one of four age ranges: under 13, at least 13 but under 16, at least 16 but under 18, and at least 18. Device operators will then make this age designation available to app developers, which will be required to ask for an age range, when users go to download an app.

Unlike similar proposals or laws in other states, AB 1043 does not require users to upload sensitive information, such as photos of government IDs, to prove their age. This law also does not require parental consent for minors to download apps. 

Driver unionization (AB 1340 & SB 271)
Effective date: January 1, 2026 

In August 2025, California lawmakers struck a deal with Uber and Lyft to allow the app-based drivers to unionize, in exchange for allowing the companies to pay drastically reduced insurance coverage. AB 1340gave the drivers the ability to unionize, representing a significant win for the drivers who were classified as contractors and thus ineligible for collective bargaining under Prop 22, a measure that Lyft and Uber spent over $200 million to pass. SB 371 will significantly reduce the coverage that Uber and Lyft are required to provide for accidents caused by uninsured or underinsured drivers. 

Health data (AB 45)
Effective date: January 1, 2026

AB 45 prevents reproductive health information collected during health research from disclosure to out-of-state law enforcement requesting the information in relation to laws that interfere with a person’s rights to choose or obtain an abortion. The law also prohibits the collection, use, disclosure, sharing, selling, or retention of geolocation data of a person at a family planning center, except only as necessary to perform the services or provide the goods requested by the person. It also prohibits geofencing to collect data, track or identify individuals, target ads, or send notifications to people obtaining health care near these facilities. This law contains a limited private right of action. 

AI transparency (AB 853)
Effective date: various, see below

AB 853 delays the effective date of the California AI Transparency Act until August 2, 2026, from January 1, 2026. The California AI Transparency Act requires generative AI developers with a large number of users within California to provide a tool to assess whether image, video, or audio content are created or altered by generative AI. This bill also builds on the California AI Transparency Act in two ways using provenance data, which signals whether content depicts reality or is fully or partially created with AI. First, at the point of content creation, it requires recording devices sold in California to include the option to embed provenance information showing that it is authentic, human-generated content (effective Jan. 1, 2028). Second, at the point of content dissemination, the bill requires social media and online platforms to display the source of content shared on their platforms, leveraging provenance data (effective Jan. 1, 2027).

Social media warning labels (AB 56)
Effective date: January 1, 2027

AB 56, or the Social Media Warning Law, requires covered social media platforms to display a warning label the first time a user accesses the platform each day and after three hours of active use as well as once per hour each hour after that. The warning label must say: “The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.” 

Gender-affirming health care (AB 82 & SB 497)
Effective date: Immediately (SB 497), January 1, 2026 (AB 82)

AB 82 and SB 497 aim to protect healthcare providers and patients from potential interstate legal actions that might seek to penalize them for providing or receiving gender-affirming care and reproductive healthcare, which are legally protected healthcare services. The law expands the address confidentiality program to healthcare service providers, employees, volunteers, and patients of gender-affirming health care to prevent disclosure of addresses under public records requests. Under existing law, the confidentiality program covers reproductive health care service providers, employees, volunteers, and patients. In addition, the law restricts how state and local agencies can share information about gender-affirming care and reproductive care with out-of-state entities and prohibits law enforcement from arresting or cooperating with investigations targeting activities related to such legally protected healthcare services. SB 497 prohibits disclosure of medical information related to gender-affirming health care in response to another state’s law that interferes with an individual’s right to seek or obtain gender-affirming health care.

Deepfake pornography (AB 621)
Effective date: January 1, 2026

AB 621 expands California’s legal protections against deepfake pornography, including by defining “digitized sexually explicit material” to cover a broader scope of situations, increasing the available statutory damages, and granting enforcement authority to certain public prosecutors. The bill also makes clear that a minor cannot consent to the creation or distribution of digitized sexually explicit material. 

Law enforcement use of AI (SB 524)
Effective date: January 1, 2026

SB 524 creates stronger transparency for law enforcement use of AI in creating police reports. The law requires police to disclose if AI was used to fully or partially author a police report, to retain the first draft created by AI as long as the official report is retained, and to create an audit trail that, at minimum, identifies the officer who used AI to create a report. This addresses a serious issue in AI police reporting software from Axon that does not retain first drafts created by AI by design, which makes distinguishing which part of a report is AI-produced difficult. Further, it bans AI vendors from selling or sharing the information a police agency provided to the AI system.

AI deceptive healthcare outputs (AB 489)
Effective date: January 1, 2026

AB 489 prohibits generative AI technologies’ use of certain terms and phrases that indicate or imply that its outputs are provided by a natural person with the appropriate health care license or certificate in advertising or in functionality. This law aims to address the issue of generative AI chatbots that produce outputs incorrectly stating that the chatbot is a real, licensed human therapist certified to provide mental health care, with fabricated state license numbers, which puts the users’ health at risk.

Data center energy use (SB 57)
Assessment due date: January 1, 2027 

SB 57 directs the California Public Utilities Commission to conduct a study of data center expansion and its impact on the power grid. However, Governor Newsom vetoed a separate bill, AB 93, to increase oversight and transparency of water usage at data centers (see below). 

Vetoed

Automated decision systems in employment (SB 7)

SB 7, or the No Robo Bosses Act, would have put basic guardrails in place around the use of automated decision systems in the employment context. These measures would have included requiring employers to 1) provide a pre-use notice to employees and prospective employees that an automated decision system (ADS) would be used in the workplace; 2) maintain a list of ADSs in use at the workplace; 3) provide a post-use notice explaining that the employer used an ADS to make a decision and what the employee’s rights are related to the decision; and 4) give workers access to their own data used by an ADS to make a discipline, termination, or deactivation decision, upon worker request.  

The bill would also have prevented employers from using an ADS in certain particularly invasive ways, including to violate laws; infer a worker’s protected status; “identify, profile, predict, or take adverse action against a worker for exercising their legal rights;” or collect worker data for an undisclosed purpose. Employers would also have been prohibited from using an ADS as the sole basis for a discipline, termination, or deactivation decision. 

Finally, the bill contained a non-retaliation provision preventing employers from punishing workers for exercising their rights under the bill. 

In his veto letter, Gov. Newsom called the notice requirements “unfocused” and cited concerns that the bill contained “overly broad restrictions.” He also pointed to the recently finalized CPPA regulations on automated decision-making technology as a potential solution for the issues SB 7 was trying to solve and said lawmakers should assess the efficacy of those regulations before legislating on this topic. 

Companion chatbots (AB 1064)

AB 1064, or the Leading Ethical AI Development (LEAD) for Kids Act, would have prohibited companion chatbots from being made available to children if they were “foreseeably capable” of certain specific harms. The identified harms were chatbots that encouraged self-harm, suicidal ideation, violence, drug or alcohol consumption, or disordered eating; offered mental health therapy; encouraged harming others or engaging in illegal activity; engaged in sexually explicit interactions; or optimized engagement over preventing the preceding types of harm. The bill included a private right of action. 

In his veto message, Gov. Newsom pointed to the other chatbot bill passed this year, SB 243, which he signed into law, as a better vehicle for addressing the harms chatbots pose to children. He said that AB 1064 “imposes such broad restrictions on the use of conversational AI tools that it may unintentionally lead to a total ban on the use of these products by minors,” which he said would cause future problems for minors in a world where AI is “ubiquitous.” 

Social media platform liability (SB 771)

SB 771 would have allowed social media platforms to be held liable for their use of algorithms to display violent and discriminatory content to users. The bill would have allowed fines of up to $1 million on social media platforms that used algorithms to promote content that violated California civil rights and hate crime laws. 

The bill had sparked concern and threats of lawsuits from the tech industry over possible First Amendment and Section 230 questions. Gov. Newsom called the bill “premature” in his veto message and said that lawmakers should instead determine whether existing civil rights laws can effectively address algorithmic harms. 

Automated license plate readers (AB 274)

AB 274 would have required automated license plate reader (ALPR) data to be deleted after 60 days. This bill was proposed amidst reporting that California officers had on more than 100 occasions violated state law that prohibits sharing ALPR data with federal and out-of-state authorities. Another reporting also showed that a Texas Sheriff’s office used ALPR data from throughout the United States, not just Texas, to track down a woman who had allegedly self-administered an abortion while considering charging her with a crime and lied to reporters that the aim was to ensure the woman’s safety. 

Governor Newsom, in his veto message, stated that the bill “does not strike the delicate balance between protecting individual privacy and ensuring public safety,” and it may impede investigations for cases such as missing persons when the 60-day period has passed. The message further cited the additional cost from the compliance audit that the bill would require as an additional cost pressure not accounted for in the budget. 

Deepfake technology disclosure (SB 11)

SB 11 would have required entities that make AI capable of producing synthetic content that impersonate or appropriate a person’s likeness available to consumers to provide a warning that unlawful use of the technology to depict another person without prior consent may result in civil or criminal liability for the user. This would have allowed people who are the subjects of deepfakes to sue.

Governor Newsom vetoed this bill, citing uncertainty over “whether a warning would be sufficient to dissuade wrongdoers from using AI to impersonate others without their consent.”

Data center water usage (AB 93)

AB 93 would have required data centers applying for a business license to disclose expected water usage and annual data usage when applying for renewal. This bill was proposed amid increasing development of data centers across the country, with significant demand for potable water to cool such data centers and lack of transparency on water usage. 

Governor Newsom’s veto message stated that as “the global epicenter of the technology sector, California is well positioned to support the development of this critically important digital infrastructure in the state” and that he is “reluctant to impose rigid reporting requirements about operational details on this sector without understanding the full impact on businesses and the consumers of their technology.”