Imagine you’re the head of marketing at a mid-sized tech firm in San Francisco. You’ve spent the last two years building an AI-powered hiring tool that screens resumes, scores applicants, and even predicts cultural fit. It works beautifully fast, consistent, and scalable. Your HR team loves it.
Then January 1, 2026 arrives. And suddenly, that same tool is a liability.
You never documented where the training data came from. There’s no human review step built into the workflow. And you definitely haven’t given candidates a heads-up that an algorithm is making decisions about their careers.
Welcome to the new California.
Why California Moved First and Fast
California didn’t stumble into AI regulation. It sprinted there deliberately.
With the federal government still struggling to agree on basic AI guardrails, California decided it wasn’t going to wait. Building on the foundation it already laid with the California Consumer Privacy Act (CCPA) and its successor, the CPRA, the state moved to extend those same principles transparency, accountability, human oversight into the world of artificial intelligence.
Governor Newsom set the tone in 2023 with an executive order directing state agencies to assess AI risks. What followed was a wave of legislation that privacy advocates had long been pushing for, and that industry insiders had long hoped to avoid.
The result? A set of laws that are reshaping how AI is built, deployed, and governed in the world’s fifth-largest economy. If your business operates in California or serves Californians, this affects you.
The Laws You Need to Know
Assembly Bill 2013 – Show Your Work
Think of AB 2013 as the nutrition label for AI. Officially called the Generative AI Training Data Transparency Act, it requires developers of generative AI systems to publicly disclose detailed information about the data used to train their models.
And here’s the part that catches many companies off guard: it’s retroactive. If you released or significantly updated a generative AI model any time after January 1, 2022, you need to be in compliance by January 1, 2026.
What does disclosure actually look like? You’ll need to document and publish information including:
- The types and sources of data used in training
- Whether copyrighted material or personal information was included
- Whether data was collected with consent or scraped from public sources
- The general scale of the dataset
A real-world example: Say you’re a startup that built a customer service chatbot trained on a mix of your internal support tickets, public Reddit threads, and licensed content from a third-party data vendor. Under AB 2013, you’d need to clearly disclose all of that — what came from where, and on what basis you collected or licensed it.
This isn’t just a bureaucratic checkbox. Buyers, partners, and regulators are going to start using these disclosures to make decisions about which AI products they trust. Getting ahead of it is a competitive advantage, not just a compliance chore.
Senate Bill 53 – Big Players, Big Accountability
Not every company will feel the full weight of SB 53, but if you’re one that does, you’ll feel it significantly.
The Transparency in Frontier Artificial Intelligence Act targets large AI developers, specifically those with over $500 million in annual revenue. These are the companies building what regulators call “frontier models”: the most powerful, capable AI systems on the market.
Under SB 53, these companies must:
- Publish a comprehensive safety framework on their website, openly accessible to the public
- Align that framework with recognized standards, like the NIST AI Risk Management Framework
- Conduct third-party audits to assess the risk of catastrophic outcomes, things like mass harm, critical infrastructure failures, or large-scale discrimination
- Face penalties of up to $1 million per violation if they fall short
Think of it this way: If you were a pharmaceutical company about to release a new drug, regulators would expect you to prove it’s safe before it hits shelves. SB 53 applies that same logic to frontier AI. The burden of proof now sits with the developer.
For smaller companies below the revenue threshold, take note: sector-specific rules, particularly in healthcare and employment may still apply to you.
CPPA’s Automated Decision-Making Rules – The Human in the Loop
The California Privacy Protection Agency (CPPA) has finalized its regulations on automated decision-making technology (ADMT) and this one casts the widest net.
Effective in phases starting 2026 through 2030, these rules apply to any business that uses automated systems to make consequential decisions about people. That includes decisions related to employment, credit, housing, education, healthcare access, and more.
Here’s what compliance looks like in practice:
1. Pre-use notices. Before you use an automated system to evaluate someone, you have to tell them. Plain language. No fine print buried in a 40-page privacy policy.
2. Opt-out rights. In many cases, individuals have the right to request human review instead of or in addition to an automated decision.
3. Audit trails. You need to be able to show how a decision was made. Not just the outcome, but the logic behind it.
4. Risk assessments. Businesses must proactively assess whether their automated systems could produce discriminatory outcomes and document that assessment.
A practical example: A bank using an AI model to approve or deny loan applications must now inform applicants that AI is involved, give them the option to request a human review, and be able to explain in clear terms – why the algorithm reached its conclusion. Gone are the days of “the computer said no” with no further explanation.
SB 942 – Watermarks and Detectors for AI Content
If your platform generates content at scale articles, images, video, audio SB 942 requires you to provide AI detection tools and apply watermarks to AI-generated content. This goes into effect in August 2026 for large platforms.
The goal is straightforward: people deserve to know when they’re consuming something created by a machine, not a human. In a world of deepfakes, synthetic media, and AI-written news, that distinction matters.
SB 1120 – A Doctor Must Have the Final Word
For anyone operating in healthcare, SB 1120 is already in effect as of January 1, 2025 and it draws a clear line. If an AI tool is being used to approve or deny healthcare services, a licensed physician must supervise that process.
Insurance companies and health tech platforms using AI for prior authorizations, treatment approvals, or coverage denials must ensure a qualified human clinician has meaningful involvement in the decision not just rubber-stamping whatever the algorithm spits out.
This is a direct response to documented cases of AI systems denying medically necessary care at scale, without adequate human review.
AB 316 and AB 2602 – Your Likeness Is Your Own
Two bills worth flagging for anyone in media, entertainment, or consumer-facing tech:
AB 2602 requires explicit consent before an AI system can replicate someone’s voice, image, or likeness. This has major implications for anyone building synthetic media tools, voice cloning applications, or digital avatars.
AB 316 extends this protection further and introduces imputed liability, meaning if you deploy a third-party AI tool that causes harm through unlawful use of someone’s likeness, your company can be held responsible too. Vetting your vendors just became a legal obligation.
The Employment Angle – Civil Rights Council Steps In
California’s Civil Rights Council has quietly introduced some of the most consequential AI rules for employers. If you use AI in any part of the hiring, evaluation, or termination process, you must:
- Conduct regular non-discrimination assessments of your AI tools
- Retain records for a minimum of four years
- Be prepared to demonstrate that your AI-assisted decisions don’t disproportionately harm protected classes
These rules began phasing in from October 2025. If you haven’t started your documentation process yet, you’re already behind.
Who’s Enforcing All of This?
Enforcement is distributed – which means the risk comes from multiple directions.
The CPPA handles privacy and ADMT violations. The California Attorney General can pursue civil penalties. Sector regulators like the Civil Rights Council oversee employment AI. And in some cases, individuals have a private right of action – meaning they can sue directly, not just file a complaint and wait.
Penalties aren’t symbolic either. Up to $1 million per violation under SB 53. $7,500 per child for age assurance failures. Civil damages for unlawful use of a person’s likeness or data.
Regulators have signaled they want to encourage compliance over punishment – but they’re not afraid to use the tools they have.
A Practical Compliance Roadmap
So what does a responsible company actually do right now? Here’s how to approach it:
Step 1: Take inventory. Map every AI system in your organization. Customer-facing, internal, third-party. You can’t manage what you haven’t identified.
Step 2: Trace your training data. For every generative AI system you’ve built or deployed since January 2022, document where the training data came from. This is the foundation of your AB 2013 compliance.
Step 3: Build or update your safety framework. If you’re a large frontier developer, this isn’t optional — but even smaller companies benefit from having a documented AI governance policy.
Step 4: Add human oversight. Wherever your AI makes consequential decisions, build in a human checkpoint. It doesn’t have to be a full manual review every time – but there must be a meaningful mechanism for human involvement.
Step 5: Update your notices. Privacy policies and consent forms need to reflect what your AI actually does. Plain language. Specific disclosures. No vague boilerplate.
Step 6: Train your people. Compliance isn’t just a legal team issue. HR, engineering, product, marketing — anyone who touches AI systems needs baseline training on what the rules require.
Step 7: Audit, then audit again. Run a mock audit before regulators do. Test your systems for bias. Review your data practices. Identify gaps before they become violations.
Step 8: Watch the CPPA. Regulations are still evolving. The CPPA’s website is your best source for updates. Assign someone in your organization to monitor it.
The Bigger Picture
California’s AI rules aren’t a surprise. They’re the predictable outcome of a society grappling with technology that moves faster than the institutions meant to govern it.
The companies that will struggle most are the ones that treat compliance as a burden something to minimize, delay, or route around. The companies that will thrive are the ones that see it for what it is: a signal that AI governance is now a core business function, not an afterthought.
Transparency builds trust. Human oversight catches errors. Accountability creates better products. These aren’t regulatory constraints on innovation they’re the foundations of AI that people will actually rely on.
The clock started ticking. The question is whether your organization is ready.
FAQ
1. Which businesses must comply with AB 2013 training data disclosures?
Ans: Developers of generative AI systems released or modified since January 1, 2022, regardless of size, face retroactive disclosure requirements starting January 1, 2026.
2. What are the penalties for non-compliance with SB 53?
Ans: Violations carry up to $1 million fines, with regulators able to adjust based on federal deference and adaptive definitions for frontier AI.
3. How do CPPA ADMT rules affect automated hiring tools?
Ans: Employers must provide pre-use notices, ensure human oversight, prove no discriminatory outcomes, and retain records for four years, effective phased from 2026-2030.
4. Do small AI developers need to publish safety frameworks?
Ans: No, SB 53 targets large frontier developers with over $500 million revenue, but smaller firms may face sector rules like healthcare or employment AI.
5. What steps should companies take for data broker transparency under SB 361?
Ans: Register annually with CPPA, disclose collection of sensitive categories like biometrics and sexual orientation, and report sales to AI developers or agencies.
6. How does California handle AI in healthcare decisions?
Ans: SB 1120 requires licensed physicians to supervise AI tools for approvals or denials, effective January 1, 2025, ensuring human accountability.