California Continues to Lead in Privacy, Cybersecurity, and AI Regulation
California's reputation as a pioneer in data protection and artificial intelligence (AI) regulation has been further solidified with the recent enactment of several new laws and regulations. These developments not only impact businesses operating within the state but also signal a shift in the broader regulatory landscape. The California Privacy Protection Agency (CPPA) has been at the forefront of these efforts, issuing new regulations and imposing significant fines on non-compliant businesses.
Key Takeaways:
- **New ADMT Regulations**: The CPPA has approved regulations concerning automated decision-making technology (ADMT), requiring businesses to provide pre-use notices to consumers and offer opt-out options for certain decisions made by ADMT.
- **Cybersecurity Audits and Risk Assessments**: Businesses deemed to present significant risks to consumers' security must undergo annual cybersecurity audits and submit written certifications to the CPPA.
- **Tractor Supply Company fined $1.35M**: The CPPA has imposed a significant fine on Tractor Supply Company for multiple privacy violations, including failing to honor consumer opt-out requests and providing inadequate notice to consumers and job applicants.
- **Transparency in Frontier AI Act (SB 53)**: This law requires frontier model developers to publish information about their AI systems, including release dates, intended uses, and restrictions.
- **California's Opt Me Out Act (AB 566)**: Web browser developers must include configurable functionality to send universal opt-out preference signals to opt-out of the "sale" or "sharing" of personal information on websites visited.
- **Updated Requirements for Data Brokers (SB 361)**: Data brokers must provide details about new categories of personal information they collect and indicate whether they have shared or sold consumers' data to specified third parties.
Statistics:
- The CPPA has imposed a $1.35 million fine on Tractor Supply Company for multiple privacy violations.
- The fines for non-compliance with cybersecurity audits and risk assessments will start on a rolling basis, with larger businesses required to comply first, beginning on April 1, 2028.
- The TFAIA requires large frontier developers to publish and comply with an AI framework and periodically provide reports on their assessment of catastrophic risks resulting from internal use of their frontier models.
Sources:
- [1] This memorandum provides only a high-level summary of these laws and developments. For a more detailed discussion, please consult one of the authors of this memorandum.
- [2] This applies if, in the prior calendar year, (i) the business met the revenue threshold (currently $26,625,000), and processed the personal information of 250,000+ consumers or households, or processed the sensitive personal information of 50,000+ consumers; or (ii) derives 50+% of annual revenues from "selling" or "sharing" consumers' personal information (as defined in the CCPA).
- [3] Beginning on April 1, 2028, if the business's annual gross revenue was more than $100,000,000 in 2026, April 1, 2029, if the business's annual gross revenue was between $50 million and $100 million in 2027, and April 1, 2030, if the business's annual gross revenue was less than $50 million in 2028.
- [4] The relevant computing power threshold is 10^26 integer floating-point operations (or "FLOPs"). FLOPs represent, generically, the number of calculations performed, in this case, to train the AI model.
- [5] Defined under existing law as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.