Coblentz Press Room

With the End of the 2024 Legislative Term, Governor Gavin Newsom Takes a Measured Approach To Data Privacy Legislation

By Sabrina Larson and Amber Leong

In a significant move that has drawn both praise and criticism, California Governor Gavin Newsom recently vetoed Senate Bill 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (SB 1047), a highly publicized and debated AI bill, and Assembly Bill 1949 (AB 1949), a bill expanding data privacy rights for California minors. Both bills aimed to enhance data privacy protections for consumers, highlighting the ongoing efforts to balance technological advancement with individual privacy rights in an increasingly digital world.

At the same time, Governor Newsom signed into law nearly a dozen targeted bills concerning AI, including a law governing transparency when consumer data is used for training AI models (AB 2013), and a law requiring AI-generated content to contain a “manifest disclosure” in its metadata to signal that such material is AI generated (SB 942). Governor Newsom also signed into law stricter requirements aimed at prohibiting social media companies from directing addictive feeds toward minors (SB 976).

These noteworthy vetoes, paired with legislation signed into law by Governor Newsom, signal how California strives to be both at the helm of technological innovations and the leader in consumer data privacy protections in America.

Generative AI

Governor Newsom vetoed SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, which many commentators viewed as the country’s first state-level comprehensive law regulating generative AI. SB 1047 was divisive and polarizing—with the tech industry and AI advocates championing for or against the bill. Absent a national law, states, and municipalities have been stepping in to fill the void and address growing concerns about the use of AI as it develops at an exponential rate. To date, enacted laws have been targeted toward specific uses of AI, including deep fakes and other specific scenarios.

SB 1047 would have regulated and imposed various safety restrictions on AI systems, which would have had significant implications on the AI industry given that the majority of the world’s leading AI companies are headquartered in California. SB 1047 had passed the Legislature with overwhelming support and was seen as the blueprint for the nation. SB 1047 included a required “kill switch” for AI technology and required safety tests to be conducted by AI companies.

Opponents of SB 1047, including Andreessen Horowitz, OpenAI, Google, and Meta, expressed concern that over-regulation would overburden and stifle a nascent and developing industry.

Ultimately, in his veto statement for SB 1047, Governor Newsom expressed a “critical” need for “adaptability” as states race to “regulate a technology in its infancy.” This reflects a desire to avoid imposing overly burdensome regulations on a growing technology. His administration stated that while the intentions behind the bill were commendable, the potential consequences for businesses—especially small and medium-sized enterprises—could be detrimental. Governor Newsom emphasized the need for a balanced approach that fosters innovation while ensuring consumer protection, signaling that he is committed to working toward that approach. At the same time, he highlighted his signing into law over a dozen bills regulating specific, known risks of AI. For example, Governor Newsom signed AB 2013, which requires businesses using generative AI to make certain disclosures on their websites including providing high-level summaries of the datasets. Governor Newsom also signed into law SB 942, the California AI Transparency Act, which governs various methods of disclosing AI-generated content. The law requires AI companies to provide an “AI-detecting” tool and a “manifest” to accompany AI-generated content.

Children’s Data

Currently, there is a patchwork of laws governing the data of minors nationwide. To add more confusion for businesses, “minors” (which are generally understood as all individuals under the age of 18) and “children” (which has historically meant both individuals below the age of 13 and between the ages of 13 to 17) are defined differently under various federal and state laws. There are currently two general buckets of laws governing minors: laws governing data of children (those under the age of 13) and a new and developing regime for teenagers (those between the ages of 13 and 17).

The federal Children’s Online Privacy Protection Act (COPPA) governs data for minors under the age of 13, and requires parental consent if a business has actual knowledge that it is collecting, using, or disclosing personal information of individuals under the age of 13. Recently, state data privacy laws have started regulating the collection, processing, sale, and sharing of minors’ data. The exact requirements differ from state to state.

Comparatively, for example, California’s laws governing minors’ data are more nuanced than COPPA. California’s regulations governing minors’ data are found in its overall privacy act, the California Consumer Privacy Act (CCPA). California has an opt-in requirement for “minors” before a business can sell or share personal data. But how opt-in consent is obtained differs depending on the age of the minor. For individuals under the age of 13, affirmative parental consent must be obtained before a business sells or shares the data (notably, unlike COPPA, the CCPA does not require opt-in consent for collecting or processing such data). For teenage minors ages 13 to 16, affirmative consent from the teenager must be obtained before a business can sell or share the teenager’s personal information. The CCPA considers 16- to 17-year-olds as “adults” for CCPA purposes.

The goal of AB 1949, the Kid’s Privacy Bill, was to “close the gap” on teenagers’ data under the CCPA. AB 1949 also sought to establish stricter regulations regarding the collection and usage of minors’ data by businesses. Specifically, the bill would have required businesses to obtain opt-in consent prior not only to selling or sharing data of all minors including teenagers, but also prior to collecting and processing data of all minors.

Governor Newsom vetoed AB 1949, stating that it would be unduly burdensome on businesses.   At the same time, however, Governor Newsom signed into law a separate bill, SB 976, The Protecting Our Kids from Social Media Addiction Act. SB 976 prohibits social media companies from knowingly providing addictive feeds to minors (defined here as individuals under the age of 18) without parental consent. Governor Newsom’s veto of AB 1949 combined with signing into law SB 976 and other bills signals a measured approach to imposing data protections.

Conclusion

Governor Newsom’s veto of AB 1949 and SB 1047, while signing into law AB 2013, SB 942, and SB 976, among other laws, shows a thoughtful approach as California balances its role as a state fostering innovation while also maintaining its place as a leader in regulations protecting consumers’ privacy rights. The Governor’s decisions are at a complex intersection of consumer rights, business interests, and the evolving landscape of data privacy.

As the demand for stronger data privacy regulations continues to rise, particularly for minors, stakeholders will need to engage in constructive dialogue to find a balance that protects consumers without stifling innovation. The outcome of this debate will be pivotal in shaping California’s—and potentially the nation’s—approach to data privacy in the years to come.

For assistance navigating the ever-proliferating and changing landscape of data privacy laws, please contact the Coblentz Data Privacy Team.