California’s New AI Privacy Laws

What small businesses must disclose

California’s CCPA regulations now require businesses using automated decision-making technology for hiring, lending, housing, or healthcare to provide pre-use notices starting January 2026. Companies meeting the $26.6 million revenue threshold must disclose how AI makes significant decisions, offer opt-out rights, and conduct risk assessments. AB 2013 separately mandates AI developers reveal their training data sources. Non-compliance carries penalties up to $7,500 per violation.

What California Law Actually Requires (And What Got Vetoed)

Many business owners worry about SB 1047, the bill that proposed strict rules for large AI models. Governor Newsom vetoed that bill on September 29, 2024. It never became law. Small businesses do not face restrictions on AI model sizes or safety testing requirements. The veto removes that regulatory burden entirely.

What actually takes effect are new CCPA regulations about automated decision-making technology. The California Privacy Protection Agency finalized these rules on July 24, 2025. The Office of Administrative Law approved them on September 23, 2025. They become enforceable on January 1, 2026. ADMT-specific compliance phases in beginning January 1, 2027.

These regulations target businesses using AI for significant decisions affecting consumers. They do not regulate the AI models themselves. They regulate how you communicate with consumers about AI-driven outcomes. The rules focus on transparency rather than restricting technology.

AB 2013 also passed and requires AI developers to disclose their training data sources. This law applies to companies building generative AI systems, not necessarily to businesses using off-the-shelf AI tools. However, if you develop proprietary AI systems, this applies to your development process.

The confusion between vetoed bills and enacted laws creates compliance anxiety. Business owners hear about strict AI regulations and assume they face impossible requirements. In reality, the current law focuses on specific disclosure requirements for automated decision-making rather than broad AI restrictions.

Who Must Comply and What Triggers Disclosure

CCPA compliance thresholds determine whether these rules apply to your business. You must comply if your annual gross revenues exceed $26.6 million. The threshold also applies if you buy, sell, or share personal information of 100,000 or more California consumers annually. Small businesses below these thresholds face fewer requirements.

The regulations apply to automated decision-making technology used for significant decisions. A significant decision affects a consumer’s financial situation, housing, employment, education, healthcare, or insurance. Using AI to screen job applicants triggers the requirements. Using AI to evaluate loan applications triggers them. Using AI for tenant screening or health insurance decisions triggers them.

ADMT includes any system that processes personal information using machine learning, statistical modeling, or other automated techniques. Spreadsheets with complex formulas do not count. Simple database queries do not count. Systems that learn from data and make predictions do count.

The law distinguishes between profiling and fully automated decision-making. Profiling involves analyzing consumer behavior or characteristics. If you use AI to profile customers for marketing, different rules apply. The strict disclosure requirements target consequential decisions affecting individuals’ life opportunities.

Businesses must map their AI usage to identify which tools make significant decisions. HR departments using AI resume screeners must comply. Financial services using AI credit scoring must comply. Landlords using AI tenant screening services must comply. Healthcare providers using AI diagnostic tools for insurance decisions must comply.

Quick Wins: AI Compliance Checklist

Check Revenue Threshold: Does your business exceed $26.6M annually?
Map AI Decision Points: List systems used for hiring, lending, or housing.
Document Pre-Use Notices: Prepare plain language disclosures.
Plan Opt-Out Mechanisms: Design human review alternatives.
Schedule Risk Assessments: Calendar review for high-risk ADMT.

Pre-Use Notice Requirements for ADMT

California law requires clear notice before using ADMT for significant decisions. You must inform consumers that you use automated technology. The notice must explain the decision-making process in plain language. Technical jargon violates the accessibility requirements.

Pre-use notices must include specific elements. They must state that automated technology makes or contributes to the decision. They must describe the logic used by the system in terms consumers understand. They must explain the role of human oversight if any exists. They must provide contact information for questions about the ADMT.

Notices require specific formatting for accessibility. You must provide large print upon request. You must ensure notices are readable by screen readers. You must offer alternative formats for consumers with disabilities. The law treats accessibility as a core compliance requirement, not an optional add-on.

Timing matters significantly. You must provide notice before collecting personal information used in the automated decision. You cannot notify consumers after the decision occurs. Job applicants must receive notice before you run their resumes through AI screening tools. Loan applicants must receive notice before AI evaluates their creditworthiness.

The regulations recognize layered notices for complex systems. You can provide a short initial notice with a link to detailed information. However, the short notice must contain the essential facts. It cannot bury critical information in links or footnotes. Consumers must understand that AI participates in decisions affecting their opportunities.

AB 2013 and Training Data Transparency

AB 2013 adds another layer of disclosure requirements specifically for AI developers. This law requires companies developing generative AI systems to document and disclose their training data sources. It takes effect January 1, 2026, the same day as the CCPA ADMT regulations.

The law targets companies building AI models, not businesses using third-party AI services. If you license AI tools from vendors, your vendor bears the training data disclosure burden. If you build proprietary AI systems in-house, you must comply directly. The distinction matters for determining your compliance obligations.

Documentation requirements include listing the types of sources used in training. Developers must identify whether they used publicly available datasets, purchased data, or scraped information. They must disclose whether personal information appeared in training data. They must reveal whether they filtered or modified datasets before training.

The law aims to prevent unauthorized use of copyrighted or private data in AI training. Developers face liability if they cannot demonstrate legitimate data sourcing. This creates new risks for companies building AI with unclear data provenance. Auditing training data sources becomes a legal necessity rather than a best practice.

For small businesses using AI tools, this law affects vendor selection. You should verify that your AI vendors comply with AB 2013. Your contracts should require vendors to indemnify you for data sourcing violations. You need documentation trails showing you selected compliant vendors. This protects you from secondary liability if vendors used unauthorized training data.

Risk Assessments and Consumer Rights

CCPA regulations require risk assessments for high-risk ADMT systems. You must evaluate whether the ADMT presents substantial risks to consumer privacy. The assessment examines data minimization practices. It reviews whether the system processes more personal information than necessary for the decision.

Assessments must occur before deploying new ADMT systems. They must also occur periodically for existing systems. The California Privacy Protection Agency recommends annual reviews. Documentation must be available for regulatory inspection. You cannot simply conduct the assessment and file it away.

Consumer rights under the new regulations include the right to opt out of ADMT processing in certain circumstances. Consumers can request human review of automated decisions. They can demand explanations of the logic behind AI-driven outcomes. They can request information about the data sources used in their specific evaluation.

Businesses must establish procedures for handling these consumer requests. You need systems to identify which data affected a specific decision. You must be able to explain how the AI reached its conclusion in understandable terms. You must provide mechanisms for human review when consumers request it.

The regulations require businesses to verify that third-party ADMT vendors comply with these consumer rights. Your contracts must ensure vendors can provide the necessary explanations and data access. You remain responsible for compliance even when using external AI services. This means selecting vendors with robust transparency features.

Preparing Your Business for January 2026

Compliance preparation starts with auditing your current AI usage. List every system that contributes to hiring, lending, housing, or healthcare decisions. Identify which systems meet the ADMT definition. Determine which consumer interactions trigger the significant decision requirements.

Document your current notice practices. Review whether you inform consumers about automated processing before it occurs. Check if your notices use plain language accessible to average readers. Verify that you provide alternative formats for consumers with disabilities. Identify gaps between current practices and legal requirements.

Review your vendor contracts for ADMT tools. Ensure contracts require vendors to support your disclosure obligations. Verify that vendors can provide explanations of AI logic when consumers request them. Confirm that vendors indemnify you for compliance failures related to their technology.

Develop opt-out procedures for consumers who object to automated processing. Design workflows for human review of AI decisions. Train staff to handle consumer questions about ADMT. Create template responses for common inquiries about automated decision-making.

Calendar your risk assessment schedule. Plan annual reviews of high-risk ADMT systems. Assign compliance responsibility to specific team members. Budget for potential legal consultation on complex AI deployments. The January 2026 deadline approaches quickly for businesses still mapping their AI usage.

Industry Insight: Most businesses overestimate their AI compliance burden because they confuse proposed legislation with enacted law. SB 1047 dominated headlines but never took effect. The actual regulations focus on transparency for consequential decisions, not technical AI restrictions. Smart businesses use this clarity to prepare targeted compliance rather than panicking about impossible model-testing requirements. The businesses that thrive will be those that treat these disclosures as consumer trust-building opportunities rather than regulatory burdens.

Sarah Chen, Privacy Compliance Strategist

Jan 2026, CCPA ADMT Effective: Automated decision-making regulations take effect.

Jan 2027, Full Compliance Deadline: Full ADMT compliance phased in by this date.

$7,500, Maximum Penalty: Per intentional violation of CCPA ADMT rules.

The Myth vs The Reality

MYTH

SB 1047 passed and now all California businesses face strict AI model size restrictions and safety testing requirements.

FACT

SB 1047 was vetoed by Governor Newsom on September 29, 2024. It never became law. Current regulations focus on transparency and disclosure for automated decision-making affecting consumers, not technical AI restrictions on model sizes.

MYTH

Only tech companies and AI developers need to worry about California’s new AI privacy laws. Small businesses using third-party tools are exempt.

FACT

Any business using AI for hiring, lending, housing, or healthcare decisions meeting CCPA thresholds ($26.6M revenue or 100,000+ CA consumers) must comply. This includes businesses using third-party AI tools, not just developers. You remain responsible for consumer disclosures even when using vendor technology.

Common Questions About California AI Disclosure

Q: Does SB 1047 affect my small business?

A: No. Governor Newsom vetoed SB 1047 on September 29, 2024. This bill would have regulated large AI models but never became law. Small businesses face no restrictions on AI model sizes or safety testing requirements from this legislation.

Q: What counts as a “significant decision” requiring ADMT disclosure?

A: Significant decisions affect a consumer’s financial situation, housing, employment, education, healthcare, or insurance. Examples include AI-driven hiring decisions, loan approvals, tenant screening, health insurance coverage determinations, and educational admissions. Marketing personalization and routine customer service do not trigger the requirements.

Q: Do I need to conduct a risk assessment for my AI tools?

A: Risk assessments are required for high-risk ADMT systems before deployment and periodically thereafter. High-risk systems involve consequential decisions with significant consumer impact. The assessment evaluates privacy risks, data minimization practices, and compliance with consumer rights. Document your assessment process and results.

Q: What if I use third-party AI vendors for HR decisions?

A: You remain responsible for CCPA ADMT compliance even when using third-party AI tools. Your contracts must require vendors to support your disclosure obligations and provide explanations of AI logic when consumers request them. Verify that vendors can deliver the transparency required by California law before deploying their tools for hiring or other significant decisions.

Brief Summary

California’s CCPA automated decision-making technology regulations take effect January 1, 2026, requiring businesses exceeding $26.6 million revenue to provide pre-use notices when AI affects hiring, lending, housing, or healthcare decisions. Companies must explain AI logic in plain language, offer accessible formats, and establish opt-out procedures. AB 2013 separately requires AI developers to disclose training data sources beginning January 2026. Risk assessments are required for high-risk ADMT systems with documentation available for regulatory inspection. SB 1047 was vetoed in September 2024 and never became law, meaning businesses face transparency requirements rather than technical AI restrictions. Penalties reach $7,500 per intentional violation.

About the Author

Kent Mauresmo is an SEO and Web Design Consultant based in Los Angeles, California. Kent founded Read2Learn in 2010 and has helped thousands of businesses achieve first-page Google rankings through practical, results-driven strategies. He is the author of multiple best-selling books including How To Build a Website With WordPress…Fast! and SEO For WordPress: How To Get Your Website On Page #1 of Google…Fast!

His additional titles include How I Hit Page 1 of Google in 27 Days! and SEO Guide 2017 Edition. Available at:

Disclaimer: This article provides general information about California AI privacy laws and CCPA regulations. It does not constitute legal advice. AI regulations continue evolving, and specific compliance requirements depend on your business circumstances. Consult with a qualified privacy attorney for guidance on your specific ADMT compliance obligations.
