What is AI regulation in California?
AI regulation: countries and regions
AI regulation in California is not one single state AI Act. It is a layered mix of existing consumer protection, privacy, civil rights and content laws, plus targeted AI statutes and regulations. As of 4 June 2026, organisations dealing with Californians may need to comply with CCPA and CPPA rules on automated decisionmaking, training data transparency, synthetic media disclosure, digital replica restrictions, and a narrower frontier model transparency regime enforced by the Attorney General.
What this means
California regulates AI through a patchwork. Longstanding laws on unfair or misleading business practices, privacy, discrimination, elections and publicity rights already apply to AI use. On top of that, California has passed several AI-specific laws since 2024 and brought in new privacy regulations that directly address automated decisionmaking.
That means the practical question is usually not "does California have an AI law?" It is "which California rules apply to this AI use case?" A hiring tool, a public chatbot, an image generator, a synthetic voice campaign, and a frontier model release can each trigger different duties.
As of 4 June 2026, the California position is more developed than a simple proposal stage. Several targeted laws are enacted and in force or have operative dates now reached, while some election-related rules have also faced litigation, so organisations need point-in-time checking for those areas.
Why it matters
California matters because it combines a huge consumer market, aggressive privacy enforcement, strong publicity rights, and a legislature willing to pass AI-specific rules without waiting for a single omnibus statute. For many organisations, a California compliance decision becomes a default national product decision, especially for notices, data governance, content labelling, and model release documentation.
The practical stakes are broad. AI can trigger privacy duties when personal information is collected, used, retained, shared or inferred. It can trigger consumer law risk when a company overclaims accuracy, hides synthetic content, or markets an AI feature in a misleading way. It can trigger employment, housing, lending or healthcare governance when automated tools help make significant decisions. It can also create likeness and media risk if a company uses synthetic voices, cloned faces, or digital replicas of performers or deceased personalities.
California's newer AI statutes add operational duties that are concrete enough to affect product design. Some public GenAI providers must offer detection tools and provenance disclosures. Developers making public GenAI systems available to Californians must publish training data documentation. Large frontier developers now face a separate transparency and incident-reporting track. This is not abstract governance. It affects launch checklists, vendor terms, product notices, content pipelines, and internal review records.
How it works
California uses a layered model, not one omnibus act
California does not regulate AI through one economy-wide AI code. Its model is cumulative. Existing laws continue to apply, and targeted AI statutes add specific duties where lawmakers think ordinary law is not enough. For operators, that means California compliance is use-case based. A company may face privacy duties for one system, synthetic media duties for another, and frontier model duties only in a much narrower part of its stack.
This is why summaries that describe "the California AI Act" are misleading. California's actual model is a mix of state consumer law, privacy law, content and likeness rules, election and bot rules, and newer AI-specific obligations. The Attorney General's January 2025 legal advisories make that enforcement stance explicit: AI does not sit outside ordinary California law.
Existing consumer, privacy and civil rights law already applies
The Attorney General's position is that AI developers and deployers are already subject to California's Unfair Competition Law, False Advertising Law, consumer remedies law, privacy law, and civil rights law. In plain terms, a business can still be liable if it exaggerates what an AI system can do, markets a feature as fully AI when humans are doing the work, markets a feature as human when AI is doing the work, or presents an AI system as unbiased or reliable without a defensible basis.
Privacy is central. If an AI system uses Californians' personal information, the CCPA applies where the business is in scope. That means rights to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information still matter. The Attorney General's advisory also stresses that personal information can include AI-derived inferences, and that AI systems capable of outputting personal information do not escape the CCPA just because the information appears during generation.
The CPPA's final regulations, effective from 1 January 2026, make California's privacy regime much more operational for AI and automated decisionmaking. They define ADMT, define "significant decision", and create notice, access and opt-out mechanics. For significant decisions in lending, housing, education, employment, compensation and healthcare, businesses using ADMT must provide pre-use notice and consumer rights to opt out of, and access information about, the use of ADMT. Existing significant-decision uses that were already in place before 1 January 2027 have a transition period, but they must be compliant by 1 January 2027. The same regulatory package also adds risk assessment and cybersecurity audit duties for certain high-risk personal information processing.
Civil rights law still matters even where no AI-specific statute exists. If an AI screening or scoring system has discriminatory effects in employment, housing or services, the use of a vendor tool does not make the issue disappear. California's anti-discrimination rules, including FEHA and the Unruh Act, still frame the risk.
Targeted AI statutes now add disclosure and content duties
California has enacted two particularly practical public-facing GenAI laws.
First, AB 2013, the Generative Artificial Intelligence Training Data Transparency Act, requires a developer to post training-data documentation on its website by 1 January 2026, and before each later public availability or substantial modification of a covered GenAI system or service released on or after 1 January 2022. The documentation must include a high-level summary of datasets, their sources or owners, the types and scale of data used, whether copyrighted material is included, whether data were purchased or licensed, whether personal information is included, and when the data were collected and first used. This is a disclosure law, not a licensing law, but it creates a public documentation duty that many developers did not previously face.
Second, SB 942, the California AI Transparency Act, became operative on 1 January 2026. It applies to covered providers, meaning publicly accessible GenAI systems with over 1,000,000 monthly visitors or users in California. Covered providers must offer a free AI detection tool for certain media, offer users a visible disclosure option for AI-generated or AI-altered image, video or audio content, and include latent provenance disclosures in AI-generated media where technically feasible and reasonable. Violations can be enforced through civil penalties, and city attorneys and county counsels can play a role alongside the Attorney General.
California also still has older but relevant bot disclosure law. The B.O.T. Act makes it unlawful to use a bot to communicate with a person in California online, without clear bot disclosure, when the intent is to mislead about artificial identity in order to drive a commercial transaction or influence a vote. That is not a general chatbot law, but it remains part of California's synthetic and automated communication toolkit.
Digital replicas and likeness rights are a live compliance issue
California's content and likeness rules are especially important for media, advertising, entertainment, gaming, talent, brand and platform work.
AB 2602, effective from 1 January 2025, makes certain contract terms about new performances by a digital replica unenforceable unless the clause contains a "reasonably specific description" of intended uses and the individual is represented by legal counsel or a relevant union arrangement. In practice, this is a contract-governance rule. It does not ban digital replicas, but it makes vague, broad or under-negotiated replica clauses risky.
AB 1836, also effective from 1 January 2025, expands protection for the digital replica of a deceased personality. A person who produces, distributes, or makes available a deceased personality's digital replica in an expressive audiovisual work or sound recording without the required prior consent can face liability, subject to statutory exceptions such as news, commentary, scholarship, satire, parody, documentary-style uses, and incidental uses. This sits alongside California's broader right of publicity framework rather than replacing it.
These laws matter well beyond Hollywood. Brand campaigns, voice cloning, memorial experiences, virtual influencers tied to real people, dubbing workflows, performance localisation and archive remastering can all raise replica and consent questions.
California now has a separate frontier model transparency regime
Since September 2025, California has also had a more targeted frontier-model statute, SB 53. This does not create a general AI code for every developer. It focuses on "frontier models" above a compute threshold, and adds extra duties for "large frontier developers" above a revenue threshold.
The law requires public transparency reporting when a frontier developer deploys a new frontier model or a substantially modified one. Large frontier developers must also write, implement and publish a frontier AI framework. That framework must explain how the developer assesses catastrophic risk, applies mitigations, uses third-party assessment, secures unreleased model weights, identifies and responds to critical safety incidents, and embeds internal governance. The law also requires critical safety incident reporting to the Office of Emergency Services, creates whistleblower protections for covered employees, and allows Attorney General enforcement with civil penalties of up to $1 million per violation for specified failures by large frontier developers.
Some parts of SB 53 are paced over time. Annual state assessments and certain public reporting duties begin in 2027. The CalCompute consortium provisions are also tied to budget appropriation. So the law is enacted, but not every part of it works on the same timetable. It is also narrower than the model many observers expected from California's 2024 debate over frontier AI risk. The live California position is therefore a targeted transparency and reporting regime, not a single sweeping safety code for all advanced AI.
Institutions and enforcement are split across several bodies
The California Attorney General remains central. The office has published formal advisories on how existing law applies to AI, and it enforces parts of the newer AI statute book, including the frontier model regime. For some disclosure and content duties, local public enforcers also matter. Under SB 942, city attorneys and county counsels can sue. Under privacy law, the CPPA is now a major operational actor because its regulations define large parts of the compliance picture for automated decisionmaking, risk assessments and cybersecurity audits, while the Attorney General still remains relevant in the CCPA ecosystem.
This split matters operationally. California AI compliance is not just one regulator, one filing, or one register. Product teams need to know which agency's rule set is being triggered, which rights or notices are attached to that use, whether the issue is public enforcement only or can also affect private contracts and damages claims, and whether the law is already operative or only enacted with a later compliance date.
Where the near-term uncertainty sits
California's direction of travel is clear, but some edges are still moving. Election-related AI and deepfake laws have already faced constitutional challenges, so campaign-period rules should be checked at the point of use rather than assumed from an older summary. The Attorney General's advisories are also guidance, not a complete code, and they explicitly say they are not exhaustive.
The privacy picture is clearer than it was in 2024 because the CPPA's ADMT regulations are now final, but even there the details matter. They do not apply to every AI feature. They are keyed to defined uses, especially significant decisions, and include carve-outs and exceptions. California therefore continues to reward detailed use-case mapping rather than broad claims that a company is either "AI compliant" or "not in scope".
Examples
A California-facing image, video or audio generator that has more than 1,000,000 monthly visitors or users in the state now has a specific public-content workflow problem to solve. From 1 January 2026, if it falls within SB 942, it needs a free detection tool, a visible disclosure option for AI-generated or AI-altered media, latent provenance disclosures where technically feasible and reasonable, and a process to manage licensees that strip those disclosures.
A developer making a public GenAI system or substantial modification available to Californians must now think about release documentation, not just model cards or marketing copy. Under AB 2013, the developer has to post training-data documentation that covers the high-level composition of datasets, where they came from, whether protected material or personal information is included, whether data were licensed or purchased, and the data collection period. That changes launch governance, because the disclosure must exist by 1 January 2026 and before later qualifying public releases or substantial modifications.
An employer, lender, housing provider, educator or healthcare business using ADMT for a significant decision now has a California privacy workflow, not just an ethics issue. Under the CPPA regulations, these uses can trigger pre-use notice and rights to opt out of, and access information about, the business's use of ADMT. Existing significant-decision uses in place before 1 January 2027 have a transition window, but the compliance deadline still lands on 1 January 2027.
A studio, brand or talent company cannot treat synthetic performance rights as boilerplate. Since 1 January 2025, a contract for a new performance by a digital replica needs a reasonably specific use description and the right representation structure under AB 2602, or the clause can become unenforceable. If the project uses the digital replica of a deceased personality, AB 1836 adds a separate consent and damages analysis.
Common misunderstandings
Misunderstanding: California has one general AI Act.
Correction: It does not. California uses a layered mix of ordinary law, privacy regulation, targeted AI statutes and sector overlays.
Misunderstanding: Only AI-specific statutes matter.
Correction: Existing law is often the first compliance layer. California's consumer protection, privacy and civil rights laws apply even where no AI-specific statute exists.
Misunderstanding: The CPPA's ADMT rules cover every AI feature.
Correction: They are targeted. The most direct ADMT rights attach to defined uses, especially significant decisions in specified areas.
Misunderstanding: If the model was built outside California, California law does not matter.
Correction: It can still matter if the system is made available to Californians, uses Californians' personal information, or affects Californians in regulated contexts.
Misunderstanding: California's frontier AI law is the same thing as a general safety code for all advanced models.
Correction: SB 53 is narrower. It focuses on covered frontier models, adds extra duties for large frontier developers, and does not replace the rest of California law.
Risks and boundaries
The biggest boundary is scope. Many California AI duties are context-specific or threshold-based. SB 942 only hits certain public GenAI providers over a user threshold. AB 2013 is a disclosure rule tied to public availability in California. The CPPA's ADMT framework is tied to defined significant decisions and other regulatory triggers. SB 53 is aimed at frontier-model governance and is especially important for large frontier developers, not ordinary software teams building routine AI features.
Another boundary is legal status. California's Attorney General advisories are important because they show enforcement direction, but they are guidance, not standalone legislation. They help explain how existing law will be applied, yet they are not exhaustive and they do not answer every edge case.
Some California AI fields are also still unstable. Election and campaign deepfake rules have already been litigated, and that area has moved quickly. For campaign-related content, it is not safe to rely on a static summary lifted from a 2024 or early 2025 source. The right approach is to check the live state of enforceability for the specific medium, actor and election window.
Even where duties are clear, California does not tell organisations exactly how to design a compliant governance programme. The law creates obligations, rights, disclosure duties and enforcement risk, but it still leaves room for judgement on screening, documentation, testing, vendor controls, appeal processes, and internal accountability.
Finally, state-government AI orders and procurement guidance should not be confused with general private-sector law. They are important if you sell to the state or work inside California government, but they do not automatically bind every private organisation in the same way a statute or regulation does.
What to do next
Start with an AI use-case register. Separate public GenAI products, internal decision tools, employee and applicant screening, customer service bots, model development, synthetic media, and marketing claims. California duties attach differently to each.
Map each use case to the California trigger that is most likely to bite first. For many businesses that will be CCPA and the CPPA's ADMT rules. For public GenAI providers it may be SB 942 and AB 2013. For media, entertainment and brand work it may be replica and likeness law. For frontier developers it may be SB 53.
Review notices, public claims and documentation now. Check whether you are overstating accuracy, obscuring AI involvement, or missing required disclosures. For significant-decision ADMT, build or confirm pre-use notices, access response processes, opt-out handling, and human appeal workflows where you want to rely on an exception.
Tighten contract language. Vendor terms, talent agreements, model licences, and content-production contracts should address training data disclosures, provenance features, digital replica permissions, incident escalation, audit support, and who carries California-specific compliance duties.
Treat California as a governance design input, not just a legal exception. If your business serves the US generally, California often becomes the easiest place to set a defensible baseline for transparency, personal-data handling, synthetic media controls and release review.
FAQs
Does California have a single AI law like the EU AI Act?
No. California's system is fragmented by design. It combines existing law with targeted statutes and regulations for privacy, synthetic content, training-data transparency, digital replicas and frontier models.
Which California body matters most for AI compliance?
Usually more than one. The Attorney General matters for consumer protection and several AI-specific statutes. The CPPA matters for privacy, ADMT, risk assessments and cybersecurity audits. In some areas, city attorneys, county counsels, courts and sector regulators also matter.
Do the CPPA's ADMT rules apply to every chatbot or recommendation feature?
No. The most direct ADMT duties are tied to defined uses, especially significant decisions in lending, housing, education, employment, compensation and healthcare. Many ordinary AI features will still be governed by privacy and consumer law, but not every feature will trigger the same ADMT rights.
What changed on 1 January 2026?
Several things. The CPPA's final ADMT, risk assessment and cybersecurity audit regulations became effective. SB 942 became operative. AB 2013's public training-data disclosure deadline also arrived.
If we already had an automated hiring or lending tool before 2026, do we need to comply immediately?
The CPPA regulations give existing significant-decision ADMT uses a transition period, but the key deadline is 1 January 2027. That does not remove other California law in the meantime.
What if we only use AI-generated media for marketing?
You still need to think about California law. Misleading synthetic content can raise consumer law issues, and if your product falls within SB 942 you may need detection and provenance features. Likeness rights also matter if real people, performers or deceased personalities are implicated.
Are digital replica rules only for film studios?
No. They are especially important in entertainment, but the same issues can appear in advertising, gaming, memorial products, localisation, brand campaigns, creator tools and voice cloning.
Does California regulate frontier models separately from ordinary AI tools?
Yes. SB 53 creates a narrower frontier-model transparency and incident-reporting regime, especially for large frontier developers. It does not replace the wider California patchwork that still governs ordinary business AI use.