Key point: The California legislature closed its 2025 legislative session by passing 14 privacy and AI-related bills.

The California legislature closed for the year by passing numerous privacy and AI-related bills. The bills will next head to Governor Gavin Newsom, who will have 30 days to sign, approve without signing, or veto the bills. That is still a significant hurdle for the bills to clear, as last year, Newsom vetoed multiple privacy and AI bills. Below, we identify which of the bills passed and failed, and provide a summary for each of the bills that passed.

Bills That Passed

Privacy Bills

AB 566 (Opt-out Preference Signal)

Effective January 1, 2027, the California Opt Me Out Act mandates that a business “shall not develop or maintain a browser that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses which the consumer interacts with the browser.” An opt-out preference signal communicates the consumer’s choice to opt out of the sale or sharing of the consumer’s personal information. The functionality must be easy for a reasonable person to locate and configure, and businesses that develop or maintain browsers must make public disclosures about how the opt-out preference signal works. The California Privacy Protection Agency (CPPA) is given permissive rulemaking authority. The bill does not require that the signal be turned on by default.

A similar bill passed the legislature last year and was vetoed by Newsom.

AB 1043 (Age Verification Signals)

Effective January 1, 2027, the Digital Age Assurance Act requires operating system providers to collect age information from account holders to provide a signal of the user’s age bracket to apps in a covered app store. An operating system provider is a “person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.” A covered app store is “an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.”

Developers (i.e., the persons that own, maintain, or control apps) are required to request the signal from operating system providers or covered app stores when an app is downloaded and launched. When the developer receives the signal, it is deemed to have actual knowledge of the user’s age range.

The bill contains further provisions regarding the treatment of pre-existing accounts, exceptions, and exemptions.

The bill would be enforced by the attorney general. Violations would be subject to fines of $2,500 per affected child for each negligent violation and $7,500 per child for each intentional violation.

SB 361 (Data Brokers)

The bill amends California’s existing data broker registration law to require data brokers to make significantly more disclosures as to their processing activities when annually registering with the CPPA. For example, data brokers will need to disclose if they collect sensitive personal information and whether they have sold or shared consumers’ data to a foreign actor, the federal government, other state governments, law enforcement, or to developers of GenAI systems or models. The CPPA is required to make this information publicly available on its website. The bill does not have a delayed effective date such that, if signed by the governor, it would go into effect on January 1, 2026.

SB 771 (Social Media)

Effective January 1, 2027, the bill creates a private right of action against a social media platform that violates certain provisions in California’s Civil Code through its algorithms that “relay content to users or aids, abets, acts in concert, or conspires in a violation of any of those sections, or is a joint tortfeasor in a violation of any of those sections.” Penalties are capped at $1 million for intentional, knowing, or willful violations and $500,000 for reckless violations. The violations can be doubled if the platform knew the plaintiff was a minor.

AI Bills

SB 7 (Employment: Automated Decision Systems)

SB 7 is a complicated bill but, in general, it requires employers to provide a written notice to employees and job applicants when using automated decision systems (ADS) for employment-related decisions. It also creates a right to access certain data used by an ADS to make discipline, termination, or deactivation decisions, and for employees to receive a post-use ADS notice for such activities. The bill is enforceable by the labor commissioner.

If signed by the governor, the bill will require extensive analysis, including its relationship and overlap with the California Consumer Privacy Act (CCPA) regulations on automated decision-making technologies, which also cover employment-related decisions.

SB 53 (AI Models: Large Developers)

SB 53, the Transparency in Frontier AI Act, is the successor to last year’s vetoed SB 1047 (the Safe and Secure Innovation for Frontier AI Models Act). As explained in the Senate floor analysis: “This bill requires large artificial intelligence (AI) developers, as defined, to publish safety frameworks, disclose specified transparency reports, and report critical safety incidents to the Office of Emergency Services (OES), as specified. Additionally, this bill creates enhanced whistleblower protections for employees reporting AI safety violations and establishes a consortium to design a framework for ‘CalCompute,’ a public cloud platform to expand safe and equitable AI research, as specified.”

AB 853 (California AI Transparency Act)

The bill amends last year’s California AI Transparency Act to add provisions relating to large online platforms and capture devices (i.e., a device that can record photographs, audio, or video content). The bill requires large online platforms to develop a method for users to access provenance data of uploaded content. Capture devices must provide users with an option to include a latent disclosure in content captured by the capture device that conveys certain provenance data.

SB 243 (Companion Chatbots)

The first of two companion chatbot bills that passed, this bill requires an operator of companion chatbots to:

• Notify persons interacting with the chatbot that it is not human if a reasonable person interacting with the chatbot would be misled into believing it is human;
• Disclose that companion chatbots may not be suitable for minors;
• Maintain and publish on its website a protocol for preventing the production of suicidal ideation, suicide, or self-harm content to users, including by providing a notification to the user that refers the user to crisis service providers, including a suicide hotline or crisis text line, if the user expresses suicidal ideation, suicide, or self-harm;
• For users the operator knows are minors, disclose that the user is interacting with AI, provide a notice every three hours that reminds the user to take a break and that the companion chatbot is not human, and institute reasonable measures to prevent the chatbot from producing visual material of sexually explicit conduct or directly stating that the minor should engage in sexually explicit conduct; and
• Make annual disclosures to the Office of Suicide Prevention.

The bill creates a private right of action with statutory damages of $1,000 per violation.

AB 1064 (Leading Ethical AI Development (LEAD) for Kids Act)

The second companion chatbot bill that passed, this bill, among other provisions, prohibits operators of companion chatbots from making them available to children (individuals under 18) unless the companion chatbot is not foreseeably capable of:

• Encouraging the child to engage in self-harm, suicidal ideation, violence, consumption of drugs or alcohol, or disordered eating.
• Offering mental health therapy to the child without the direct supervision of a licensed or credentialed professional, or discouraging the child from seeking help from a qualified professional or appropriate adult.
• Encouraging the child to harm others or participate in illegal activity, including, but not limited to, the creation of child sexual abuse materials.
• Engaging in erotic or sexually explicit interactions with the child.
• Prioritizing validation of the user’s beliefs, preferences, or desires over factual accuracy or the child’s safety.
• Optimizing engagement in a manner that supersedes the companion chatbot’s required safety guardrails described in paragraphs (1) to (5), inclusive.

SB 11 (AI Technology)

Among other provisions, the bill requires, by December 1, 2026, any person or entity that makes available to consumers any AI technology that enables a user to create a digital replica to provide a disclosure to consumers stating: “Unlawful use of this technology to depict another person without prior consent may result in civil or criminal liability for the user.” Violations are subject to a $10,000-a-day penalty.

AB 325 (Cartwright Act: Violations)

The bill makes it unlawful for a person to use or distribute a common pricing algorithm as part of a contract, combination in the form of a trust, or conspiracy to restrain trade or commerce in violation of the Cartwright Act. It also is unlawful for a person to use or distribute a common pricing algorithm if the person coerces another person to set or adopt a recommended price of commercial term recommended by the common pricing algorithm for the same or similar products or services in California. A common pricing algorithm is defined as “any methodology, including a computer, software, or other technology, used by two or more persons, that uses competitor data to recommend, align, stabilize, set, or otherwise influence a price of commercial term.”

AB 682 (Health Care Coverage Reporting)

Among other provisions, the bill requires health insurers to include in an annual plan claims payment and dispute resolution report, or in another report as prescribed by the director, the number of claims denied that at any point were processed, adjudicated, or reviewed with AI or other predictive algorithms.

AB 723 (Real Estate: Digitally Altered Images: Disclosure)

The bill creates disclosure obligations for real estate developers that digitally alter images in an advertisement or other promotional material for the sale of real property.

AB 316 (AI: Defenses)

The bill states that “[i]n an action against a defendant who developed, modified, or used artificial intelligence that is alleged to have caused a harm to the plaintiff, it shall not be a defense, and the defendant may not assert, that the artificial intelligence autonomously caused the harm to the plaintiff.”

Finally, as we noted last week, AB 489 (health care professions: deceptive terms or letters: AI) passed the legislature earlier this month.

Bills That Failed to Pass

Privacy Bills

SB 435 (sensitive personal information), AB 302 (data brokers: elected officials and judges), SB 354 (Insurance Consumer Privacy Protection Act of 2025), AB 322 (precise geolocation information), and SB 690 (amendment to California Invasion of Privacy Act) did not pass.

AI Bills

Two broader ADS bills failed to pass. Assemblymember Rebecca Bauer-Kahan’s AB 1018 advanced to a third reading in the Senate but faced significant pushback and did not make it out of the chamber prior to the deadline. SB 420 passed the Senate but never advanced in the Assembly.

In addition, four of the five pricing-related bills did not pass: SB 259 (Fair Online Pricing Act), SB 295 (California Preventing Algorithmic Collusion Act of 2025), SB 384 (Preventing Algorithmic Price Fixing Act), and AB 446 (surveillance pricing).

Both of the workplace surveillance bills we tracked also did not pass. AB 1331 made it to a third reading in the Senate but was placed on the inactive file. SB 238 passed the Senate but never advanced in the Assembly.

The other bills that did not pass were AB 410 (bots: disclosures), AB 412 (generative AI: training data), SB 503 (health care services: AI), and SB 52 (housing rental terms: algorithmic devices).