Blog

California AI Compliance 2025–2026: What Your Business Must Do Now

Posted by Pavel Kolmogorov | Aug 27, 2025 | 0 Comments

California is establishing practical guardrails around the use of artificial intelligence and data through a combination of new regulations, targeted statutes, and robust enforcement. If your company builds or deploys AI, uses automated decision‑making in hiring or lending, or relies on data brokers, your obligations are changing.

This guide breaks down the three pillars you need to track right now:

  1. CPPA's AI/ADMT, risk assessment, and cybersecurity audit rules (Board‑adopted; pending administrative approval).

  2. AB 2013 (Generative AI training data transparency) with a January 1, 2026, documentation deadline.

  3. The Delete Act and the state's one‑stop DROP system rolling out toward 2026.


1) CPPA's New AI/ADMT, Risk Assessment & Cybersecurity Audit Rules (Board‑Adopted; Effective Upon OAL Approval)

On July 24, 2025, the California Privacy Protection Agency (CPPA) Board voted to adopt a package of CCPA regulations covering automated decision‑making technology (ADMT), risk assessments, and cybersecurity audits. These regulations are not effective until they complete review by the Office of Administrative Law (OAL). The CPPA confirms adoption and OAL review on its website. California Privacy Protection Agency

What that means now:

  • Status & Timing. After OAL files the regs, they will take effect on the next quarterly date. If filed by August 31, 2025, they take effect October 1, 2025; if filed between September 1 and November 30, they take effect January 1, 2026. (Projected timelines summarized by leading practitioners following the CPPA process.) Alston & Bird Blog

  • Scope. The rules (as adopted) establish consumer access and opt‑out rights for ADMT, mandate privacy risk assessments for certain processing, and require annual cybersecurity audits for covered businesses. (See CPPA's materials and modified rule text for definitions, thresholds, and detailed requirements.) California Privacy Protection

  • Compliance cadence (emerging timelines). Commentators anticipate that risk assessments for existing high-risk processing may be due by December 31, 2027, with attestations due by April 1, 2028, while new activities require assessments before launch (subject to OAL approval of the rules as adopted). Treat these as planning markers until OAL finalizes. JD Supra Wilson Sonsini

Context from Sacramento: Governor Newsom has urged caution about the breadth and cost of AI rules (e.g., projected first‑year compliance impacts) while acknowledging the need for consumer protections; the Board nevertheless advanced the package now under OAL review. Politico, California Privacy Protection Agency


2) AB 2013: Generative AI Training Data Transparency (Effective Jan. 1, 2026)

Signed in September 2024, AB 2013 requires developers who make generative AI systems or substantial modifications available to Californians (publicly, free or paid) to post training‑data documentation on their websites by January 1, 2026, and again before each subsequent public release. Documentation must include a high‑level summary of datasets (sources/owners, types of data points, date ranges), and whether datasets include copyrighted works, personal information, were licensed/purchased, and whether synthetic data was used, among other items. LegiInfo

Takeaway: Even if you don't publish exact dataset titles, you must disclosecategories, provenance, and treatment of training data at a meaningful level—plan your “model documentation” workflow now (legal + engineering + comms). LegiInfo


3) The Delete Act & DROP: A One‑Stop Consumer Deletion Mechanism Targeting Data Brokers

California's Delete Act (SB 362) expands data‑broker obligations and funds a Delete Request and Opt‑Out Platform (DROP)—a single portal through which consumers can direct all registered data brokers to delete their personal information. CPPA says DROP is expected to be available in 2026; rulemaking on the platform continued through summer 2025. California Privacy Protection Agency

What businesses should do:

  • If you are a data broker, ensure registration is current and systems can ingest DROP signals at scale.

  • If you rely on brokers, revisit contracts and vendor management; you'll need assurances that your partners can honor DROP requests. California Privacy Protection Agency


Enforcement Climate: Existing Laws Already Apply to AI

In January 2025, the California Attorney General issued a Legal Advisory reminding developers and deployers that existing California laws—consumer protection, civil rights, competition, data protection, and election‑misinformation statutes—already apply to AI. Translation: you don't need a brand‑new AI statute to face risk. Coalition of State  Attorneys General.

And enforcement pressure is building. In August 2025, AG Rob Bonta joined a bipartisan coalition of 44 state attorneys general warning major AI companies that exposing children to sexualized content or similar harms will trigger accountability. Expect heightened scrutiny of chatbot safety, age‑appropriate design, and content controls. NAAG


What Did Not Pass: SB 1047 (Frontier AI “Kill Switch” Bill)

California's SB 1047, the much‑debated “frontier model” safety bill, was vetoed on September 29, 2024. The Governor's veto message cited concerns about scope and approach; the administration has pursued other AI policy avenues since. Governor of California


A Practical Compliance Checklist (Start Now)

Data & Model Inventory

  • Map all AI/ADMT uses (hiring, credit, insurance, content moderation, customer scoring, safety monitoring, etc.). Identify high‑risk contexts. California Privacy Protection Agency

Governance & Documentation

  • Draft an AB 2013 Training‑Data Disclosure template: dataset sources/owners; data types/labels; copyright/personal‑information indicators; licensing; synthetic data use; collection timeframes. Coordinate with engineering to substantiate claims. LegiInfo

  • Prepare ADMT notices and consumer request flows (access + opt‑out), aligned to CPPA definitions. California Privacy Protection Agency

Risk Management

  • Stand up a risk assessment program that can scale to recurring updates and event‑driven reviews after material model changes. (Target end‑of‑2027 for initial coverage based on current practitioner guidance; confirm upon OAL filing.) JD Supra

  • Schedule annual cybersecurity audits with independence criteria and board‑level visibility. California Privacy Protection Agency

Vendor & Data‑Broker Controls

Safety & Child‑Protection

  • Implement content safeguards for chatbots and generative systems; test for age‑gating failures and unsafe prompts. Document mitigations in your risk assessment file. (AGs have placed platforms on notice.)

Public‑Facing Disclosures

  • Publish plain‑English AI notices, including training‑data documentation for generative systems (AB 2013). Ensure updates are synchronized with releases. LegiInfo


Key Dates to Watch

  • By August 31, 2025: If OAL files the CPPA regulations by this date, they will likely take effect on October 1, 2025; if filed between September and November. 2025, effective Jan. 1, 2026. Alston & Bird Blog

  • Jan. 1, 2026: AB 2013 training‑data transparency documentation due for covered generative AI systems and substantial modifications. LegiInfo

  • 2026: DROP platform expected to be available to consumers under the Delete Act; build compliance pathways now. California Privacy Protection Agency


Frequently Asked Questions

Q1: Does AB 2013 force me to list every dataset by name?
A: No. It requires a “high‑level summary” of datasets and specific disclosures (e.g., sources/owners, types of data points, whether personal information or copyrighted works are included, licensing, time ranges), not necessarily dataset‑by‑dataset publication. LegiInfo

Q2: Are the CPPA's ADMT rules already enforceable?
A: Not yet. The Board adopted the package on July 24, 2025, but the rules take effect only after OAL approval and filing on a quarterly schedule. Plan for compliance now, and update timelines when OAL acts. California Privacy Protection Agency Alston & Bird Blog

Q3: How does the Delete Act affect a company that uses brokers rather than being one?
A: You'll need to contractually require brokers to honor DROP requests and flow down deletion signals to you when applicable. Reevaluate vendor due diligence, audit rights, and data‑flow maps. California Privacy Protection Agency

Q4: Didn't California already pass a sweeping “frontier AI” law?
A: No. The prominent SB 1047 proposal was vetoed in September 2024. California instead advanced targeted measures like AB 2013 and the CPPA rulemaking. Governor of California


How Kolmogorov Law, P.C. Can Help

We advise California businesses on AI governance, privacy, employment screening, and platform compliance. We can:

  • Build anAB 2013 training‑data disclosure that is accurate, defensible, and minimally sensitive.

  • Design ADMT notices, consumer request workflows, and risk‑assessment templates that satisfy CPPA expectations.

  • Update contracts (vendors, data brokers) for DROP and other deletion/opt‑out signals.

  • Conduct readiness reviews ahead of OAL approval to fast‑track compliance.

Contact us today by filling out our online form or calling us directly at (909) 235-6116 to schedule a free 15-minute initial consultation.

We look forward to creating a productive business relationship.

About the Author

Pavel Kolmogorov

Senior Litigation Counsel │ [email protected]

Comments

There are no comments for this post. Be the first and Add your Comment below.

Leave a Comment

Kolmogorov Law Is Here for You

At Kolmogorov Law, we focus on Business Litigation, Civil Litigation, Real Estate Litigation, Employment Litigation, Judgment Enforcement, Product Liability, Construction Litigation and Professional Liability and we are here to listen to you and help you navigate the legal system.

Contact Us Today

Kolmogorov Law is committed to answering your questions about Business Litigation, Civil Litigation, Real Estate Litigation, Employment Litigation, Judgment Enforcement, Product Liability, Construction Litigation and Professional Liability issues in Irvine, California. We'll gladly discuss your case with you at your convenience. Contact us today to schedule an appointment.