California is establishing practical guardrails around the use of artificial intelligence and data through a combination of new regulations, targeted statutes, and robust enforcement. If your company builds or deploys AI, uses automated decision‑making in hiring or lending, or relies on data brokers, your obligations are changing.
This guide breaks down the three pillars you need to track right now:
- CPPA's AI/ADMT, risk assessment, and cybersecurity audit rules (Board‑adopted; pending administrative approval).
- AB 2013 (Generative AI training data transparency) with a January 1, 2026, documentation deadline.
- The Delete Act and the state's one‑stop DROP system rolling out toward 2026.
1) CPPA's New AI/ADMT, Risk Assessment & Cybersecurity Audit Rules (Board‑Adopted; Effective Upon OAL Approval)
On July 24, 2025, the California Privacy Protection Agency (CPPA) Board voted to adopt a package of CCPA regulations covering automated decision‑making technology (ADMT), risk assessments, and cybersecurity audits. These regulations are not effective until they complete review by the Office of Administrative Law (OAL). The CPPA confirms adoption and OAL review on its website. California Privacy Protection Agency
What that means now:
- Status & Timing. After OAL files the regs, they will take effect on the next quarterly date. If filed by August 31, 2025, they take effect October 1, 2025; if filed between September 1 and November 30, they take effect January 1, 2026. (Projected timelines summarized by leading practitioners following the CPPA process.) Alston & Bird Blog
- Scope. The rules (as adopted) establish consumer access and opt‑out rights for ADMT, mandate privacy risk assessments for certain processing, and require annual cybersecurity audits for covered businesses. (See CPPA's materials and modified rule text for definitions, thresholds, and detailed requirements.) California Privacy Protection
- Compliance cadence (emerging timelines). Commentators anticipate that risk assessments for existing high-risk processing may be due by December 31, 2027, with attestations due by April 1, 2028, while new activities require assessments before launch (subject to OAL approval of the rules as adopted). Treat these as planning markers until OAL finalizes. JD Supra Wilson Sonsini
Context from Sacramento: Governor Newsom has urged caution about the breadth and cost of AI rules (e.g., projected first‑year compliance impacts) while acknowledging the need for consumer protections; the Board nevertheless advanced the package now under OAL review. Politico, California Privacy Protection Agency
2) AB 2013: Generative AI Training Data Transparency (Effective Jan. 1, 2026)
Signed in September 2024, AB 2013 requires developers who make generative AI systems or substantial modifications available to Californians (publicly, free or paid) to post training‑data documentation on their websites by January 1, 2026, and again before each subsequent public release. Documentation must include a high‑level summary of datasets (sources/owners, types of data points, date ranges) and state whether datasets include copyrighted works or personal information, whether they were licensed or purchased, and whether synthetic data was used, among other items. LegiInfo
Takeaway: Even if you don't publish exact dataset titles, you must disclose categories, provenance, and treatment of training data at a meaningful level—plan your “model documentation” workflow now (legal + engineering + comms). LegiInfo
3) The Delete Act & DROP: A One‑Stop Consumer Deletion Mechanism Targeting Data Brokers
California's Delete Act (SB 362) expands data‑broker obligations and funds a Delete Request and Opt‑Out Platform (DROP)—a single portal through which consumers can direct all registered data brokers to delete their personal information. CPPA says DROP is expected to be available in 2026; rulemaking on the platform continued through summer 2025. California Privacy Protection Agency
What businesses should do:
- If you are a data broker, ensure registration is current and systems can ingest DROP signals at scale.
- If you rely on brokers, revisit contracts and vendor management; you'll need assurances that your partners can honor DROP requests. California Privacy Protection Agency
Enforcement Climate: Existing Laws Already Apply to AI
In January 2025, the California Attorney General issued a Legal Advisory reminding developers and deployers that existing California laws—consumer protection, civil rights, competition, data protection, and election‑misinformation statutes—already apply to AI. Translation: you don't need a brand‑new AI statute to face risk. Coalition of State Attorneys General.
And enforcement pressure is building. In August 2025, AG Rob Bonta joined a bipartisan coalition of 44 state attorneys general warning major AI companies that exposing children to sexualized content or similar harms will trigger accountability. Expect heightened scrutiny of chatbot safety, age‑appropriate design, and content controls. NAAG
What Did Not Pass: SB 1047 (Frontier AI “Kill Switch” Bill)
California's SB 1047, the much‑debated “frontier model” safety bill, was vetoed on September 29, 2024. The Governor's veto message cited concerns about scope and approach; the administration has pursued other AI policy avenues since. Governor of California
A Practical Compliance Checklist (Start Now)
Data & Model Inventory
- Map all AI/ADMT uses (hiring, credit, insurance, content moderation, customer scoring, safety monitoring, etc.). Identify high‑risk contexts. California Privacy Protection Agency
Governance & Documentation
- Draft an AB 2013 Training‑Data Disclosure template: dataset sources/owners; data types/labels; copyright/personal‑information indicators; licensing; synthetic data use; collection timeframes. Coordinate with engineering to substantiate claims. LegiInfo
- Prepare ADMT notices and consumer request flows (access + opt‑out), aligned to CPPA definitions. California Privacy Protection Agency
Risk Management
- Stand up a risk assessment program that can scale to recurring updates and event‑driven reviews after material model changes. (Target end‑of‑2027 for initial coverage based on current practitioner guidance; confirm upon OAL filing.) JD Supra
- Schedule annual cybersecurity audits with independence criteria and board‑level visibility. California Privacy Protection Agency
Vendor & Data‑Broker Controls
- Refresh DPAs and broker contracts for DROP compliance and downstream deletion signal handling. Document enforcement mechanisms. California Privacy Protection Agency
Safety & Child‑Protection
- Implement content safeguards for chatbots and generative systems; test for age‑gating failures and unsafe prompts. Document mitigations in your risk assessment file. (AGs have placed platforms on notice.)
Public‑Facing Disclosures
- Publish plain‑English AI notices, including training‑data documentation for generative systems (AB 2013). Ensure updates are synchronized with releases. LegiInfo
Key Dates to Watch
- By August 31, 2025: If OAL files the CPPA regulations by this date, they will likely take effect on October 1, 2025; if filed between September and November 2025, effective Jan. 1, 2026. Alston & Bird Blog
- Jan. 1, 2026: AB 2013 training‑data transparency documentation due for covered generative AI systems and substantial modifications. LegiInfo
- 2026: DROP platform expected to be available to consumers under the Delete Act; build compliance pathways now. California Privacy Protection Agency
Frequently Asked Questions
Q1: Does AB 2013 force me to list every dataset by name?
A: No. It requires a “high‑level summary” of datasets and specific disclosures (e.g., sources/owners, types of data points, whether personal information or copyrighted works are included, licensing, time ranges), not necessarily dataset‑by‑dataset publication. LegiInfo
Q2: Are the CPPA's ADMT rules already enforceable?
A: Not yet. The Board adopted the package on July 24, 2025, but the rules take effect only after OAL approval and filing on a quarterly schedule. Plan for compliance now, and update timelines when OAL acts. California Privacy Protection Agency Alston & Bird Blog
Q3: How does the Delete Act affect a company that uses brokers rather than being one?
A: You'll need to contractually require brokers to honor DROP requests and flow down deletion signals to you when applicable. Reevaluate vendor due diligence, audit rights, and data‑flow maps. California Privacy Protection Agency
Q4: Didn't California already pass a sweeping “frontier AI” law?
A: No. The prominent SB 1047 proposal was vetoed in September 2024. California instead advanced targeted measures like AB 2013 and the CPPA rulemaking. Governor of California
How Kolmogorov Law, P.C. Can Help
We advise California businesses on AI governance, privacy, employment screening, and platform compliance. We can:
- Build an AB 2013 training‑data disclosure that is accurate, defensible, and minimally sensitive.
- Design ADMT notices, consumer request workflows, and risk‑assessment templates that satisfy CPPA expectations.
- Update contracts (vendors, data brokers) for DROP and other deletion/opt‑out signals.
- Conduct readiness reviews ahead of OAL approval to fast‑track compliance.
Contact us today by filling out our online form or calling us directly at (909) 235-6116 to schedule a free 15-minute initial consultation.
We look forward to creating a productive business relationship.