What is California’s AB 1008?

A Guide to CCPA Compliance for AI Systems

Effective January 1, 2025

AI Systems Subject to Privacy Protections

Unclear Impact on AI System Contents


High-Level Overview

What are the core concepts of AB 1008?

1) Generative AI systems can contain personal information

AB 1008 amends the California Consumer Privacy Act to clearly state that personal information can be contained in “abstract digital formats” such as “artificial intelligence systems that are capable of outputting personal information.”

2) Ambiguities remain about whether CCPA covers model contents or just model outputs…

Several aspects of the language in the amendment leave room for disagreement about whether the CCPA’s provisions now cover model content such as weights and training data, or merely model output. The Future of Privacy Forum has an excellent rundown, but clarity will have to come from the California Privacy Protection Agency and Attorney General.

3) …but lawmakers seem most concerned with where and how LLMs might output personal information.

Although there is ambiguity about whether the CCPA covers training data, one aspect that is certainly in scope is any output from generative AI systems. Developers and deployers must have governance and risk management processes in place to anticipate and handle any rights consumers may have related to AI system outputs.

California Consumer Privacy Act Scope

Who does the CCPA apply to?

The California Consumer Privacy Act applies to any for-profit organization doing business in California that meets any of the following thresholds: annual revenue over $26M; buying, selling, or sharing the personal information of over 100,000 California residents; or deriving 50% or more of its annual revenue from selling California residents’ personal information.

The CCPA gives residents of California the right to know what personal information a company has about them, and the right to access, delete, opt-out, or correct any personal information, which now includes data generated or output by AI systems.

Non-Compliance Penalties

What are the non-compliance penalties for the CCPA?

Depending on the severity of the violation, companies may be subject to fines, lawsuits, and other enforcement actions from both the state and individual consumers. Unlike the GDPR, there is no overall maximum fine.

Once a violation is identified, the California Privacy Protection Agency may choose first to send a notification of noncompliance, after which businesses have 30 days to cure that noncompliance. However, this cure period is at the CPPA’s discretion; the agency may also opt to move directly to enforcement.

Violations of the CCPA are subject to fines of up to $2,500 per violation (per consumer), or $7,500 for violations deemed either intentional or to involve the personal information of consumers under the age of 16.

Businesses that fail to comply with the CCPA may also be subject to civil lawsuits from harmed consumers in certain circumstances, up to $799 or the value of the damage caused, per consumer.

Status

When does AB 1008 amending the CCPA go into effect?

The amendment was signed into law on September 28, 2024 and went into effect on January 1, 2025.

Steps To Compliance

How can organizations comply with the CCPA’s requirements for AI systems?

Because the amendment to the CCPA has created some uncertainty about whether the law is primarily concerned with an AI system’s outputs, or also with any personal information that may have been ingested as part of an AI system’s training data, requirements for compliance may change based on future guidance from and actions taken by regulators. That said, certain governance practices seem necessary:

Drawing from our extensive work in AI governance and compliance, we’ve identified five best practices to ensure compliance:

  1. Adopt an AI Governance or Risk Management program. Although specific requirements differ across jurisdictions, the basic principles in frameworks such as the NIST AI RMF or ISO 42001 will be broadly useful around the world.
  2. Build an inventory of your AI applications, starting with a risk assessment that can help determine whether your products and services will qualify as high-risk and therefore be subject to greater scrutiny and documentation requirements.
  3. Begin standardizing documentation such as model cards, testing, and risk management. Although the California Attorney General and California Privacy Protection Agency will release further guidance, so far their efforts appear broadly aligned with other regulatory regimes around the world, such as the GDPR and the EU AI Act.
  4. Ensure you have documentation and controls around the content of any training data in AI models, especially for generative AI. Make particular note of what kinds of personal information may be included, and if it could be output by the model. Although it is unclear at this time if training data content is covered by the CCPA, it will be important to prepare for this possibility.

Staying informed and engaged will be key to ensuring compliance with the AI provisions of the California Consumer Privacy Act.

AI Compliance Tools

How FairNow’s AI Governance Platform Helps

Developed by specialists in AI risk management, testing and compliance, FairNow’s AI Governance Platform is tailored to tackle the unique challenges of AI risk management. FairNow provides:

• Streamlined compliance processes, reducing reporting times
• Centralized AI inventory management with intelligent risk assessment
• Clear accountability frameworks and human oversight integration
• Ongoing testing and monitoring tools
• Efficient regulation tracking and comprehensive compliance documentation

FairNow enables organizations to ensure transparency, reliability, and unbiased AI usage, all while simplifying their compliance journey.
