California sets global standards with new landmark AI and data privacy laws
UK highly significant cyberattacks jumped by 50% over the past year, Australian cyber incidents rose 11% over the past year, Ofcom fined 4chan under new online safety regime, Researchers eavesdropped on sensitive satellite comms, Stingrays were used near Portland protest, much more


About a year ago, California Governor Gavin Newsom dramatically vetoed a landmark bill, SB-1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, that would have laid out strict regulations of AI in a US state that represents the world’s fourth-largest economy.
Newsom said back then he was worried that the popular bill would stifle innovation and that California needed to be “informed by an empirical trajectory analysis of AI systems and capabilities. Ultimately, any framework for effectively regulating AI needs to keep pace with the technology itself.”
One year later, Newsom’s fear of stifling innovation has obviously dissipated: over the past month, he has signed into law a flurry of bills dealing with AI regulation, along with several pieces of legislation that create new data breach law requirements, establish “delete account” UX requirements for social media platforms, mandate browser requirements that allow consumers to opt out of sharing their data with third parties, impose online age disclosure requirements, and tighten data broker regulations and disclosures.
Given the state’s size and economic might, California laws almost always set the high bar for technology providers not only across the United States but around the world. Any company or organization providing or relying on digital services must comply with California laws or risk running afoul of what is, in essence, a significant global power.
Given that federal news has dominated the cybersecurity and technology scene leading up to and through the current US government shutdown, the bills that Newsom has signed have captured less attention from the media than they would likely otherwise generate.
So here, in a nutshell, are the new California laws that cybersecurity and other technology professionals should know:
CA SB446 - Data breaches: customer notification – This bill requires businesses and other entities doing business in California to notify affected California residents of a data breach within 30 calendar days of discovery, and to submit a copy/sample of the notice to the California Attorney General within 15 calendar days of notifying consumers (with limited exceptions for law enforcement or to investigate/restore system integrity).
SB 361 — Data Broker Registration & Disclosure Strengthening – This bill expands the disclosures data brokers must make in the California Data Broker Registry (what types of personal info they collect, and whether they sell to foreign actors or to GenAI developers) and adds audit/penalty provisions.
AB 566 — “California Opt Me Out Act” (browser / OS opt-out signal) – This bill requires browsers (and later mobile OS) to include an easy-to-find setting to send a single opt-out preference signal to websites (so users can opt out of third-party sale/sharing without repeated site-by-site toggles).
AB 656 — Account deletion / “Delete Account” UX requirements for social platforms – This bill requires social media platforms to provide a clear, conspicuous “Delete Account” control and to entirely delete a user’s personal data upon confirmed deletion; it also prohibits dark patterns designed to obstruct deletion.