All About California’s New AI Transparency Act

n September 19, 2024, the California AI Transparency Act (CA S.B. 942) was signed into law by the governor adding Chapter 25 to Division 8 of the Business and Professions Code effective January 1, 2026. The bill creates a host of compliance requirements for covered providers of generative AI including the creation of an AI detection tool, a manifest disclosure option, and latent disclosure information.

Covered Provider

The bill defines a “covered provider” as anyone who creates, codes, or produces a GenAI that has over one million monthly visitors and that is publicly accessible within the geographic boundaries of California. This means that many online GenAI systems, even outside of California will likely have to comply with the law as it would be difficult for a large-scale provider to try to restrict anyone in California from using its system. Furthermore, although the monthly user requirement means that smaller providers may not be covered immediately, it may be prudent for them to be compliant to avoid any issues if their user base grows enough to meet that requirement.

AI Detection Tool

Functionality Requirements:

The first major compliance requirement of the creation of an AI detection tool that must be made available at no cost to the users of the provider’s GenAI. The functionality of this AI detection tool must include the following:

1. It must allow a user to assess if a given image, audio, video, or multimedia content was created by or altered by the GenAI of the covered provider.
2. It must be able to give out any “system provenance data.”

Defined as provenance data that is not reasonably capable of being associated with any specific user and includes either of the following types of information 1) either the kind of device/system/service used to generate a piece of content, or b) information relating to the authenticity of the content.

3. The tool must not output any “personal provenance data” that might exist within the content being assessed.

Defined as anything that falls into one of the following two categories. 1) anything that falls under the definition of personal information in Section 1798.140 of the Civil Code. Or 2) any unique device/system/service data that is reasonably capable of being associated with a specific user.

4. The tool must be publicly accessible barring the specific exception listed here.

The only applicable exception to this requirement in the bill is the allowance for covered providers to place reasonable access limitations on their tool to prevent or respond to demonstrable risks to the security or the integrity of their GenAI.

5. The tool must allow a user to upload content or provide a URL that links to the content online.
6. The tool must support an API that allows users to use the tool without having to visit the website of the covered provider.

Other Requirements:

Beyond the functionality requirements for the AI detection tool, covered providers must also comply with a few other requirements. This includes the gathering of feedback about their tool and incorporating that feedback into improving their tool. There are also specific prohibitions that covered providers need to be wary of.

They cannot collect or retain any personal information from users of their AI detection tool outside of specific exceptions.

Covered providers can collect and retain user contact information that is collected as part of the requirement to gather user feedback if that user opts in to the possibility of being contacted by the covered provider.

However, the contact information collected and retained this way can only be used to try to help improve the detection tool.

They cannot hold onto any content submitted to their tool for longer than is needed to ensure compliance with the section.

They cannot retain any personal provenance data contained in any content submitted to their AI detection tool.

These requirements mean that covered providers must give their users the necessary tools to discern between human-generated and AI-generated content. It also makes sure that in doing so the covered providers cannot gain additional access to any personal user information.

The Manifest Disclosure Option

The bill requires covered providers to include a toggleable option to users of their AI detection tool that will include a manifest disclosure in any content that they create with that tool. The manifest disclosure must also meet certain requirements to be valid. First, it must identify the content as AI-generated. Second, it must be clear, conspicuous, medium appropriate, and understandable by a reasonable person. Third, the disclosure must either be impossible or at least as difficult as is technically feasible to remove. This makes sense since if a manifest disclosure were a sticker that could easily be peeled off with no trace left behind then the disclosure would be effectively pointless to add on.

The Latent Disclosure Requirement

In addition to the manifest disclosure option, covered providers are also required to include latent disclosures in any content created by their GenAI.

1. It must include the name of the covered provider.
2. It must have the name and the version number of the GenAI that was used to create/alter the content in question.
3. It must have the specific time and date that the content was created/altered at.
4. It must have some sort of unique identifier.

This information can be either directly in the disclosure or via a link to a permanent website with all the required information. There are also a few additional requirements that the latent disclosure must meet.

First, the latent disclosure must be detectable by the AI detection tool that covered providers are also required to create. Second, the latent disclosure must be in line with the generally accepted industry standards. Third, it also must be impossible or as difficult as technically feasible to remove. This is crucial, as if these latent disclosures can easily be removed, it defeats their purpose and makes the aim of the bill far harder to achieve.

There are even requirements concerning third-party licensees related to these latent disclosures. First, the license must include a requirement that the licensee maintains the latent disclosure capabilities of the GenAI that they are licensing. Second, the covered provider must revoke the license of any licensee that somehow disables the latent disclosure abilities of the licensed GenAI within 96 hours of learning that it has been disabled. Third, licensees are required to stop using that GenAI system after the license has been revoked because of disabling latent disclosures.

These latent disclosures are arguably one of the most significant aspects of the bill. Unlike manifest disclosures, anything created/altered by a GenAI from a covered provider must include a latent disclosure. Combined with the requirements that the latent disclosure be detectable by the AI detection tool and follow industry standards, it means that there will be an obvious way for the public to discern if any given content was made by or with the help of a GenAI.

Exception

There is one exception to this bill that exempts the entertainment industry as it “does not apply to any product, service, internet website, or application that provides exclusively non-user-generated video game, television, streaming, movie, or interactive experiences.”  This is aimed to prevent game developers and TV/movie studios from having to comply with these requirements when they regularly use AI in the creative process and consumers of the fictional products have been custom to scenes with special effects and fantasy that are not presented as reality.

Enforcement

Covered providers that violate these requirements can have a civil action brought against them by either the Attorney General, a city attorney, or a county counsel. It can impose a civil penalty of $5,000/violation, and every day that a covered provider is in violation also counts as a violation. Furthermore, a prevailing plaintiff can also be awarded any reasonable attorney’s fees and costs.

A third-party licensee that is in violation can also have a civil action brought against them by the same authorities. The authorities can seek injunctive relief and the award of reasonable attorney’s fees and costs.

What is unclear from this bill is how violation instances will be counted and if multiple days spent with multiple unresolved violations stack. Depending on how those calculations work out, larger companies could choose to pay the penalty costs instead of complying and consider it a cost of doing business. However, once the bill comes law, this issue may be one of the first questions answered. In addition to the costs, the bad optics of going to court combined with the time, money, and energy that can get tied up in a lawsuit means that many companies will comply anyway.

Conclusion

The California AI Transparency Act is a major step towards greater transparency in the greater AI landscape. With the proliferation of AI-generated content and the rise of current issues such as deepfakes, people are increasingly concerned about the ability to know when they are engaging with content made with an AI. By requiring the creation of detection tools and the inclusion of latent disclosures for those tools to detect, not to mention the option for manifest disclosures, this bill takes a strong step towards helping to ensure that people understand they are engaging with content made with AI.

The California AI Transparency Act is also not the only bill aiming to introduce greater transparency into the AI landscape. The bill was passed at roughly the same time as California A.B. 2013, which involves placing transparency requirements on the datasets that go into training an AI. Taken together, they represent a shift towards trying to have greater transparency into both what goes into an AI and the output produced by the AI. Despite both bills being California state bills, their potential reach is far greater. California is a major market that companies would not want to carve out. This means that these bills could represent a shift towards greater transparency in AI on a greater scale than it might seem at first glance.