On February 16, 2024, Assembly Bill 3204 adding Title 1.81.8 (commencing with Section 1978.321) to Part 4 of Division 3 of the Civil Code, relating to data digesters was introduced to the California State Assembly.

Scope of the bill

The bill, if enacted, would apply to data digesters which are defined as businesses that uses personal information to train artificial intelligence (AI). 

What are the requirements under the bill?

The bill would require data digesters to register with the California Privacy Protection Agency (CPPA) on or before January 31 following each year in which a business meets the definition of 'data digester.' When registering, data digesters must provide the following information:

• name of the data digester and its primary physical, email, and internet website addresses;

• each category of personal information that the data digester uses to train AI;
• each category of sensitive personal information that the data digester uses to train AI;
• each category of information related to consumers' receipt of sensitive services that the data digester uses to train AI;
• whether the data digester trains artificial intelligence (AI) using minors' personal information;
• whether and to what extent the data digester or any of its subsidiaries is regulated by:
  • the Fair Credit Reporting Act (FCRA);
  • the Gramm-Leach-Bliley Act (GLBA);
  • the Driver's Privacy Protection Act;
  • the Insurance Information and Privacy Protection Act;
  • the Confidentiality of Medical Information Act;
  • the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA); or
  • Article 5 of Chapter 6.5 of Part 27 of Division 4 of Title 2 of the Education Code relating to the privacy of pupil records; and
• any additional information or explanation the data digester chooses to provide relating to its AI training practices.

Furthermore, the bill would require the CPPA to create a page on its website where registration information is accessible to the public (the informational website).

Penalties

Should data digesters fail to register with the CPPA, the bill provides that the CPPA must provide notice of failure to the data digester and publish such notice on the informational website. The bill also states that the CPPA may bring an administrative action against the data digester and such data digesters may be liable for the following penalties:

• an administrative fine of $200 for each day the data digester fails to register, prior to the date on which the notice is posted, or an administrative fine of $5,000 for each day the data digester fails to register beginning on the 15th day after notice is posted;
• an amount equal to the fees that were due during the period it failed to register; and
• expenses incurred by the CPPA in the investigation and administration of the action as the court deems appropriate.

You can read the bill here and track its progress here.

Update: March 20, 2024

Bill referred to the Committee on Privacy and Consumer Protection 

On March 11, 2024, the bill was referred to the California Assembly Committee on Privacy and Consumer Protection.