California's 2025 Privacy and AI Legislative Landscape: Eight Bills Navigate Complex Path Forward

TL;DR: California's legislature is considering eight privacy-focused bills that could significantly reshape how companies handle consumer data, with three bills having stalled while five continue advancing. The legislation targets precise geolocation tracking, data broker practices, age verification systems, and opt-out preference signals—representing the state's continued push to strengthen consumer privacy protections.

California Consumer Privacy Act (CCPA)

Introduction The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, the Governor of California, on June 28, 2018, and

Compliance Hub WikiCompliance Hub

Overview: A Legislative Session in Transition

California's 2025 legislative session presents a pivotal moment for privacy and cybersecurity regulation. The California legislature is currently in its summer recess, returning on August 18. Once it returns, it will have approximately five weeks to pass bills prior to closing for the year on September 12. This compressed timeline has intensified focus on eight critical privacy bills that successfully crossed chambers at the legislative deadline.

We are currently tracking 23 private sector AI-related bills and eight privacy-related bills that crossed chambers at the legislature's deadline. If passed and signed into law, these bills could significantly impact companies doing business in California.

Of the eight privacy bills under consideration, three have encountered significant roadblocks, while the remaining five continue progressing through the legislative process. This legislative package represents California's ongoing effort to maintain its position as the nation's privacy regulation leader, building upon the foundation established by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Active Bills Moving Forward:

• AB 322 (precise geolocation) - requires companies that collect precise geolocation information to notify consumers and not retain the information for longer than is necessary
• AB 302 (data brokers/officials) - protects elected officials and judges from data broker collection
• AB 1043 (age verification) - requires device manufacturers to implement age verification signals
• AB 566 (opt-out signals) - prohibits businesses from developing or maintaining a browser or browser engine that does not include a setting that enables a consumer to send an opt-out preference signal
• SB 361 (data broker disclosure) - expands disclosure requirements for data brokers

Stalled Bills:

• SB 435 - failed to pass out of the Assembly Privacy & Consumer Protection Committee on July 15 due to First Amendment concerns
• SB 690 - the bill's sponsor indicated that the bill will not advance further this year
• SB 354 - insurance privacy standards that haven't been scheduled for hearings

Active Bills: Five Measures Advancing Through the Process

AB 322: Precise Geolocation Information Protection

What it does: The bill adds to the California Consumer Privacy Act (CCPA) to require companies that collect precise geolocation information to notify consumers and not retain the information for longer than is necessary to provide the goods or services requested by the consumer or one year after the consumer's last interaction with the business, whichever is earlier. Businesses also cannot sell, trade, or lease to a third party and are limited in their disclosure of such information to government entities.

The State of California Leads the Way in AI and Privacy Legislation: A Comparative Look at Global AI Regulation Efforts

As artificial intelligence (AI) continues to evolve at an unprecedented rate, governments around the world are working tirelessly to keep up with the technological revolution. From data privacy concerns to ethical dilemmas, AI regulation has become a top priority for many nations. Among the frontrunners in this race to regulate

Compliance Hub WikiCompliance Hub

Current status: The bill passed the Senate Judiciary Committee on July 15 by an 11-2 vote. It is now with the Appropriations Committee where it is scheduled for an August 18 hearing.

Industry impact: This bill directly addresses growing concerns about location tracking by requiring explicit consumer notification and implementing strict data retention limits. Companies in the ride-sharing, delivery, fitness tracking, and mobile advertising sectors would face new compliance requirements around geolocation data handling.

AB 302: Data Broker Protections for Public Officials

What it does: The bill charges the California Privacy Protection Agency with obtaining lists of elected officials and judges and uploading those lists to the accessible deletion mechanism under the state's data broker law. Entities would then have five days to delete the information. The bill creates a private right of action.

Current status: The bill passed the Senate Judiciary Committee on July 15 by an 11-0 vote (2 nonvoting). It is now with the Appropriations Committee where it is scheduled for an August 18 hearing.

Industry impact: Data brokers would face expedited deletion requirements for public officials' information, potentially creating operational challenges and requiring new automated systems to identify and remove protected individuals' data.

The Reality of CCPA Compliance: What a UC Irvine Study Reveals About Data Broker Non-Compliance

A groundbreaking study exposes widespread violations and the “privacy paradox” plaguing consumer rights When a UC Irvine PhD student decided to exercise her basic consumer rights under the California Consumer Privacy Act (CCPA), she unknowingly embarked on what would become the most comprehensive study of data broker compliance ever conducted.

Compliance Hub WikiCompliance Hub

AB 1043: Age Verification Signal Requirements

What it does: This bill requires covered manufacturers to provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user's age bracket to applications available in a covered application store. It also requires covered manufacturers to provide developers with a digital signal via a real-time API regarding whether a user is in any of several age brackets.

Current status: The bill unanimously passed the Senate Judiciary Committee on July 15 and was referred to the Appropriations Committee where it is scheduled for an August 18 hearing.

Industry impact: Device manufacturers and app store operators would need to implement new age verification infrastructure, potentially affecting companies like Apple, Google, and other mobile ecosystem players operating in California.

Unmasking Data Privacy: California Appeals Court Greenlights CPRA Regulations

Landmark legislation set to transform the landscape of consumer data protection Introduction: A game-changing verdict from the California State Appeals Court has reignited the conversation about data privacy rights. In a move celebrated by advocates, the court’s approval to enforce regulations prescribed by the California Privacy Rights Act (CPRA)

Compliance Hub WikiCompliance Hub

AB 566: Opt-Out Preference Signal Mandate

What it does: The bill prohibits businesses from developing or maintaining a browser or browser engine that does not include a setting that enables a consumer to send an opt-out preference signal.

Current status: The bill was ordered to a third reading in the Senate. The bill requires browsers and mobile operating systems to give consumers a one-step option to limit the sharing of their information with opt-out preference signals.

Industry impact: Browser developers would be required to implement opt-out preference signals, potentially affecting major companies like Google (Chrome), Apple (Safari), Microsoft (Edge), and Mozilla (Firefox). If this bill is passed, California would become the first state to require browser vendors to directly support these signals, which would have sweeping benefits.

SB 361: Enhanced Data Broker Disclosure Requirements

What it does: The bill amends the state's data broker law to require data brokers to provide the California Privacy Protection Agency with additional information about their data collection activities, including whether they collect sensitive data such as biometric data and precise geolocation. Data brokers also would be required to disclose whether they shared or sold consumers' data to a foreign actor, the federal government, other state governments, law enforcement, or a developer of an AI system or model.

Current status: The bill was ordered to a third reading in the Assembly.

Industry impact: Data brokers face expanded disclosure requirements that could reveal previously opaque business practices, particularly regarding relationships with government entities and AI companies.

In Addition to COPPA and KOSA for Child Safety Bills

In the digital era, the safety of children on the internet has become a paramount concern, prompting significant legislative and policy-driven conversations. The recent move by the US Senate Judiciary Committee to summon top tech CEOs for a hearing on their platforms’ child safety measures highlights the urgency and complexity

Compliance Hub WikiCompliance Hub

Stalled Legislation: Three Bills Face Obstacles

SB 435: Publicly Available Information Controversy

What it attempted: The bill amends the CCPA to remove the provision stating that sensitive personal information that is publicly available is not considered sensitive personal information or personal information.

Why it stalled: The bill failed to pass out of the Assembly Privacy & Consumer Protection Committee on July 16. However, the bill sponsor indicated that she will work with opponents on revising the bill. Opponents have raised concerns that the bill violates the First Amendment.

This bill represents one of the session's most contentious privacy measures, with opponents arguing it could infringe on First Amendment rights by treating publicly available information as sensitive personal data.

US State AI Laws 2025: Colorado, Texas & California Comparison

Navigate the complex landscape of US state-level AI regulations with comparative analysis of Colorado, Texas, and California frameworks and strategic compliance approaches for organizations.

Compliance Hub WikiCompliance Hub

SB 690: Cookie Litigation Reform

What it attempted: The bill amends the California Invasion of Privacy Act to address the avalanche of cookie and pixel litigation lawsuits.

Why it stalled: The bill passed the Assembly Public Safety Committee on July 1 and was referred to the Privacy & Consumer Protection Committee. However, the bill's sponsor indicated that the bill will not advance further this year and will be revisited next session.

The withdrawal of this bill suggests continued disagreement about how to address the surge in privacy-related litigation that has emerged under California's existing laws.

SB 354: Insurance Privacy Standards

What it does: This bill creates new standards for the collection, processing, retaining, and sharing of consumers' personal information by insurance licensees and their third-party service providers.

Current status: The bill passed the Senate in early June and was referred to the Assembly committees on Insurance and Privacy & Consumer Protection. It has not been set for a committee hearing.

The lack of scheduled hearings suggests this bill may struggle to advance through the remaining weeks of the session.

Industry and Policy Implications

Technology Sector Impact

The advancing bills create significant compliance obligations for technology companies. Browser manufacturers face mandatory opt-out signal implementation, while device makers must build age verification systems. Data brokers encounter expanded disclosure requirements and expedited deletion processes for public officials.

Enforcement Landscape

These bills strengthen the California Privacy Protection Agency's regulatory authority and create new private rights of action. The combination of expanded agency powers and individual enforcement mechanisms signals California's commitment to robust privacy enforcement.

National Precedent Setting

California's privacy legislation often influences other states' regulatory approaches. The success or failure of these bills could shape national conversations about precise geolocation tracking, data broker regulation, and age verification systems.

Looking Ahead: September Deadline Approaches

With the legislature returning August 18 and facing a September 12 closure deadline, the coming weeks will determine which bills become law. The five advancing bills have demonstrated sufficient legislative support to navigate committee processes, while the three stalled measures highlight ongoing tensions between privacy advocates and industry opponents.

The compressed timeline may force compromise on contentious provisions, particularly regarding First Amendment concerns in SB 435 and technical implementation challenges in AB 566. Companies operating in California should prepare for potential new compliance requirements, especially those handling precise geolocation data, operating data broker services, or developing browser technologies.

California's continued privacy leadership through this legislation reflects the state's determination to strengthen consumer protections in an increasingly digital economy. Whether these bills successfully navigate the final legislative hurdles will significantly impact how businesses handle consumer data and privacy rights across the nation's largest state economy.