California Moved 11 AI Bills in One Week. Is Your Compliance Program Paying Attention?
If your enterprise AI compliance programs is like most, you likely don't know what happened in Sacramento last week. Ten California AI bills cleared key committees, with another major AI displacement bill moving on a parallel track. Compliance should probably know that.
California isn't waiting for Congress, and lets be honest, Congress has made that easy - by doing nothing. That leaves California writing the de facto national standard for AI compliance, and whether you're headquartered in Austin or Atlanta, if you deploy AI to California employees or sell AI-enabled products to California residents, you're likely already in scope.
Here's what just moved, and why it matters.
The chatbot cluster
Four chatbot bills passed out of committee last week, and they cover meaningfully different ground.
AB 1609 targets customer service deployments at large private businesses. The core requirement: disclose when a customer is talking to a chatbot if the interaction could mislead a reasonable person into thinking they're talking to a human, and make a good-faith effort to connect them with a live agent within 15 minutes of a request. That window applies during a business's normal operating hours. If your customer service stack is AI-first, this bill touches your product design, your vendor contracts, and your escalation workflows — not just your compliance checklist.
AB 1988, the PAUSE Act, applies to companion chatbots and takes a different approach. Operators have to implement systems that detect credible crisis expressions — statements indicating intent to harm themselves or others. If a user escalates or makes a subsequent credible crisis expression within 72 hours, the operator must initiate a 20-minute crisis interruption pause before conversation resumes. Operators also have to maintain a public crisis response policy and report incidents annually to the Office of Suicide Prevention starting January 1, 2028. This isn't a disclosure bill. It's an operational requirement with incident tracking obligations attached.
The two children’s safety bills: AB 2023 in the Assembly and SB 1119 in the Senate, both cleared committee last week and cover similar ground from different chambers. AB 2023 requires operators of companion chatbots to annually conduct and document comprehensive child-safety risk assessments, maintain public-facing child-safety policies, and submit to independent audits, with audit reports submitted to the Attorney General. SB 1119 is the Senate companion, carrying similar child-safety obligations, including risk assessments, independent audits, and Attorney General reporting. If your product interacts with minors in any form, both bills are worth reading carefully, especially since the compliance infrastructure they contemplate takes time to build.
The healthcare cluster
Three healthcare AI bills cleared committee in the same week, and together they start to impose a governance structure on clinical AI that most health systems haven't built yet.
AB 1979 amends the Confidentiality of Medical Information Act to extend its protections to businesses operating healthcare chatbots that help consumers manage medical information or support diagnosis and treatment. That's a significant scope expansion for CMIA — businesses that previously weren't covered healthcare entities may find themselves squarely within it. The bill also requires specified healthcare settings to ensure that no clinical decision is based solely on the output of a clinical decision support system, and that a licensed healthcare professional exercises independent professional judgment when reviewing and approving a clinical decision based on that output.And the bill bars AI from directing unlicensed personnel to perform functions that require a license — a provision that has real teeth in settings if/where AI-generated guidance to direct, guide, supervise, or instruct is flowing to staff across a care team.
AB 2575 goes further into the clinical workflow. It requires that health workers receive specific disclosures about the AI tools being used in their care setting — intended use, known risks, inputs, validation status, and maintenance protocols. It protects workers who override AI outputs when the standard of care requires it, creating an explicit right to deviate from AI recommendations without facing retaliation or adverse employment action. It also limits the superseding-cause defense: a defendant that developed, modified, selected, or deployed a clinical decision support system alleged to have caused harm could not avoid liability solely by arguing that a clinician failed to override the system’s output. I've written before about who ends up holding liability when hospital AI fails. This bill is starting to answer that question through statute.
SB 903 focuses specifically on psychotherapy and mental health care. It prohibits offering therapy to California residents unless a licensed professional conducts it — AI can support the process but cannot replace the clinician. Before AI is used to assist with supplementary support in therapy or psychotherapy where the session is recorded or transcribed, the provider must obtain specific written consent. AI cannot make independent therapeutic decisions, deliver direct therapeutic communications unless the tool is FDA-approved and HIPAA-compliant, issue unreviewed treatment recommendations, or perform emotion or mental-state detection. This is a detailed set of operational restrictions, not a general disclosure requirement.
The employment cluster
The employment cluster is the one most enterprise programs aren't built for, and it's getting the least attention.
SB 947 directly regulates the use of automated decision systems in employment. Under the bill, employers cannot rely solely on an automated decision system to discipline, terminate, or deactivate a worker. A human reviewer has to conduct an independent investigation and compile corroborating information before the decision is final. The bill also requires post-decision notice to the affected worker and gives workers access rights to data used by the automated system in making the decision. This matters for any company using AI tools in performance management, workforce optimization, or gig-worker deactivation workflows.
AB 2027 targets a specific practice that's becoming more common: using data generated by workers to train AI systems that would then automate or replace those workers' jobs. The bill bars that outright, and also prohibits employers and their vendors from selling or sharing that worker data to third parties for the same purpose. Vendors handling this data have to implement security safeguards. If you're running any kind of AI training pipeline that draws on employee data, this bill is directly relevant to how those agreements are structured.
SB 951, the California Worker Technological Displacement Act, also moved through committee last week. It requires employers to provide at least 90 days' written advance notice before any technological displacement - technology-driven, including AI or automation - that affects 25 or more workers or 25% of the workforce, whichever is smaller. The notice has to include specific disclosures about the technology being implemented and its expected impact. This is WARN Act logic applied to AI displacement, and the 90-day window is longer than most workforce planning timelines account for.
AB 1883 rounds out the employment picture. It restricts workplace surveillance tools, including prohibiting uses that infer emotional state, make inferences based on gait, collect neural data, interfere with legal rights, or infer protected activity or other sensitive worker information. The enforcement mechanism includes civil penalties of up to $500 per violation.
None of these are signed law, but that's the wrong reason to wait.
Bills that clear committee in April land on the Governor's desk in September. The compliance gap for most enterprise programs - you know, the space between what's currently deployed and what California is building toward - doesn't close overnight. Vendor agreements take time to renegotiate. HR governance programs that weren't designed around automated decision systems don't get fixed in a week.
Four questions worth answering now: 1) What AI are you running, and where are the employees and users it touches? 2) Who carries liability in your vendor contracts when something goes wrong? 3) Does your HR program account for automated decision systems at all? 4) And has anyone explained this to leadership as a compliance exposure, not just a tech roadmap item?
You don't need final signatures to start working those answers. By the time you have them, the window might already be closed. So start now from where you are.
Questions about how this wave of legislation affects your operations? Get in touch.