Blog | 10/18/2024

Navigating AI Compliance: How California’s AB 2013 Reshapes GenAI Operations

Team Contact: John Rondini , Muhammad Siwani

Share

California’s AB 2013 introduces substantial new compliance obligations for companies developing generative AI (GenAI) systems. While just enacted, the bill will require published documentation about the data used to train a GenAI system or service, by a compliance deadline of January 1, 2026. In-house counsel should therefore be prepared to guide their organizations through these requirements, which focus heavily on transparency in GenAI training data and operational practices.

I. Key Impacts on AI Development

AB 2013 requires developers to maintain and post “on the developer’s internet website” records of the data used by the developer for training the GenAI system or service. The record should include a “high-level summary of datasets” used in the development of the GenAI system or service. While not a comprehensive list, the bill states the summary should include: (1) information on the sources/owners of the datasets; (2) a description of the data points used in the datasets; and (3) whether any of the data contains intellectual property (IP) such as copyrighted, patented, or trademarked material.

Of a more significant note, AB 2013 also requires disclosure of any “personal information” as defined by the California Consumer Privacy Act (CCPA). By specifically tying the CCPA to the new bill, counsel will also need to evaluate privacy issues related to the training of the GenAI system or service.

As many GenAI systems utilize large, varied datasets, the bill’s requirements will require significant evaluation especially if the models are continually updated or fine-tuned. Counsel will need to develop and implement processes to catalog the datasets used to train the GenAI models and retain thorough documentation on a periodic basis.

Moreover, for GenAI systems developed or substantially modified after January 1, 2022, companies may need to retrospectively compile documentation about the training data, which could be challenging if prior data records were incomplete. A substantial modification as defined by AB 2013 is a new version, new release, or other update to a GenAI system or service that materially changes its functionality or performance, including the results of retraining or fine tuning. This will require significant efforts to collect the information and address any gaps in historical documentation.

The law also requires disclosures related to synthetic data used during training. For companies using synthetic data to mitigate privacy concerns or improve model performance, this transparency could reveal confidential internal strategies. In-house counsel should advise on how to navigate these disclosures while minimizing the risk to any proprietary material.

II. Compliance Strategies

To comply with AB 2013, companies should develop robust data governance practices. For instance, regular internal audits could be one method used to ensure training data documentation remains up-to-date and meets the legal requirements. Or a reliable record-keeping system that tracks data sources, modifications, and usage history could also help ensure compliance. In-house counsel will not only need to develop such internal methods, but will also need to work closely with technical teams in both establishing these systems and conducting risk assessments.

From a legal perspective, privacy reviews will become even more critical. Counsel should collaborate with privacy and data protection teams to evaluate whether the training datasets include personal information as defined by the CCPA or proprietary intellectual property. Since AB 2013 does not exempt the potential disclosure of trade secret material, companies will need to balance the need for transparency with the protection of this highly sensitive IP. Counsel may therefore need to reassess the structure of data-processing strategies to mitigate risks of disclosing valuable intellectual property.

Another major component of compliance will be the public disclosure requirements of AB 2013. Again, AB 2013 requires companies to publicly post high-level summaries of their training data practices. In-house counsel should oversee the development of these summaries, ensuring they meet legal requirements while avoiding the disclosure of sensitive or competitive business details.

AB 2013 provides specific exemptions from these documentation requirements. GenAI systems used solely for security and integrity purposes, aircraft operation in national airspace, or those developed for national security, military, or defense purposes and available only to federal entities are exempt from the bill’s provisions.

III. Impact on Specific AI Operations

For companies that specialize in retraining or modifying existing GenAI models, AB 2013 introduces additional burdens. For instance, companies would need to document the datasets used in the retraining process, even when they did not originally develop the data. Operational challenges could become complex when companies are working with third-party datasets. Counsel should help negotiate data-sharing agreements with external providers and third-parties to ensure compliance with AB 2013.

In consumer-facing GenAI applications, transparency and disclosure of the training data could affect user trust. Consumers may scrutinize GenAI systems more closely, particularly if the disclosed data sources raise privacy concerns. Counsel should advise on the potential reputational risks and ensure that the company’s communications address these issues proactively.

IV. Strategic Recommendations

To ensure compliance with AB 2013, in-house counsel should emphasize the need for cross-departmental collaboration within its organization. AI development teams, privacy officers, and legal departments will need to work together to prepare all required documentation well before the January 1, 2026, deadline. This collaboration will be essential for maintaining clear lines of responsibility and ensuring a unified approach to compliance.

Additionally, investing in advanced data cataloging systems should be a strategic necessity. These systems will allow the company to track the necessary data at a granular level, logging both current and historical training data.

Lastly, developing public-facing transparency protocols will ensure organizations meet AB 2013’s disclosure requirements without unnecessarily exposing proprietary information or business risks. By balancing compliance with the protection of intellectual property, companies should be able to minimize the risks associated with the new law while maintaining competitive advantage.

In summary, AB 2013 brings significant changes to AI operations in California. In-house counsel should begin working to ensure their organizations adapt to these new requirements by advising on data governance, legal risk assessments, and public disclosures.

 

Keep Reading