California Attorney General Issues Two Advisories on AI and the State’s Consumer Protection Laws

As the federal government signals that it is stepping back from regulating artificial intelligence (AI) to encourage innovation, states like California are taking a more proactive approach. Recently, the California Department of Justice (CA DOJ), led by Attorney General Rob Bonta, issued two legal advisories outlining how existing California laws apply to AI technologies, including their specific impact on healthcare.

These advisories emphasize that organizations developing, selling, or using AI systems must adhere to California’s consumer protection laws. This includes understanding how AI systems are trained, the data used, and the generation of outputs. The CA AG underscores the need for businesses to rigorously test, validate, and audit AI systems to ensure safety, ethics, and legality while minimizing biases and errors. Transparency is key, particularly regarding the use of consumer data and how AI influences decision-making. Healthcare organizations must also inform patients how their information is used in AI training and how AI shapes healthcare decisions.

Key Risks Highlighted by the CA AG

The CA AG identified several risks posed by AI systems:

1. Transparency Failures: Insufficient or misleading disclosures about AI usage.
2. Bias and Discrimination: AI decision-making may create unlawful disparate impacts, exacerbating inequities.
3. Consumer Harm: Deceptive AI-driven practices, such as false advertising or data exploitation, the denial of necessary care, or the generation of misleading medical information.
4. Privacy Violations: Misuse of personal data in AI training, including sensitive patient information.

Consumer Protection Laws Relevant to AI

The advisories highlight the following laws as examples of those applicable to AI systems:

1. Unfair Competition Law: This law prohibits unlawful, unfair, or fraudulent practices, including deceptive marketing, price fixing, and fraudulent billing. AI-generated misrepresentations, such as deepfakes or misleading chatbots, also fall under this law.
2. False Advertising Law: Prohibits false or misleading claims about AI tools’ capabilities or accuracy.
3. Privacy Laws: The California Consumer Privacy Act (CCPA) governs the collection, use, and sale of personal data, including AI training data. Healthcare-specific laws, such as the Confidentiality of Medical Information Act (CMIA), provide additional protections for sensitive health and genetic data.
4. Education Laws: The Student Online Personal Information Protection Act (SOPIPA) restricts educational technology providers’ sale or misuse of student data.
5. Credit and Tenant Screening Laws: The Unruh Civil Rights Act and other laws prohibit discriminatory practices, such as biased credit scoring or tenant screening.
6. Healthcare Laws: The Knox-Keene Act and California Insurance Code limit AI’s role in healthcare decisions, requiring that:
   • AI does not override licensed providers’ decisions.
   • AI decisions are based on individual clinical circumstances.
   • AI tools prevent discrimination and promote equitable treatment.
7. Recent AI-Specific Legislation:
   • AB 2013: Mandates transparency in AI training data.
   • AB 2602: Regulates digital replicas and likenesses.
   • SB 1120: Requires healthcare AI tools to be supervised by licensed physicians.

CA AG Recommendations for Businesses

The CA AG advises organizations to adopt best practices to mitigate legal risks:

1. Conduct Rigorous Testing: Validate AI systems for accuracy and fairness before deployment.
2. Ensure Transparency: Disclose how AI is used and how data is collected.
3. Protect Consumer Privacy: Comply with CCPA and related privacy laws.
4. Prevent Discrimination: Regularly audit AI systems to identify and address biases.
5. Stay Informed: Monitor legal updates and adapt to evolving regulations.

Specific Recommendations for Healthcare Entities

Healthcare organizations face additional responsibilities to ensure compliance:

1. Validate and Audit AI Systems: Align AI tools with clinical standards and eliminate bias.
2. Communicate Transparently: Disclose AI’s role in patient care and data use.
3. Respect Patient Autonomy: Obtain informed consent for AI-assisted care.
4. Safeguard Patient Privacy: Comply with CMIA, HIPAA, and other laws to protect data.
5. Prevent Discriminatory Outcomes: Proactively address biases and disparate impacts.
6. Avoid Unlawful Practices:
   • Denying care based on AI overrides physician decisions.
   • Generating misleading or biased medical records.
   • Engaging in discriminatory or exploitative AI-driven practices.

Enforcement and Liability

The CA AG warns organizations cannot evade liability by blaming AI systems for harmful outcomes. Violations of California law, including misuse of AI, can result in severe penalties and reputational damage. Healthcare entities, in particular, must comply with state and federal laws, including FDA regulations, FTC guidelines, and executive orders from the Biden administration.

Expert Guidance on AI Compliance

Navigating California’s AI regulatory landscape requires experienced legal counsel. The CommLaw Group, in collaboration with the Law Offices of Julia A. Clayton, specializes in data privacy, consumer protection, and AI compliance to help businesses mitigate risks and meet legal obligations. Transparent, ethical, and compliant AI deployment is critical to maintaining public trust and adhering to California’s robust legal standards.

Contact Us

• E. Brian Alexander:703-791-1050 | bal@commlawgroup.com
• Julia Clayton: 510-519-7605 | jac@lawofficejac.com
• Susan Duarte: 703-714-1318 | sfd@commlawgroup.com
• Diana James: 703-663-6757 | daj@commlawgroup.com

Special thanks to Julia A. Clayton, who contributed her insights about the California DOJ and consumer protection enforcement to this article.