Client Insight: California AI Transparency Act

Print
PDF
Share this page

Insights

April 23, 2025

On September 19, 2024, California Governor Gavin Newsom signed SB 942, the California Artificial Intelligence Transparency Act (“CAITA”)^[1], into law. As previewed in our Client Insight: Artificial Intelligence Insights the Current Regulatory Landscape, CAITA is one of several laws passed in California to increase transparency with respect to the use and deployment of artificial intelligence (“AI”) systems and technology and the creation of synthetic and “deepfake” content. CAITA will become effective on January 1, 2026 and will impact both providers of generative AI systems and companies that license and integrate generative AI technology into their offerings. Please read on to learn more about whether CAITA may apply to your business and applicable requirements.

What is CAITA?

CAITA is a forthcoming regulation that will require certain Covered Providers of Generative AI Systems accessible in California to incorporate AI detection and disclosure features on their websites and mobile applications. The Covered Providers will be required to offer tools to users to help them access Provenance Data and determine whether content is generated or altered through the use of AI technology. Third-party licensees of these Generative AI Systems will be required to preserve these disclosures and tools, and be restricted from making changes to Generative AI Systems that remove disclosure tools made available by Covered Providers.

What is the Key Compliance Deadline Under CAITA?

CAITA will go into effect on January 1, 2026.

What is a Generative Artificial Intelligence System?

CAITA defines a “generative artificial intelligence system” or “GenAI system” as an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the
system’s training data.

“Artificial intelligence” or “AI” is defined as an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.

In practice this definition is expected to cover AI-powered systems that can be used to produce synthetic content as an output based on an input, including, for example, systems like Dall-E, Llama, Copilot and Midjourney.

What is a Covered Provider?

A “Covered Provider” is a person that meets all of the following requirements:

1. The person creates, codes, or otherwise produces a GenAI System;
2. The GenAI System has over 1,000,000 monthly visitors or users; and
3. The GenAI System is publicly accessible within the geographic boundaries of the state of California.

What is Provenance Data?

“Provenance Data” is data that is embedded into digital content, or that is included in the digital content’s metadata, for the purpose of verifying the digital content’s authenticity, origin, or history of modification.

Are there any Carve Outs?

Yes, CAITA does not apply to any product, service, internet website or application that provides exclusively non-usergenerated video game, television, streaming, movie or interactive experiences.

What is a Third-Party Licensee?

A third-party licensee is a person who licenses a GenAI System from a Covered Provider. Examples of third-party licensees include, for example, companies that integrate features of GenAI Systems that allow customers or end users to generate output.

Could I Still Be Subject If I'm Outside of California?

Yes, Covered Providers and third-party licensees located outside of California may still be subject to CAITA if an applicable GenAI System is publicly accessible from within the state of California. The 1,000,000 monthly visitor or user count is based on all visitors and users, even if located outside of California.

_{Click to expand the below for next steps based on whether your company is a Covered Provider or Third-Party Licensee.}

What are Next Steps if I am a Covered Provider?

1. Offer an AI Detection Tool.

•

The Tool and The Input:The tool must be a no-cost option for GenAI System users that allows users to upload content or provide a URL linking to online content.

•

Access to the Tool: The tool must be publicly accessible and support an application programming interface (API) that allows a user to use the tool without visiting the Covered Provider’s website. Covered Providers may impose reasonable limitations on access to the tool to prevent, or respond to, demonstrable risks to the security or integrity of the GenAI System.

•

Required Output: The tool must allow a user to (a) assess whether image, video or audio content, or content that is any combination thereof, was created or altered by the Covered Provider’s GenAI System; and (b) output Provenance Data that is not reasonably capable of being associated with a particular user regarding the type of device, system or service used to generate a piece of digital content and that otherwise relates to content authenticity.

•

Prohibited Output: The tool cannot output Provenance Data that contains any personal information or identifies any unique device, system or service that is reasonably capable of being associated with a particular user, or retain any such Provenance Data from content submitted to the AI detection tool by a user.

•

Synthetic Text: Although some sources have taken the position that Covered Providers who only create synthetic text are not obligated to provide an AI detection tool, it is more likely that such Covered Providers are only exempt from the requirement that the tool assess whether image, video or audio content was created or altered by the Covered Provider’s GenAI system. Covered Providers who only create synthetic text will likely still have to provide users with an AI detection tool that adheres to the remaining criteria.

•

Retention of Inputs: Covered Providers cannot retain any content submitted to the AI detection tool for longer than is necessary to comply with output requirements.

•

Collection and Retention of Personal Information: A Covered Provider cannot collect or retain any personal information from users of the Covered Provider’s AI detection tool except for contact information of a user who submits feedback and opts in to being contacted by the Covered Provider.

•

Collecting Feedback: Covered Providers are required to collect user feedback regarding the efficacy of the Covered Provider’s AI detection tool and to incorporate relevant feedback into any attempt to improve the efficacy of the tool.

•

The Path Forward: Given the CAITA specifications regarding the format, inputs and outputs of the AI detection tool, creating a compliant version of this tool may be one of the most time-intensive parts of working toward CAITA compliance and that the contours of what industry standard iterations of this tool look like may shift after CAITA’s enforcement begins. Some examples of recent AI detection tools developed by prominent Covered Providers include the C2PA Specification and other detection classifiers, as described further below.

•

Detection Classifiers and the C2PA Specification. The C2PA Specification is a framework created by the Coalition for Content Provenance and Authenticity (“C2PA”) that allows Provenance Data to be bound to media and changes to this media (including changes made by a GenAI System) to be tracked.^[2] C2PA is a non-profit project focused on developing open technical specifications for establishing content provenance and authenticity for different types of media.^[3] OpenAI, Meta Microsoft, Google, Adobe, BBC and others have joined the steering committee for C2PA.^[4]

•

Detection Classifiers and Content Credentials. Detection classifiers are tools that use AI to evaluate the likelihood that a piece of content was created using a GenAI System. An example of a detection classifier is a tool called Content Credentials that users can access to view C2PA Provenance Data in certain media created by participating partners like Adobe, Microsoft and Nikon.^[5] Content Credentials makes this Provenance Data available by allowing users to click on a pin affixed to content that is accessible across the internet. OpenAI is also currently developing a detection classifier that can determine if an image was created using their DALL-E 3 system, and OpenAI is focusing on increasing the accuracy and durability to adversarial activity of this tool.^[6]

•

Detection Classifier Accuracy and Other Compliance Gaps. In recent tests comparing non-AI generated images with those created by DALL-E 3, OpenAI’s detection classifier identified ~98% of the DALL-E 3 generated images and only incorrectly tagged ~0.5% of non-AI generated images as being AI generated, typically recognize images that have undergone certain modifications (like cropping and saturation change) as AI-generated.^[7] That being said, the accuracy of the classifier decreases significantly with other modifications to the image (like hue adjustment and the addition of gaussian noise to the image). Another setback is that while the C2PA Provenance Data made available with content cannot be easily altered once attached to the content, it can be easily removed from the content. The Content Authenticity Initiative (“CAI”), a global community promoting the adoption of the C2PA Specification, has indicated that the use of the C2PA Specification may need to be part of a multi-pronged approach to address these gaps and ensure that tools meet each of the CAITA requirements.^[8]

•

Examples of the Content Credentials Tool and C2PA Provenance Data in Action.^[9]

Figure 1: Content Credentials Upload Screen Example

Figure 2: Adobe C2PA Provenance Data Example

Figure 3: DALL-E C2PA Provenance Data Example

2. Offer a Manifest Disclosure Tool.

•

The Tool and The Content: The tool must be a no-cost option for GenAI System users to include a manifest disclosure in image, video or audio content or any combination of this type of content that is created or altered by the GenAI System. There is no requirement to include a manifest disclosure in synthetic text.

•

The Manifest Disclosure: The manifest disclosure can be thought of as a watermark on content created or altered by the GenAI System, but must (a) be conspicuous and easily understood or recognized by a natural person; (b) clearly identify the content as AI-generated; and (c) be extremely difficult or impossible to remove.

•

The Path Forward: As Covered Providers prepare for compliance with CAITA, coalitions of Covered Providers have started collaborating to create standardized approaches to manifest disclosures, including through use of Content Credentials pins and other tools used to affix C2PA Provenance Data to content, as described further below. Through these tools, some Covered Providers have integrated manifest disclosure options within AI detection tools to avoid the need for two wholly separate tools.

•

The Content Credentials Pin: As flagged above, Content Credentials affixes a pin to content analyzed through the Content Credentials tool that tracks Provenance Data and is accessible across the internet, allowing users to click the pin to access available content, modification and manipulation data. This may be an example of an effective manifest disclosure method depending on how difficult it would be to remove the pin from content.

•

OpenAI’s Approach to Manifest Disclosure: OpenAI is also using C2PA Provenance Data as a form of manifest disclosure for images created by their DALL-E 3 GenAI system^[10] by embedding C2PA metadata into all images that are either created or edited by DALL-E 3, and plans to utilize the C2PA metadata in content created through Sora, OpenAI’s video generation model. This metadata will provide information that includes the app or device that was used to change the image, the AI tool that was used to change the image and a digital signature from the entity providing this information.

•

The Content Credentials Pin in Action:

Figure 4: Content Credentials Pin Example

3. Incorporate a Latent Disclosure in Generated Content.

•

The Content: A latent disclosure is a disclosure embedded within synthetic content that may not be perceptible to the human eye. A latent disclosure must be included in image, video or audio content or any combination of this type of content that is created by the GenAI System. There is no requirement to include a latent disclosure in synthetic text.

•

The Latent Disclosure: The latent disclosure does not need to be conspicuous to a natural person, but must (a) be detectable through the Covered Provider’s AI detection tool (described further below); (b) be consistent with industry standards; (c) be extremely difficult or impossible to remove; and (d) contain or link out to:

•

The name of the Covered Provider;

•

The name and version of the GenAI System that created or altered the content;

•

The time and date of the content’s creation or alteration; and

•

A unique identifier.

•

The Path Forward: While Covered Providers are only required to give users the option to incorporate a manifest disclosure in content, latent disclosures must be incorporated by default. This may include, for example, embedding content generated or altered through GenAI Systems with metadata specifying the name of the Covered Provider and GenAI System, the version of the GenAI System, the time and date of content creation or alteration and other unique identifiers. As with the manifest disclosure requirement, Covered Providers have started to prepare for compliance with CAITA’s latent disclosure requirement, including through use of invisible watermark signals embedded into content by default, as described further below.

•

OpenAI’s Tamper-Resistant Invisible Watermarks. OpenAI is exploring marking audio content created by GenAI systems to include a tamper-resistant invisible watermark signal, for example.^[11] Given the tamper-resistant nature of this signal, OpenAI’s approach may be helpful to meet the latent disclosure obligations of CAITA as long as the signal makes the Covered Provider, GenAI System, creation and alternation and unique identifier information previewed above available to users. This signal would not, however, meet manifest disclosure requirements because it is “invisible” and inconspicuous to a natural person.

4. Require Licensees to Include Latent Disclosures and Revoke Licenses for Misuse.

•

Third-Party Licenses When licensing their GenAI System to a third party, a Covered Provider must contractually require the third-party licensee to maintain the GenAI System’s capability to include latent disclosures in the content that the system creates or alters.

•

License Revocation: If a Covered Provider knows that a third-party licensee has modified a licensed GenAI System such that it is no longer capable of including a latent disclosure in content the GenAI System creates or alters, the Covered Provider must revoke the license to the GenAI System within 96 hours of discovering the licensee’s action.

•

The Path Forward: Covered Providers are required to maintain latent disclosure features in licensing terms and contracts by default, and monitor changes to their GenAI Systems by third-party licensees that may impact the ability to include latent disclosures in generated or altered content.

What are Next Steps if I am a Third-Party Licensee?

To comply with CAITA, third-party licensees must:

1. Maintain Latent Disclosure Capabilities in Licensed GenAI Systems.

•

The Capability: Covered Providers are required to include latent disclosures (i.e., disclosures embedded within synthetic content that may not be perceptible to the human eye) in image, video or audio content or any combination of this type of content that is created by the Covered Providers’ GenAI Systems. There is no requirement to include a latent disclosure in synthetic text. If a licensed GenAI System includes the capability to include a latent disclosure in generated content, the third-party licensee must maintain this capability.

•

The Latent Disclosure: The latent disclosure does not need to be conspicuous to a natural person, but the disclosure must (a) be detectable through AI detection tools; (b) be consistent with industry standards; (c) be extremely difficult or impossible to remove; and (d) contain or link out to:

•

The name of the Covered Provider;

•

The name and version of the GenAI System that created or altered the content;

•

The time and date of the content’s creation or alteration; and

•

A unique identifier.

•

The Path Forward: Covered Providers will be required to specifically flow-through obligations, including with respect to latent disclosure capabilities, to third-party licensees. When considering making modifications to a licensed GenAI System, third-party licensees must ensure that these modifications comply with applicable license restrictions and do not affect the ability of the GenAI System to include latent disclosures in the content that is generated.

2. Promptly Cease Use of GenAI Systems if Licenses are Revoked.

•

License Revocation: A third-party licensee must cease use of a licensed GenAI system if the Covered Provider revokes the license due to the third-party licensee’s use of or modification to a GenAI System that impacts the GenAI System’s ability to include a latent disclosure.

•

The Path Forward: Be on the lookout for GenAI System licensors cracking down on licenses to third parties that may jeopardize the effectiveness of latent disclosures in content produced through GenAI Systems.

What Are the Potential Penalties Under CAITA?

Covered Providers that violate CAITA may be fined $5,000 per violation and attorneys’ costs and fees. Each day that a Covered Provider is in violation of CAITA is considered a discrete violation.

Third-party licensees who violate CAITA may be subject to claims for breaches of applicable contracts with Covered Providers and may also be subject to claims for injunctive relief and attorneys’ costs and fees.

Civil actions against Covered Providers and third-party licensees can be brought by the California Attorney General and city and county-level prosecutors.

How Can GD Help?

Gunderson Dettmer is committed to fostering AI education for the innovation economy and we will continue to monitor and report on issues relating to CAITA that may impact your business, so please stay tuned for further updates. Please refer to the Gunderson Dettmer Generative AI Resources page for additional educational materials and insights.

If you have any questions regarding this client alert, or if your company needs assistance evaluating its obligations under CAITA, please reach out to your Gunderson Dettmer attorney.