California Introduces Landmark Bill Targeting AI Training Data Privacy
Sacramento, California – California State Assembly members have taken a significant step towards regulating the burgeoning field of artificial intelligence, specifically targeting the vast quantities of personal data used to train powerful large language models (LLMs). On February 14, 2025, Assembly Bill 345 (AB 345) was formally introduced, spearheaded by Rep. Lena Chen, a Democrat representing San Francisco. This proposed legislation aims to establish stringent new privacy requirements that could reshape how AI companies collect and utilize data within the state.
At its core, AB 345 addresses growing concerns over the opaque practices often employed in collecting data for AI training sets, particularly the widespread use of web scraping. The bill mandates explicit user consent for the collection of personal data through scraping techniques when that data is intended for training LLMs. This represents a departure from current practices, where data is often collected from publicly available sources without direct individual notification or permission for its specific use in AI training.
Key Provisions and Intent of AB 345
The central tenet of AB 345 is the empowerment of the individual data subject. Beyond the requirement for explicit consent for scraping personal data, the bill includes crucial provisions allowing users to request the deletion of their data from AI training sets. This ‘right to deletion’ for training data is a novel concept in privacy legislation, extending principles typically applied to active databases to the static, often massive, datasets used to build AI models. The process for requesting deletion and the subsequent obligations for companies to comply are expected to be detailed within the bill’s text, though the full scope of technical feasibility and the definition of ‘personal data’ within training sets remain areas of keen interest and potential debate.
Advocates for AB 345 argue that it is a necessary evolution of privacy law in the age of advanced AI. They contend that individuals should have agency over how their personal information, even if publicly available, is used to train technologies that could have significant societal impacts. Rep. Lena Chen and her supporters believe the current legal framework is insufficient to protect individuals from the potential harms of AI trained on their data without their knowledge or consent, such as bias perpetuation or the potential for misuse of inferred information.
The bill defines ‘large language models’ broadly, encompassing the sophisticated AI systems capable of generating human-like text, translating languages, and performing other complex linguistic tasks. The effectiveness and capabilities of these models are directly tied to the diversity and volume of data they are trained on, often comprising billions or trillions of words scraped from the internet, books, and other digital sources. AB 345 seeks to ensure that the ‘personal data’ within this vast corpus is handled with greater respect for individual privacy rights.
Potential Impact on Tech Giants
While AB 345 applies to any company operating within California that uses personal data to train LLMs via scraping, the legislation is expected to have a particularly significant impact on major technology firms with substantial operations on the West Coast. Companies such as Google, OpenAI, and Meta Platforms are prominent players in the development and deployment of LLMs and routinely utilize extensive datasets for training. Their methods for data acquisition and the sheer scale of their training operations mean they would face considerable compliance burdens under the proposed law.
These companies currently rely on diverse data sources, including publicly available web pages, licensed datasets, and user-generated content. AB 345’s requirement for explicit consent specifically for scraped personal data introduces a new hurdle, potentially limiting the readily available pool of data or requiring substantial investment in consent management systems and data pipeline modifications. The right to request deletion further complicates data management, posing technical challenges for removing specific data points from models that have already been trained or are continuously learning.
Observers suggest that compliance could necessitate significant changes in data collection strategies, requiring companies to implement robust mechanisms for identifying personal data within scraped content and obtaining verifiable consent before incorporating it into training sets. Furthermore, they would need to develop processes to locate and potentially ‘unlearn’ or remove specific user data upon request from already-trained models – a technically complex, if not impossible, task depending on the model architecture and the nature of the data.
Opposition and Concerns Over Innovation
The introduction of AB 345 has not been without its critics. Organizations representing the technology sector, including the California Tech Council, have voiced strong opposition to the bill. They argue that while the intent of protecting privacy is valid, the proposed measures could inadvertently stifle innovation in the AI space.
According to opponents, requiring explicit consent for data scraping, particularly from publicly available sources, could drastically reduce the volume and diversity of data available for training, potentially hindering the development of more capable and accurate AI models. They contend that LLMs rely on vast, representative datasets to learn patterns and nuances in language, and restricting access to this data could make models less effective or more prone to errors and biases.
Furthermore, the California Tech Council and others raise concerns about the logistical and financial burden of complying with AB 345. Implementing systems to obtain explicit consent for scraped data, managing consent preferences at scale, and developing methods to handle data deletion requests from training sets are seen as potentially prohibitive costs, particularly for smaller AI startups. They argue that these requirements could disproportionately affect California-based companies, putting them at a competitive disadvantage globally.
Opponents also highlight the technical complexity of removing specific data points from a trained model. Unlike traditional databases where records can be easily deleted, data is deeply embedded within the parameters of a large language model after training. Effectively ‘deleting’ specific user data without retraining the entire model from scratch (which is computationally intensive and expensive) is an open research problem, making the ‘right to deletion’ provision potentially impractical or impossible to fulfill in a meaningful way.
Looking Ahead
AB 345 is now set to navigate the legislative process within the California State Assembly and Senate. The bill is expected to undergo committee hearings, potentially face amendments, and spark significant debate between privacy advocates, civil liberties groups, AI researchers, and the technology industry. The outcome will likely depend on the ability of lawmakers to balance the critical need for individual data privacy in the age of AI with the state’s desire to foster technological innovation.
The discussions surrounding AB 345 reflect a broader global conversation about the ethical implications and regulatory needs surrounding artificial intelligence and its reliance on massive datasets. As AI models become more integrated into daily life, the question of how the data used to build them is collected, protected, and managed will remain at the forefront of policy debates.
