Privacy & Information Security Law Blog

On January 13, 2025, California Attorney General Rob Bonta issued two legal advisories on the use of AI, including in the healthcare context. The first legal advisory (“AI Advisory”) advises consumers and entities about their rights and obligations under the state’s consumer protection, civil rights, competition, and data privacy laws with respect to the use of AI, while the second (“Healthcare AI Advisory”) provides guidance specific to healthcare entities about their obligations under California law regarding the use of AI.

The AI Advisory notes that businesses have existing obligations with respect to their use of AI under existing California law, including the California Consumer Privacy Act of 2018, the California Invasion of Privacy Act, the Student Online Personal information Protection Act and the Confidentiality of Medical information Act.

The AI Advisory also notes the applicability of recently passed AI laws (with effective dates in 2025 and 2026) to businesses’ use of AI, including laws providing:

• disclosure requirements for businesses (e.g., regarding training data used in AI models, AI-generated telemarketing, detection tools for content created by generative AI);
• contractual and consent requirements relating to the unauthorized use of likeness in the entertainment industry and other contexts;
• disclosure and content removal requirements relating to the use of AI in election and campaign materials;
• prohibition of and reporting requirements related to exploitative uses of AI (i.e., child pornography, nonconsensual pornography using deepfake technology, sexually explicit digital identity theft); and
• supervision requirements for use of AI tools in healthcare settings.

The Healthcare AI Advisory provides guidance specific to healthcare providers, insurers, vendors, investors and other healthcare entities about their obligations with respect to their use of AI under California law, including:

• health consumer protection laws (e.g., prohibition on unlawful, unfair or fraudulent business acts or practices; professional licensing standards and other prohibitions relating to the practice of medicine by non-human entities; requirements relating to management of health insurance);
• anti-discrimination laws (e.g., requirements relating to protected classifications); and
• patient privacy and autonomy laws (e.g., use and disclosure of patient data, confidentiality of patient data, patient consent, patient rights).

The Healthcare AI Advisory emphasizes the importance of taking proactive steps to comply with existing California law, even as additional AI laws and regulations are anticipated, given the potential risk of harm to patients, healthcare systems and public health.