What is SB 53 and does it apply to my business?

SB 53 (Transparency in Frontier AI) regulates large frontier AI developers training models above a compute threshold. Effective January 2026. Requires publishing redacted risk evaluations and safety protocols. Penalties up to $1M per unreported incident if not disclosed within 15 days. If you're an AI-shipping startup or AI-using SaaS (not training your own frontier model), SB 53 likely doesn't apply directly — but your AI vendors may be subject, and procurement teams will start asking. If you're training a model with significant compute, you're in scope.

What is AB 853 and when does it affect online platforms?

AB 853 (California AI Transparency Act) requires AI-generated content detection and disclosure mechanisms. Phased rollout: AI providers must comply by August 2026, online platforms (social media, content hosts) by January 2027, device manufacturers (cameras, phones) by January 2028. If you're shipping AI-generated content or operating a platform that hosts user-generated content, you'll need detection tools and disclosure mechanisms. SaaS that uses AI to generate customer-facing content (marketing copy, summarization, image gen) is in scope by August 2026.

What is SB 243 and what does it require chatbot operators to do?

SB 243 (Companion Chatbots) requires clear and conspicuous notification when users — especially minors — are interacting with an AI chatbot. Notification every three hours to minors. Suicide prevention protocols required for any chatbot accessible to minors. Passed October 2024, full reporting requirements by 2027. If you run any consumer-facing chatbot — customer support, mental health, companion AI, retail concierge — you need disclosure language and (if minors might access) safety protocols documented and audited.

What is AB 2013 and what data must I disclose?

AB 2013 (Generative AI Training Data Transparency) requires generative AI companies to disclose data sources, copyright usage, personal information involvement, and dataset origins. Effective January 2026. If you train, fine-tune, or distribute a generative AI model, you need a public data documentation page describing your training corpus. If you only USE generative AI (calling OpenAI, Anthropic, Google APIs), you're not directly subject — but your AI vendors are, and enterprise procurement will ask you to confirm vendor compliance.

What is AB 621 and what's the penalty range?

AB 621 (Deepfake Pornography) targets non-consensual sexualized deepfake content. Effective October 2025. Damages $1,500-$50,000 per violation, up to $250,000 for malicious conduct. Applies to creators and distributors. If you operate a content platform, image-gen API, or AI tool with the technical capacity to produce intimate imagery, you need detection + takedown workflows + user-reporting mechanisms documented and operational.

Which of these 6 laws hit my business first?

The fastest-hitting laws for most California-operating SaaS: (1) SB 243 (chatbots) — already in effect since October 2024 if you have any consumer chatbot. (2) AB 621 (deepfakes) — in effect since October 2025 if your platform can generate intimate imagery. (3) AB 2013 (training data transparency) — January 2026 if you ship or distribute generative AI models. (4) SB 53 (frontier AI) — January 2026 if you train large models. (5) AB 853 (AI content transparency) — August 2026 for AI providers shipping customer-facing AI output. (6) SB 524 (LE) — only if you sell into law enforcement. Run the matcher quizzes below to map your specific situation.

How does SideGuy help with California AI law compliance?

SideGuy is the operator-translation layer between raw legal text and what your business actually has to do. Three engagement shapes: (1) $250 Operator Audit — 3-5 day signal-quality audit on which laws apply to your specific stack, vendor inventory, customer-facing AI surfaces, and where you're already compliant vs gapped. (2) $2K 10-Day Onboarding — full audit + cleanup + disclosure language drafted + reusable Python toolchain for ongoing monitoring. (3) $500/mo Daily Ship-and-Shave — ongoing law-change monitoring + substrate updates as new bills pass. Compare to AI-law consulting firms charging $15K-$50K retainer for boilerplate analysis. Operator-honest. Text PJ direct.

SideGuy Operator Advisory · California AI Laws · Updated 2026-05-26

6 New California AI Laws · Operator Guide 2026

Q: What is SB 524 and how does it affect law enforcement-adjacent SaaS?

SB 524 (AI in Law Enforcement) requires AI disclosure on each page of official police reports — documentation of tools used and changes made by AI to original report content. Direct subject: California law enforcement agencies. Indirect subject: SaaS vendors selling AI-assisted report-writing, transcription, summarization, or evidence analysis to police departments. If you sell into LE/public safety with any AI feature, your product needs to surface and log the AI-assist for the disclosure requirement.

Operator-honest translation of SB 53 · AB 853 · SB 243 · AB 2013 · AB 621 · SB 524 — who's affected, when each takes effect, and what your business actually has to do. Built for the NCSD founder shipping AI features who needs the legal text translated into a punch-list, not another 60-page memo.

📍 California · NCSD · Encinitas-based PJ is an NCSD operator who's bought from the compliance vendor category multiple times. AI-law translation is the next adjacent lane.

✅ Verified 2026-05-26 · Sourced from California legislative text and credible CA news reporting · operator-translated · no kickback structure · Text to scope

Why this page exists: California passed six new AI-targeting laws in the 2024-2025 legislative window. Most coverage is either alarmist headlines or 80-page legal memos. Neither is useful to the founder who actually has to ship a chatbot, train a model, or sell into a regulated buyer. This page is the operator-translation layer — what each law says in 4 sentences, who it actually applies to, when it takes effect, and the punch-list action item for businesses that touch the regulation. No legal advice (PJ is not your lawyer). Pre-purchase signal-quality read so you can scope your actual compliance work or find the right specialized counsel for the laws that hit you.

The 6 laws at a glance · quick reference table

Fastest-hitting at top. Run the matcher quizzes below to map your specific stack against the regulations.

Bill	What it regulates	Who's affected	Effective
SB 243	Companion chatbot disclosure + minor protections	Any consumer-facing chatbot operator	Oct 2024
AB 621	Non-consensual deepfake pornography damages	Image-gen platforms · content hosts	Oct 2025
SB 53	Frontier AI safety reporting + risk disclosure	Large frontier AI developers	Jan 2026
AB 2013	Generative AI training data transparency	Companies training/distributing genAI models	Jan 2026
AB 853	AI-generated content detection + disclosure	AI providers · platforms · device makers (phased)	Aug 2026+
SB 524	AI disclosure in police reports	LE agencies · LE-adjacent SaaS vendors	Per agency

Each law · operator-translation breakdown

4-sentence summary · who's actually in scope · what to do this quarter.

SB 243Companion Chatbots · Disclosure + Minor Safety

Effective: October 2024 (reporting 2027) Penalties: Civil + agency action Industry: All consumer chatbot operators

Any chatbot — customer support, mental health, companion AI, retail concierge — must give clear and conspicuous notification that the user is talking to AI, not a human. For chatbots accessible to minors, the notification must repeat every three hours, and suicide-prevention protocols must be in place. Reporting requirements layer in by 2027.

If you ship a chatbot of any kind to California consumers, you're in scope. B2B-internal chatbots have softer requirements but disclosure is still best practice. "Talk to a human" escalation paths are no longer optional for any consumer surface.

Operator action this quarter: Audit every chatbot interface for visible AI disclosure text on first interaction. If minors might access (your TOS doesn't gate at 18+), document your suicide-prevention escalation flow. Add the 3-hour repeat notification if applicable. Estimated work: 8-20 engineering hours per chatbot surface.

AB 621Deepfake Pornography · Civil Damages

Effective: October 2025 Penalties: $1,500-$50,000/violation · up to $250K malicious Industry: Image-gen platforms · content hosts

Non-consensual sexualized deepfake content triggers statutory damages of $1,500 to $50,000 per violation, with up to $250,000 for malicious conduct. Liability attaches to creators AND distributors of the content, which includes platforms that knowingly host or facilitate generation.

If your platform has any technical capacity to generate intimate imagery — image-gen API, stable-diffusion wrapper, content-hosting with user uploads — you need detection workflows + takedown processes + user-reporting mechanisms documented and operational. "We didn't know" is not a defense once you have notice.

Operator action this quarter: If image gen: ship a safety classifier on the prompt input layer + the output layer. If content hosting: ship a user-report flow + a takedown SLA + a documented review process. Get explicit written safety policy + escalation procedure in place. Estimated work: 40-100 engineering hours + legal review.

SB 53Transparency in Frontier AI

Effective: January 2026 Penalties: Up to $1M per unreported incident (15-day disclosure window) Industry: Frontier AI developers (compute-threshold trigger)

Large frontier-AI developers must publish redacted risk evaluations and safety protocols, and report safety incidents within 15 days. Penalties scale up to $1 million per unreported incident. The "frontier" trigger is compute-based — only the largest training runs are in scope, not every AI-using business.

Direct scope: OpenAI, Anthropic, Google DeepMind, Meta, xAI, and any startup training models above the compute threshold. Indirect scope: if you build on top of these vendors' models, your enterprise customers will start asking for evidence your vendor is compliant. The procurement question shifts upstream — buyers will ask you to prove your AI stack's compliance.

Operator action this quarter: If you're not training a frontier model, you don't need to do much directly — but add a "Vendor AI Compliance" line to your trust center / DPA template so you can answer "is your AI vendor SB-53 compliant" in 30 seconds. If you ARE training large models, you need a published safety doc + incident reporting workflow before January 2026.

AB 2013Generative AI Training Data Transparency

Effective: January 2026 Penalties: Civil enforcement Industry: Generative AI model developers + distributors

Companies that train, fine-tune, or distribute generative AI models must publicly disclose data sources, copyright usage, personal information involvement, and dataset origins. This is a transparency-not-prohibition law — you don't have to use only licensed data, but you must document and disclose what you used.

Direct scope: model trainers, fine-tuners, distributors. Indirect scope: enterprise procurement teams will start requiring AB-2013-style disclosures from vendors as part of vendor onboarding. If you only USE genAI APIs (call OpenAI/Anthropic/Google), you're not directly subject — but your vendor due-diligence questionnaire just got longer.

Operator action this quarter: If you train or fine-tune ANY model (even small LoRA adapters or custom embeddings), draft a public data-sources page covering: dataset origin, license status, presence of personal information, and copyright handling approach. Add it to your trust center or compliance documentation. Estimated work: 8-16 hours for most teams.

AB 853California AI Transparency Act · Phased

Effective: Aug 2026 (AI providers) · Jan 2027 (platforms) · Jan 2028 (devices) Penalties: Civil enforcement Industry: AI providers · platforms · device makers

Phased rollout of AI-content detection + disclosure obligations. AI providers must offer detection tools by August 2026; platforms (social media, content hosts) must surface disclosure mechanisms by January 2027; device manufacturers (cameras, phones) must support detection metadata by January 2028. The goal: a chain-of-custody on AI-generated media that operators downstream can rely on.

Direct scope: anyone shipping AI-generated images, video, audio, text to California users. Indirect scope: anyone hosting user-generated AI content. If your SaaS uses AI to generate customer-facing content — marketing copy, summaries, image gen, voice synthesis — the August 2026 deadline applies to you.

Operator action this quarter: Inventory every customer-facing AI surface (where AI output reaches a user). For each surface, plan the disclosure UX (visible label, metadata embedding, or detection-tool endpoint). Don't ship the disclosure yet — but have the design in your Q3-Q4 2026 roadmap. Estimated planning work: 4-12 hours; build work: 20-60 hours when triggered.

SB 524AI in Law Enforcement Reports

Effective: Per agency adoption schedule Penalties: Agency policy + civil enforcement Industry: Law enforcement · LE-adjacent SaaS vendors

Each page of an official police report must disclose if AI was used in its creation, and document the tools used + changes the AI made to the original content. Direct subject: California law enforcement agencies. Indirect subject: SaaS vendors selling AI-assisted report writing, transcription, summarization, or evidence analysis to police departments.

If you sell into LE/public safety with any AI feature, your product needs to surface and log the AI-assist for the disclosure requirement — visible in the exported report, auditable in your system, traceable back to the model + prompt version. This is product-level scope, not just a policy doc.

Operator action this quarter: If you sell to LE: add per-page AI-disclosure metadata to your report exports + version-pin the AI model used + log the input/output diff. If you don't sell to LE but might in the future, scope this as a 2-3-week feature build before pursuing LE deals. Estimated work: 60-150 engineering hours for full audit-grade implementation.

What operators get wrong · the 5 most common misreads

Patterns SideGuy has seen in conversations with NCSD founders shipping AI features. Honest read of where the law-vs-business gap usually breaks.

Misread #1 · "I just use OpenAI's API so this doesn't apply to me." Mostly true for SB 53 and AB 2013 directly, but enterprise buyers WILL ask you to prove your vendor stack is compliant. Vendor due diligence questionnaires are about to triple in length. Plan to answer "yes our AI vendor is SB-53 compliant" with a real reference, not a guess.
Misread #2 · "Disclosure is just a banner on the page." AB 853 requires detection mechanisms, not just notice. SB 524 requires per-page metadata. SB 243 requires escalation paths for minors. These are product-level changes, not marketing-page changes. Budget engineering hours, not just legal review.
Misread #3 · "We'll address this when the deadline gets closer." The enterprise procurement chain pulls deadlines IN, not pushes them out. Even though AB 853 isn't binding on you until August 2026, your Q4 2025 enterprise prospect's RFP is already asking about it. The market deadline is 12-18 months earlier than the legal deadline.
Misread #4 · "We trained a small LoRA / fine-tune, that doesn't count as training." AB 2013 doesn't carve out small fine-tunes. If you fine-tuned, you trained — and the data-source disclosure obligation applies. The 4-hour fine-tune you ran on internal data is in scope.
Misread #5 · "We're not based in California, so CA laws don't apply." California's laws generally apply to interactions with California users, not just California-headquartered companies. If you have any California customers or California-resident users on your platform, you're in scope. Geo-blocking California is a non-trivial business decision.

NCSD geography · the actual operator scene

Most AI-law coverage is written for the SF-based foundation model company with a 30-person legal team. That's not the Encinitas / Cardiff / Solana Beach founder shipping AI features into a SaaS.

The actual NCSD operator shipping AI is more like: 1-5 person team, half-remote, founder is the CTO + the security questionnaire respondent + the AI-feature owner all at once, working out of Better Buzz on Encinitas Blvd or the SCA WeWork-style spaces, with one or two enterprise prospects in the pipeline that just started asking about CA AI law compliance for the first time.

For that operator, the AI-law question is rarely "should we comply" — it's "which 3 laws actually hit me, what's the punch-list, and can I scope it in a weekend instead of hiring a $50K compliance consultant." The 6 law breakdowns + the 5 misreads above + the matcher quizzes below are the answer.

And the geography matters: PJ is Encinitas-based — coffee at Better Buzz, Lofty, Java Hut, or Dark Horse is a 60-minute thing. Founder to founder, not vendor to prospect.

🛡 Privacy Governance Matcher 📋 Compliance Vendor Matcher ☁️ Cloud Security Matcher 🏥 HIPAA Hosting Matcher 🔒 DataGrail vs Transcend 📍 Encinitas SOC 2 Real Cost 🏛 La Jolla · HIPAA + NIST 📚 Compliance Hub

Free 30-min CA-AI-law scope text · which 3 laws hit you

Tell me your stage, AI surfaces (chatbot · image gen · summarization · genAI training · LE sales), and which enterprise prospects are asking. I'll give you the tight 3-laws-that-actually-apply read for your specific stack + the punch-list. Founder-to-founder, no Calendly.

📲 Text PJ · 858-461-8054