Data Privacy

California Passes Law on AI Companion Chatbot Safety

On Oct. 13, 2025, California Governor Gavin Newsom signed into law Senate Bill 243 – Companion Chatbots. SB 243, authored by Senator Steve Padilla, requires operators of companion chatbot platforms to notify users that the chatbot is AI, provide specific disclosures to minors, and restrict harmful content. The law also includes a private right of action.

The law is in response to mounting public concerns about children’s online interactions with companion chatbots. In his press release following the signing of multiple children’s online safety bills, Newsom highlighted this public concern. “Emerging technology like chatbots and social media can inspire, educate, and connect – but without real guardrails, technology can also exploit, mislead, and endanger our kids. We’ve seen some truly horrific and tragic examples of young people harmed by unregulated tech, and we won’t stand by while companies continue without necessary limits and accountability. We can continue to lead in AI and technology, but we must do it responsibly — protecting our children every step of the way. Our children’s safety is not for sale.”

The law goes into effect January 1, 2026, with reporting requirements starting on July 7, 2027.

Scope

This law applies to operators, which is defined as a person who makes a companion chatbot platform available to a user in California. The law defines companion chatbots as “an artificial intelligence system with a natural language interface that provides adaptive, human-like responses to user inputs and is capable of meeting a user’s social needs, including by exhibiting anthropomorphic features and being able to sustain a relationship across multiple interactions.”

The law excludes the following from the definition of “companion chatbot”:

  • A bot that is used only for customer service, a business’ operational purposes, productivity and analysis related to source information, internal research, or technical assistance.

  • A bot that is a feature of a video game and is limited to replies related to the video game that cannot discuss topics related to mental health, self-harm, sexually explicit conduct, or maintain a dialogue on other topics unrelated to the video game.

  • A stand-alone consumer electronic device that functions as a speaker and voice command interface, acts as a voice-activated virtual assistant, and does not sustain a relationship across multiple interactions or generate outputs that are likely to elicit emotional responses in the user.

Key Provisions

Notice and Disclosure Obligations

The law outlines specific disclosure requirements for both general users and minors.

General Users

The law requires that if a reasonable person would be misled to believe that they are interacting with a human, operators must issue a clear and conspicuous notification that the companion chatbot is artificially generated and not human.

Minors

For users that operators know are minors they must not only disclose that the user is interacting with artificial intelligence, but they must also provide by default a clear and conspicuous notification to the user at least every three hours for continuing companion chatbot interactions that remind the user to take a break and that the chatbot is artificially generated and not human.

Additionally, the law requires operators to disclose, on the application, the browser, or any other format through which users can access the chatbot platform, that the companion chatbot may not be suitable for some minors.

Safety Protocols and Transparency Measures

In addition to its disclosure requirements, the law mandates that operators implement, and publish on its website, safety protocols and transparency measures.

Under the law, companion chatbots may not engage with users unless the operator maintains a protocol that:

  • prevents the production of content related to suicidal ideation, suicide, or self-harm

  • provides notice to users referring them to crisis services, such as a suicide hotline or crisis text line, if they express suicidal thoughts or self-harm.

Content Restrictions for Minors

The law requires operators to implement reasonable measures to prevent companion chatbots from producing visual material depicting sexually explicit conduct or from directly stating that a minor should engage in such conduct.

Reporting Requirements

Effective July 1, 2027, operators must submit an annual report to California’s Office of Suicide Prevention detailing:

  • The number of times they have issued a crisis service provider referral notification in the preceding calendar year.

  • Protocols put in place to detect, remove, and respond to instances of suicidal ideation* by users.

  • Protocols put in place to prohibit a companion chatbot response about suicidal ideation* or actions with the user.

*The law requires that suicidal ideation be measured using evidence-based methods.

The law specifies that such reports must exclude any user identifiers or personal information. Once compiled, California’s Office of Suicide Prevention will publish data from this report on its website.

Private Right of Action

The law creates a private right of action for any person who suffers injury in fact as a result of a violation of the law and allows them to pursue:

  • Injunctive relief.

  • Damages in an amount equal to the greater of actual damages or one thousand dollars ($1,000) per violation.

  • Reasonable attorney’s fees and costs.

Key Takeaways

Companion chatbot operators should develop protocols to ensure compliance with the law, including:

  • providing required user notification and disclosures,

  • identifying and responding to user expressions of self harm,

  • identifying and restricting content in scope, and

  • compiling and submitted required reporting.

This legislation was signed alongside a broader package of child online safety laws, including the Digital Age Assurance Act (AB 1043), which establishes new online age-assurance requirements. Together, these measures contribute to a growing framework of children’s online safety laws in California.

See our blog post on the Digital Age Assurance Act.

Clara De Abreu E Souza is an Associate at Hintze Law PLLC. She has experience with artificial intelligence, data privacy, and the regulation of emerging technologies, including evolving state and federal privacy laws, algorithmic accountability, and health data governance.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

California Passes Digital Age-Assurance Act Into Law

California Passes Digital Age-Assurance Act Into Law

By Hansenard Piou

On October 13th, 2025, Governor Newsom signed the Digital Age Assurance Act (AB 1043) into law. Introduced by co-authors Assembly Member Buffy Wicks and Senator Tom Umberg, the law establishes age-assurance requirements for computer and mobile operating system providers and app stores as well as app developers with an aim to protect children’s online safety. The Digital Age Assurance Act enters into effect on January 1, 2027.

Read More

California’s Social Media Account Cancellation Act Signed into Law

California’s Social Media Account Cancellation Act Signed into Law

By Clara De Abreu E Souza

On October 8, 2025, California Governor Gavin Newsom signed into law Assembly Bill 656 — Account Cancellation. AB 656, authored by Assembly member Pilar Schiavo, focuses on social media platforms and requires them to provide users with a clear and accessible way to delete their accounts. This action must also trigger the complete deletion of the user’s personal data.

Read More

California Opt Me Out Act Signed into Law

California Opt Me Out Act Signed into Law

By Cameron Cantrell

On October 8, 2025, California’s Governor Newsom signed AB 566—the California Opt Me Out Act—into law. The California Opt Me Out Act, using the same definitions as the CCPA, requires any business that develops or maintains an internet browser to build in an opt-out preference signal (“OOPS”) functionality. The law takes effect on January 1, 2027.

Read More

California Further Amends its Data Broker Registration Law

California Further Amends its Data Broker Registration Law

By Hansenard Piou

On October 8, 2025, Governor Gavin Newsom signed SB 361 into law. Introduced by Senator Josh Becker, the bill amends California’s Data Broker Registration Law (and amendments to the law under the Delete Act) with additional disclosure requirements for data brokers.

Read More

What is “Bulk U.S. Sensitive Personal Data”?

What is “Bulk U.S. Sensitive Personal Data”?

By Emily Litka

This is the second in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). It provides an overview of one of the categories of data that is in scope under the DOJ Rule: bulk U.S. sensitive personal data.

Read More

Governor Newsom signs Transparency in Frontier Artificial Intelligence Act

Governor Newsom signs Transparency in Frontier Artificial Intelligence Act

By Clara De Abreu E Souza

On September 29, 2025, California Governor Gavin Newsom signed the Transparency in Frontier Artificial Intelligence Act (TFAIA). Authored by Senator Scott Wiener, TFAIA follows the release of the Governor’s California Report on Frontier AI Policy, which was drafted by the Joint California Policy Working Group on AI Frontier Models.

Read More

IAPP Publishes EU Digital Laws Report 2025

IAPP Publishes EU Digital Laws Report 2025

By Hansenard Piou

On September 30th, the IAPP (formerly the International Association of Privacy Professionals) released its EU Digital Laws Report 2025, a comprehensive analysis explaining and synthesizing the requirements of core EU digital laws. The report aims to provide a resource to help the broadest possible class of organizations, platforms, and developers comply with the Data Governance Act, the Data Act, the Digital Markets Act, the Digital Services Act, the EU AI Act, and the NIS2 Directive.

Read More

Does the DOJ Rule Apply?

Does the DOJ Rule Apply?

By Hansenard Piou and Sam Castic

This is the first in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”).  It provides a high-level overview of the kinds of cross-border data transfers that are regulated by the DOJ Rule. Future blog posts will more closely examine the DOJ Rule, its requirements, potential impacts, and strategies to address compliance.

Read More

Hintze Lawyers Recognized in 2026’s Best Lawyers in America

Hintze Lawyers Recognized in 2026’s Best Lawyers in America

This year, eight of Hintze Law’s attorneys have been recognized by Best Lawyers® across a variety of categories, marking a significant milestone for the firm. Every one of our associates earned recognition, reflecting both the breadth of talent within our team and the dedication each attorney brings to their practice.

Read More

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

By Sam Castic

The California Privacy Protection Agency (CPPA) has adopted final regulations on privacy risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT), as well as amendments to existing CCPA regulations.  Final publication of the regulations is pending review by the Office of Administrative Law, and depending on when that occurs, the regulations will likely take effect 10/1/2025 or 1/1/2026.  Some key concepts from these regulations, and actions to consider, are below.

Read More

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

By Mason Fitch and Kate Black

The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.

Read More

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

by Cameron Cantrell and Felicity Slater 

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

Read More

Hintze & Partners Recognized by Chambers in 2025 USA Rankings

Hintze & Partners Recognized by Chambers in 2025 USA Rankings

Hintze Law PLLC is delighted to announce the Chambers & Partners recognition of Susan Hintze, Mike Hintze, Sam Castic, and Mason Fitch in its USA Guide 2025. These recognitions include the firm’s sixth year being nationally ranked in Privacy and Data Security, and third year in Privacy & Data Security: Healthcare.

Read More

State Privacy Regulators Announce Formation of Collaboratory Consortium

State Privacy Regulators Announce Formation of Collaboratory Consortium

by Felicity Slater and Susan Hintze

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws.

Read More

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

By Sam Castic

On Friday April 11, 2025, the DOJ released a Compliance Guide and more than 100 FAQs on the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule (the “DOJ Rule”).  It also released an Implementation and Enforcement Policy, which indicates it will not prioritize enforcement against companies making good faith efforts to comply until July 8, 2025. 

Read More

Virginia Governor Signs Reproductive Health Data Restrictions into Law

Virginia Governor Signs Reproductive Health Data Restrictions into Law

by Cameron Cantrell and Felicity Slater 

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025. 

Read More

French Competition Authority Fines Apple €150M Alleging Market Power Abuse of Ad Privacy System

French Competition Authority Fines Apple €150M Alleging Market Power Abuse of Ad Privacy System

By Susan Hintze and Hansenard Piou 

Note that the Autorité has not yet been published the decision in question as it is in process of redacting information relating to trade secrets. Please check back for updates. 

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.

Read More