State Law Updates

California Prohibits AI Misrepresentations about Health Care Licenses

By Cameron Cantrell

On October 11, 2025, California’s Governor Newsom signed AB 489, a law designed to address health advice from artificial intelligence (“AI”). It will take effect on January 1, 2026.

California Currently Prohibits Misrepresentations of License to Practice Medicine and Regulates Generative AI in Health Care

Several California laws prohibit a person from using specified words, letters, phrases, and terms to falsely indicate or imply they are authorized to practice health care professions in California. In this article, we’ll refer to these laws as “license misrepresentation laws,” and the words, terms, and phrases that trigger these laws’ prohibitions collectively as “license misrepresentation words.”

For example, the Medical Practice Act (“MPA”) makes it a crime for any person to indicate  they are licensed to diagnose, treat, or otherwise practice in any physical or mental condition, if they are in fact not appropriately licensed under California law. The MPA’s license misrepresentation words include words, terms, and phrases implying a person is appropriately licensed by California to “diagnose” or “treat” a given health condition.

Separately, California has begun regulating use of generative AI (“GenAI”) in health care. In January 2025, a law (AB 3030) took effect that applies to California-licensed health care providers who use GenAI to generate patient communications. Such providers must include in each GenAI-produced communication a disclosure of that use and instructions on how to contact a human health care provider. That same month, the California Attorney General’s office issued two legal advisories on AI in health care with guidance for health care providers, insurers, vendors, and developers, explaining how existing California laws apply to the use of AI and automated decision-making systems in health care settings.

AI and GenAI Developers/Users Will Be In-Scope for License Misrepresentation Laws

AB 489 provides that existing license misrepresentation laws will be enforceable against any person or entity that develops or deploys AI or GenAI that, in the AI’s or GenAI’s advertising or functionalities, uses one or more “terms, letters, or phrases to indicate or imply possession of a license or certificate to practice a health care profession.” For example, after AB 489 takes effect, a person or entity that advertises or describes an AI system as a “doctor,” “physician,” or “M.D.” is likely be directly liable under the MPA restrictions on use of such terms without a proper medical license or certification.

AI and GenAI Output Will Be Subject to AB 489’s New License Misrepresentation Law

AB 489 also directly prohibits the use of “a term, letter, or phrase in the advertising or functionality of an AI or GenAI system, program, device, or similar technology that indicates or implies that the care, advice, reports, or assessments being offered through the AI or GenAI technology is being provided by a natural person in possession of the appropriate license… to practice as a health care professional.” To borrow from the law’s sponsor, this means AI platforms are prohibited from “representing ‘themselves’ as licensed or registered health practitioners.” This will also potentially prevent health care providers from generating advice or assessments using AI without human intervention or, at minimum, without disclosing that the advice or assessments came from an AI system rather than from a licensed or certified human health care professional.

This provision in particular creates serious risk for persons responsible for AI and GenAI output, as each use of AB 489’s license misrepresentation words—any “term, letter, or phrase… that indicates or implies that the care, advice, reports, or assessments being offered through the AI or GenAI… is being provided by” an appropriately licensed or certified human—is a separate violation of the law. Violations are enforceable by “the appropriate health care professional licensing board or enforcement agency,” and may include an injunction, restraining order, or any other remedy authorized by law.

Steps You Can Take to Prepare for AB 489

If you develop AI or GenAI:

  • Ensure there are restrictions in place for each current and future AI and GenAI functionality, to prevent them from indicating or implying that the technology itself, or you as its developer, is licensed or certified to practice health care. For example, if a user prompts your AI platform for health advice, consider adding a disclaimer to any response that includes (1) a statement that neither the AI or its developers can give medical advice or issue medical reports or assessments, and (2) a direction that the user should talk to a licensed or certified health care professional for personalized information.

  • Review AI and GenAI advertising materials and remove any implications that the technology or you as the developer are licensed or certified to give medical care, such as use of terms like “doctor,” “M.D.,” or “physician.”

  • Contractually prohibit your customers and users from utilizing your AI or GenAI for medical care, advice, reports, or assessments unless they are appropriately licensed or certified under applicable law to practice medicine.

If you use AI or GenAI, review each output (e.g., text, image, video, or audio) before sharing it externally, such as to a patient or potential customer.

  • If you aren’t licensed or certified to practice medicine, include appropriate disclaimers that inform anyone receiving the AI/GenAI outputs that those outputs are not medical advice, reports, or assessments and not provided by a licensed or certified health care professional.

  • If you are licensed or certified, do not simply provide patients with, or solely rely on, AI outputs as a substitute for care. Instead, review and analyze AI outputs for accuracy along with other independent information about the patient as part of your treatment plan and include appropriate disclosures about GenAI use as necessary to comply with existing law (see discussion above).

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Cameron Cantrell is an Associate at Hintze Law PLLC, counseling companies on global data protection issues, including health (consumer, biotech, genetics), business (CCPA, GDPR), and areas of ongoing federal regulation (HIPAA, GLBA, the DOJ Cross-Border Data Transfers Rule, human subject research). 

California Amends Artificial Intelligence Transparency Act and Passes AI Defenses Act

California Amends Artificial Intelligence Transparency Act and Passes AI Defenses Act

By Leslie Veloz

On October 13th, 2025, Governor Gavin Newsom signed into law AB 853, which amends the California Artificial Intelligence Transparency Act (AI Transparency Act (SB 942)), a law placing obligations on makers of generative AI systems aimed at increasing transparency to allow individuals to more easily assess whether digital content is generated or modified using AI.

Read More

California Passes Digital Age-Assurance Act Into Law

California Passes Digital Age-Assurance Act Into Law

By Hansenard Piou

On October 13th, 2025, Governor Newsom signed the Digital Age Assurance Act (AB 1043) into law. Introduced by co-authors Assembly Member Buffy Wicks and Senator Tom Umberg, the law establishes age-assurance requirements for computer and mobile operating system providers and app stores as well as app developers with an aim to protect children’s online safety. The Digital Age Assurance Act enters into effect on January 1, 2027.

Read More

California’s Social Media Account Cancellation Act Signed into Law

California’s Social Media Account Cancellation Act Signed into Law

By Clara De Abreu E Souza

On October 8, 2025, California Governor Gavin Newsom signed into law Assembly Bill 656 — Account Cancellation. AB 656, authored by Assembly member Pilar Schiavo, focuses on social media platforms and requires them to provide users with a clear and accessible way to delete their accounts. This action must also trigger the complete deletion of the user’s personal data.

Read More

California Opt Me Out Act Signed into Law

California Opt Me Out Act Signed into Law

By Cameron Cantrell

On October 8, 2025, California’s Governor Newsom signed AB 566—the California Opt Me Out Act—into law. The California Opt Me Out Act, using the same definitions as the CCPA, requires any business that develops or maintains an internet browser to build in an opt-out preference signal (“OOPS”) functionality. The law takes effect on January 1, 2027.

Read More

Governor Newsom signs Transparency in Frontier Artificial Intelligence Act

Governor Newsom signs Transparency in Frontier Artificial Intelligence Act

By Clara De Abreu E Souza

On September 29, 2025, California Governor Gavin Newsom signed the Transparency in Frontier Artificial Intelligence Act (TFAIA). Authored by Senator Scott Wiener, TFAIA follows the release of the Governor’s California Report on Frontier AI Policy, which was drafted by the Joint California Policy Working Group on AI Frontier Models.

Read More

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

By Sam Castic

The California Privacy Protection Agency (CPPA) has adopted final regulations on privacy risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT), as well as amendments to existing CCPA regulations.  Final publication of the regulations is pending review by the Office of Administrative Law, and depending on when that occurs, the regulations will likely take effect 10/1/2025 or 1/1/2026.  Some key concepts from these regulations, and actions to consider, are below.

Read More

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

by Cameron Cantrell and Felicity Slater 

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

Read More

State Privacy Regulators Announce Formation of Collaboratory Consortium

State Privacy Regulators Announce Formation of Collaboratory Consortium

by Felicity Slater and Susan Hintze

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws.

Read More

Virginia Governor Signs Reproductive Health Data Restrictions into Law

Virginia Governor Signs Reproductive Health Data Restrictions into Law

by Cameron Cantrell and Felicity Slater 

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025. 

Read More

Hintze Global Privacy and Security Updates

Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.

Read More