#California

California Focuses on Large AI Models

October 17, 2025 By Dorothy Giobbe

What Happened?

On September 29, 2025, California Governor Gavin Newsom signed Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA), making California the first U.S. state to mandate standardized public safety disclosures for developers of sophisticated AI models that are made available to users in California. The law takes effect January 1, 2026, and it applies to:

Frontier Developers: Developers that train large-scale AI models using extremely high levels of computing power.
Developers: Frontier developers with annual revenue above $500 million (including affiliates), subject to additional reporting and governance obligations.

Key obligations of TFAIA include:

Safety Framework Publication: Large developers must publish (and update annually, as appropriate) a publicly-accessible safety framework describing how the company has incorporated national standards, international standards, and industry-consensus best practices into its frontier AI framework.
Transparency Reports: All developers must issue reports when deploying or materially modifying models, detailing model capabilities, intended/restricted uses, risks identified, and mitigation steps. Large developers must submit quarterly summaries to California Office of Emergency Services (COES).
Critical Incident Reporting: Developers and the public can report safety incidents directly to COES.
Whistleblower Protections: Employees who report substantial public-safety risks are protected from retaliation; large developers must maintain anonymous internal reporting channels.

The California Attorney General may pursue civil actions with penalties up to $1 million per violation. Developers meeting federal AI standards deemed equivalent or stricter by COES may qualify for a safe harbor. TFAIA also creates CalCompute, a public-sector computing consortium under the Government Operations Agency, to advance safe, ethical, and equitable AI research statewide. The California Department of Technology will review and recommend annual updates to the law’s definitions and thresholds.

Why Is It Important?

For the private sector, TFAIA signals that AI risk-governance expectations are maturing beyond voluntary principles. Developers, investors, and enterprises deploying advanced AI should expect heightened scrutiny of model transparency, catastrophic-risk assessment, and cybersecurity practices. Governor Newsom described TFAIA as a “blueprint for balanced AI policy” and the Act positions California as a standard-setter at a time when comprehensive federal AI regulation remains uncertain.

What to Do Now?

As a first step, companies should assess whether TFAIA applies, that is, whether an organization qualifies as a frontier or large frontier developer based on computing thresholds or revenue. In the event it does, companies should update AI safety and governance policies and procedures, including reviewing and aligning internal risk-management, cybersecurity, and third-party assessment frameworks with TFAIA’s requirements. Companies should also plan for transparency reports and establish internal protocols for producing and publishing model-specific transparency documentation. Finally, companies in scope should continue to monitor COES guidance to track additional requirements, safe-harbor determinations, and annual reviews by the Department of Technology.

California Requires Interest on Hazard Insurance Proceeds Immediately to Protect Wildfire Victims

September 24, 2025 By Aldys London, Morey Barnes Yost

What Happened?

Effective immediately upon enactment on August 29 as an urgency measure, California Assembly Bill 493 (2025 Cal. Stat. 103) (the “Bill”) requires financial institutions making or purchasing residential mortgage loans to pay interest on hazard insurance proceeds in a loss draft account pending the rebuilding or repair of property.

Why Does it Matter?

Previously, California law required a financial institution to pay interest on amounts held in escrow for payment of taxes and assessments on the property, for insurance, or for other purposes relating to the property. The Bill’s goal is to provide critical safeguards to protect wildfire victims by extending that requirement to loss drafts.

Specifically, the Bill adds new Section 2954.85 to the Civil Code, which imposes new requirements on financial institutions. The Bill defines the term “financial institution” broadly as “a bank, savings and loan association, or credit union chartered under the laws of [California] or the United States, or any other person or organization making loans upon the security of real property containing only a one- to four-family residence.”

The new section requires any financial institution that makes or purchases such loans and holds hazard insurance proceeds in a loss draft account pending property rebuilding or repair to pay interest on those funds at a rate of at least 2% simple interest per year. The financial institution must credit that amount to the draft account annually or upon termination of the account (whichever is earlier). Further, the financial institution cannot impose any fee or charge for the maintenance or disbursement of hazard insurance proceeds held in a loss draft account pending the rebuilding or repair of the collateral property, if such fee will result in payment of a lower interest rate on such hazard insurance proceeds.

A financial institution may place loss draft funds in an interest-bearing account in a federally insured depository institution, federal home loan bank, federal reserve bank, or similar institution.

For any funds a financial institution holds in a loss draft account as of the Bill’s effective date, interest must begin accruing on such funds as of that date. However, the requirement to pay interest on such accounts does not apply to any hazard insurance proceeds held in a loss draft account required under federal or state law to be placed by a financial institution (other than a bank) in a non-interest-bearing account.

The Bill also amends Section 50202 of the Financial Code, which otherwise governs the maintenance of client trust accounts, to reference the new Civil Code section’s requirements for loss draft accounts.

What To Do Now?

Lenders and purchasers of residential mortgage loans must ensure that any hazard insurance funds held in a loss draft account, pending the rebuilding or repair of the property securing the loan, began accruing interest at a rate of 2% per year as of the effective date of the new law. Further, given that it is common practice for the servicer who is acting as the agent of a “financial institution” to comply with the requirement regarding the payment of interest on escrow accounts, the same may become true for loss draft accounts; accordingly, servicers should be aware of the requirement.

California Quickly Enacts New Mortgage Servicing Standards That Can Affect Foreclosures

July 7, 2025 By Stephen Ornstein, CJ Blaney

What Happened?

On June 30, 2025, California Governor Gavin Newsom signed into law, with an immediate effective date, California Assembly Bill 130, a significant housing bill that, notably renders certain mortgage servicer conduct an unlawful practice in connection with subordinate lien mortgage loans, including, among others, not providing the borrower with any communication regarding the loan secured by the mortgage for at least 3 years and threatening to conduct a nonjudicial foreclosure after providing a form to the borrower indicating that the debt had been written off or discharged.

The legislation appears to be geared toward combatting “zombie mortgages” which are second mortgage debt that homeowners may have believed was discharged or satisfied long ago, only to have it unexpectedly reappear with demands for payment and potential threats of foreclosure years later. These dormant loans are often sold to debt buyers for a small fraction of their value. Borrowers may have received no notices or statements for years, leading them to believe the second mortgage had been forgiven, discharged in bankruptcy, or modified along with their first mortgage.

Why Does It Matter?

Notably, the legislation forbids mortgage servicers from engaging in the following “unlawful practices” while the servicing subordinate lien mortgages:

Not providing written communication to the borrower for at least three years
Failing to provide a transfer of loan servicing notice as required by the Real Estate Settlement Procedures Act (RESPA) or investor/grantor requirements
Failing to provide a transfer of loan ownership notice as required by the Truth-in-Lending Act (TILA) or investor/grantor requirements
Conducting or threatening to conduct a foreclosure sale after providing a form indicating the debt had been written off or discharged
Conducting or threatening to conduct a foreclosure after the statute of limitations expired
Failing to provide a periodic statement as required by TILA or investor/grantor requirements

Failure to comply with these law’s prohibitions could impede or prevent foreclosure of the second lien and expose servicers to liability. For example, borrowers contending that the mortgage servicer engaged in an unlawful practice may seek to enjoin the foreclosure sale until a court renders a final determination of the servicer’s compliance with the new law. Under the new law, it is affirmative defense in a judicial foreclosure proceeding if the court finds the mortgage servicer engaged in any of the unlawful practices enumerated above. Court may also provide equitable remedies that they deem appropriate, depending on the extent and severity of the mortgage servicer’s violations. However, any failure to comply with the provisions of this section does not affect the validity of a trustee’s sale or a sale in favor of a bona fide purchaser.

What Should I Do?

Servicers of subordinate lien mortgage loans in California must ensure that they are fully compliant with federal and California law applicable to the servicing of loans, such as providing borrowers timely notices required by RESPA and TILA, especially with older vintage subordinate lien loans that have been delinquent or sporadically performing. Subordinate lien debt buyers must also ensure that their servicers comply with these laws before foreclosing on these debts. Additionally, servicers should review their foreclosure procedures to ensure they do not run afoul of California’s new standards.

California Attorney General Targets Location Data in New Investigative Sweep

March 13, 2025 By David Keating, Hyun Jai Oh

This week California Attorney General Rob Bonta announced a new investigative sweep under the California Consumer Privacy Act (CCPA). We have anticipated this sweep for some time based on the focus and the direction of a number of inquiries, investigations, and enforcement proceedings initiated by Attorney General Bonta’s office over the past 12-24 months.

The Notices of Violation issued by the Attorney General’s office will give rise to meaningful risks for many of the receiving businesses. We anticipate the Attorney General’s team will focus on granular technical details of data collection via mobile apps including through the third-party SDKs[1] that are ubiquitous across digital mobile products. How these and other digital analytics tools collect and transfer data, including precise location data, is often not well understood even by the internal digital marketing, data analytics, and product development teams that deploy and use the tools. This blind spot has created a zone of risk for many businesses that would not consider themselves a part of the “location data industry” referenced in the Attorney General’s announcement.

The interactions with the Attorney General’s office in these investigations and in enforcement proceedings can also change focus when the Attorney General’s staff suspects compliance gaps in other sensitive areas, such as use of mobile apps by children or in connection with healthcare or other sensitive activities. Careful and detailed internal legal/technical data flow analyses are therefore critical to quickly identifying the full scope of potential risk and framing the strategy for engaging with the Attorney General. For those businesses that have not received notices, this is another opportunity to close the gap between digital advertising, data analytics, and mobile app development and these emerging and increasingly clear legal privacy standards relating to precise location data and use of third-party SDKs in mobile apps.

Alston & Bird’s Privacy, Cyber & Data Strategy Team has extensive experience advising and defending clients who receive inquiries and violation notices from California’s privacy regulators. We will continue to monitor developments in privacy regulatory enforcement in California and other states.

[1] “SDK” refers to a software development kit. These tools, many of which are free, are commonly used by mobile app teams to shorten app development timelines and quickly add features and functions to mobile apps.

_______________________________

Originally published March 12, 2025 on Alston & Bird’s Privacy, Cyber & Data Strategy Blog.

A Friendly Reminder of the Importance of Robust Consumer Complaint Handling Processes

March 4, 2024 By Nanci Weissgold, Anoush Garakani

What Happened?

On February 27, 2024, the California Department of Financial Protection and Innovation (the Department) entered into a public consent order with a company that provides consumer financial services to California residents. The consent order alleges that between January 2020 and September 2022, the Department received complaints from consumers raising concerns about their accounts and customer service interactions with the company, which the Department forwarded to the company for investigation and response. The Department also investigated the company’s handling of those consumer complaints.

The Department found that the company’s complaint handling was deficient in that “occasional mistakes” that occurred in the Company’s responsiveness to consumer complaints were substantial enough to have violated the California Consumer Financial Protection Law (CCFPL). The Department alleged that as between the company and the consumer, the company was in the better position to accurately evaluate the available information in most cases and to respond to consumers’ complaints in a timely manner and while the number of mistakes during the Department’s investigation period was relatively small in comparison to the overall number of consumer complaints received, the Department concluded that the mistakes were important to the affected consumers.

To resolve these allegations, the company agreed to (1) desist and refrain from violating the CCFPL through its complaint handling processes, (2) pay a penalty of $ 2.5 million, (3) enhance existing customer service procedures or processes, (4) establish, implement, enhance, and maintain testing policies, procedures, and standards reasonably designed to, at a minimum, ensure compliance with the law, and (5) report to the Department annually for two years on these standards. These standards require the company to:

Ensure customer service support 24 hours a day, seven days a week;
Ensure sufficient customer service support staffing;
Ensure sufficient customer service support training; and
Investigate and implement policies and procedures to maintain the accurate, prompt and proper handling of consumer complaints.

Why is it Important?

The CCFPL was enacted in September 2020 and grants the Department expanded authority over persons engaged in offering or providing a consumer financial product or service in California and their affiliated service providers. Notably, under the CCFPL, it is unlawful for a “covered person” or “service provider,” to do any of the following:

Engage, have engaged, or propose to engage in any unlawful, unfair, deceptive, or abusive act or practice (UDAAP) with respect to consumer financial products or services.
Offer or provide to a consumer any financial product or service not in conformity with any consumer financial law or otherwise commit any act or omission in violation of a consumer financial law.
Fail or refuse, as required by a consumer financial law or any rule or order issued by the Department thereunder, to do any of the following:
- Permit the Department access to or copying of records.
- Establish or maintain records.
- Make reports or provide information to the Department.

The CCFPL defines a “covered person” to mean, to the extent not preempted by federal law, any of the following:

Any person that engages in offering or providing a consumer financial product or service to a resident of California.
Any affiliate of a person described above if the affiliate acts as a service provider to the person.
Any service provider to the extent that the person engages in the offering or provision of its own consumer financial product or service.

A “servicer provider” includes any person that provides a material service to a covered person in connection with the offering or provision by that covered person of a consumer financial product or service, including a person that either:

Participates in designing, operating, or maintaining the consumer financial product or service.
Processes transactions relating to the consumer financial product or service, other than unknowingly or incidentally transmitting or processing financial data in a manner that the data is undifferentiated from other types of data of the same form as the person transmits or processes.

The term “service provider” does not include a person solely by virtue of that person offering or providing to a covered person either a support service of a type provided to businesses generally or a similar ministerial service, or time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.

Notwithstanding the broad definition of “covered person,” the CCFPL contains numerous exemptions, including for banks; licensed escrow agents; licensees under the California Financing Law; licensed broker-dealers or investment advisers; licensees under the Residential Mortgage Lending Act; licensed check sellers, bill payers, or proraters; and licensed money transmitters, among others.

The Department is authorized to impose civil money penalties for any violation of the CCFPL, rule or final order, or condition imposed in writing by the Department in an amount not to exceed the greater of $5,000 for each day during which a violation or failure to pay continues, or $2,500 for each act or omission. Reckless violations are subject to increased penalties not to exceed the greater of $25,000 for each day during which the violation continues, or $10,000 for each act or omission. For knowing violations, the Department is authorized to assess penalties not to exceed the lesser of one percent of the person’s total assets, $1 million for each day during which the violation continues, or $25,000 for each act or omission.

What Do You Need to Do?

It is always important to take consumer complaints seriously and to respond timely and accurately. Now is the time to review your company’s complaint management procedures to make sure they are robust. It is always important to mine your consumer complaints so that you can learn from them and correct errors timely to ensure mistakes don’t recur, and the Department’s latest settlement is a reminder that companies subject to the CCFPL also have a legal obligation to do so.