
SOS: SB 942 compliance for startups

Started by RealtorJim_14 · Jun 12, 2025 · 9 replies
For informational purposes only. AI regulation is a rapidly evolving area of law. Consult counsel for compliance advice specific to your product and business.
RealtorJim_14 OP

California's SB 942 (the California AI Transparency Act) took effect January 1, 2024 and I'm trying to figure out what this actually means for startups building on top of foundation models.

We're a Series A company with an AI-powered legal document analysis tool. We use GPT-4 and Claude under the hood for summarization and clause extraction. Our product processes contracts and outputs structured summaries from what I've heard, risk flags, and suggested edits.

SB 942 requires "generative AI systems" to disclose when content is AI-generated and provide certain transparency information. But the implementation details are murky at best:

  • Do we need to watermark every output our tool generates?
  • Do we need to disclose which specific model we're using under the hood?
  • What counts as a "generative AI system" versus a tool that happens to use AI internally?
  • Our outputs are a mix of AI-generated text and template-based content — how do we handle hybrid outputs?

I've read the bill text three times and I'm still confused. Anyone dealt with this yet?

404_justice_not_found_3

From an engineering perspective, the "manifest disclosure" requirement is the most concrete obligation and also the most implementable. The standard the law points toward is C2PA (Coalition for Content Provenance and Authenticity) — an open standard for embedding provenance metadata in digital content.

The good news: OpenAI, Google, and Anthropic are all C2PA members and have committed to implementing it. So if you're consuming their APIs, the metadata should be included in responses by default (or will be soon).

The challenge: C2PA was designed primarily for images and video. For text outputs (like OP's legal doc summaries), the standard is less mature. There's no universally adopted method for "watermarking" text in a way that persists through copy-paste. The "latent disclosure" requirement for text content is, frankly, an unsolved technical problem.

My prediction: for text-based AI applications, regulators will initially focus on the manifest disclosure (metadata) and public-facing transparency requirements, not the latent watermark. The technology just isn't there yet for robust text watermarking.

RealtorJim_14 OP

Thanks everyone — this is incredibly helpful. So if I'm understanding correctly, our main obligations as a "deployer" are:

  1. Don't strip C2PA metadata from model outputs (easy — we weren't doing this anyway)
  2. Disclose to users that our product uses AI (we already do this in our Terms and in-product)
  3. Maintain transparency documentation about how we use AI (need to create this)

That's much more manageable than I feared. The watermarking/latent disclosure stuff is on OpenAI and Anthropic as the "covered providers," not on us.

Follow-up question: does anyone know how this interacts with trade secret protection? We have proprietary prompt engineering and fine-tuning that gives us a competitive advantage. If a competitor could use the SB 942 detection tools to reverse-engineer which model we're using and how we're using it, that's a real business concern.

stressed_and_confused_11

From a business operations standpoint, I want to flag the compliance cost angle. For my startup clients, I'm seeing three categories of SB 942 compliance expense:

  • Low cost (deployers under 1M users): Mostly documentation and disclosure updates. $5-15K in legal fees plus minor engineering time. This is where most startups fall.
  • Medium cost (deployers approaching 1M users): Need to plan for "covered provider" obligations as you scale. $25-50K for proactive compliance architecture.
  • High cost (covered providers 1M+ users): C2PA implementation, detection tool development, ongoing monitoring. $100K+ easily, potentially much more for image/video AI companies.

The threshold matters a lot. If you're at 800K monthly users and growing, you need to be building toward compliance NOW, not scrambling when you cross 1M.

Also worth noting: other states are watching California closely. Colorado's AI Act (SB 24-205) takes effect in February 2024 with different but overlapping requirements. This isn't going to be a California-only obligation for long.

taxconfused_3

One more thing worth mentioning for the privacy-minded: SB 942 includes a provision that users can request information about whether specific content was generated by a covered provider's AI system. This creates something like a "right to know" for AI-generated content, parallel to CCPA's right to know for personal data.

The practical implication: if a user receives content (say, a customer service email or a marketing message) and suspects it's AI-generated, they can ask the company to confirm. The covered provider must maintain records sufficient to respond to these requests.

This is going to get interesting when people start using it to challenge AI-generated legal documents, medical summaries, or financial analyses. "Was this advice generated by AI?" is about to become a very common question — and companies will need to answer honestly.