California's AI Transparency Act: provenance, watermarking and a free detection tool for generative AI

The third strand of California's AI rulebook is not about model developers or about privacy — it is about content. On 2 August 2026 the California AI Transparency Act (CAITA) becomes operative, requiring the largest providers of generative AI to make machine-readable provenance the default for the images, video and audio their systems produce. Enacted as SB 942 in the 2024 session and substantially amended by AB 853, signed by Governor Newsom on 13 October 2025, the Act is the most concrete US-state answer yet to the question the EU poses in Article 50 of the AI Act: how does a viewer know whether what they are looking at was made by a machine?

This sits alongside California's two other AI routes — the developer-facing Frontier AI Act (SB 53) and the privacy-based CCPA rules on automated decisionmaking — so that the same state now regulates AI through model safety, data protection and content provenance in parallel.

Who is covered, and from when

The core duties fall on a "covered provider": a person that creates, codes or otherwise produces a generative AI system with over 1,000,000 monthly visitors or users that is publicly accessible in California. AB 853 set the operative date in statutory language — "This chapter shall become operative on August 2, 2026" — explicitly to align with the EU AI Act's general application date. That alignment is worth a caveat: the EU's own transparency layer may itself shift to 2 December 2026 under the Digital Omnibus; until that change is published in the Official Journal the EU date formally still reads 2 August 2026, the same day California's regime begins.

AB 853 then phases in two further tiers of obligation:

• From 1 January 2027 — large online platforms (public-facing social

media, file-sharing, mass-messaging platforms or stand-alone search engines exceeding 2,000,000 unique monthly users) must detect and display provenance data on content they distribute, and GenAI hosting platforms must not make available systems that lack the required disclosure capability.

• From 1 January 2028 — manufacturers of capture devices (cameras,

phones with cameras or microphones, voice recorders) must give users the option to embed a latent disclosure in the content they record.

The three core obligations

For covered providers the Act stacks three duties:

1. A free AI detection tool. The provider must make publicly available, at

no cost, a tool that lets anyone upload content or a URL — with API access — and learn whether it was produced by that provider's system, returning system provenance data while protecting personal information.

1. A latent disclosure. AI-generated image, video or audio must carry

embedded provenance metadata: the provider's name, the GenAI system name and version, the time and date of creation or alteration, and a unique identifier. It must be permanent or extraordinarily difficult to remove and detectable by the provider's own detection tool.

1. A manifest disclosure on request. The provider must offer the user the

option to add a visible, "clear and conspicuous" label marking the content as AI-generated, again permanent or extraordinarily hard to remove.

Licensing is policed too: if a third party licenses the GenAI system and removes the disclosure capability, the provider must revoke the licence within 96 hours of discovering it, and the licensee must then stop using the system. Violations carry a civil penalty of \$5,000 per violation — with each day counted as a discrete violation — enforceable by the Attorney General, a city attorney or county counsel.

Why it matters beyond California

CAITA is a watermarking-and-provenance regime built in the same spirit as the EU's marking rules but on a different legal footing. Where the EU AI Act's Article 50 places marking and disclosure duties on providers and deployers across the Union — backed by the Commission's code of practice on marking AI-generated content — California reaches the same outcome through a state consumer-protection statute enforced by fines per violation. It also rhymes with India's synthetic-content rules, which require labelling and provenance metadata for synthetically generated information. For a global generative-AI provider the practical consequence is convergence: a model offered worldwide will increasingly have to embed machine-readable provenance and expose a detection mechanism to satisfy overlapping European, Indian and Californian rules — three jurisdictions, one engineering requirement.

Because California is not an EU jurisdiction and the Act sits outside any EU AI-Act regime, it carries no EU regime label; this entry is analytical context, not a compliance instruction.