Last updated: May 10, 2026

AB 2013 vs GDPR: AI Training Data Transparency Requirements Compared

Both AB 2013 and GDPR address transparency in AI — but they cover different compliance dimensions, apply to different parties, and require different actions. GDPR gives individuals rights over personal data processing; AB 2013 requires companies to publicly disclose the training data used to build their AI. A company can be fully GDPR-compliant and have never created the AB 2013-required public disclosure. The two obligations must be met independently.

Who needs to read this

EU-based AI companies expanding to the California market, US companies with EU data processing operations, and any AI company that has interpreted GDPR compliance as covering all necessary AI transparency obligations. Both GDPR and AB 2013 compliance are likely required simultaneously.

Side-by-Side Comparison

| Dimension | GDPR (EU) | AB 2013 (California) |
|---|---|---|
| What it covers | Rights of individuals over their personal data processing, including automated decisions | Public disclosure of training data categories used to build generative AI systems |
| Transparency direction | Company → individual (privacy notices, data subject requests) | Company → public (published on company's domain, accessible to anyone) |
| Who must comply | Any entity processing personal data of EU residents | Any entity that develops or deploys a generative AI system available to California users |
| Required action | Privacy notice, data processing agreements, data subject rights management, DPIAs for high-risk processing | Publish a public training data summary page on your domain covering data categories, date ranges, PII handling, and modification history |
| Individual rights | Yes — access, rectification, erasure, portability, right to object, right to human review of automated decisions (Art. 22) | No individual rights — obligation runs from company to public, not company to individual |
| Training data disclosure | Not specifically required as a public document. GDPR requires transparency about data sources in some privacy notices. | Explicitly required: public URL on company domain listing data categories, dates, PII handling, modification history |
| Penalty | Up to €20M or 4% of global annual revenue, whichever is higher | California AG enforcement; potential UCL §17200 civil action, injunctive relief, restitution |
| Effective since | May 25, 2018 | January 1, 2026 |
| Does one satisfy the other? | No | No |

What GDPR Covers (That AB 2013 Does Not)

GDPR's AI-relevant provisions center on individual data rights in automated processing:

  • Article 22: The right not to be subject to solely automated decisions that produce significant effects; the right to obtain human review, express views, and contest the decision
  • Article 13/14: When personal data is collected for AI processing, data subjects must be informed of "the existence of automated decision-making, including profiling" and "meaningful information about the logic involved"
  • Data Protection Impact Assessment (DPIA): Required for high-risk AI processing of personal data, including systematic profiling or large-scale processing of sensitive categories
  • Legal basis: Personal data used to train AI must have a lawful basis (consent, legitimate interest, etc.)

AB 2013 addresses none of these. It has no individual rights provisions, no human review requirement, no DPIA equivalent, and no legal basis framework for data processing.

What AB 2013 Requires (That GDPR Does Not)

AB 2013 requires a single specific artifact: a publicly accessible training data disclosure page on the company's own domain. This page must cover:

  • The categories of data used to train the generative AI system (licensed text, web scrapes, proprietary datasets, synthetic data, user-generated content, etc.)
  • The date range of the training data
  • Whether the training data included personal information or sensitive personal information, and how it was handled or de-identified
  • A modification history documenting any substantial retraining events

This must be at a public URL — not gated behind a login, not embedded in a privacy policy, not submitted to a regulator. It must be discoverable by anyone searching for it.

GDPR's privacy notices and records of processing activities (RoPAs) do not satisfy this requirement. They are directed at data subjects and supervisory authorities, not the general public. A GDPR-compliant privacy notice does not constitute an AB 2013 training data disclosure.

The EU AI Act vs AB 2013

The EU AI Act, effective August 2024 for high-risk AI categories, imposes transparency requirements that partially overlap with AB 2013's intent. High-risk AI providers must prepare technical documentation of training data and make it available to national competent authorities. GPAI (General Purpose AI) model providers with systemic risk must also produce certain transparency reports.

However, EU AI Act disclosures are directed at regulatory authorities, not the public. AB 2013 specifically requires public accessibility — anyone must be able to view your training data disclosure without authentication or regulatory clearance. EU AI Act compliance does not satisfy this requirement.

Companies Operating Under Both GDPR and AB 2013

For companies building AI products that serve both EU and California users — a common profile for global digital health companies — the compliance requirements stack:

  • For EU users: Privacy notices about automated decision-making, data subject rights management, DPIA if applicable, lawful basis for training data collection
  • For California users: Public training data disclosure page on company domain, modification history for model retraining, published at accessible URL

The good news is that GDPR and AB 2013 documentation work supports each other. GDPR records of processing activities document what personal data was used — this information can feed into the AB 2013 disclosure's PII section. The AB 2013 disclosure's comprehensive training data catalog can also provide transparency that reduces DPIA risk under GDPR.

Free tool: Generate your AB 2013 training data disclosure

Use our free AB 2013 Training Data Transparency Generator to create a compliant, ready-to-publish disclosure page. Input your data categories and receive publication-ready HTML — including the PII handling section and modification history. No signup required.


Frequently Asked Questions


Does GDPR compliance satisfy AB 2013?
No. GDPR and AB 2013 address different compliance dimensions. GDPR grants individuals rights over their personal data — including the right to explanation of automated decisions. AB 2013 requires a company to publish a public disclosure of the categories of training data used to build their generative AI system, at a publicly accessible URL on their own domain. GDPR compliance does not create or publish this disclosure. A company can be fully GDPR-compliant and never have published the AB 2013-required training data transparency page.

Does AB 2013 apply to EU-based AI companies serving California users?
Yes. AB 2013 applies to any entity that "develops or deploys" a generative AI system that is available to California users. The company's location is irrelevant — the California nexus is triggered by the product reaching California users. An EU-based AI company whose product is used in California must publish an AB 2013 training data disclosure, regardless of its GDPR compliance status.

What does GDPR's Article 22 require that AB 2013 does not?
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that produce significant effects, and the right to request a human review of such decisions. AB 2013 has no equivalent individual right provision. AB 2013 is purely about company-level public disclosure of training data — it does not grant individuals any right to challenge AI decisions or demand human review.

What does AB 2013 require that GDPR does not?
AB 2013 requires a publicly accessible disclosure on the company's own domain listing: the categories of training data used, the date range of that data, whether it included personally identifiable information and how it was handled, and a modification history for substantial model retraining. GDPR does not require this public disclosure — GDPR transparency requirements are directed at individual data subjects, not the general public.

Does the EU AI Act satisfy AB 2013?
Not fully. The EU AI Act (effective August 2024 for high-risk AI categories) requires providers of high-risk AI systems to document their training data and make certain information available to regulators. However, EU AI Act disclosure obligations are directed at regulatory authorities, not the general public. AB 2013 requires a public disclosure accessible to anyone — no regulatory submission satisfies this requirement.

If we already have a GDPR-compliant privacy notice, can we modify it to satisfy AB 2013?
No. AB 2013 requires a dedicated training data transparency disclosure page on your domain — it is a standalone document, not a section within a privacy policy. Additionally, GDPR privacy notices address how you process individuals' personal data; AB 2013 requires disclosure of the training data used to build your AI model, which is a different and distinct document. You need both.
