California's AI Content Provenance Rules in 2026: SB 942, AB 853, the Failed AB 3211, and What Actually Applies
California's operative AI content provenance regime in 2026 is built on SB 942 (the California AI Transparency Act, signed September 19, 2024) as amended by AB 853 (signed October 13, 2025), which set the effective date at August 2, 2026 — not on AB 3211, which was widely covered in 2024 as the imminent provenance law but was placed on the inactive file on August 31, 2024 and consequently failed to pass. If you have read coverage from earlier in this regulatory cycle, you may have absorbed the assumption that AB 3211 is the law. It is not. This article walks through the actual current provenance regime, explains why AB 3211 failed, maps SB 942 to the C2PA technical standard the industry has converged on, and shows how the related laws — AB 2655 for election deepfakes, AB 1836 for deceased personalities, and the broader ecosystem of provenance-adjacent statutes — fit alongside SB 942 to form California's provenance landscape.
The bill that didn't pass: a quick AB 3211 obituary
Understanding California's current provenance regime requires understanding which bills failed alongside the ones that succeeded. AB 3211, the California Provenance, Authenticity and Watermarking Standards Act introduced by Assemblymember Buffy Wicks in February 2024, was the maximalist provenance proposal. It would have required watermarks containing provenance data in all AI-generated content from any generative AI provider — no user threshold — covering image, video, and audio. It would have required regular red-teaming exercises to test whether watermarks could be removed or fabricated. It would have mandated public disclosure of any vulnerability or failure in the AI system within 24 hours. It would have imposed labeling obligations on large online platforms for synthetic content uploaded by users. And it would have required newly manufactured digital cameras and recording devices sold in California to offer authenticity watermarking by default.
AB 3211 had remarkable industry support — OpenAI, Adobe, Microsoft, and the C2PA coalition all backed the bill publicly, recognizing that a clear statutory baseline would advantage their existing investment in provenance infrastructure. It passed the Assembly 62-0 in May 2024. It cleared the Senate Appropriations Committee on August 15, 2024. Then, on August 31, 2024 — the last day of the 2023-2024 legislative session — the bill was placed on the inactive file at the request of Senator Lena Gonzalez, and the session ended without a final vote. The bill is sometimes described in legacy coverage as having been "defeated" or "rejected"; the more precise description is that it ran out of time, in part because the Department of Finance opposed it on appropriations grounds and there were disagreements about the scope of capture-device manufacturer obligations.
The practical consequence is that California's provenance regime is now narrower than AB 3211 envisioned. The maximalist all-providers, all-modalities approach was replaced by SB 942's targeted covered-provider approach. Compliance plans, vendor questionnaires, and procurement reviews still occasionally cite AB 3211 as if it were operative; those documents need updating. The single most useful fact to internalize is that AB 3211 is not, and never became, California law.
What SB 942 (as amended by AB 853) actually requires
SB 942 is the operative California provenance statute. It applies to covered providers — generative AI providers with more than one million monthly Californian users that produce image, video, or audio content. Three core obligations apply. First, every output must carry a manifest disclosure: a human-perceptible label communicating that the content was AI-generated, in a form that travels with the content rather than the rendering UI. Second, every output must carry a latent disclosure: machine-readable metadata embedded in the content itself, conveying the provider name, the AI system name and version, the time of creation or alteration, and a unique identifier — and the latent disclosure must be "permanent or extraordinarily difficult to remove." Third, the covered provider must operate a free, publicly accessible AI detection tool that allows any user to upload an image, video, or audio file and learn whether it was created or altered by the provider's system.
AB 853, signed by Governor Newsom on October 13, 2025, amended SB 942 in three material ways. It pushed the effective date from January 1, 2026 to August 2, 2026, aligning with the EU AI Act's general-purpose AI provisions. It added obligations for large online platforms (more than two million monthly Californian users) to detect, preserve, and surface provenance information on uploaded content, effective January 1, 2027. And it added obligations for capture device manufacturers (cameras, microphones, voice recorders sold in California) to offer authenticity-watermarking options on hardware sold after January 1, 2028. The capture-device piece is what AB 3211 was originally going to do; AB 853 picked it up in narrower form and gave it a longer runway.
Penalties are five thousand dollars per violation, with each day of continuing violation counted as a discrete violation, enforced by the California Attorney General, city attorneys, or county counsels. There is no private right of action against covered providers. For the technical implementation deep dive, see our companion guide on SB 942 manifest vs latent disclosures; for the contractual licensee-revocation mechanics, see the 96-hour rule article; for the post-AB-853 deadline math, see the SB 942 vs AB 853 changelog.
The C2PA convergence: why an unnamed standard became the de facto answer
SB 942 deliberately does not name a technical standard. The statute describes properties — permanent, machine-readable, conveying specific fields, detectable by the provider's public tool — and leaves the implementation choice to providers. In practice, the entire industry has converged on the C2PA specification, the open-source standard developed by the Coalition for Content Provenance and Authenticity (Adobe, Microsoft, BBC, Intel, Truepic, and others). The convergence happened for three reasons that compliance teams should understand, because they shape the defensibility of any non-C2PA implementation.
First, C2PA satisfies the "permanent or extraordinarily difficult to remove" standard better than alternatives. The specification uses cryptographic signing: the manifest is signed with the private key behind the producer's certificate, so any modification invalidates the signature. That self-authenticating property is what gives the latent disclosure real teeth: even if a downstream actor strips the manifest, the absence of a valid manifest on what claims to be authentic content is itself a provenance signal. EXIF metadata, by comparison, can be stripped without leaving a trace.
Second, C2PA is widely deployed. Adobe Photoshop emits C2PA manifests. Microsoft Designer, OpenAI's image-generation tools, Google's SynthID, and most other major AI image providers all support C2PA. Most major social platforms have committed to preserving C2PA manifests on upload. A regulator evaluating a covered provider's compliance posture will see C2PA as the normative reference.
Third, C2PA has open-source toolchains in every major language. Adobe's c2pa-rs is the reference Rust implementation. Microsoft's Content Credentials SDK wraps c2pa-rs for .NET and JavaScript. The c2pa-node package brings it to Node.js. Implementing C2PA at the provider level is a matter of integrating an existing library; building a non-C2PA latent disclosure system from scratch is dramatically more work, and the result has to be defended against the C2PA baseline whenever a regulator or licensee asks.
The provenance landscape beyond SB 942: where the related rules sit
SB 942 is the centerpiece, but it is not the entire California provenance landscape. Three related statutes operate in adjacent territory and create overlapping obligations for any covered provider whose content reaches sensitive contexts.
AB 2655, the Defending Democracy from Deepfake Deception Act, addresses provenance from the election-integrity angle. It imposes labeling and removal obligations on large online platforms for materially deceptive AI-generated content depicting candidates and elected officials during specified pre-election and post-election windows. The statute is not a general provenance law — it is an election overlay that triggers when AI content intersects with electoral speech. A piece of AI-generated content used in a California election can simultaneously be subject to SB 942 (because the generating provider is covered), AB 2655 (because it depicts a candidate in a regulated window), and the platform-distribution amendments AB 853 added to SB 942.
AB 1836, the deceased-personality digital replica law, addresses provenance from the identity angle. Effective January 1, 2026, it amends California Civil Code §3344.1 to prohibit the unauthorized use of a digital replica of a deceased personality's voice or likeness in expressive audiovisual works or sound recordings without consent from the rights-holders. AB 1836 asks "who was depicted" rather than "how was the content made" — it is identity provenance, not content provenance. A digital replica that complies with SB 942's watermarking requirements is still subject to AB 1836's consent requirement if it depicts a deceased personality. Our SAG-AFTRA and California digital replica laws guide covers AB 1836 in depth.
AB 2602, the parallel statute for living performers, sits alongside AB 1836. It does not impose watermarking requirements but addresses the contractual side: it makes contract provisions authorizing digital replica use unenforceable unless the performer was represented and the contract reasonably specifies the intended uses. AB 2602 is about consent, not provenance — but a covered provider whose AI system creates digital replicas needs to comply with AB 2602's contractual rules in addition to SB 942's watermarking rules.
How to operationalize provenance compliance across the regime
For covered providers implementing compliance across the full provenance landscape, the practical approach is a single technical foundation supporting multiple regulatory overlays. The foundation is C2PA-based content signing at the moment of generation, with the manifest containing the SB 942-required fields. The foundation supports SB 942 directly and provides the technical baseline for any future text-content provenance rule, EU AI Act content disclosure, or industry-specific provenance requirement.
The first overlay is the manifest disclosure layer — a human-visible label that travels with the rendered output. For images, a small but legible label baked into the pixel data; for video, an opening-frame disclaimer or persistent corner badge; for audio, a brief disclosure at the start. The second overlay is the public detection tool — a public web endpoint that wraps your C2PA verification logic and returns whether content was generated by your system. The third overlay is the licensee monitoring infrastructure required to operate the SB 942 96-hour revocation rule, which we covered in the licensee article.
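The signing foundation and the detection-tool verdicts described above, as an added example that is not from the original article or from any C2PA library. HMAC-SHA256 stands in for the certificate-based signature a real C2PA manifest carries; the key, field names, and verdict strings are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in for the certificate
# signature in a real C2PA manifest; a provider would sign with a private key.
SIGNING_KEY = b"constructed-demo-key"
# The SB 942 latent-disclosure fields (names here are hypothetical).
REQUIRED_FIELDS = ("provider", "system", "version", "created", "id")

def _canonical(claim: dict) -> bytes:
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()

def _mac(claim: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(claim), hashlib.sha256).hexdigest()

def sign_output(content: bytes, fields: dict) -> dict:
    """Build a manifest that binds the required fields to the content hash."""
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        raise ValueError(f"missing latent-disclosure fields: {missing}")
    claim = dict(fields, content_sha256=hashlib.sha256(content).hexdigest())
    return {"claim": claim, "signature": _mac(claim)}

def detect(content: bytes, manifest) -> str:
    """Verdict a public detection endpoint could return for an upload."""
    if manifest is None:
        return "no_manifest"            # stripped or never signed
    if not isinstance(manifest, dict):
        return "invalid_manifest"
    claim, sig = manifest.get("claim"), manifest.get("signature")
    if not isinstance(claim, dict) or not isinstance(sig, str):
        return "invalid_manifest"
    if not hmac.compare_digest(_mac(claim).encode(), sig.encode()):
        return "invalid_manifest"       # fields changed after signing
    if claim.get("content_sha256") != hashlib.sha256(content).hexdigest():
        return "content_modified"       # manifest genuine, media bytes differ
    return "generated_by_provider"

# Constructed sample input.
SAMPLE = b"\x89PNG constructed image bytes"
FIELDS = {"provider": "ExampleAI", "system": "example-image-model",
          "version": "1.0", "created": "2026-08-02T00:00:00Z",
          "id": "constructed-0001"}
```

The four verdicts separate the cases a detection tool has to tell apart: a valid manifest, edited fields, edited media, and a stripped manifest.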
For election contexts, the overlay is AB 2655 compliance: tighter labeling, faster removal procedures, and coordination with platform partners during regulated windows. For digital replica contexts, the overlay is AB 1836 and AB 2602 consent verification before the AI system creates content depicting identifiable individuals. The discipline is to build the foundation once and stack the overlays as separate compliance modules, rather than building a separate provenance infrastructure for each statute. Compliance teams who try to build statute-specific provenance regimes end up with overlapping technical systems that are harder to maintain and harder to audit.
What to watch in the next legislative cycle
Three developments are worth tracking. First, the maximalist AB 3211 framework will likely return in some form. Wicks and the bill's coalition supporters have signaled intent to re-introduce a content provenance bill in subsequent sessions, and the federal COPIED Act (the federal counterpart that has been introduced multiple times) provides a national template that California legislators will reference. Second, text-content provenance is the most likely next addition to SB 942's scope. The current statute exempts text, but the legislative committee analysis on AB 853 expressly noted that text disclosure rules may be added in future amendments. Compliance teams should treat text-only generative systems as currently out of scope but plan for inclusion within the next two legislative sessions. Third, the capture-device manufacturer provisions AB 853 added (effective January 1, 2028) are the longest runway in the regime; expect industry standards work and rulemaking activity to accelerate in late 2026 and through 2027 as device manufacturers build the authenticity-watermarking options the statute requires.
Sources
The primary materials are the SB 942 statute on Digital Democracy and the AB 853 amendments on California Legislative Information. For the AB 3211 status, the official California Legislative Information bill status page shows the bill's inactive file disposition, with Digital Policy Alert's tracker providing the timeline of how it failed. For practitioner-grade analysis of the post-AB-853 regime, Hintze Law's analysis is the most current reference. The C2PA specification is published at c2pa.org. For ongoing tracking of the next provenance bill cycle, the California legislature's bill tracker is the most timely public source.