California just passed a law that singles out a specific kind of AI: chatbots built to act like a friend, companion or confidant. California SB 243, signed by Governor Gavin Newsom on October 13, 2025 and in effect since January 1, 2026, is the first state law in the country to impose disclosure, safety and reporting requirements specifically on AI "companion chatbots."
If your business builds or deploys a chatbot that remembers users across sessions, adapts to their emotional state or markets itself as a companion rather than a tool, this law likely applies regardless of where your company is headquartered.
SB 243 (Business and Professions Code, Chapter 22.6) defines a companion chatbot as an AI system with a natural language interface that gives adaptive, human-like responses, exhibits anthropomorphic features and can sustain a relationship across multiple interactions to meet a user's social needs. It excludes chatbots used solely for customer service, chatbots embedded in video games that stay on-topic and voice-activated assistants like smart speakers. For covered operators, it requires AI disclosure, break reminders for minors, crisis-response protocols for self-harm content and, starting July 1, 2027, annual reporting to California's Office of Suicide Prevention.
This article breaks down what the law says, who it applies to, what compliance requires and how de-identifying chatbot conversation data fits into a broader compliance strategy.
What SB 243 actually says
SB 243 was authored by State Senator Steve Padilla and signed into law by Governor Newsom on October 13, 2025, after passing 33 to 3 in the Senate and 59 to 1 in the Assembly (Jones Walker, 2025). The law adds Chapter 22.6 to California's Business and Professions Code and was drafted partly in response to lawsuits and public attention around AI companion chatbots and teen safety, including a widely covered case involving a teenager's suicide after extensive interaction with a companion chatbot (California Lawyers Association, 2025). Its core logic: a chatbot built to form an emotional bond carries a different kind of risk than one that answers billing questions, and the law regulates that category accordingly.
Who does SB 243 apply to?
SB 243 defines a companion chatbot as an AI system with a natural language interface that provides adaptive, human-like responses and is capable of meeting a user's social needs, including by sustaining a relationship across multiple interactions (California Business and Professions Code §22601). The test turns on function, not technology.
An operator is any person or entity that makes a companion chatbot platform available to a user in California, with no headquarters requirement: accessibility to California users is enough to trigger the law.
What's excluded
The statute carves out three categories of systems even if they use conversational AI:
| Excluded category |
Why it's excluded |
| Business and customer service bots |
Bots used solely for customer service, business operations, productivity or technical assistance |
| Video game characters |
Bots embedded in a video game, limited to game-related replies, that cannot discuss mental health, self-harm or sexual content |
| Voice-activated assistants |
Stand-alone devices functioning as a speaker and voice command interface that do not sustain a relationship across interactions |
The line between a purely functional chatbot and a companion chatbot is not always obvious. A virtual assistant that builds rapport over time, a wellness-coaching chatbot that tracks symptoms, or an academic support bot that follows a student across a semester could all plausibly fall inside the statute's scope. Businesses in healthcare, financial services, insurance and contact centers should not assume their conversational AI is automatically excluded just because it has a practical purpose.
Key compliance requirements under SB 243
SB 243 imposes obligations across three areas: disclosure, safety protocols and reporting. Some apply to all users; others apply only when the operator knows the user is a minor.
Requirements that apply to all users:
- AI disclosure when a reasonable person could be misled. If a reasonable person interacting with the chatbot would believe they are talking to a human, the operator must clearly notify them otherwise.
- Suitability warning. Operators must disclose, on the application or access format, that companion chatbots may not be suitable for some minors.
- Crisis prevention protocol. A companion chatbot may not engage with users unless the operator maintains a protocol for preventing suicidal ideation or self-harm content, using evidence-based detection methods and referring at-risk users to crisis service providers.
- Protocol publication. Operators must publish details of their crisis prevention protocol on their website.
Additional requirements when the operator knows the user is a minor:
- Explicit AI disclosure. Operators must disclose to the user that they are interacting with artificial intelligence.
- Three-hour break reminders. Operators must provide, by default, a notification at least every three hours during continuing interactions, reminding the user to take a break.
- Sexually explicit content restrictions. Operators must take reasonable measures to prevent the chatbot from producing sexually explicit material or directly telling a minor to engage in sexually explicit conduct.
"Knowledge" under the statute means whether a company is aware, or reasonably should be aware, that a particular user is under 18 (Gunderson Dettmer, 2025). That standard applies on a user-by-user basis, so age-detection logic needs to flag individual accounts rather than relying on a platform-wide assumption.
Annual reporting, beginning July 1, 2027: operators must annually report to California's Office of Suicide Prevention the number of crisis referral notifications issued in the prior year and the protocols in place to detect and respond to suicidal ideation (Jones Walker, 2025). Reports may not contain user identifiers, and the office publishes aggregated data from these reports.
What data do companion chatbots collect?
Companion chatbots are built to sustain relationships, which means they retain conversation history, inferred emotional state, stated preferences and sensitive disclosures users would not type into a typical customer service form. A wellness-coaching chatbot may capture symptom logs, a financial companion app may capture account details, and a healthcare-adjacent companion may capture protected health information (PHI) under HIPAA on top of whatever SB 243 imposes. (For a fuller framework on how these obligations stack, see Limina's guide to AI chatbot compliance.)
SB 243's disclosure and safety requirements only partially address this risk: the law governs how the chatbot behaves toward the user, not how long conversation logs are retained or what happens to that data if it is used to fine-tune a model.
How to build SB 243-compliant AI products
A practical compliance checklist for teams building companion chatbots accessible to California users:
- Scope assessment. Determine whether your product meets the statutory definition of a companion chatbot, and document whether any exclusion applies.
- Disclosure design. Build clear AI disclosure into the product itself, not the terms of service, so it triggers whenever a reasonable person could be misled.
- Age detection and minor-specific flows. Add age verification or self-attestation at account setup, then route minor accounts into break reminders and content restrictions.
- Crisis prevention protocol. Document a protocol for detecting and responding to suicidal ideation and self-harm content, including a referral pathway, and publish it publicly.
- Data retention and minimization review. Map what conversation data the chatbot stores, and apply minimization and de-identification to logs retained for analytics or model improvement.
- Reporting infrastructure. Build internal tracking for annual aggregate reports on crisis referrals well before July 1, 2027, excluding user identifiers.
- Legal review. Have counsel confirm scope, disclosure language and protocol design against the current statutory text, since this is a new and still-developing area of law.
SB 243 and federal law
SB 243 does not exist in isolation: its duties are cumulative to other law and do not relieve an operator of any other compliance obligation. For regulated industries, this overlap matters in three ways.
First, a companion chatbot deployed in healthcare that processes a user's symptoms, diagnoses or treatment may create PHI subject to HIPAA, independent of SB 243, an overlap worth reviewing alongside guidance for healthcare deployments. Second, California's CPRA automated decision-making technology (ADMT) regulations, effective January 1, 2027, apply when a business uses ADMT to make a "significant decision" about a consumer involving outcomes such as healthcare, employment, credit, housing or education (Skadden, 2025). A companion chatbot whose output replaces human judgment in one of those areas, rather than merely assisting it, falls within scope.
Third, SB 243 sits alongside New York's Artificial Intelligence Companion Models law (General Business Law Article 47), effective November 5, 2025, and disclosure proposals in states like Colorado, Maine, Texas and Utah (New York State Senate). The two flagship laws diverge on enforcement: SB 243 creates a private right of action with damages of the greater of actual damages or $1,000 per violation plus attorneys' fees, while New York authorizes only its attorney general to seek penalties of up to $15,000 per day (Morrison Foerster, 2025).
De-identifying chatbot conversation data: the underlying privacy fix
SB 243's disclosure and safety requirements tell an operator how the chatbot must behave. They do not solve the harder problem most companion chatbot operators face: what to do with conversation logs once they exist.
Conversation transcripts from a companion chatbot routinely contain names, health details, financial information and other personal data, often volunteered by users who feel they are talking to a confidant rather than a database. Retaining that data in identifiable form increases exposure under SB 243's private right of action, under HIPAA if the deployment touches healthcare and under CPRA if outputs feed into automated decision-making.
De-identifying chatbot conversation logs before they are stored or used to improve a model is one of the most direct ways to reduce that exposure. This is the problem Limina's data de-identification platform is built to solve. It identifies, redacts and replaces personally identifiable information, protected health information and payment card information across unstructured text, including chatbot transcripts. In Limina's own published benchmarking, the platform reaches 99.5 percent accuracy on real healthcare data, against 60 to 70 percent for general-purpose cloud tools (Limina, 2026). It deploys in-VPC or on-premises, so conversation data never has to leave a company's own infrastructure, an approach that also supports contact center deployments handling similar conversational data. SB 243 is the first state law of its kind, but it will not be the last, and whether or not your chatbot meets the technical definition of a companion chatbot, de-identifying retained conversation data reduces your exposure under SB 243, HIPAA, CPRA and whatever comes next.
Get ahead of SB 243 compliance
SB 243's disclosure and safety rules tell you how a companion chatbot must behave, but they leave the underlying data problem untouched: conversation logs full of names, health details and financial information that stay exposed under SB 243's private right of action and adjacent laws like HIPAA and CPRA. Limina de-identifies that data in-VPC before it is stored, analyzed or used to train a model, producing expert determination-ready outputs your legal team can stand behind.
Talk to an expert about de-identifying your companion chatbot's conversation data.
See how Limina's data de-identification platform handles chatbot transcripts at scale. For the broader compliance picture beyond SB 243, see Limina's guide to AI chatbot compliance under HIPAA and GDPR.