AB 1977 imposes a state regulatory framework on businesses that provide software platforms enabling remote online notarial acts for individuals who represent they are located in California while the notarial officer is outside the state. The bill defines covered terms, requires platforms to create and secure sequential electronic journals and an audio‑video recording of each remote notarial act, and mandates breach notification and limits on data use.
The measure also creates private and public enforcement tools: a civil right of action with damages and injunctive relief, and authority for the Attorney General and local prosecutors to sue. The statute includes a narrow vicarious‑liability carve‑out for platforms and references NIST standards for identity assurance, signaling a state‑level compliance baseline that will matter to platform providers, title and escrow services, law firms, and privacy compliance teams.
At a Glance
What It Does
The bill governs businesses that host remote online notarization sessions for California principals whose notarial officer is located outside California. It requires platforms to maintain auditable, encrypted records of every transaction, to notify on breaches, and to limit downstream uses of journal entries, recordings, records, and personal information except for narrow operational or legal exceptions.
Who It Affects
Platform providers that enable remote notarizations, out‑of‑state notaries who perform notarial acts for Californians, the Californians (principals) using these services, and downstream users such as title companies, lenders, and counsel that rely on remote notarizations.
Why It Matters
AB 1977 creates a California‑specific operational and privacy regime for remote notarization platforms, including an explicit private right of action and reference to NIST identity standards—raising compliance, litigation, and technical design considerations for vendors and their customers nationwide.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill targets businesses that supply the software and services used to perform remote online notarizations for people who say they are located in California while the notarial officer is physically located outside the state. It defines core terms—audio‑video communication and recording, electronic journal, business, principal, remote online notarial act—and makes the business subject to California court jurisdiction for transactions involving a California principal.
For each remote online notarial act the platform must create a sequential, encrypted electronic journal entry that the notarial officer can access through secure multifactor authentication. The journal must be capable of producing both electronic and physical copies and must record, among other items, the UTC date and time, the principal’s stated physical location and the notary’s physical location, a title or short description of the record notarized, the principal’s electronic signature, the basis the notary relied on to identify the principal, a statement that an audio‑video recording was made, any fee charged, and the platform’s name.The business must also create an audio‑video recording of the live session in an open format and make that recording available to the notarial officer via multifactor authentication; the recording must not include images of the record that was notarized.
Platforms must maintain an audit trail that logs each action, who performed it, the UTC timestamp, and the actor’s IP address. All audio‑video streams and records connected to the notarization must be encrypted and reasonably protected against interception.Before performing the notarization the platform must prompt the user to confirm whether they are located in California; if the user affirms, the platform must append a short document to the notarized record noting the user’s response and the notary’s location, although failing to append this document does not invalidate the notarization under California law.
Platforms must notify law enforcement and affected principals without unreasonable delay after a breach of personal information, journal entries, or audio‑video recordings.The bill tightly restricts a platform’s ability to access, use, sell, or otherwise disclose the journal entries, the notarized record contents, audio‑video recordings, or a principal’s personal information, while carving out necessary exceptions: to facilitate the notarization, to comply with law or lawful process, to process the record for its intended transaction, or to implement fraud‑mitigation measures consistent with NIST SP 800‑63A. For enforcement, the statute creates a private cause of action with the greater of actual damages or $250 per violation, presumption of injunctive relief for the public benefit, recovery of costs and attorney fees, and a four‑year limitations window measured from actual knowledge.
The Attorney General and local prosecutors may also sue and obtain the same remedies, with a separate four‑year window tied to notice from the business. Finally, the bill states that a platform is not vicariously liable for misconduct by the notarial officer or other transaction parties unless the notary is the platform’s employee or agent.
The Five Things You Need to Know
The platform must create an encrypted electronic journal entry for every remote online notarial act and make it accessible to the notary via multifactor authentication; journal entries must be capable of producing physical and electronic copies.
The platform must record the audio‑video communication of each session in an open format, but the recording may not include images of the record that is being notarized.
The audit trail requirement must log action, UTC date/time, actor name, and the actor’s IP address for each transaction‑related action.
The bill limits platforms from using or disclosing journals, recordings, notarized record contents, or personal information except to facilitate the notarization, comply with lawful process or law, process the transaction, or implement NIST SP 800‑63A‑style fraud mitigations.
A private plaintiff may recover actual damages or statutory damages of $250 per violation (whichever is greater), plus injunctive relief and attorney’s fees; government actors may also enforce the law.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions relevant to remote online notarization platforms
This subsection supplies the working vocabulary the rest of the bill uses: what counts as audio‑video communication and recording, who qualifies as a business, what an electronic journal is, who the principal and notarial officer are, and how 'remote online notarial act' is defined (specifically a notarial act performed by a notary located outside California for a person who represents they are in California). That last point is critical: the statute focuses on cross‑jurisdictional sessions rather than in‑state notaries using technology.
Consent to California jurisdiction
The bill requires a covered business to consent to the jurisdiction of California courts for transactions involving a California principal. Practically, that prevents platforms from avoiding California enforcement by pointing to out‑of‑state fora for disputes arising from covered sessions.
Electronic journal and audio‑video recording requirements
Platforms must produce encrypted, sequential electronic journal entries for every remote notarial act and permit notarial officers to access those journals via multifactor authentication. Each journal entry must capture a set list of fields (UTC time, principal and notary locations, record title/description, principal e‑signature, ID method basis, a statement that recording occurred, fee, and platform ID). The bill also requires creation of an audio‑video recording in an open format and expressly bars including images of the notarized record in that recording, which shapes how vendors design record‑capture workflows.
Location prompt, appended location document, and audit trail/encryption
Platforms must prompt users to confirm whether they are located in California; if the user affirms, the platform appends a document to the notarized record noting the response and the notary’s location (but omission does not invalidate the notarization). Separately, the business must maintain an audit trail for transaction actions (action, UTC timestamp, actor name, and IP address) and must encrypt all audio‑video and related records, taking reasonable steps to prevent interception.
Breach notification and limits on data use
The bill requires prompt notification to appropriate law enforcement and affected principals for unauthorized access, loss, or compromise of personal information, journals, or recordings. It generally prohibits platforms from accessing, using, sharing, selling, or disclosing journal entries, record contents, recordings, or personal information, but enumerates exceptions—including facilitating the notarization, complying with lawful process, processing the record for its transaction, or implementing fraud‑mitigation measures in line with NIST SP 800‑63A.
Private and public enforcement, remedies, and limitations
The statute creates a private right of action for injured persons with recovery equal to actual damages or statutory damages of $250 per violation (whichever is greater), injunctive or declaratory relief (presumed to benefit the public), and other relief the court deems proper. Courts must award costs and reasonable attorney’s fees. The limitations period is four years from actual knowledge of the violation; the Attorney General and local prosecutors can bring similar actions with a four‑year window measured from notice by the business.
Vicarious‑liability carve‑out and operative date
The bill shields businesses from vicarious liability for negligence, fraud, or willful misconduct of the notarial officer or other transaction parties unless the notarial officer is the business’s employee or agent. The text sets an operative date of January 1, 2025.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- California principals using remote notarization: the bill requires platforms to create auditable, encrypted journals and open‑format audio‑video recordings and to provide copies quickly, increasing transparency and post‑transaction evidence for consumers.
- Regulators and law enforcement: mandated audit trails, UTC timestamps, IP addresses, and breach notification provide structured data to investigate fraud or misuse and to enforce state rules.
- Entities relying on notarized records in California (title companies, lenders, law firms): clearer standards and an evidentiary record may reduce disputes about whether a remote notarization met procedural safeguards.
Who Bears the Cost
- Platform providers that facilitate remote notarizations: they must implement encrypted journals, open‑format AV recording, secure multifactor access for notaries, audit logging, breach response processes, and comply with disclosure constraints—an operational and compliance cost burden.
- Cloud and storage vendors used by platforms: requirements for encrypted storage, open‑format handling, and retention tied to varying federal, state, or local laws may increase contractual and technical obligations.
- Platform legal and compliance teams: exposure to private litigation with statutory damages per violation and potential government enforcement will increase compliance oversight, policy drafting, and risk monitoring costs.
Key Issues
The Core Tension
The bill balances two legitimate goals—protecting Californians’ privacy and evidence rights in remote notarizations, and enabling cross‑border remote notarial services—but doing so forces trade‑offs: stricter controls on platforms reduce data misuse risk and create auditability, yet they raise operational complexity, increase vendor costs, and may leave injured principals with narrower routes to recover where a notary (not the platform) committed misconduct.
The bill creates a detailed operational floor but leaves implementation questions that matter in practice. 'Open format' and the prohibition on including images of the notarized record in the audio‑video recording can clash: vendors will need a separate evidence chain showing the exact document content while keeping that content out of the recording, which may complicate workflows for identity verification and record integrity. The reference to retaining entries and recordings “in accordance with federal, state, or local law” provides flexibility but creates uncertainty about retention periods and cross‑jurisdictional conflicts where different rules apply.
The statute narrows platforms’ ability to use or monetize journal entries, recordings, or principal data, yet it permits broad exceptions—complying with lawful process or implementing fraud mitigation—without detailing disclosure protocols. The private right of action with per‑violation statutory damages combined with a relatively long four‑year limitations period increases litigation risk, especially around ambiguous practices (for example, timing of breach notices, what constitutes reasonable encryption, or whether a platform’s access to process a transaction exceeds permitted uses).
Finally, the vicarious‑liability carve‑out protects platforms from third‑party notary misconduct except when the notary is an agent or employee, potentially shifting recovery burdens back to victims and complicating claims against out‑of‑state notaries.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.