• 2025 Privacy Overview Webinar: How to Ensure Compliance and Reduce Business Risk

    In 2025, privacy and AI regulation have moved from the sidelines to the center of business risk and strategy. U.S. states are rapidly enacting a patchwork of privacy laws, with new AI laws emerging and expected to increase. Meanwhile, regulators are tightening oversight of automated decision making, children’s data, health metrics, and cross-border data transfers. And litigation over online data collection by companies continues to expand under various statutes, including wiretapping and pen register claims under the California Invasion of Privacy Act (CIPA), and claims under the Video Privacy Protection Act (VPPA), resulting in diverging court rulings that send mixed signals to companies regarding privacy compliance.

    In our 2025 Privacy Overview webinar, Scott Hall and members of the Coblentz Data Privacy Team will cover some of the most significant developments shaping the privacy and AI landscape and highlight practical steps businesses can take to navigate an increasingly complex, multi-jurisdictional legal landscape.

    To register, please click here

    Date: Tuesday, October 21, 2025

    Time: 10:00am – 11:15am PDT

    Format: Join us via webinar

    This program is eligible for 1.0 Technology in the Practice of Law California MCLE credit. CLE is earned by both viewing and listening to this program for no less than 50 minutes. Dial-in only participants will not earn credit. Virtual attendance will be tracked and logged. CLE certificates of attendance will be made available via email in the days following the presentation. An application for renewal of California MCLE credit is pending approval.

    Categories: Events
  • ABA Forum on Construction Law’s Fundamentals of Construction Law, Third Edition

    Coblentz associate Anita Chu co-authored the Dispute Resolution chapter in the ABA Forum on Construction Law’s Fundamentals of Construction Law, Third Edition. The chapter covers on-site alternative dispute resolution (ADR) techniques, partnering, and traditional and step negotiations. More details are available on the ABA’s website.

    Anita litigates cases involving large-scale and complex construction projects. She has represented owners, public entities, general contractors, and subcontractors in disputes arising out of the construction of public transit, student dormitories, university buildings, hospitals, electrical substations, housing developments, and commercial tenant improvement projects. Anita has successfully resolved disputes involving breach of contract, extra work, delay, warranty, defects, and indemnity.

    Categories: News
  • Coblentz Joins Civil Rights Groups to File Class Action Lawsuit Against ICE Challenging Courthouse Arrests and Detention Conditions in San Francisco

    In the wake of the current administration’s policy of courthouse arrests in Northern California and the prolonged detention of immigrants in unsafe and unlawful conditions at U.S. Immigration and Customs Enforcement’s (ICE) San Francisco Field Office, Coblentz has joined a coalition of civil rights groups to file a federal class action lawsuit against ICE.

    Our firm has long forged a path of fairness and justice. As pro bono counsel for this class action, we are providing support to our community members most in need of legal representation.

    “By subjecting immigrants to the inhumane conditions at 630 Sansome, the administration has violated the Fifth Amendment’s core protection against punitive detention without due process. We will call on the court to end these unconstitutional practices,” said Mark Hejinian, litigation partner and co-chair of Coblentz’s Pro Bono Committee.

    To view the Lawyers’ Committee for Civil Rights’ press release, please click here.

    Categories: News
  • Regulators Launch Coordinated Enforcement Sweep on Website Opt-Out Mechanisms

    By Scott C. Hall and Mari S. Clifford

    On September 9, 2025, California Attorney General Rob Bonta, together with the California Privacy Protection Agency and the Attorneys General of Colorado and Connecticut, announced a joint enforcement sweep targeting businesses that fail to honor the Global Privacy Control (GPC). Regulators sent and will continue to send warning letters to companies that appear not to be processing consumer requests to opt out of data sales and targeted advertising, signaling heightened scrutiny and a coordinated, nationwide approach to enforcement.

    What Is the GPC and Why It Matters

    The GPC is a browser setting or extension that automatically communicates a consumer’s request to opt out of the “sale” or “sharing” of their personal information. Under laws in California, Colorado, Connecticut, and a growing list of other states (Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas), businesses are required to honor this signal.

    In practice, the GPC means that if a consumer has the setting enabled, your website must block or suppress cookies, pixels, and other tracking technologies that involve data sales or targeted advertising. Examples of technologies commonly used for targeted advertising include Meta Pixel, Google Ads and DoubleClick/Google Marketing Platform, TikTok Pixel, and Microsoft/Bing Ads UET Tag, among others. If these tools remain active when a consumer sends a GPC signal, your company may be out of compliance.

    As detailed in Coblentz’s 2025 Mid-Year Privacy Report, enforcement attention to GPC sits against the backdrop of a growing wave of privacy litigation. Plaintiffs are testing whether modern tracking technologies (such as pixels, session-replay tools, and chat integrations) can be shoehorned into legacy statutes like the California Invasion of Privacy Act (CIPA) and the Video Privacy Protection Act (VPPA). Courts have issued conflicting rulings, and California has even advanced legislation (SB 690) to rein in expansive CIPA theories. The takeaway from this is that regulators view GPC as a clear compliance obligation, while plaintiffs’ lawyers are probing the same ecosystem of cookies and pixels from a different angle. Companies that shore up GPC compliance are addressing not only a regulatory expectation but also reducing exposure to lawsuits.

    Compliance Steps to Take Now

    • Check GPC compliance with your web development/IT team: Confirm your website and cookie management tools detect and honor the GPC signal.
    • Review tracking technologies: Revisit how cookies, pixels, and other technologies are classified, and keep in mind that U.S. “sale” and “targeted advertising” rules do not always map to EU-style categories.
    • Test suppression: Verify that enabling GPC suppresses cookies and pixels used for sales or targeted ads.
    • Validate across states: Test the signal to ensure compliance not only in California but also in the other states requiring GPC recognition.
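
    The "detect and honor" and "test suppression" steps above can be scripted; the following is an added example, not code from Coblentz or any regulator. It relies on the GPC specification's `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` property (neither is named in the article), and the hostname list, tag-inventory shape, purpose labels, and sample capture are constructed assumptions to be replaced with your own inventory.

```javascript
// Hostnames commonly used by the vendors the article names (assumed list;
// build the real one from your own tag inventory).
const AD_HOSTS = new Map([
  ["connect.facebook.net", "Meta Pixel"],
  ["doubleclick.net", "DoubleClick/Google Marketing Platform"],
  ["googleadservices.com", "Google Ads"],
  ["analytics.tiktok.com", "TikTok Pixel"],
  ["bat.bing.com", "Microsoft/Bing Ads UET Tag"],
]);

// Server side: GPC arrives as the request header "Sec-GPC: 1".
// Header names are case-insensitive; any value other than "1" is not a signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side: page script sees the same preference on the navigator object.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Match a hostname against the inventory, including subdomains, without
// letting look-alike names such as "notdoubleclick.net" match.
function vendorForHost(hostname) {
  const host = String(hostname).toLowerCase();
  for (const [suffix, vendor] of AD_HOSTS) {
    if (host === suffix || host.endsWith("." + suffix)) return vendor;
  }
  return null;
}

// Tag gate: drop tags classified as sale / targeted advertising when GPC is on.
// Inventory entries are hypothetical objects of the form { name, purpose }.
function tagsToLoad(inventory, gpcOn) {
  const restricted = new Set(["sale", "targeted_advertising"]);
  return inventory.filter((tag) => !(gpcOn && restricted.has(tag.purpose)));
}

// Suppression test: given the document request and every URL the page then
// fetched, list ad-vendor requests that still fired. If the document request
// did not carry GPC, the run proves nothing, so gpcSent is reported as false.
function auditCapture(capture) {
  const result = { gpcSent: gpcFromHeaders(capture.document.headers), findings: [], skipped: [] };
  if (!result.gpcSent) return result;
  for (const url of capture.requests) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      result.skipped.push(url); // unparseable entry: keep it for manual review
      continue;
    }
    const vendor = vendorForHost(host);
    if (vendor) result.findings.push({ vendor, url });
  }
  return result;
}

// Constructed sample: a page load recorded with GPC enabled in the browser.
const SAMPLE_CAPTURE = {
  document: { url: "https://shop.example/", headers: { "Sec-GPC": "1" } },
  requests: [
    "https://shop.example/static/app.js",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://bat.bing.com/bat.js",
    "https://cdn.example/fonts/a.woff2",
    "not a url",
  ],
};

// Constructed sample inventory for the tag gate.
const SAMPLE_INVENTORY = [
  { name: "Meta Pixel", purpose: "targeted_advertising" },
  { name: "Error reporting", purpose: "functional" },
];

const report = auditCapture(SAMPLE_CAPTURE);
console.log(JSON.stringify(report, null, 2));
console.log(tagsToLoad(SAMPLE_INVENTORY, true).map((t) => t.name));
```

    A non-empty `findings` list on a GPC-enabled run is the evidence to keep with your compliance documentation; rerun the capture from each state you need to validate.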

    If your company uses third-party advertising or analytics tools like Meta Pixel, Google Ads, or DoubleClick, regulators expect you to be honoring GPC signals today. With this coordinated enforcement sweep underway, now is the time to test, document, and shore up compliance across all applicable jurisdictions.

    Please reach out to the Coblentz team for further information or assistance.

    Categories: Publications
  • EU-U.S. Data Transfers in 2025

    By Mari S. Clifford and Scott C. Hall

    Cross-border data transfers between the EU and U.S. remain a legal and operational minefield. While the July 2023 adequacy decision ushered in the EU-U.S. Data Privacy Framework (DPF), recent developments have called its long-term stability into question. In parallel, both EU regulators and U.S. authorities have ramped up scrutiny of international data flows—ushering in a more complex, risk-sensitive compliance era for transatlantic businesses.

    The State of the Framework

    The DPF, designed to replace the invalidated Privacy Shield, allows certified U.S. companies to receive EU personal data without standard contractual clauses (SCCs) or transfer impact assessments (TIAs). But its legal foundation—U.S. Executive Order 14086—has come under renewed pressure following:

    • Dismissals of key privacy oversight officials in the U.S.
    • Structural changes to the Data Protection Review Court.
    • Broad access authority granted to a new U.S. intelligence body—the Department of Government Efficiency (DOGE).

    The European Commission has signaled support for maintaining the DPF but acknowledged that ongoing U.S. political developments could impact its sustainability. Legal challenges remain possible, and several supervisory authorities have advised against over-reliance.

    Enforcement is Real: The Uber Case

    In January 2025, the Dutch DPA fined Uber €290 million—the largest penalty issued by the regulator to date—for unlawful transfers of EU driver data to the U.S. without valid safeguards after discontinuing SCCs in 2021. Uber argued that GDPR’s territorial scope negated the need for Chapter V safeguards. The DPA rejected this, reaffirming that data transfers must meet all GDPR conditions regardless of joint controllership claims.

    The decision underscores that even global, well-resourced companies cannot afford gaps in transfer compliance.

    New U.S. Restrictions Create Reverse Pressure

    The compliance calculus is also shifting in the other direction. The U.S. Department of Justice’s “Bulk Data Rule,” effective April 2025, imposes strict restrictions on transfers of sensitive personal data from the U.S. to “countries of concern” (including China, Russia, and others). While aimed at national security, the rule applies to any U.S.-based entity—including those acting as processors for EU data—raising novel compliance challenges for onward transfers out of the U.S.

    Implications include:

    • Required audits and risk assessments.
    • CISA-level cybersecurity obligations.
    • Potential delays or restrictions for multinational vendor chains.

    Takeaways for Businesses

    To maintain compliant and resilient data transfer programs in this dynamic environment, organizations should:

    • Verify DPF Certifications: Ensure U.S. recipients are currently certified and that the certification covers the specific data and processing purpose.
    • Retain SCCs and TIAs as a Backup: Maintain robust documentation and fallback mechanisms in case the DPF is invalidated or suspended.
    • Monitor U.S. Bulk Data Rules: Assess whether EU data processed in the U.S. is subject to onward transfer restrictions under the DOJ’s new regime.
    • Conduct Ongoing Transfer Risk Reviews: Include recent regulatory, legal, and political developments in third-country assessments.
    • Align Internal Definitions: Ensure data transfer definitions match those used by EU authorities—including for remote access scenarios.
    • Anticipate Regulatory Questions: Regulators may require granular evidence of safeguards, especially for transfers involving sensitive data (e.g., biometrics, employment, location).

    While the DPF provides useful breathing room, it is not a bulletproof shield. EU-U.S. data flows remain structurally fragile, and organizations must layer compliance strategies—technical, contractual, and legal—to minimize exposure. Proactive alignment with evolving expectations on both sides of the Atlantic remains the best defense.

    If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

    Categories: Publications
  • Updates to U.S. Health-Data Privacy and Wearable Tech

    By Hunter H. Moss and Scott C. Hall

    This year marks a pivotal shift from the era of rapid, unregulated health-tech innovation to one of stringent governance. The proliferation of wearable devices, health applications and remote monitoring tools has led to an unprecedented expansion in legal oversight. New HIPAA regulations, state-level “sensitive health data” laws, and the FTC-broadened breach notification rules collectively underscore a unified message from regulators: safeguard health metrics across all platforms. Organizations handling any health-related data must now navigate an increasingly complex web of overlapping federal and state regulations to avoid significant legal repercussions.

    HIPAA Updates You Must Implement in 2025: Reproductive Health Privacy Rule

    In April 2024, the Department of Health and Human Services (HHS) issued a Final Rule under HIPAA aimed at strengthening privacy protections for reproductive health information. The rule, effective June 25, 2024, and with a compliance deadline of December 23, 2024, would have required covered entities to obtain a signed attestation before disclosing protected health information (PHI) related to lawful reproductive healthcare. It also mandated updates to Notices of Privacy Practices (NPPs) by February 16, 2026.

    However, in a recent development, a federal district court in Texas vacated the rule on July 3, 2025, holding that HHS exceeded its statutory authority and violated the Administrative Procedure Act. The court’s ruling halts enforcement of the reproductive health privacy rule nationwide unless overturned on appeal. As of now, the rule is not enforceable, and covered entities are not obligated to implement its provisions, although legal appeals may follow and some organizations may still voluntarily adopt its safeguards as a best practice.

    For now, entities should monitor ongoing litigation and consider documenting their approach to reproductive-health disclosures in the event the rule is revived or replaced.

    HIPAA Security Rule Notice of Proposed Rulemaking

    On December 27, 2024, the Office for Civil Rights (OCR) at HHS issued a Notice of Proposed Rulemaking (NPRM) proposing significant amendments to the HIPAA Security Rule to bolster cybersecurity protections for electronic protected health information (ePHI). Key proposed changes include mandatory multi-factor authentication (MFA), encryption of ePHI both at rest and in transit, annual technical and non-technical evaluations, and a 24-hour breach notification requirement for business associates. No Final Rule on the matter has been issued.

    FTC Health Breach Notification Rule Now Applicable to Health Apps

    The FTC’s amended Health Breach Notification Rule (HBNR), effective July 29, 2024, expands the scope of entities required to notify consumers and the FTC of breaches involving health information to apps and platforms not covered by HIPAA.

    • Applies to fitness, fertility, mental health, and other apps tracking health data.
    • Requires notification to consumers and the FTC within 60 days of breach discovery.
    • Enforcement actions may include civil penalties.

    State Spotlight – Sensitive Health-Data Laws Beyond HIPAA

    Several states have enacted laws that treat biometric, wellness, geolocation, and inferred health data as sensitive, even when not covered by HIPAA:

    Washington – My Health My Data Act (MHMDA)

    • Effective March 31, 2024 (or June 30 for small businesses).
    • Covers data “collected, derived, or inferred,” including metrics from wearables.
    • Requires opt-in consent and bans geofencing near reproductive health facilities (1,750 feet).

    California – Privacy Rights Act (CPRA)

    • Classifies wearable-derived metrics (e.g., heart rate, skin temperature, sleep) as “sensitive personal information.”
    • Grants consumers the right to opt out of sale or use and mandates data protection impact assessments (DPIAs).

    Texas – Data Privacy and Security Act (TDPSA)

    • Effective July 1, 2024.
    • Covers biometric identifiers and physical health indicators.
    • Entities must offer opt-out rights and adhere to purpose limitation and data minimization.

    Florida – Digital Bill of Rights (FDBR)

    • Effective July 1, 2024.
    • Targets precise geolocation and biometric data, including data collected passively by connected devices.
    • No cure period for violations—raising litigation risk for platform providers and developers.

    Intersections and Blind Spots

    The convergence of federal and state regulations creates complex compliance challenges, particularly for entities operating across multiple jurisdictions. For example, a wearable device used in a healthcare setting may be subject to HIPAA, while the same device used by a consumer falls under state laws like MHMDA or the CPRA. Employers providing wellness programs must navigate HIPAA, the Americans with Disabilities Act (ADA), and state privacy laws, depending on the nature of the data collected and its use.

    Takeaways for Businesses

    To navigate the evolving regulatory landscape, businesses should:

    • Conduct Comprehensive Risk Analyses: Evaluate data flows to identify where health-related data is collected, stored, and shared.
    • Update Policies and Notices: Revise privacy policies and Notices of Privacy Practices to reflect new legal requirements.
    • Enhance Security Measures: Implement MFA, encryption, and other security controls as proposed in the HIPAA Security Rule NPRM.
    • Review and Amend Contracts: Ensure business associate agreements and vendor contracts include provisions for breach notification and data protection.
    • Train Staff: Educate employees on new privacy obligations and procedures for handling health-related data.

    While HIPAA remains a foundational framework for health data privacy, the expanding landscape of state laws and FTC regulations necessitates a more comprehensive approach to compliance. Organizations must proactively assess their data practices, update security measures, and ensure transparency with consumers to navigate the complexities of health data privacy in 2025 and beyond.

    If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

    Categories: Publications
  • What We’re Reading, Watching, and Listening To: September 2025

    A roundup of news and multimedia from the Unfamiliar Terrain team:

    San Francisco

    San Francisco Family Zoning Plan Updates (SF Planning): As of late July, the Planning Department has updated the draft zoning height maps as part of its proposed Family Zoning Plan, which aims to expand housing affordability and availability by allowing for increased density. Critics of this Plan are ramping up their political pressure. If the rezoning is not completed by January 2026, the City risks losing certification of its Housing Element, which could open the door to “builder’s remedy” projects and other penalties from the State.

    S.F. may soon ban natural gas in homes and businesses undergoing major renovations (SF Chronicle): The City may soon ban natural gas in residential and commercial buildings undergoing major renovations (with carve-outs), a move that builds on the City’s existing ban on natural gas in new buildings.

    Cars will soon return to section of San Francisco’s Market Street (SF Chronicle): Under a new City pilot, commuters once again have the option to hail Waymo robotaxis or summon Uber or Lyft black cars at new locations on Market Street, all scattered along a downtown stretch that is closed to private automobiles.

    Bay Area

    The Bay Area is lagging on lofty housing goals. Here’s how far behind each city is (SF Chronicle): Cities across the Bay Area are lagging behind their state-mandated housing goals as high housing costs force out low-income families and construction slows across the state.

    Bay Area housing production is frozen, forcing developers to take riskier bets (SF Standard): Most market-rate projects remain infeasible to build due to high interest rates and construction costs, despite steady rent growth.

    Financing Climate Adaptation and Hazard Mitigation, Part 1: Federal Cuts Increase Bay Area’s Risks (SPUR): The first in a series of articles examining climate adaptation and hazard mitigation financing at the federal, state, and local levels, including current funding gaps and innovative models to bridge them.

    This Bay Area city bet on warehouses over tech offices. Here’s why it paid off (SF Chronicle): Fremont is now the biggest employment center for advanced manufacturing on the West Coast, home to 900 companies that make physical products.

    Berkeley could OK taller buildings on 3 popular streets (Berkeleyside): In a push to bring more housing to wealthy neighborhoods, the city is looking to raise height limits for new buildings.

    San Jose becomes first California city to allow sale of ADUs as condos (SF Chronicle): San Jose approved the state’s first backyard accessory dwelling unit to be sold as a condominium on Thursday, creating a new path to affordable homeownership under legislation that took effect in 2024.

    California and Beyond

    Will New CEQA Reforms Bring More Housing to California? (KQED): A panel discussion on how much of a difference CEQA reform could make in addressing the Bay Area’s housing shortage and where – and when – we might see new developments.

    California Has a Transit Cost Problem — and a New Appetite to Deal With It (SPUR): California has a reputation for costly and slow transit infrastructure development. But the state is attempting to develop ways to cost-effectively fast-track transit projects without jeopardizing public accountability.

    Homelessness is finally dipping across California. These Bay Area counties saw double-digit declines (SF Chronicle): Across 15 California counties that conducted consecutive counts in 2024 and 2025, all but two reported declines in their overall homeless populations.

    As Natural Disasters Become More Costly, Homeowners Foot the Bill (NY Times): Data from the Federal Emergency Management Agency shows that the average property damage from fires and severe storms is trending upward in many parts of the country, potentially costing homeowners more to recover.

    Climate-Driven Housing Mandates Show Promise, But Face Real-World Barriers (MIT Center for Real Estate): While there is broad support for climate goals and recognition that building decarbonization is essential, many apartment owners and managers are struggling to keep pace with the complexity and cost of implementation.

    The Quintessential Urban Design of ‘Sesame Street’ (NY Times): Over its several decades, the show’s setting has always been both realistic and idealistic. And it has evolved, much like the New York City streets that inspired it.

    Categories: Blogs
  • Updates to Children’s Privacy Federal and State Laws

    By Katherine Gianelli and Scott Hall

    Over the past year, the Federal Trade Commission (FTC) has implemented significant updates to the Children’s Online Privacy Protection Act (COPPA) Rule meant to strengthen key protections for children’s privacy online. COPPA applies to children under the age of 13.

    Key Updates to COPPA Rule

    Updated Requirements for Parents to Opt In to Third-Party Advertising: Operators are now required to obtain separate verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising or other purposes. The Rule also expands the methods by which parents can provide consent, allowing (1) knowledge-based authentication using questions that no child under 13 could reasonably answer; (2) face verification against government-issued identification; or (3) a text message to the parent coupled with additional steps for the parent to confirm their identity.

    Limitations Placed on Data Retention: Operators are permitted to retain children’s information for only as long as necessary to fulfill the specific purpose for which it is collected. Operators must establish, implement, and maintain a written data retention policy that specifies (1) the purpose for which the child’s personal information was collected, (2) the specific business need for retaining such information, and (3) a timeline for deleting the information.

    Expanded Definition of “Personal Information”: The Rule updates the definition of personal information to now include biometric identifiers that are used for the automatic or semi-automatic recognition of an individual, including their fingerprints, handprints, retina patterns, genetic data, voice prints, and facial templates. This definition also includes government-issued identifiers, such as birth certificates, ID cards, and passport numbers. Notably, the Rule does not include “data derived from voice data, gait data, or facial data,” which is language that was proposed in the 2024 NPRM.

    Enhanced Privacy Notice Requirements: The Rule requires that the Operator’s privacy notice include details about the specific internal operations for which persistent identifiers are collected, and how the operator ensures these identifiers are not used for any unauthorized purposes. Additionally, if audio files containing a child’s voice are collected, the privacy notice must specify that such collection is done solely to respond to a child’s request and not for any other purpose, and that the collected audio files will be immediately deleted.

    Written Information Security Program: Operators must establish, implement, and maintain a written information security program that aligns with the sensitivity of the children’s data they collect and their business’s size and complexity. The program must include: (1) designated personnel to oversee it, (2) annual assessments of internal and external security risks to children’s data, (3) implementation of safeguards to address those risks, (4) testing and monitoring of those safeguards, and (5) annual evaluation and updates to the security program.

    State Privacy Laws and Age Appropriate Design Code Laws

    While COPPA is meant to serve as a federal baseline for children’s privacy, some states have adopted Age Appropriate Design Code (AADC) legislation, which offers a more stringent set of protections. In the past year, several additional states have adopted their own versions, including Vermont and Nebraska. Other states that are considering AADC-style legislation include Connecticut, Illinois, Minnesota, New Mexico, and South Carolina. AADC laws focus on the design aspects of a digital platform to ensure it is designed to protect the well-being and privacy of children, and they apply to all minors under the age of 18. AADC laws require platforms to design products with children’s best interests in mind, using high privacy settings by default, minimizing data collection, and avoiding profiling or geolocation tracking unless strictly necessary. Operators must provide clear, age-appropriate explanations of how data is used and conduct risk assessments to identify and mitigate potential harms. The AADC laws also prohibit the use of dark patterns, which are manipulative design tactics that pressure minors into sharing data or making harmful choices. The AADC laws ensure platforms are built to support, not exploit, young users.

    Takeaways for Businesses

    Businesses collecting information from minors should be mindful of which state the minors live in and what data is being collected so that they can comply with COPPA and AADC laws if applicable. Businesses should review and update their data collection, retention, and security policies to ensure compliance, and implement new practices as required by COPPA’s latest update.

    If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

  • 2025 Reduction In Property Taxes (Proposition 8)

    Commercial Property Owners May Qualify for Temporary Tax Reductions

    By Jeff A. Bernstein and H. Jacob Lager

    In many instances, office vacancies have led to a significant decline in the values of Bay Area commercial real property in 2025. The value of real property that is used to determine the property tax assessment for the 2025-2026 fiscal year (which runs from July 1, 2025 to June 30, 2026) is determined as of the January 1, 2025 lien date.

    If the market value of your property as of January 1, 2025, is lower than its current assessed value, you may be eligible for a temporary reduction in your property tax assessment under Proposition 8. In such cases where a property owner requests a reduction, the Assessor has the authority to proactively change the assessed value of a property to recognize a decrease in value (a one-time Proposition 8 reduction). If a property owner disagrees with the Assessor’s determination, the owner can file an Appeal with the Assessment Appeals Board and receive an Administrative Hearing. The deadline for filing an Appeal in most counties is September 15, although a few are December 1.

    Our tax partners Jeff Bernstein and Jacob Lager have extensive experience in property tax assessment matters, and have attained significant reductions in property tax valuations for many commercial and multi-family residential properties. If a reduced valuation can be achieved, the property tax savings could be substantial.

    Please contact Jeff Bernstein (jbernstein@coblentzlaw.com) or Jacob Lager (jlager@coblentzlaw.com) directly if you are interested in discussing your potential for a reduced property tax valuation.

    Categories: Publications
  • Reforming the Record: New CEQA Requirements and What They Mean for Litigation Strategy

    Join Coblentz partner KT Van Dusen on Friday, September 5, 2025 as he co-presents the CEB’s Real Property Institute program “Reforming the Record: New CEQA Requirements and What They Mean for Litigation Strategy.” This program will cover new administrative record requirements under CEQA and assess how these reforms may affect litigation strategy, transparency, and the integrity of the public process.

    For more details and to register, please click here.

    Categories: Events