By Katherine Gianelli and Scott Hall

Over the past year, the Federal Trade Commission (FTC) has implemented significant updates to the Children’s Online Privacy Protection Act (COPPA) Rule meant to strengthen key protections for children’s privacy online. COPPA applies to children under the age of 13.

Key Updates to COPPA Rule

Updated Requirements for Parents to Opt In to Third-Party Advertising: Operators are now required to obtain separate verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising or other purposes. The Rule also expands on the methods on which parents can provide consent, which allows for authentication through (1) knowledge-based authentication through questions that no child under 13 could reasonably answer; (2) face-verification as compared to government-issued identification; or (3) text message to the parent coupled with additional steps for the parent to confirm their identity.

Limitations Placed on Data Retention: Operators are permitted to retain children’s information for only as long as necessary to fulfill the specific purpose for which it is collected. Operators must establish, implement, and maintain a written data retention policy that specifies (1) the purpose for which the child’s personal information was collected, (2) the specific business need for retaining such information, and (3) a timeline for deleting the information.

Expanded Definition of “Personal Information”: The Rule updates the definition of personal information to now include biometric identifiers that are used for the automatic or semi-automatic recognition of an individual, including their fingerprints, handprints, retina patterns, genetic data, voice prints, and facial templates. This definition also includes government issued identifiers, such as birth certificate, ID cards, and passport numbers. Notably, the Rule does not include “data derived from voice data, gait data, or facial data,” which is language that was proposed in the 2024 NPRM.

Enhanced Privacy Notice Requirements: The Rule requires that the Operator’s privacy notice include details about the specific internal operations for which persistent identifiers are collected, and how the operator ensures these identifiers are not used for any unauthorized purposes. Additionally, if audio files containing a child’s voice are collected, the privacy notice must specify such collection is done solely to respond to a child’s request and not for any other purpose, and that such collection will be immediately deleted.

Written Information Security Program: Operators must establish, implement, and maintain a written information security program that aligns with the sensitivity of the children’s data they collect and their business’s size and complexity. The program must include: (1) designated personnel to oversee it, (2) annual assessments of internal and external security risks to children’s data, (3) implementation of safeguards to address those risks, (4) testing and monitoring of those safeguards, and (5) annual evaluation and updates to the security program.

State Privacy Laws and Age Appropriate Design Code Laws

While COPPA is meant to serve as a federal baseline for children’s privacy, some states have adopted the Age Appropriate Design Code (AADC) legislation, which offers a more stringent set of protections. In the past year, several additional states have adopted their own versions, including Vermont and Nebraska. Other states that are considering AADC-style legislation include Connecticut, Illinois, Minnesota, New Mexico, and South Carolina. AADC laws focus on the design aspects of a digital platform to ensure it is designed to protect the well-being and privacy of children, and it applies to all minors under the age of 18. AADC laws require platforms to design products with children’s best interests in mind, using high privacy settings by default, minimizing data collection, and avoiding profiling or geolocation tracking unless strictly necessary. Operators must provide clear, age-appropriate explanations of how data is used and conduct risk assessments to identify and mitigate potential harms. The AADC laws also prohibit the use of dark patterns, which are manipulative design tactics that pressure minors into sharing data or making harmful choice. The AADC laws ensure platforms are built to support, not exploit, young users.

Takeaways for Businesses

Business collecting information of minors should be mindful in which state the minors live and what data is being collected so that they can comply with COPPA and AADC laws if applicable. Businesses should review and update their data collection, retention, and security policies to ensure compliance, and implement new practices as required by COPPA’s latest update.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.

Commercial Property Owners May Qualify for Temporary Tax Reductions

By Jeff A. Bernstein and H. Jacob Lager

In many instances, office vacancies have led to a significant decline in the values of Bay Area commercial real property in 2025. The value of real property that is used to determine the property tax assessment for the 2025-2026 fiscal year (which runs from July 1, 2025 to June 30, 2026) is determined as of the January 1, 2025 lien date.

If the market value of your property as of January 1, 2025, is lower than its current assessed value, you may be eligible for a temporary reduction in your property tax assessment under Proposition 8. In such cases where a property owner requests a reduction, the Assessor has the authority to proactively change the assessed value of a property to recognize a decrease in value (a one-time Proposition 8 reduction). If a property owner disagrees with the Assessor’s determination, the owner can file an Appeal with the Assessment Appeals Board and receive an Administrative Hearing. The deadline for filing an Appeal in most counties is September 15, although a few are December 1.

Our tax partners Jeff Bernstein and Jacob Lager have extensive experience in property tax assessment matters, and have attained significant reductions in property tax valuations for many commercial and multi-family residential properties. If a reduced valuation can be achieved, the property tax savings could be substantial.

Please contact Jeff Bernstein (jbernstein@coblentzlaw.com) or Jacob Lager (jlager@coblentzlaw.com) directly if you are interested in discussing your potential for a reduced property tax valuation.

By Scott C. Hall

The California Privacy Protection Agency (CPPA) is now in its second year with full enforcement powers and has begun to exercise its authority under the California Consumer Privacy Act (CCPA) in significant ways in 2025. With the creation of the CPPA and its recent assumption of enforcement authority, a new chapter of privacy rights enforcement has begun. Two recent enforcement actions against American Honda Motor Co. and menswear retailer Todd Snyder Inc. offer the most valuable insights to date into the CPPA’s priorities and expectations. They also highlight operational privacy gaps of which companies of all sizes and in all industries should take note and work to comply with. And, California’s Attorney General has reminded everyone that it is not to be forgotten in privacy enforcement, announcing the highest CCPA settlement to date in connection with a recent enforcement action involving health data.

Case One: Honda – Verification, Cookies, and Contracts

In March 2025, the CPPA announced its first enforcement order—a $632,500 administrative fine against American Honda Motor Co., one of the largest companies to face a formal enforcement action to date. The action stemmed from the CPPA’s 2023 sweep of connected vehicle manufacturers, aimed at scrutinizing how automakers collect and share consumer data via in-vehicle systems and online platforms.

Summary of Violations

• Oververification for Opt-Outs: Honda required consumers submitting requests to opt out of the sale or sharing of their personal information—and requests to limit the use of sensitive personal information—to provide extensive personal details (including name, full address, phone number, and email). Unlike consumer requests for access, deletion and correction, which require identity verification, the CCPA rules prohibit such verification for opt out and limitation rights.
• Confusing Agent Authorization: The company also required consumers to confirm directly with Honda that they had authorized a third party to submit a request on their behalf, a practice explicitly disallowed by CCPA regulations for opt-out and limit-use requests.
• Asymmetry in Cookie Management: The CPPA found Honda’s cookie consent banner violated design symmetry requirements. Consumers could “Accept All” cookies with a single click, but had to individually toggle off categories and confirm their choices to opt out—an unfair burden deemed to be a “dark pattern” under CCPA guidance.
• Failure to Apply GPC to Known Users: Honda did not extend Global Privacy Control-based opt outs to known users with accounts, limiting the scope of opt-out effectiveness.
• Contractual Failures with Adtech Vendors: Honda disclosed personal information to advertising technology partners without executing contracts that included required CCPA provisions, such as limitations on secondary use and data security commitments.

Case Two: Todd Snyder – Infrastructure Failures and Excessive Data Collection

In May 2025, the CPPA announced its second public enforcement order, this time against Todd Snyder Inc., a New York-based menswear retailer with several California locations. In settling with the CPPA, Todd Snyder agreed to pay a $345,178 fine and undertake numerous remedial steps. The case provides a useful contrast to Honda given that Todd Snyder is a smaller company facing many of the same privacy compliance challenges, but with different technical root causes.

Summary of Violations

• Inaccessible Cookie Preferences: For a period of 40 days in late 2023, a defect in the company’s cookie banner caused it to vanish before users could interact with it. As a result, consumers were effectively unable to opt out of tracking and behavioral advertising. This also meant that GPC signals were not honored during the outage.
• Excessive Verification for Al Requests: Todd Snyder required users to upload a photo ID for all privacy requests—including opt-outs and SPI limitation requests—despite the CCPA’s clear prohibition on identity verification for these types of requests.
• One-Size-Fits-All Request Portal: Like Honda, Todd Snyder used a single webform for all consumer rights requests, failing to distinguish between verified and non-verified request types. This design flaw resulted in systematic overcollection of sensitive data.
• Lack of Internal Oversight: The CPPA emphasized that Todd Snyder failed to monitor its third-party privacy management tools and had no effective alerting system in place to catch or correct the cookie banner malfunction.

Case Three: Healthline – Purpose Limitation and Privacy Expectations

On July 1, 2025, the California Attorney General (AG) announced the largest settlement to date under the CCPA: a $1.55 million fine against Healthline Media LLC, a health and wellness website publisher. Unlike the CPPA-led actions against Honda and Todd Snyder, this enforcement was brought by the AG’s office and underscores the ongoing parallel enforcement powers shared between the two agencies.

The case against Healthline marked the first CCPA enforcement action focused on health-related data, highlighting how regulators are applying the law’s provisions to sensitive data practices even where traditional health privacy laws like HIPAA may not apply.

Summary of Violations

• Failure to Honor Opt-Out Requests: Healthline allegedly sold or shared consumers’ personal information even after receiving opt outs, including Global Privacy Control (GPC) signals. Investigators found that third-party advertising cookies continued to collect and transmit information after consumers attempted to opt out.
• Noncompliant Vendor Contracts: The company shared personal data with advertising partners without including CCPA-mandated contractual provisions, such as purpose limitations and requirements for equivalent privacy protections by the recipient.
• Purpose Limitation Violation: This action is notable for including the CCPA’s ”purpose limitation” requirement—one of the first enforcements to do so. The AG alleged that Healthline’s disclosure of article titles relating to medical conditions (e.g., Crohn’s disease) to third parties for advertising purposes went beyond the purposes reasonably expected by consumers. This was true even if such sharing was technically disclosed in the privacy policy.
• Deceptive Practices: Healthline offered a cookie banner that appeared to allow users to disable advertising cookies but did not effectively do so, a practice characterized as deceptive under California’s Unfair Competition Law (UCL).

Enforcement Themes: Key Areas of CCPA Noncompliance

The enforcement actions against Honda, Todd Snyder, and Healthline reveal a consistent set of compliance failures—and signal where California regulators are focusing their scrutiny.

• Oververification: Honda and Todd Snyder unlawfully required consumers to verify their identity for opt-out and SPI limitation requests. Todd Snyder even demanded photo IDs for all requests, violating the CCPA’s data minimization principle.
• Poor UX and Dark Patterns: Honda’s cookie interface made opting out harder than opting in, while Healthline’s banner failed to function at all. The takeaway: design choices that confuse or burden users undermine valid consent and can lead to enforcement.
• Technical Failures: Todd Snyder’s broken cookie banner and Healthline’s ineffective opt-out tools show that nonfunctional systems—even due to vendor error—are the business’s responsibility.
• Ignoring GPC Signals: All three companies failed to properly process Global Privacy Control (GPC) signals. CCPA requires honoring GPC not only at the browser level, but across known user profiles.
• Missing Vendor Contracts: Honda and Healthline disclosed personal data to ad tech vendors without the required contracts limiting use, a recurring violation with high enforcement risk.
• Purpose Limitation: Healthline broke new ground by triggering enforcement under the CCPA’s purpose limitation rule. Sharing article titles that suggest medical conditions for ad targeting went beyond what a reasonable consumer would expect—even if disclosed. The AG’s action here probes into the subjective expectations of consumers, suggesting that even disclosed practices can be unlawful if they feel inherently invasive or unexpected. It also requires businesses to think hard about seemingly innocuous data like an article title that can become sensitive when tied to consumer identity.

Final Thoughts: Functional Privacy, Not Just Formalities

California regulators have made clear that privacy rights must be real, accessible, and aligned with consumer expectations. Enforcement is no longer just about having a policy—it’s about making privacy work in practice. From broken cookie banners to overbroad data sharing, businesses subject to the CCPA should be proactively and carefully evaluating their practices and making necessary improvements.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.