By Hannah Withers and Hannah Jones

In 2025, three federal district courts in California addressed the same open question and reached a similar conclusion: that under California’s Fair Employment and Housing Act (“FEHA”), California employers may be required to engage in the interactive process and potentially provide reasonable accommodations to caretaker employees who are not disabled themselves, but who request accommodations to care for other disabled persons. This requirement goes beyond the prohibition of discriminating against employees because they are associated with disabled individuals and has practical implications for how employers need to evaluate leave requests, schedule modifications, and other accommodations sought by employee caregivers.

This Is Only About Disability Accommodations Under FEHA, Not The Federal ADA

This development is specific to California’s FEHA and it does not arise under the federal Americans with Disabilities Act (“ADA”). The distinction stems from how the two statutes are structured.

Under the ADA, the prohibition relating to discriminating against an employee for “association” with someone who is disabled appears only in the anti-discrimination provision, not in the accommodation provisions. Federal courts have therefore consistently held that the ADA does not require accommodation of a non-disabled employee based on associational disability.

FEHA arguably allows a different approach. California Government Code Section 12926(o) defines the statute’s list of protected characteristics, including “physical disability” and “mental disability,” to encompass “a perception that the person is associated with a person who has, or is perceived to have, any of those characteristics.” Some Courts have interpreted this definition to apply to the entirety of FEHA’s unlawful practices provisions, including Section 12940(m), which requires employers to make reasonable accommodation for “the known physical or mental disability of an applicant or employee,” and Section 12940(n), which requires employers to engage in an interactive process to determine effective reasonable accommodations for “an employee or applicant with a known physical or mental disability.” However, although that interpretation is not universally accepted and remains subject to further judicial clarification, employers should be aware that courts are extending the accommodation requirement this way.

The Backstory: Castro-Ramirez and the Unresolved Question of Associational Disability Accommodation

This issue has been percolating for years. In 2016, the California Court of Appeal in Castro-Ramirez v. Dependable Highway Express, Inc., 2 Cal. App. 5th 1028, held that FEHA supports a cause of action for associational disability discrimination. But the court expressly declined to decide whether FEHA also requires employers to accommodate employees based on an associational disability, suggesting only that Section 12940(m) “may reasonably be interpreted to require accommodation based on the employee’s association with a physically disabled person.” In the years that followed, a handful of unpublished decisions concluded the opposite, reasoning that the accommodation provisions do not expressly incorporate the broader definition of disability from Section 12926(o). Meanwhile, in late 2020 and early 2021, the Fair Employment and Housing Council itself issued a Request for Public Input on this very question, signaling that even the regulatory body overseeing FEHA viewed the issue as unsettled.

The 2025 Trilogy: Acosta, Head, and De Wit

In 2025, three federal district courts in California squarely confronted the open question and each concluded that FEHA does require accommodation and interactive process engagement for associational disability claims.

Acosta v. NAS Insurance Services, LLC (C.D. Cal.)

In Acosta, the plaintiff requested reduced hours, a flexible schedule, and full-time remote work to care for her son, who had been diagnosed with a severe developmental delay. Her employer denied every request, telling her that “accommodations are for employees who have a disability, and do not extend to dependents of employees for whom the employee is a caretaker.” She alleged she was eventually constructively terminated. The court denied the employer’s motion to dismiss, including claims for failure to engage in the interactive process and failure to provide reasonable accommodation under FEHA, holding that Sections 12940(m) and (n) “embrace employees perceived to be associated with a person who is disabled” and rejecting the argument that ADA precedent should control.

Head v. Costco Wholesale Corporation (N.D. Cal.)

In Head, a Costco employee exhausted his FMLA/CFRA leave and Costco’s one-year leave policy while caring for his wife, who had cancer. When told he must return to work or resign, he resigned and Costco later declined to rehire him after his wife passed away. The court denied the motion for summary judgment on the failure to accommodate and interactive process claims, allowing them to proceed on an associational disability theory.

De Wit v. Amazon.com Services, LLC (C.D. Cal.)

In De Wit, the plaintiff took intermittent leave to care for his mother, who suffered from dementia, and was terminated after a disputed leave calculation resulted in negative unpaid time off under Amazon’s attendance policy. The court granted summary judgment for Amazon on the facts, but agreed that claims for failure to accommodate and engage in the interactive process may be brought on an associational disability theory. The court emphasized that Amazon had approved multiple leave requests, communicated with the employee, and applied its policies consistently, which were facts that supported its defense despite recognizing the viability of the legal theory.

What This Means for Employers

These decisions are not binding on California state courts as the California Supreme Court has not yet addressed the issue. However, this case trend suggests that at least some courts may be receptive to associational disability claims based on a failure to accommodate or engage in the interactive process. In this developing landscape, employers confronting caregiving-related requests may face increased scrutiny regarding whether any individualized assessment or interactive process occurred, even as the scope of any obligation remains unsettled.

If you have questions about how these developments may affect your workplace policies or about a specific accommodation request, please contact any member of the Coblentz Employment Group.

This alert is intended to provide general information and does not constitute legal advice. Each situation is fact-specific, and you should consult with counsel regarding your particular circumstances.

By Scott Hall, Phillip Wiese, and Katherine Gianelli

Since CalPrivacy (formerly the CPPA) finalized sweeping updates to the California Consumer Privacy Act (CCPA) regulations in July 2025, risk assessments are now a centerpiece of data privacy compliance. The message from regulators is clear: California is moving decisively toward a proactive, risk-based privacy regime, and businesses will be expected to evaluate and document their higher-risk data practices before they occur.

For many organizations, this marks a significant evolution in compliance expectations. Risk assessments are no longer a matter of internal best practice. They are now a formal, enforceable requirement that will demand new processes, closer coordination across teams, and greater executive oversight and accountability.

Risk Assessments as a Core Compliance Obligation

Beginning January 1, 2026, businesses subject to the CCPA must conduct risk assessments for processing activities that present a “significant risk” to consumers’ privacy. These assessments must be completed before the relevant processing takes place, reflecting a shift away from reactive compliance and toward forward-looking risk management.

The scope of what constitutes “significant risk” is broad. In practice, it will capture many common data-driven activities, including the sale or sharing of personal information, the use of sensitive personal data such as precise geolocation or health information, and the deployment of automated decision-making technologies in consequential contexts like hiring, lending, or housing. Profiling in workplace or educational environments, as well as certain AI and analytics tools that infer consumer characteristics, also fall within the scope.

For companies that rely heavily on data analytics, targeted advertising, or use of automated decision-making technology, this means that risk assessments are likely to become a routine and recurring part of operations, rather than an occasional compliance exercise.

A Structured and Substantive Analysis

The CCPA regulations set forth the specific information an assessment must contain. Businesses will need to prepare a written analysis that clearly explains the purpose of the processing, the categories of personal information involved, and how the data will be used, retained, and shared. Business employees whose job duties include participating in the processing of personal information subject to a risk assessment must be included in the business’s risk assessment process.

At the heart of the requirement is a balancing test: organizations must weigh the benefits of the processing, both to the business and to consumers, against the foreseeable risks to individual privacy. In doing so, the analysis must:

• Identify the specific business purpose for processing;
• Identify the categories of personal information involved, including any sensitive personal information, and the minimum information necessary for achieving the stated business purpose;
• Identify any safeguards in place to mitigate risks; and
• Document operational details of the processing, including:
  • How the information is collected, used, and disclosed;
  • The duration of retention (or how such duration will be determined);
  • How the business interacts with customers;
  • How many customers are affected;
  • What disclosures the business makes to customers about the processing; and
  • What third parties (service providers, contractors, or otherwise) will have access to that information and what purpose that access will serve.

This assessment requires thoughtful judgment and attention to detail as those with knowledge of the processing consider questions about the business’s data processing practices.

As noted, risk assessments must be completed prior to initiating any processing activity that presents a significant risk to consumer privacy. Additionally, businesses must update their risk assessments within 45 days when there is a material change relating to the processing activity, or, at minimum, every three years.

Reporting Obligations

CalPrivacy has coupled these substantive requirements with new reporting and certification obligations. Businesses will be required to submit summaries of their risk assessments by April 1 the year after they have been completed, starting April 1, 2028.  The summary must certify under penalty of perjury that the substance of the risk assessment is correct. While full assessments do not need to be routinely filed, they must be maintained and produced upon request.

This framework transforms risk assessments into regulator-facing documents, not just internal analyses. As a result, companies should expect that their reasoning, methodologies, and conclusions could be scrutinized in an enforcement context by CalPrivacy.

Implementation Timelines and Transition

The regulations provide a phased timeline, but the runway is shorter than it may appear. The obligation to conduct risk assessments began in January 2026, and existing data processing activities must be evaluated and a risk assessment prepared by the end of 2027, covering processing during 2026 and 2027. But for any new processing activities started after January 1, 2026 that trigger compliance obligations, a risk assessment must be completed before that new processing can begin. The first round of annual reporting is set to occur on April 1, 2028, with ongoing summary submissions required each year thereafter.

Given the breadth of in-scope activities and the level of detail required, many organizations will need substantial lead time to build and operationalize compliant programs.

Preparing for Risk-Based Privacy Practices

The practical impact of these requirements will extend across the enterprise. Legal and privacy teams will need to develop standardized frameworks and documentation processes, while product, engineering, and data teams will need to integrate risk analysis into development lifecycles. Security functions will play a key role in aligning technical safeguards with identified risks, and senior leadership may be called upon to review and certify compliance.

Organizations that have not yet formalized their data governance practices may face particular challenges, especially in mapping data flows and documenting decision-making. At the same time, companies with more mature privacy programs will need to revisit and enhance their existing processes to meet CalPrivacy’s more prescriptive and transparent requirements.

Looking Ahead

California’s regulations reinforce its position at the forefront of U.S. privacy law and reflect a broader global trend toward risk-based regulation. For businesses, the takeaway is clear: Now is the time to conduct risk assessments on relevant processing activities and to start preparing plans to submit summary assessments to CalPrivacy.

Organizations that act now to build scalable, defensible risk assessment programs will be better positioned not only to meet regulatory expectations, but also to support responsible innovation in an increasingly complex data landscape.

The Coblentz Data Privacy & Cybersecurity team can help you navigate CalPrivacy’s risk assessment requirements. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.

By Scott Hall and Phillip Wiese

CalPrivacy (formerly the California Privacy Protection Agency), announced recently that it intends to begin auditing businesses’ compliance with the California Consumer Privacy Act (CCPA).  

In February 2026, CalPrivacy formed its Audits Division to conduct compliance audits. The agency expects those audits to begin later this year and will focus on obtaining and analyzing privacy and technology records to ensure businesses are adhering to the CCPA’s requirements. CalPrivacy also expects the Audits Division to work closely with the Enforcement Division, which has been settling enforcement proceedings in recent months.

While CalPrivacy has not identified the initial focus areas of its audits, businesses should confirm compliance with all aspects of the CCPA. Recently, the CalPrivacy Enforcement Division has paid particular attention to children’s data, minimizing friction for exercising CCPA rights, and data broker obligations. Under the CCPA, businesses must also have a comprehensive privacy policy, updated on an annual basis.

If you have questions about your obligations under the CCPA, or if you would like for a Coblentz attorney to review your privacy policy, assist with a risk assessment, or facilitate a cybersecurity audit, please reach out to Scott Hall or Phillip Wiese. Our Data Privacy & Cybersecurity team would be happy to assist you.

By Scott Hall and Phillip Wiese

The Seventh Circuit recently confirmed that the 2024 amendment to the Illinois Biometric Information Privacy Act (“BIPA”) would apply retroactively, effectively limiting the available statutory damages under the statute. Going forward, damage awards under sections 15(b) or 15(d) will be limited for each plaintiff to “at most, one recovery” regardless of the number of violations, avoiding what at least one defendant described as “potentially crippling financial liability” for even simple BIPA violations.

BIPA Overview

BIPA prohibits companies from collecting, obtaining, or disclosing an individual’s biometric data, including biometric identifiers (e.g., eye or fingerprint scans, voice prints, face geometry, etc.) or biometric information (i.e., data derived from a biometric identifier) without first providing notice to and obtaining consent from the individual. Subsection 15(b) governs collection of biometric data and subsection 15(d) governs its disclosure. Plaintiffs could recover $1,000 for a negligent violation, or $5,000 for an intentional or reckless violation of the statute. Importantly, however, the law as originally written did not specify how to calculate damages or whether plaintiffs could recover for each time a company collected, obtained, or disclosed the biometric data. For example, BIPA was silent as to whether a plaintiff who clocked in using a fingerprint scanner twice a day for 30 days without providing consent could recover just once, up to $5,000, or for sixty separate violations, as much as $300,000. Plaintiffs have used this ambiguity to extract large settlements from companies.

In 2023, the Illinois Supreme Court confirmed that damages should be awarded on a “per-scan” basis.[1] In other words, each time a company collected, obtained, or disclosed an individual’s biometric data without consent, it could be liable for statutory damages. The Illinois Supreme Court also wrote, in dicta, that to the extent the decision would result in “excessive damage awards,” the Illinois legislature could amend the law.

The Illinois General Assembly took up the Supreme Court’s offer in 2024, amending the damages section of BIPA to clarify that each person could recover for “one recovery” under subsections (b) and (d) so long as the company used “the same method of collection” for each.[2] The legislature also confirmed the discretionary nature of any damages award by noting that an individual is entitled to “at most,” recovery based on a single violation.[3]

Retroactive Application of Amendment

After Cothron, the question remained as to whether the amendment would have retroactive effect. The Seventh Circuit recently held in the affirmative, that the damages cap would have retroactive effect.[4] The Seventh Circuit analyzed whether the amendment was substantive or procedural. Only procedural amendments could be retroactive under Illinois law.

The BIPA amendment was procedural because it involved the “rules that prescribe[d] the steps for having a right or duty judicially enforced.”[5] The text of the amendment and the Illinois Supreme Court’s discussion of Section 20 in Cothron indicated that it addressed the availability of damages, not proscribed conduct. Additionally, the amendment exclusively was contained in the damages section of BIPA, not in the liability section. Each of these points demonstrated that the amendment was remedial and therefore procedural, so it could have retroactive effect.

The appellees argued that the panel’s interpretation would wipe away millions of dollars of liability, and also that whether someone has been injured once or a thousand times is a matter of substance,[6] but the Court was not persuaded and pointed to language in Cothron noting that damages were discretionary, so plaintiffs were not guaranteed any specific recovery in the first place.[7]

Key Takeaways 

• Going forward, there will be upper limits on the amount of damages available to plaintiffs. Each plaintiff can seek up to $5,000 for violations of BIPA sections (b) or (d). No longer can a plaintiff seek damages for every BIPA violation over the course of multiple years, which may lower a company’s exposure exponentially.
• Courts still have discretion over the amount of damages, up to the statutory maximum, or even whether to award damages at all.
• Businesses that collect biometric data should continue to maintain a privacy policy that discloses the specific data collected and collect data only from those consumers who expressly consent.
• The Texas biometric privacy law allows the Texas Attorney General to levy fines based on each individual violation, now putting that law at odds with BIPA. The Texas law does not have a private right of action.

The Coblentz Data Privacy & Cybersecurity team is experienced at litigating BIPA matters and can help you navigate the changing legal landscape. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.

 

[1] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 927 (Ill. 2023).

[2] 740 ILCS 14/20(b), (c).

[3] Id.

[4] Clay v. Union Pacific Railroad Co., 2026 WL 891902 (7th Cir. Apr. 1, 2026).

[5] Id. at *3.

[6] Id. at *4

[7] Id. at *6.

Join Coblenz partner Ashley Weinstein-Carnes on Thursday, May 21, 2026 during the Bisnow Bay Area Senior Housing Summit. Ashley will moderate the panel “Building and Designing Senior Housing that Performs,” which will cover how senior housing facilities are being designed and built to support comfort, accessibility, safety, and wellness while maintaining efficiency and constructibility. For more details and to register, please click here.