By Scott Hall and Phillip Wiese

The Ninth Circuit recently issued a decision partially lifting a broad preliminary injunction staying enforcement of the California Age-Appropriate Design Code Act (“CAADCA”). As a result, portions of the law are now in effect and create ongoing obligations for businesses that provide online services, products, or features “likely to be accessed by children.” Those provisions are described below.

By way of background, the California legislature in 2022 enacted the California Age-Appropriate Design Code Act (“CAADCA”), which established certain standards to protect children’s privacy online. Importantly, the law defined a child as anyone under 18 years old. This creates a separate age threshold from the CCPA, which imposes certain obligations for children under 13 and under 16 years old. Practically since the CAADCA was enacted, the law has faced legal challenges and has been preliminarily enjoined by courts, but as a result of the recent Ninth Circuit decision, the preliminary injunction as to the entire law has been lifted and portions of the law are now in effect.

Although litigation is ongoing and the implementation of the law continues to develop, the CAADCA imposes the following obligations for businesses:

• Estimate the age of child users or apply a “high level” of privacy protection to all users;
• Set privacy settings for children to the highest level by default;
• Use age-appropriate language for privacy policies aimed at children;
• Allow parents to monitor the child’s online activity and provide a signal to the child when being tracked;
• Provide tools to help users exercise their privacy rights;
• Minimize and limit the usage of personal information collected to estimate a child’s age; and
• Not process a child’s precise geolocation by default or absent a signal that the geolocation is being collected.

There are also a number of provisions that are not in effect and remain subject to the Ninth Circuit’s preliminary injunction:

• Businesses are not presently required to conduct Data Protection Impact Assessments (“DPIA”) for any product or service likely to be accessed or used by children. The Ninth Circuit held that this was a violation of First Amendment rights.
• There are a number of prohibitions in the CAADCA on collecting or using children’s personal information (1) that the business knows “is materially detrimental to the physical health, mental health, or well-being of a child” or (2) absent a compelling reason that the collection or use “is in the best interests of children.” The Ninth Circuit held that the quoted language was unconstitutionally vague and those prohibitions are not enforceable.

In addition to the evolving legal landscape in California, other state legislatures have started drafting their own child privacy laws. Similar laws have been enacted in Arkansas, Colorado, Louisiana, Maryland, Mississippi, Montana, Nebraska, New York, Texas, Utah, and Vermont, although no two laws are the same. And while legal challenges have been raised with respect to many of these laws, the focus on children’s privacy rights remains clear. We expect these laws to be the focus of state regulators and privacy advocates for the foreseeable future.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Phillip Wiese at pwiese@coblentzlaw.com for further information or assistance.

A roundup of news focused on real estate issues in the June 2026 state and local elections.

California

I Have Some Questions for the Democrats Who Want to Run California (New York Times): Ezra Klein hosted California’s top five Democratic candidates for governor to learn how each candidate plans to make progess on the issue of housing affordability.

‘Buckshot’ or moonshot? Dem candidates to replace Newsom offer grand plans for more housing (Politico): A central question for the Democratic candidates for California’s next governor is whether they will pursue many incremental “buckshot” fixes for more housing or implement a sweeping “moonshot” strategy to meaningfully increase supply.

How California’s Next Governor Would Tackle Rent, Insurance and Housing Costs (KQED): The gubernatorial candidates have made housing a leading issue in their campaigns, including a focus on the need to lower construction costs and address homelessness, but diverge on certain housing issues.

Here’s How California’s Next Governor Will Change Your Taxes (KQED): California’s leading gubernatorial candidates offer sharply different tax plans against the backdrop of affordability concerns and a projected state budget deficit.

San Francisco

The real estate industry picks its candidate in CA-11 (The Real Deal): Of San Francisco’s three leading congressional candidates, the real estate industry has contributed more to State Senator Scott Wiener’s campaign than to those of Supervisor Connie Chan or former congressional staffer Saikat Chakrabarti.

Scott Wiener passed laws that made it easier to build in California. Can he do the same in Congress? (Cal Matters): If elected, Senator Scott Wiener’s record of passing ambitious pro-housing laws in California may be tested against the far slower, less centralized realities of Congress.

S.F. Mayor Daniel Lurie’s edge at City Hall could hinge on these two supervisor races (SF Chronicle): Two closely watched San Francisco supervisor races have become proxy battles over Mayor Daniel Lurie’s pro-housing and moderate governance agenda, with challengers criticizing the Lurie-appointed incumbents’ support for denser zoning and their alignment with the mayor and his political allies.

Join Scott Hall and members of the Coblentz Data Privacy Team on Tuesday, June 16, 2026 for a timely discussion of key developments shaping the privacy, cybersecurity, and AI landscape this year.

Learn about practical considerations for your business and gain insight into:

• Emerging AI legal and regulatory developments at the state and federal levels
• CCPA enforcement trends and recent regulatory developments
• Compliance obligations under recent CCPA regulations and other state privacy laws
• Key privacy litigation trends, including claims under CIPA, VPPA, CDAFA, and BIPA

To register, please click here. 

Date: Tuesday, June 16, 2026

Time: 10:00am – 11:ooam PDT

Format: Join us via webinar

CLE credit: This program is eligible for 1.0 Technology in the Practice of Law California MCLE credit. CLE is earned by both viewing and listening to this program for no less than 60 minutes. Dial-in only participants will not earn credit. Virtual attendance will be tracked and logged. CLE certificates of attendance will be made available via email in the days following the presentation.

By Scott Hall and Saachi Gorinstein

California’s data broker regulations continue to evolve, raising important compliance questions for businesses that compile and license personal data, including what constitutes a data broker and what obligations attach to those businesses. Those questions are often not straightforward, especially where personal information is collected through publicly available databases. Companies operating in B2B data markets should review and assess their obligations under the California Consumer Privacy Act (CCPA) and California’s Data Broker Law as updated by SB 362 and SB 361.

SB 362 and SB 361 amended California’s Data Broker Law by adding new obligations for businesses that qualify as data brokers: SB 362 (the “Delete Act”) established a centralized deletion mechanism and new operational requirements, including the Delete Request and Opt-out Platform (“DROP”) system, while SB 361 (the “Defending Californians’ Data Act”) expanded registration disclosure and transparency obligations.

When Does a Business Qualify as a Data Broker?

A “data broker” is a business that knowingly collects and sells personal information about consumers with whom it does not have a direct relationship. This definition incorporates key terms from the CCPA, including “personal information” and “sale.”

A critical threshold issue is whether the data being collected and sold qualifies as “personal information.” “Sale,” here and under the CCPA, means to sell, rent, disclose, make available, or otherwise disseminate a consumer’s personal information in exchange for monetary or other valuable consideration. And “personal information” is information that identifies, relates to, or could reasonably be linked with a consumer or a consumer’s household.

The CCPA excludes certain publicly available information from the definition of personal information, including information lawfully made available from federal, state, or local government records, certain information made available to the general public by the consumer or from widely distributed media, and certain information made available by a person to whom the consumer disclosed the information, if the consumer has not restricted it to a specific audience.

As a result, a business that collects and sells only publicly available information may not be handling “personal information” for purposes of the data broker definition. However, there is no categorical exemption for businesses that rely on public records. The analysis turns on whether the data retains its status as publicly available information or is transformed through the business’s aggregation, enhancement, or licensing practices.

For companies that compile professional contact data from licensing boards or government registries, this distinction can be outcome-determinative. While the CCPA excludes certain publicly available information from the definition of personal information, the analysis may become more complex where that data is aggregated, enhanced, or combined with other sources, raising questions as to whether the resulting dataset continues to qualify as publicly available information.

Do Data Brokers Have to Delete Public Record Data?

An important nuance is that DROP changes how consumers submit deletion requests, but it does not eliminate existing statutory limitations on consumer rights under the CCPA.

Upon receiving a DROP request, a data broker must delete the consumer’s personal information in its possession. Critically, however, under the CCPA, publicly available information is excluded from the definition of personal information for certain purposes. As a result, CCPA consumer rights, including the right to deletion, generally do not apply to such information.

CalPrivacy guidance reinforces this point, stating that businesses may deny consumer requests, including deletion requests, where the information at issue is “publicly available information” or otherwise exempt from the CCPA. More broadly, data brokers may retain personal information if an applicable CalPrivacy deletion exception applies. These exceptions include, among others, completing transactions, security and fraud prevention, legal compliance, and internal operational uses. When an exception applies, the business must limit use of retained data to the purpose justifying retention.

At the same time, businesses should avoid treating this as a blanket exemption. Whether information qualifies as publicly available is a fact-specific inquiry, particularly where data is aggregated, enhanced, or combined with other datasets. If a business holds both exempt publicly available information and non-exempt personal information about a consumer, the non-exempt data may still need to be deleted in response to a request.

In addition, even where a deletion request is denied, other obligations may still apply. For example, if a business sells or shares personal information, it must still inform consumers of their right to opt out of such sale or sharing.

Accordingly, while DROP introduces new operational requirements for processing deletion requests, it does not expand the scope of what information must ultimately be deleted under the CCPA. Depending on the volume and type of data collected, this process could take time, so businesses may want to start categorizing their data now, ahead of the August 1 deadline to begin processing deletion requests.

“Direct Relationship” Interpretation

The Data Broker Law also requires that the business lack a “direct relationship” with consumers. The recent Delete Act regulations add crucial context defining a direct relationship as one in which the “consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services.”

This definition is important for businesses that collect data through indirect or passive means, including third-party tracking technologies, data append services, or third-party datasets. A business should not assume that collecting data directly from a consumer necessarily creates a direct relationship. The consumer’s interaction must be intentional and directed to the business’s own products or services.

Even with this definition, important questions remain. For example, businesses may still need to assess how the concept applies in attenuated B2B contexts, whether particular interactions with individual business representatives are sufficient, and how data obtained outside a first-party interaction should be treated. These issues require careful, fact-specific analysis.

2026 Compliance Timeline and Requirements

While determining whether a company is a data broker can be complicated, once that determination has been made, the compliance timeline and requirements are more straightforward. Businesses that qualify as data brokers face several key obligations beginning in 2026:

• Registration: Data brokers must register annually with CalPrivacy (formerly the CPPA) by January 31 following each year in which they meet the definition.
• DROP System: As part of registration, businesses must create an account on CalPrivacy’s Delete Request and Opt-Out Platform (DROP), which took effect on January 1, 2026. Then, beginning August 1, 2026, data brokers must access the DROP system at least once every 45 days and process verified deletion requests through it, subject to statutory exceptions. While this obligation does not affect whether the Company must register for 2026, it is a new material operational compliance requirement after registration.
• Metrics Reporting: By July 1 each year, data brokers must publish detailed metrics in their privacy policies regarding consumer requests, including the number of requests received, fulfilled, and denied, and response times.
• Audits: Starting January 1, 2028, data brokers must undergo independent third-party audits every three years and maintain audit records for six years.

SB 362 and SB 361 expand disclosure and operational requirements, including more detailed reporting on the categories of personal information collected and consumer request handling.

Enforcement Risk and Prior-Year Exposure

CalPrivacy has made data broker compliance a clear enforcement priority. The agency has conducted enforcement sweeps and entered into settlements with data brokers for violations of the Delete Act, signaling increased scrutiny.

Failure to comply with registration requirements can result in:

• Administrative fines of $200 per day of non-compliance;
• Payment of unpaid registration fees; and
• Recovery of CalPrivacy’s investigative and enforcement costs.

Separate penalties may apply for failure to comply with deletion requirements, including fines of $200 per day per unfulfilled deletion request.

In addition, CalPrivacy and the California Attorney General may seek civil penalties of up to $2,663 per violation and $7,988 per intentional violation, including for violations involving minors. Importantly, these penalties may apply not only to current violations, but also to prior-year conduct within the applicable statute of limitations.

Key Takeaways

For B2B businesses that license or monetize data, several takeaways emerge:

• Public record sourcing does not automatically resolve data broker status.
• Whether data qualifies as “publicly available” under the CCPA is a critical threshold issue.
• The meaning of “direct relationship” requires careful, fact-specific legal analysis.
• 2026 introduces significant new operational obligations, including DROP-based deletion workflows.
• Enforcement is active, and non-compliance carries meaningful financial and operational risk.

Given these developments, businesses should evaluate their data practices now to determine whether they may qualify as data brokers and to prepare for upcoming registration and compliance requirements.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

 

By Scott Hall

Artificial intelligence regulation has entered a new phase. What started as policy conversations about innovation, ethics, and voluntary guardrails is now a real compliance issue centered on privacy, transparency, discrimination risk, and accountability for automated outcomes. For businesses, the question is no longer just whether to use AI, but how to use it responsibly, lawfully, ethically, and efficiently, while building trust with consumers.

California remains one of the key states to watch. The state has continued to expand its privacy framework in ways that directly affect AI systems, including through the CPPA’s finalized rules on automated decision-making technology, risk assessments, and cybersecurity audits, as well as statutes addressing AI disclosures, training-data transparency, and synthetic content. Those developments are important —not just because of California’s market power, but because they reflect a broader regulatory instinct: treating AI as part of the privacy and consumer protection landscape, especially when automated tools rely on personal information.

At the same time, federal AI policy has become more unsettled. Rather than moving toward one comprehensive federal law, the national approach has continued to shift with changing administrations, executive branch priorities, and agency agendas. President Trump recently issued a “National Policy Framework for Artificial Intelligence” intended to preempt state law and address seven objectives that, in many ways, directly contradict the AI framework set out by the Biden administration and states that have already implemented AI regulations. In particular, rather than tighten restrictions on AI systems, the Trump framework would avoid broad content standards with the goal of avoiding excessive litigation. Even if the framework is not enacted, the uncertainty leaves businesses in an awkward position. Less federal oversight does not necessarily mean lower risk. In practice, it often means less uniformity, more uncertainty, and greater pressure to track what states, regulators, and private plaintiffs are doing without a lot of central guidance.

This reality helps explain why states continue to move aggressively to fill the gap. Some are adopting broad, risk-based AI frameworks. Others are focusing on narrower but still important issues, such as chatbot disclosures, profiling, health-related uses, insurance determinations, and AI tools used in employment decisions. The regulatory picture is developing issue by issue and sector by sector, rather than through a single national standard. That legal and regulatory patchwork—which is familiar in the privacy landscape—is harder for businesses to manage, but it is quickly becoming the reality for AI.

One notable theme is that states are increasingly using existing legal frameworks to address AI risk, rather than waiting for entirely new AI statutes. In employment, for example, states are starting to apply discrimination principles directly to automated hiring and screening tools. In privacy, states are using profiling, sensitive-data, and transparency rules to reach AI systems that make or support consequential decisions. That means companies must not only monitor new AI laws, but also consider how older laws may apply to the new technologies they are using.

We are also likely to see different rules for different AI uses. Not every AI-enabled tool will draw the same level of scrutiny. Consumer-facing tools that support routine tasks are likely to face lighter oversight than systems used for underwriting, hiring, eligibility, diagnosis, or other decisions that can significantly affect individuals. That risk-based approach is consistent with both the EU model and California’s Automated Decision-making Technology (ADMT) rules, which focus more closely on significant decision-making contexts. For companies, the practical takeaway is that compliance efforts should be prioritized based on use case, not just on whether a tool is labeled “AI.”

Globally, the EU AI Act remains the leading comprehensive model, with obligations tied to risk classification and substantial requirements for high-risk and general-purpose AI systems. Other jurisdictions are taking different approaches, but the overall direction is the same: more formal governance and more regulatory interest in documentation, transparency, and accountability. For companies operating across borders, that means AI compliance cannot be treated solely as a U.S. state-law issue. It increasingly requires a governance structure that can respond to different legal triggers while maintaining a consistent baseline of documentation and control.

We can also expect regulators to dig deeper into how AI works in practice. They want to know what data a system uses, how its outputs are reviewed, whether human oversight is real or just nominal, and whether the system creates privacy, fairness, or transparency concerns. As a result, AI governance is starting to look a lot like privacy compliance: inventorying systems, documenting use cases, assessing risk, limiting data use, testing for problems, and putting controls in place that can be defended later. Accountability in how AI is actually used matters more than simply having a policy on paper. It is also worth noting that enforcement risk is not limited to agency action. As AI becomes more embedded in decision-making, private plaintiffs are also testing new theories in private litigation, including through discrimination claims for AI use in employment and hiring decisions, or wiretapping claims for AI notetaking tools or other online services.

Ultimately, AI regulation is not emerging through just one statute, one agency, or one theory of liability. It is developing through privacy law, consumer protection, sector-specific regulation, administrative rulemaking, state legislation, and private litigation, often all at once. In the U.S., California remains one of the clearest signals of where this is heading, but it is not alone. Businesses adopting AI should expect questions not just about what the technology can do, but about what data is used, how it is governed, whether and how humans remain accountable, and whether AI use matches reasonable expectations of privacy and fairness. As AI becomes embedded in business operations, companies will be best positioned to manage risk when governance is built into everyday decision-making and workflows, rather than addressed only after problems arise.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

Navigating the Evolving Legal Landscape of Data Privacy, Cybersecurity, and AI

By Scott Hall, Phillip Wiese, Leeza Arbatman, Kat Gianelli, and Saachi Gorinstein

Download a PDF version of this report here.

Privacy, cybersecurity, and AI regulation continue to be front and center in all aspects of business operations. Two additional states, Oklahoma and Alabama, have recently passed comprehensive consumer privacy laws, increasing the patchwork enforcement framework across the country, while federal laws continue to be proposed but may not be any closer than before.

At the same time, regulators have accelerated enforcement actions against companies that do not comply with state laws, and privacy litigation continues to flood dockets with claims for violations of the California Invasion of Privacy Act (CIPA) and the Video Privacy Protection Act (VPPA). Companies are also facing increased regulatory scrutiny over the collection and use of health data and minors’ data, while also navigating uncertain waters with respect to the intersection of artificial intelligence governance and consumer privacy.

Our 2026 Spring Privacy Report examines key developments shaping the privacy, cybersecurity, and AI landscape this year, along with practical considerations for businesses. View the full report here.

Summer Privacy Webinar – June 16, 2026

Please join Scott Hall and the Data Privacy team on Tuesday, June 16, 2026 for our Summer Privacy Webinar, where we will discuss these developments in greater detail. RSVP for the webinar here.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

The California Department of Housing and Community Development (HCD) has released 22 new Housing Law Fact Sheets that provide concise, standalone summaries of key state housing laws. As state housing laws continue to expand and evolve, the fact sheets offer quick-reference guidance on statutory requirements, recent legislative changes, and relevant technical assistance letters. Topics that may be of interest to developers include:

• Accessory Dwelling Unit law
• Density Bonus Law
• Housing Accountability Act
• Housing Crisis Act (SB 330)
• SB 35 / SB 423 streamlining
• Permit Streamlining Act
• Transit-Oriented Development (SB 79)

HCD also recently revamped its Technical Assistance and Enforcement Letters Dashboard to make it easier to locate individual letters sent to local jurisdictions on a range of housing law implementation issues. Together, the materials offer a practical reference for navigating entitlement strategy, local agency obligations, and state housing-law compliance across California.

A roundup of news and multimedia from the Unfamiliar Terrain team:

San Francisco

Why the skyscraper race is back on when SF has plenty of empty offices (SF Standard): Although one-third of San Francisco’s 90 million square feet of office space remains vacant since the pandemic, several developers are pursuing plans to build the City’s next great skyscraper, with investor backing.

Apartment rents soar to all-time highs — ‘San Francisco is rewriting its own record books’ (SF Business Times): San Francisco’s apartment rents are at their highest levels ever, driven by competition from tech workers. Local rent growth is significantly outpacing national trends.

S.F. tech company expands its footprint as leasing surge lifts downtown office market (SF Chronicle): A year after signing a long-term, 150,000 square foot lease at One Sansome, Databricks has expanded its office footprint in the space by 90,000 square feet, showing strong momentum for the City’s office market.

Bay Area

Big Tech’s favorite landlord is leaning into housing. It’s daring others to follow (SF Standard): The Sobrato Organization, long known for developing major Silicon Valley corporate tech campuses, is turning significant attention toward affordable housing, marked by the opening of The Millton, a 120-unit all-affordable development in Redwood City.

Newsom issues ‘final warning’ to cities over housing law violations — only one is in the Bay Area (Mercury News): Gov. Gavin Newsom issued notices to 15 jurisdictions, including Half Moon Bay, giving them 30 days to address housing law violations before potential referral to the Attorney General. The jurisdictions are more than two years behind on securing state-certified housing elements, and continued noncompliance could expose them to litigation, fines, loss of state funding, and builder’s remedy consequences.

California and Beyond

California considering a first of its kind idea to boost factory-built housing (CalMatters): The Legislature is considering a new proposal that would allow the state to serve as a financial backstop for factory-built housing projects. Under AB 2166, introduced by Buffy Wicks, the state would provide credit support to surety companies, enabling them to issue payment and performance bonds for factory-built construction.

Tight Curves and Wide Horizons: The Return of Highway 1 (NY Times): A travel feature explores the reopening of California’s Highway 1 through Big Sur and reflects on how recurring landslides, climate pressures, and costly repairs continue to shape the future of one of the state’s most iconic transportation corridors.

Cities scramble to comply with or fight major state housing law (CalMatters): With a July 1 deadline looming for local governments to introduce local “wiggle room” around SB 79, which broadly increases building height limits near major transit stops, cities around the state are exploring ways to tailor their own plans or buy themselves more time.

A Bill Aimed at Creating Homes Is Leaving Plots Empty Instead (Wall Street Journal): A U.S. Senate housing bill would significantly restrict the build-to-rent industry, causing financing to pull back and putting projects on pause.

California blew a hole in environmental planning law. Now, lawmakers are trying to fix it (CalMatters): California lawmakers are scrambling to more clearly define the new CEQA exemption for “advanced manufacturing” passed as part of the 2025 CEQA reform. The proposed fix would add limits and community protections, setting up a fight between environmental justice advocates seeking more review and industry groups arguing that streamlined approvals are needed for clean-energy manufacturing and economic development.