• Disabled by Association: California Federal Courts Consider Whether FEHA Supports Workplace Accommodations Based on Another Person’s Disability

    By Hannah Withers and Hannah Jones

    In 2025, three federal district courts in California addressed the same open question and reached a similar conclusion: that under California’s Fair Employment and Housing Act (“FEHA”), California employers may be required to engage in the interactive process and potentially provide reasonable accommodations to caretaker employees who are not disabled themselves, but who request accommodations to care for other disabled persons. This requirement goes beyond the prohibition of discriminating against employees because they are associated with disabled individuals and has practical implications for how employers need to evaluate leave requests, schedule modifications, and other accommodations sought by employee caregivers.

    This Is Only About Disability Accommodations Under FEHA, Not The Federal ADA

    This development is specific to California’s FEHA and it does not arise under the federal Americans with Disabilities Act (“ADA”). The distinction stems from how the two statutes are structured.

    Under the ADA, the prohibition relating to discriminating against an employee for “association” with someone who is disabled appears only in the anti-discrimination provision, not in the accommodation provisions. Federal courts have therefore consistently held that the ADA does not require accommodation of a non-disabled employee based on associational disability.

    FEHA arguably allows a different approach. California Government Code Section 12926(o) defines the statute’s list of protected characteristics, including “physical disability” and “mental disability,” to encompass “a perception that the person is associated with a person who has, or is perceived to have, any of those characteristics.” Some courts have interpreted this definition to apply to the entirety of FEHA’s unlawful practices provisions, including Section 12940(m), which requires employers to make reasonable accommodation for “the known physical or mental disability of an applicant or employee,” and Section 12940(n), which requires employers to engage in an interactive process to determine effective reasonable accommodations for “an employee or applicant with a known physical or mental disability.” Although that interpretation is not universally accepted and remains subject to further judicial clarification, employers should be aware that courts are extending the accommodation requirement this way.

    The Backstory: Castro-Ramirez and the Unresolved Question of Associational Disability Accommodation

    This issue has been percolating for years. In 2016, the California Court of Appeal in Castro-Ramirez v. Dependable Highway Express, Inc., 2 Cal. App. 5th 1028, held that FEHA supports a cause of action for associational disability discrimination. But the court expressly declined to decide whether FEHA also requires employers to accommodate employees based on an associational disability, suggesting only that Section 12940(m) “may reasonably be interpreted to require accommodation based on the employee’s association with a physically disabled person.” In the years that followed, a handful of unpublished decisions concluded the opposite, reasoning that the accommodation provisions do not expressly incorporate the broader definition of disability from Section 12926(o). Meanwhile, in late 2020 and early 2021, the Fair Employment and Housing Council itself issued a Request for Public Input on this very question, signaling that even the regulatory body overseeing FEHA viewed the issue as unsettled.

    The 2025 Trilogy: Acosta, Head, and De Wit

    In 2025, three federal district courts in California squarely confronted the open question and each concluded that FEHA does require accommodation and interactive process engagement for associational disability claims.

    Acosta v. NAS Insurance Services, LLC (C.D. Cal.)

    In Acosta, the plaintiff requested reduced hours, a flexible schedule, and full-time remote work to care for her son, who had been diagnosed with a severe developmental delay. Her employer denied every request, telling her that “accommodations are for employees who have a disability, and do not extend to dependents of employees for whom the employee is a caretaker.” She alleged she was eventually constructively terminated. The court denied the employer’s motion to dismiss, including claims for failure to engage in the interactive process and failure to provide reasonable accommodation under FEHA, holding that Sections 12940(m) and (n) “embrace employees perceived to be associated with a person who is disabled” and rejecting the argument that ADA precedent should control.

    Head v. Costco Wholesale Corporation (N.D. Cal.)

    In Head, a Costco employee exhausted his FMLA/CFRA leave and Costco’s one-year leave policy while caring for his wife, who had cancer. When told he must return to work or resign, he resigned and Costco later declined to rehire him after his wife passed away. The court denied the motion for summary judgment on the failure to accommodate and interactive process claims, allowing them to proceed on an associational disability theory.

    De Wit v. Amazon.com Services, LLC (C.D. Cal.)

    In De Wit, the plaintiff took intermittent leave to care for his mother, who suffered from dementia, and was terminated after a disputed leave calculation resulted in negative unpaid time off under Amazon’s attendance policy. The court granted summary judgment for Amazon on the facts, but agreed that claims for failure to accommodate and engage in the interactive process may be brought on an associational disability theory. The court emphasized that Amazon had approved multiple leave requests, communicated with the employee, and applied its policies consistently, which were facts that supported its defense despite recognizing the viability of the legal theory.

    What This Means for Employers

    These decisions are not binding on California state courts as the California Supreme Court has not yet addressed the issue. However, this case trend suggests that at least some courts may be receptive to associational disability claims based on a failure to accommodate or engage in the interactive process. In this developing landscape, employers confronting caregiving-related requests may face increased scrutiny regarding whether any individualized assessment or interactive process occurred, even as the scope of any obligation remains unsettled.

    If you have questions about how these developments may affect your workplace policies or about a specific accommodation request, please contact any member of the Coblentz Employment Group.

    This alert is intended to provide general information and does not constitute legal advice. Each situation is fact-specific, and you should consult with counsel regarding your particular circumstances.

  • CCPA Risk Assessment Requirements: What Businesses Need to Do Now

    By Scott Hall, Phillip Wiese, and Katherine Gianelli

    Since CalPrivacy (formerly the CPPA) finalized sweeping updates to the California Consumer Privacy Act (CCPA) regulations in July 2025, risk assessments are now a centerpiece of data privacy compliance. The message from regulators is clear: California is moving decisively toward a proactive, risk-based privacy regime, and businesses will be expected to evaluate and document their higher-risk data practices before they occur.

    For many organizations, this marks a significant evolution in compliance expectations. Risk assessments are no longer a matter of internal best practice. They are now a formal, enforceable requirement that will demand new processes, closer coordination across teams, and greater executive oversight and accountability.

    Risk Assessments as a Core Compliance Obligation

    Beginning January 1, 2026, businesses subject to the CCPA must conduct risk assessments for processing activities that present a “significant risk” to consumers’ privacy. These assessments must be completed before the relevant processing takes place, reflecting a shift away from reactive compliance and toward forward-looking risk management.

    The scope of what constitutes “significant risk” is broad. In practice, it will capture many common data-driven activities, including the sale or sharing of personal information, the use of sensitive personal data such as precise geolocation or health information, and the deployment of automated decision-making technologies in consequential contexts like hiring, lending, or housing. Profiling in workplace or educational environments, as well as certain AI and analytics tools that infer consumer characteristics, also fall within the scope.

    For companies that rely heavily on data analytics, targeted advertising, or use of automated decision-making technology, this means that risk assessments are likely to become a routine and recurring part of operations, rather than an occasional compliance exercise.

    A Structured and Substantive Analysis

    The CCPA regulations set forth the specific information an assessment must contain. Businesses will need to prepare a written analysis that clearly explains the purpose of the processing, the categories of personal information involved, and how the data will be used, retained, and shared. Business employees whose job duties include participating in the processing of personal information subject to a risk assessment must be included in the business’s risk assessment process.

    At the heart of the requirement is a balancing test: organizations must weigh the benefits of the processing, both to the business and to consumers, against the foreseeable risks to individual privacy. In doing so, the analysis must:

    • Identify the specific business purpose for processing;
    • Identify the categories of personal information involved, including any sensitive personal information, and the minimum information necessary for achieving the stated business purpose;
    • Identify any safeguards in place to mitigate risks; and
    • Document operational details of the processing, including:
      • How the information is collected, used, and disclosed;
      • The duration of retention (or how such duration will be determined);
      • How the business interacts with customers;
      • How many customers are affected;
      • What disclosures the business makes to customers about the processing; and
      • What third parties (service providers, contractors, or otherwise) will have access to that information and what purpose that access will serve.

    This assessment requires thoughtful judgment and attention to detail as those with knowledge of the processing consider questions about the business’s data processing practices.

    As noted, risk assessments must be completed prior to initiating any processing activity that presents a significant risk to consumer privacy. Additionally, businesses must update their risk assessments within 45 days when there is a material change relating to the processing activity, or, at minimum, every three years.

    Reporting Obligations

    CalPrivacy has coupled these substantive requirements with new reporting and certification obligations. Businesses will be required to submit summaries of their risk assessments by April 1 the year after they have been completed, starting April 1, 2028. The summary must certify under penalty of perjury that the substance of the risk assessment is correct. While full assessments do not need to be routinely filed, they must be maintained and produced upon request.

    This framework transforms risk assessments into regulator-facing documents, not just internal analyses. As a result, companies should expect that their reasoning, methodologies, and conclusions could be scrutinized in an enforcement context by CalPrivacy.

    Implementation Timelines and Transition

    The regulations provide a phased timeline, but the runway is shorter than it may appear. The obligation to conduct risk assessments began in January 2026, and existing data processing activities must be evaluated and a risk assessment prepared by the end of 2027, covering processing during 2026 and 2027. But for any new processing activities started after January 1, 2026 that trigger compliance obligations, a risk assessment must be completed before that new processing can begin. The first round of annual reporting is set to occur on April 1, 2028, with ongoing summary submissions required each year thereafter.

    Given the breadth of in-scope activities and the level of detail required, many organizations will need substantial lead time to build and operationalize compliant programs.

    Preparing for Risk-Based Privacy Practices

    The practical impact of these requirements will extend across the enterprise. Legal and privacy teams will need to develop standardized frameworks and documentation processes, while product, engineering, and data teams will need to integrate risk analysis into development lifecycles. Security functions will play a key role in aligning technical safeguards with identified risks, and senior leadership may be called upon to review and certify compliance.

    Organizations that have not yet formalized their data governance practices may face particular challenges, especially in mapping data flows and documenting decision-making. At the same time, companies with more mature privacy programs will need to revisit and enhance their existing processes to meet CalPrivacy’s more prescriptive and transparent requirements.

    Looking Ahead

    California’s regulations reinforce its position at the forefront of U.S. privacy law and reflect a broader global trend toward risk-based regulation. For businesses, the takeaway is clear: Now is the time to conduct risk assessments on relevant processing activities and to start preparing plans to submit summary assessments to CalPrivacy.

    Organizations that act now to build scalable, defensible risk assessment programs will be better positioned not only to meet regulatory expectations, but also to support responsible innovation in an increasingly complex data landscape.

    The Coblentz Data Privacy & Cybersecurity team can help you navigate CalPrivacy’s risk assessment requirements. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.

  • CalPrivacy to Begin CCPA Compliance Audits

    By Scott Hall and Phillip Wiese

    CalPrivacy (formerly the California Privacy Protection Agency) announced recently that it intends to begin auditing businesses’ compliance with the California Consumer Privacy Act (CCPA).

    In February 2026, CalPrivacy formed its Audits Division to conduct compliance audits. The agency expects those audits to begin later this year and to focus on obtaining and analyzing privacy and technology records to ensure businesses are adhering to the CCPA’s requirements. CalPrivacy also expects the Audits Division to work closely with the Enforcement Division, which has been settling enforcement proceedings in recent months.

    While CalPrivacy has not identified the initial focus areas of its audits, businesses should confirm compliance with all aspects of the CCPA. Recently, the CalPrivacy Enforcement Division has paid particular attention to children’s data, minimizing friction for exercising CCPA rights, and data broker obligations. Under the CCPA, businesses must also have a comprehensive privacy policy, updated on an annual basis.

    If you have questions about your obligations under the CCPA, or if you would like for a Coblentz attorney to review your privacy policy, assist with a risk assessment, or facilitate a cybersecurity audit, please reach out to Scott Hall or Phillip Wiese. Our Data Privacy & Cybersecurity team would be happy to assist you.

  • BIPA Damages Limitation Applies Retroactively

    By Scott Hall and Phillip Wiese

    The Seventh Circuit recently confirmed that the 2024 amendment to the Illinois Biometric Information Privacy Act (“BIPA”) would apply retroactively, effectively limiting the available statutory damages under the statute. Going forward, damage awards under sections 15(b) or 15(d) will be limited for each plaintiff to “at most, one recovery” regardless of the number of violations, avoiding what at least one defendant described as “potentially crippling financial liability” for even simple BIPA violations.

    BIPA Overview

    BIPA prohibits companies from collecting, obtaining, or disclosing an individual’s biometric data, including biometric identifiers (e.g., eye or fingerprint scans, voice prints, face geometry, etc.) or biometric information (i.e., data derived from a biometric identifier) without first providing notice to and obtaining consent from the individual. Subsection 15(b) governs collection of biometric data and subsection 15(d) governs its disclosure. Plaintiffs could recover $1,000 for a negligent violation, or $5,000 for an intentional or reckless violation of the statute. Importantly, however, the law as originally written did not specify how to calculate damages or whether plaintiffs could recover for each time a company collected, obtained, or disclosed the biometric data. For example, BIPA was silent as to whether a plaintiff who clocked in using a fingerprint scanner twice a day for 30 days without providing consent could recover just once, up to $5,000, or for sixty separate violations, as much as $300,000. Plaintiffs have used this ambiguity to extract large settlements from companies.

    In 2023, the Illinois Supreme Court confirmed that damages should be awarded on a “per-scan” basis.[1] In other words, each time a company collected, obtained, or disclosed an individual’s biometric data without consent, it could be liable for statutory damages. The Illinois Supreme Court also wrote, in dicta, that to the extent the decision would result in “excessive damage awards,” the Illinois legislature could amend the law.

    The Illinois General Assembly took up the Supreme Court’s offer in 2024, amending the damages section of BIPA to clarify that each person could recover for “one recovery” under subsections (b) and (d) so long as the company used “the same method of collection” for each.[2] The legislature also confirmed the discretionary nature of any damages award by noting that an individual is entitled to “at most,” recovery based on a single violation.[3]

    Retroactive Application of Amendment

    After Cothron, the question remained as to whether the amendment would have retroactive effect. The Seventh Circuit recently answered in the affirmative, holding that the damages cap would have retroactive effect.[4] The Seventh Circuit analyzed whether the amendment was substantive or procedural. Only procedural amendments could be retroactive under Illinois law.

    The BIPA amendment was procedural because it involved the “rules that prescribe[d] the steps for having a right or duty judicially enforced.”[5] The text of the amendment and the Illinois Supreme Court’s discussion of Section 20 in Cothron indicated that it addressed the availability of damages, not proscribed conduct. Additionally, the amendment was contained exclusively in the damages section of BIPA, not in the liability section. Each of these points demonstrated that the amendment was remedial and therefore procedural, so it could have retroactive effect.

    The appellees argued that the panel’s interpretation would wipe away millions of dollars of liability, and also that whether someone has been injured once or a thousand times is a matter of substance,[6] but the Court was not persuaded and pointed to language in Cothron noting that damages were discretionary, so plaintiffs were not guaranteed any specific recovery in the first place.[7]

    Key Takeaways 

    • Going forward, there will be upper limits on the amount of damages available to plaintiffs. Each plaintiff can seek up to $5,000 for violations of BIPA sections (b) or (d). No longer can a plaintiff seek damages for every BIPA violation over the course of multiple years, which may lower a company’s exposure exponentially.
    • Courts still have discretion over the amount of damages, up to the statutory maximum, or even whether to award damages at all.
    • Businesses that collect biometric data should continue to maintain a privacy policy that discloses the specific data collected and collect data only from those consumers who expressly consent.
    • The Texas biometric privacy law allows the Texas Attorney General to levy fines based on each individual violation, now putting that law at odds with BIPA. The Texas law does not have a private right of action.

    The Coblentz Data Privacy & Cybersecurity team is experienced at litigating BIPA matters and can help you navigate the changing legal landscape. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.

     

    [1] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 927 (Ill. 2023).

    [2] 740 ILCS 14/20(b), (c).

    [3] Id.

    [4] Clay v. Union Pacific Railroad Co., 2026 WL 891902 (7th Cir. Apr. 1, 2026).

    [5] Id. at *3.

    [6] Id. at *4.

    [7] Id. at *6.

  • California Privacy Enforcement: What’s New Since Our Mid-Year Privacy Report

    By Scott Hall and Phillip Wiese

    This update is intended as a follow-up to the Coblentz 2025 Mid-Year Privacy Report’s discussion of California privacy enforcement themes.

    Since our 2025 mid-year privacy report highlighted the CPPA’s (now CalPrivacy’s) early enforcement playbook (Honda and Todd Snyder) and the California Attorney General’s landmark Healthline settlement, California regulators have kept up the pace into early 2026. Recent enforcement matters confirm that regulators are less interested in “paper compliance” than whether consumer choices actually work across real-world tech stacks, devices, and vendors. They also show expanding attention to (1) streaming/CTV ecosystems, (2) mobile apps (including youth data), (3) job applicant/employee-related data, and (4) data broker obligations under the Delete Act.

    Below is a brief summary of new enforcement actions and an analysis of enforcement themes.

    Recent Enforcement Actions and Developments

    • Disney: “Account-wide” opt-outs across services and devices are expected and required.

      In February 2026, the California Attorney General announced a $2.75 million settlement with Disney entities tied to Disney’s streaming ecosystem. The core allegation was functional—namely, that consumers would try to opt out through toggles, a webform, or Global Privacy Control (GPC), but those signals allegedly did not fully propagate across the “bundle” of services and devices tied to the consumer’s account—leaving gaps where sale/sharing continued. This is the clearest statement yet (in enforcement posture) that if a business can link devices/services to a consumer for advertising or measurement, regulators expect it to be able to link those same devices/services to the consumer’s privacy elections—and to do so comprehensively.

    • PlayOn Sports: CalPrivacy tackles opt-out mechanisms in high school sports website.

      In March 2026, CalPrivacy announced a $1.10 million decision against PlayOn Sports, a media company that sells digital tickets to certain high school events, including football games, theater performances, and school dances. According to CalPrivacy, high school students were required to agree to the use of tracking technology and collection of personal information without a meaningful way to opt out of that data collection in order to use the website. This enforcement action represented CalPrivacy’s first foray into enforcing the CCPA expressly on behalf of minors, describing the high school students as a “uniquely vulnerable population.”

    • Ford Motor Co.: Opt-out requests need not be verified.

      In March 2026, CalPrivacy also announced a $375,000 decision against Ford Motor Company, finding that the automaker created “unnecessary friction” by improperly processing consumer requests to opt out of the sale or sharing of personal information. In particular, Ford used a standardized form for all CCPA requests, including the right to opt-out, and then required consumers to respond to a follow-up email to verify their identity. While companies can require verification for certain CCPA requests, including the rights to know, correct, and delete, the CCPA does not provide a similar verification process for opting out of data selling or sharing. Companies may consider utilizing different workstreams for opt-out requests and other CCPA-related requests to avoid this issue.

    • Tractor Supply Co.: Opt-out mechanisms must work properly.

      In September 2025, CalPrivacy announced a $1.35 million decision against rural lifestyle retailer Tractor Supply Company after a single consumer reported the Tractor Supply privacy practices to the agency. CalPrivacy determined that Tractor Supply violated the CCPA in numerous ways. Critically, the CalPrivacy decision stated that Tractor Supply had a webform that did not in practice allow consumers to opt out of the sale or sharing of personal information. According to CalPrivacy, consumers could fill out a webform purporting to allow them to opt out of data sharing/selling, but Tractor Supply took no action to effectuate those requests. Additionally, CalPrivacy stated that Tractor Supply lacked CCPA-compliant contracts with service providers and other third parties, and that Tractor Supply did not provide all requisite notices under the CCPA, including to job applicants. As a result of these issues, Tractor Supply received the largest fine levied to date by CalPrivacy.

    • Jam City: Don’t forget about mobile app opt-outs and under-16 protections.

      In November 2025, the AG announced a $1.4 million settlement with a mobile app gaming company. The AG’s announcement emphasized two points: (1) if personal information is sold/shared through mobile apps, consumers need compliant opt-out methods in-app, and (2) the CCPA’s heightened protections for consumers under 16 (affirmative opt-in for sale/sharing) are an active enforcement area. This builds directly on the mid-year theme that enforcement is moving from websites into the app ecosystem and is increasingly focused on whether the consumer experience is simple and effective.

    • CalPrivacy (CPPA): Delete Act/data broker enforcement.

      In January 2026, CalPrivacy announced enforcement actions against a marketing firm and a technology firm for each failing to register as a data broker. CalPrivacy claimed that the marketing firm was selling personal information about individuals with certain health conditions for targeted advertising and emphasized that simply packaging personal information into “custom audiences” or value-added products does not avoid data broker obligations. This connects to the broader enforcement theme that regulators are looking through form to function: if the business model involves the buying or selling of consumers’ personal information, it must comply with the CCPA and the Delete Act.

    Privacy Enforcement Themes to Keep Top of Mind

    • Regulators expect “functional” opt-outs, including end-to-end propagation across vendors, devices, and services. These latest enforcement actions make clear that the regulators expect companies to create a straightforward and streamlined consumer opt-out process. If, for example, a consumer opts out of data sharing/selling, that request must be fulfilled across the company’s entire ecosystem unless the consumer specifically limits the request. The company cannot unilaterally exempt certain verticals or parts of the business. Additionally, the opt-out methods must meaningfully allow consumers to opt out of data sharing/selling. Webforms, Global Privacy Controls, and other opt-out methods must be checked regularly to ensure functionality. The regulators have been quick to act where those methods do not work as expected.
    • Regulators expect low-friction user experience—and will treat friction as a compliance risk. Both CalPrivacy and the AG have focused on the specific opt-out mechanisms for data collection or data selling/sharing, targeting companies that appear to have made it difficult or impossible to opt out of data sharing/selling and still use mobile apps. For example, the regulators have looked unfavorably on cookie banners that cover critical website functions and that must be accepted before the consumer can use the website. This is especially the case where the user must accept cookies, rather than choosing whether to accept or reject cookies. And on the topic of cookie banners, companies should consider evaluating their cookie banners to ensure symmetry of choice for both allowing and rejecting cookies.
    • Youth and sensitive-context data remain high priority. CalPrivacy noted in its announcement of the PlayOn decision that students are “uniquely vulnerable,” and any websites they use should not “fuel advertising and commercial surveillance” at the expense of enhancing their educational opportunities. Similarly, the AG has cracked down on companies allegedly selling children’s information as well as disseminating sensitive consumer health information. Companies should consider reviewing their data collection practices to determine whether they collect, share or sell these types of data, and if so, evaluate whether proper disclosures are in place.

    Your Key Next Steps

    • Audit your opt-out functionality across all web, mobile, and platform integrations and ensure a consistent and defensible approach. The opt-out process should be straightforward and streamlined.
    • Inventory service provider / contractor / third-party contracts for required restrictions and flow-down obligations—especially in advertising and analytics. The regulators continue to monitor the adequacy of the contracts governing these relationships.
    • Reassess youth and student-data touchpoints, including age-gating logic, opt-in mechanisms, SDK behavior, retention, and security controls.
    • Evaluate data broker status (including “custom audience” and profiling services) and confirm registration/fees where required. Additionally, prepare for an influx of delete request and opt-out platform (DROP) requests. DROP was released to the public in January, and data brokers must begin deleting data within 90 days, starting August 1, 2026.
    • Don’t forget about applicant/HR privacy. Because employees and job applicants are covered by the CCPA, take time to review or revise notices and rights processes for those individuals.
  • LKQ v. GM: Design Patent Invalidity A Year Later

  • Key Takeaways from “2025 Privacy Overview: How to Ensure Compliance and Reduce Business Risk”

    Coblentz partner Scott Hall and members of the Coblentz Data Privacy Team presented “2025 Privacy Overview: How to Ensure Compliance and Reduce Business Risk” on October 21, 2025. The team discussed the global and U.S. AI legal landscape, provided an overview of U.S. state privacy laws, updates related to children’s privacy and health data privacy, 2025 privacy litigation trends related to the Video Privacy Protection Act (VPPA), the California Invasion of Privacy Act (CIPA), and California’s SB 690, and summarized regulatory enforcement actions.

    Key Takeaways

    Proactive Privacy Governance Is Now a Legal Imperative

    Businesses should develop a unified privacy governance framework that harmonizes obligations across state, federal, and international laws. Fragmented compliance efforts create operational risk and regulatory exposure, especially as new state privacy laws (now in 20 states) expand enforcement. Embedding privacy impact assessments into product and vendor workflows is essential.

    Contracts Are the Front Line for Risk Allocation

    Businesses should tighten data processing agreements, vendor clauses, and cross-border transfer mechanisms. In-house teams should review indemnity and liability provisions related to data breaches, confirm that vendors meet equivalent security standards, and ensure ongoing audit rights. “Paper compliance” can be a recurring pitfall as documentation must reflect actual practice.

    Incident Response Readiness and Documentation Drive Defensibility

    Businesses should ensure that incident response plans are legally defensible and not just operationally sound. This includes maintaining privileged documentation, conducting post-incident reviews, and aligning notification procedures with each jurisdiction’s timing requirements. Regulators are now assessing whether response documentation shows “reasonable security practices” in action.

    If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

    To view the recording of our 2025 Privacy Overview webinar, please click here.

    To view our 2025 Privacy Developments Action Item Checklist, please click here.

     

  • It’s Okay to Say No to AI Notetaking and Meeting Recordings

    (And Yes—They Do Need to Ask)

    By Scott Hall

    AI-powered meeting tools have made it incredibly easy to record, transcribe, and summarize conversations. But ease of use shouldn’t override legal obligations or sound data governance. As these tools become more common, it’s important for businesses to ask a fundamental question: Do we really need a record of every meeting?

    Whether for internal meetings or external calls, AI notetaking tools come with real legal and privacy risks. In many cases, the better choice may be to opt out of recording altogether—and never assume silence means consent.

    Consent Still Comes First

    Recording laws haven’t changed just because AI has entered the room. Under federal law, “one-party consent” may be enough, but over a dozen states—including California, Florida, and Pennsylvania—require all parties to consent before a conversation can be recorded. That includes AI tools that silently transcribe, summarize, or analyze conversations.

    If your meeting involves participants in one of these states, or in multiple states, the safest approach is to apply the strictest rule. And if you’re using a tool that silently joins a call, records the conversation, and spits out an AI summary—without every participant clearly agreeing to it—you could be violating state and federal law. Simply put: if you’re using an AI notetaker or transcript tool, you need to tell people—and get their permission.

    AI Creates More Than Just Notes—It Creates Risk

    Many organizations adopt AI notetaking simply to avoid the time-consuming work of manual documentation. But this can backfire. Transcripts often include stray comments, speculation, internal debates, or even sensitive information that a human notetaker would leave out. AI tools can also hallucinate content, and they can completely miss or misunderstand the context in which statements are made, including sarcasm, jokes, or simply the tone or inflection with which certain statements are said, which can alter the meaning of those statements. Moreover, these materials—accurate or inaccurate—can become discoverable in litigation or investigations, even if they were only meant for internal use.

    AI records can also:

    • Conflict with formal meeting minutes, undermining credibility;
    • Waive attorney-client privilege if legal conversations are transcribed by third-party services;
    • Create inconsistent records across versions (raw transcript, AI summary, follow-up notes);
    • Increase data exposure if stored indefinitely or shared with vendors using it to train AI models.

    When businesses reflexively record everything “just in case,” they often end up storing conversations they never needed—and wish they didn’t have.

    Manual Notes Still Have a Place

    Not every meeting needs to be transcribed. AI tools are often marketed as efficiency boosters, but businesses should resist the urge to capture everything simply to avoid notetaking. Typed notes remain a valuable, lower-risk alternative—especially when discussions involve sensitive strategy, personnel, or legal matters.

    Ask yourself: If this meeting were the subject of a lawsuit or investigation, would we want a full transcript of everything that was said? If not, don’t create one in the first place.

    If You Do Use AI Tools, Govern Them Carefully

    If your organization is using—or considering—AI meeting assistants, take these governance steps:

    • Be Intentional
      Don’t record by default. Choose transcription only for meetings where it clearly adds value.
    • Get Explicit Consent
      Use verbal notices, written policies, or meeting pop-ups to inform all participants and log their consent.
    • Vet Your Vendors
      Review AI tool settings and terms. Turn off features you don’t need, and block vendor use of your data for model training.
    • Update Your Privacy Policies and Employee Handbooks
      Clearly disclose when and how AI transcription or recording tools are used—and whether third parties are involved.
    • Limit Access and Retention
      Keep transcripts only as long as necessary. Restrict access to relevant personnel.
    • Establish Internal Guidelines
      Create policies that define when AI notetaking is appropriate for your organization and when it’s not. Train employees to use these tools thoughtfully and sparingly.

    If You Join a Meeting That’s Being Recorded, Don’t Be Afraid to Say No

    It’s common to feel awkward asking a host to turn off an AI notetaker or to pause a recording—especially in professional settings. But your discomfort shouldn’t override your privacy preferences. If you didn’t consent to being recorded, you have every right to speak up, ask for the tool to be disabled, or leave the meeting if needed. Respectful pushback is not unprofessional—it’s prudent. At a minimum, you should request a transcript of the notes or a copy of the recording after the meeting and review it for accuracy.

    Conclusion

    AI offers powerful tools—but recording everything is not a compliance strategy. It’s a shortcut that many companies are taking without thinking through the potential long-term problems.

    Saying no to AI notetaking isn’t being anti-tech—it’s being pro-accountability. It reflects good governance, legal awareness, and respect for privacy. Sometimes, not hitting “record” is the most prudent decision your team can make.

  • California’s 2026 Employment Laws: Practical Steps for Employers to Stay Ahead

    By Fred W. Alvarez, Hannah L. Jones, Daniel M. Bruggebrew, Allison Moser, Paige B. Pulley, Hannah Withers, and Stacey Zartler

    With the Governor’s signing window closed, employers now have clarity on which proposed California workplace measures will take effect in 2026. Our prior alert, “Legislative Bills That Could Redefine California Workplaces in 2026,” outlined the key California proposals under consideration with a summary of each bill. This update focuses on the California employment measures that became law and provides practical guidance to help California employers prepare for the sweeping changes ahead.

    AB 692 – Ban on Most Stay-or-Pay Agreements

    Key Requirements/Changes: Makes most repayment or retention provisions in employment unenforceable; limited exceptions for tuition or education costs.

    Action Items: Employers should carefully review employment agreement templates that include repayment or retention provisions, such as signing bonuses or training cost reimbursements. Any “stay-or-pay” language that does not meet the limited statutory exceptions should be removed or revised to comply with the new law. Employers may wish to develop alternative retention strategies—such as milestone-based bonuses or enhanced career development opportunities—to achieve retention goals without relying on repayment agreements.

    SB 464 – Broader Pay Data Reporting Requirements

    Key Requirements/Changes: Expands pay data demographic reporting to include sexual orientation.

    Action Items: Employers subject to California’s pay data reporting requirements should prepare for expanded pay data reporting obligations in the next filing cycle and confirm that vendors or third-party reporting platforms can accommodate the new data fields.

    SB 642 – Pay Scale in Job Postings

    Key Requirements/Changes: Clarifies definition of “pay scale” disclosures in job postings; extends lawsuit deadline to 3 years.

    Action Items: Companies should review their job posting templates and hiring procedures to ensure compliance with the clarified definition of “pay scale.” Pay ranges should reflect a “good-faith estimate” of what the employer reasonably expects to pay for a position upon hire. Recruiting and compensation teams should align on consistent methodologies for establishing pay ranges and maintain documentation supporting these determinations, as employers will now need to retain such records for at least three years to defend against potential claims.

    SB 590 – Paid Family Leave Expanded to Chosen Family

    Key Requirements/Changes: Extends California PFL benefits to care for a “designated person,” aligning with the California Family Rights Act, starting in 2028.

    Action Items: Employers should update their leave request forms, benefits communications, and internal policies to include care for a “designated person” as a qualifying reason for Paid Family Leave benefits starting July 1, 2028.

    SB 513 – Personnel Records Must Include Training Data

    Key Requirements/Changes: Adds training, education, and certification details to required personnel records.

    Action Items: Employers should audit their personnel files to confirm that employee training, certification, and education records are properly documented. Going forward, HR teams should establish a consistent process for recording the type, date, and outcome of all required training programs. Employers may need to update their HRIS systems or personnel record templates to ensure this information can be easily accessed and verified during audits or employee file requests.

    SB 303 – Good Faith Bias Disclosure Protections

    Key Requirements/Changes: Good faith disclosures of bias during discrimination or other bias mitigation trainings do not constitute unlawful discrimination.

    Action Items: Employers should update internal policies and training materials to reflect that good faith admissions of bias during bias mitigation trainings do not constitute unlawful discrimination. Employers should also ensure that disciplinary decisions are not based on these good faith disclosures.

    SB 294 – Know Your Rights Notice

    Key Requirements/Changes: Requires new workplace notice by Feb. 1, 2026; $500/day penalty per employee for noncompliance.

    Action Items: Employers should prepare to distribute the new “Know Your Rights” notice to all employees before the February 1, 2026 deadline. HR and compliance teams should monitor guidance from the Labor Commissioner for the official notice template and ensure that both onsite and remote employees receive it. Employers should also maintain clear records of when and how the notice was distributed to demonstrate compliance and avoid penalties.

    The Coblentz Employment team is available to answer any questions you may have about the impact of these regulations.

  • Legislative Bills That Could Redefine California Workplaces in 2026

    By Fred W. Alvarez, Hannah L. Jones, Daniel M. Bruggebrew, Allison Moser, Paige B. Pulley, Hannah Withers, and Stacey Zartler

    California is once again at the forefront of workplace regulation, with a slate of 2026 bills that would significantly expand employee rights and increase employer compliance obligations. From limits on AI in employment decisions, to restrictions on stay-or-pay agreements, expanded pay data reporting, and new immigration-related protections, these measures highlight the state’s aggressive approach to reshaping the employer-employee relationship.

    Governor Newsom has until October 12, 2025 to sign or veto these bills. Below is a table summarizing the most significant proposals currently on his desk as well as a deeper dive into each bill. We will provide follow-up guidance once final enactments are known to help employers prepare for compliance. Unless otherwise noted, any new laws signed will take effect on January 1, 2026.

    | Bill | Topic | Key Requirements / Changes |
    | --- | --- | --- |
    | SB 7 | Limits on AI in Employment Decisions | Prohibits exclusive use of AI tools in hiring, promotion, or discipline; requires notice, data access, and appeal rights. |
    | AB 692 | Ban on Most Stay-or-Pay Agreements | Makes most repayment or retention provisions unenforceable; limited exceptions for tuition or education costs. |
    | AB 1136 | Expanded Leave for Immigration Proceedings | Provides up to 12 months of unpaid leave for detention and 5 unpaid days for immigration-related matters. |
    | SB 464 | Broader Pay Data Reporting | Expands demographic reporting to include sexual orientation; requires separate recordkeeping. |
    | SB 642 | Pay Scale in Job Postings | Clarifies definition of “pay scale”; extends lawsuit deadline to 3 years. |
    | SB 590 | Paid Family Leave for “Chosen Family” | Extends PFL benefits to care for a “designated person,” aligning with CFRA. |
    | SB 513 | Personnel Records Must Include Training Data | Adds training, education, and certification details to required personnel records. |
    | AB 1326 | Employee Right to Wear Face Masks | Employers may not prohibit mask use unless it poses a safety hazard; brief removal allowed for identification. |
    | SB 294 | “Know Your Rights” Notice | Requires new workplace notice by Feb. 1, 2026; $500/day penalty per employee for noncompliance. |

     

    Limits on AI in Employment Decisions (SB 7): Under California’s SB 7, employers may not rely exclusively on AI (referred to in the bill as automated decision systems, or ADS) to make key employment decisions such as hiring, promotion, discipline, or termination. ADS are defined as AI-driven or algorithmic tools that make, or materially assist in making, decisions that significantly affect employees. Examples include resume-screening software, video interview analysis tools, chatbot applicant pre-screening platforms, promotion recommendation systems, and certain types of employee monitoring programs.

    Employers that use ADS to assist in employment-related decisions—but not as the sole basis—will be subject to new notice and disclosure obligations if this law takes effect. For applicants, employers must disclose the use of ADS and provide information about the underlying algorithms as part of the application process. For current employees, employers must give at least 30 days’ advance notice in a “standalone written communication” before adopting any new ADS for disciplinary or promotion purposes. In both contexts, employees and applicants must be given access to ADS-related data and the right to appeal any employment decision made with the assistance of ADS.

    Importantly, SB 7 builds on the AI regulations adopted by the California Civil Rights Council (CRC) in October 2025, extending notice and disclosure obligations to both current and prospective employees. For additional background on the CRC regulations, see our prior client alert here.

    Failure to comply with SB 7 may result in enforcement by the Labor Commissioner or private civil actions, with potential remedies including actual damages, civil penalties of up to $500 per violation, and recovery of attorneys’ fees.

    Ban on Most Stay-or-Pay Agreements (AB 692): Employers have long relied on signing bonuses, retention bonuses, or repayment obligations for training, tuition, or immigration costs to encourage employees to stay in the job for a set period of time. These arrangements come with a price tag for employees who leave early: repayment.

    Under AB 692, which would apply to contracts entered into on or after January 1, 2026, most of these “stay-or-pay” arrangements will be prohibited. The law not only renders such agreements unenforceable but also exposes employers to potential employee lawsuits seeking damages or other remedies, with penalties including the greater of actual damages or a $5,000 minimum per violation.

    While broad in scope, AB 692 does carve out limited exceptions. For example, repayment provisions for tuition costs related to transferable educational credentials may still be enforceable if they meet detailed statutory requirements. Similarly, signing and retention bonus agreements remain permissible, but only if they are set out in a standalone agreement that complies with highly technical conditions.

    Expanded Leave Rights for Immigration Proceedings (AB 1136): In response to heightened federal immigration enforcement activity, including ICE raids and the current administration’s restrictive stance on immigration, California has advanced new protections for employees facing immigration or deportation proceedings.

    Under the proposed law, employers must place an employee on unpaid leave for up to 12 months if the employee is detained or incarcerated due to pending immigration or deportation proceedings. If the employee is released during that period and provides valid work authorization, the employer must reinstate the employee to their former position without loss of seniority.

    The bill also requires employers to provide up to five unpaid days off within a 12-month period for employees to address matters related to immigration status, work authorization, or visa status. This includes attending appointments, interviews, adjudications, legal proceedings, detentions, or any other required meetings related to the employee’s immigration situation.

    Broader Pay Data Reporting Requirements (SB 464): SB 464 expands California’s existing pay data reporting obligations for private employers with more than 100 employees. Employers must now collect and maintain demographic information used for reporting purposes separately from employees’ personnel records. The law also broadens the scope of required reporting. In addition to race, ethnicity, and sex, employers must now report on employees’ sexual orientation (if voluntarily disclosed).

    Clearer Rules for Pay Scale in Job Postings (SB 642): California law already requires employers to include “pay scale” information in job postings, but the term has long been a source of confusion. SB 642 attempts to clarify the term by defining “pay scale” as a “good-faith estimate” of the salary or hourly wage range that the employer reasonably expects to pay for the position upon hire. The bill also extends the statute of limitations for violations, giving employees three years (instead of two) to bring a lawsuit for pay equity violations.

    Paid Family Leave Expanded to Chosen Family (SB 590): Beginning July 1, 2028, if SB 590 is signed by the governor, California’s Paid Family Leave (PFL) program will expand to provide wage replacement benefits when employees take time off to care for a “designated person.” This change is intended to support Californians who rely on chosen family members for care. The California Family Rights Act (CFRA) already provides job-protected leave to care for a designated person. SB 590 aligns the PFL program with CFRA by extending wage replacement benefits to cover the same category of leave.

    Personnel Records Must Include Training Data (SB 513): SB 513 expands the definition of personnel records relating to an employee’s performance to expressly include education and training records. Employers that maintain such records will be required to ensure they include specified information, such as the type of training, date(s) completed, and any certifications or credentials earned, as part of the employee’s personnel file.

    Employee Right to Wear Face Masks (AB 1326): AB 1326 would prohibit employers from preventing employees from wearing face masks in the workplace, unless a mask would create a safety hazard. The bill also permits employers to require employees to briefly remove a face covering while at the worksite for identification purposes.

    Know Your Rights Notice (SB 294): Employers are required to distribute a new “Know Your Rights” notice to all employees by February 1, 2026. Failure to comply may result in penalties of $500 per employee, per day, up to a maximum of $10,000.

    The Coblentz Employment team is available to answer any questions you may have about the impact of these regulations. We will provide follow-up guidance once final enactments are known.