• CalPrivacy to Begin CCPA Compliance Audits

    By Scott Hall and Phillip Wiese

    CalPrivacy (formerly the California Privacy Protection Agency) recently announced that it intends to begin auditing businesses’ compliance with the California Consumer Privacy Act (CCPA).  

    In February 2026, CalPrivacy formed its Audits Division to conduct compliance audits. The agency expects those audits to begin later this year and will focus on obtaining and analyzing privacy and technology records to ensure businesses are adhering to the CCPA’s requirements. CalPrivacy also expects the Audits Division to work closely with the Enforcement Division, which has been settling enforcement proceedings in recent months.

    While CalPrivacy has not identified the initial focus areas of its audits, businesses should confirm compliance with all aspects of the CCPA. Recently, the CalPrivacy Enforcement Division has paid particular attention to children’s data, minimizing friction for exercising CCPA rights, and data broker obligations. Under the CCPA, businesses must also have a comprehensive privacy policy, updated on an annual basis.

    If you have questions about your obligations under the CCPA, or if you would like for a Coblentz attorney to review your privacy policy, assist with a risk assessment, or facilitate a cybersecurity audit, please reach out to Scott Hall or Phillip Wiese. Our Data Privacy & Cybersecurity team would be happy to assist you.

  • BIPA Damages Limitation Applies Retroactively

    By Scott Hall and Phillip Wiese

    The Seventh Circuit recently confirmed that the 2024 amendment to the Illinois Biometric Information Privacy Act (“BIPA”) would apply retroactively, effectively limiting the available statutory damages under the statute. Going forward, damage awards under sections 15(b) or 15(d) will be limited for each plaintiff to “at most, one recovery” regardless of the number of violations, avoiding what at least one defendant described as “potentially crippling financial liability” for even simple BIPA violations.

    BIPA Overview

    BIPA prohibits companies from collecting, obtaining, or disclosing an individual’s biometric data, including biometric identifiers (e.g., eye or fingerprint scans, voice prints, face geometry, etc.) or biometric information (i.e., data derived from a biometric identifier) without first providing notice to and obtaining consent from the individual. Subsection 15(b) governs collection of biometric data and subsection 15(d) governs its disclosure. Plaintiffs could recover $1,000 for a negligent violation, or $5,000 for an intentional or reckless violation of the statute. Importantly, however, the law as originally written did not specify how to calculate damages or whether plaintiffs could recover for each time a company collected, obtained, or disclosed the biometric data. For example, BIPA was silent as to whether a plaintiff who clocked in using a fingerprint scanner twice a day for 30 days without providing consent could recover just once, up to $5,000, or for sixty separate violations, as much as $300,000. Plaintiffs have used this ambiguity to extract large settlements from companies.

    In 2023, the Illinois Supreme Court confirmed that damages should be awarded on a “per-scan” basis.[1] In other words, each time a company collected, obtained, or disclosed an individual’s biometric data without consent, it could be liable for statutory damages. The Illinois Supreme Court also wrote, in dicta, that to the extent the decision would result in “excessive damage awards,” the Illinois legislature could amend the law.

    The Illinois General Assembly took up the Supreme Court’s offer in 2024, amending the damages section of BIPA to clarify that each person could recover for “one recovery” under subsections (b) and (d) so long as the company used “the same method of collection” for each.[2] The legislature also confirmed the discretionary nature of any damages award by noting that an individual is entitled to “at most,” recovery based on a single violation.[3]

    Retroactive Application of Amendment

After Cothron, the question remained whether the amendment would have retroactive effect. The Seventh Circuit recently answered in the affirmative, holding that the damages cap applies retroactively.[4] The Seventh Circuit analyzed whether the amendment was substantive or procedural, because only procedural amendments can apply retroactively under Illinois law.

The BIPA amendment was procedural because it involved the “rules that prescribe[d] the steps for having a right or duty judicially enforced.”[5] The text of the amendment and the Illinois Supreme Court’s discussion of Section 20 in Cothron indicated that it addressed the availability of damages, not proscribed conduct. Additionally, the amendment was contained exclusively in the damages section of BIPA, not in the liability section. Each of these points demonstrated that the amendment was remedial and therefore procedural, so it could have retroactive effect.

    The appellees argued that the panel’s interpretation would wipe away millions of dollars of liability, and also that whether someone has been injured once or a thousand times is a matter of substance,[6] but the Court was not persuaded and pointed to language in Cothron noting that damages were discretionary, so plaintiffs were not guaranteed any specific recovery in the first place.[7]

    Key Takeaways 

    • Going forward, there will be upper limits on the amount of damages available to plaintiffs. Each plaintiff can seek up to $5,000 for violations of BIPA sections (b) or (d). No longer can a plaintiff seek damages for every BIPA violation over the course of multiple years, which may lower a company’s exposure exponentially.
    • Courts still have discretion over the amount of damages, up to the statutory maximum, or even whether to award damages at all.
    • Businesses that collect biometric data should continue to maintain a privacy policy that discloses the specific data collected and collect data only from those consumers who expressly consent.
    • The Texas biometric privacy law allows the Texas Attorney General to levy fines based on each individual violation, now putting that law at odds with BIPA. The Texas law does not have a private right of action.

    The Coblentz Data Privacy & Cybersecurity team is experienced at litigating BIPA matters and can help you navigate the changing legal landscape. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.


    [1] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 927 (Ill. 2023).

    [2] 740 ILCS 14/20(b), (c).

    [3] Id.

    [4] Clay v. Union Pacific Railroad Co., 2026 WL 891902 (7th Cir. Apr. 1, 2026).

    [5] Id. at *3.

[6] Id. at *4.

    [7] Id. at *6.

  • California Privacy Enforcement: What’s New Since Our Mid-Year Privacy Report

    By Scott Hall and Phillip Wiese

This update is intended as a follow-up to the Coblentz 2025 Mid-Year Privacy Report’s discussion of California privacy enforcement themes.

    Since our 2025 mid-year privacy report highlighted the CPPA’s (now CalPrivacy’s) early enforcement playbook (Honda and Todd Snyder) and the California Attorney General’s landmark Healthline settlement, California regulators have kept up the pace into early 2026. Recent enforcement matters confirm that regulators are less interested in “paper compliance” than whether consumer choices actually work across real-world tech stacks, devices, and vendors. They also show expanding attention to (1) streaming/CTV ecosystems, (2) mobile apps (including youth data), (3) job applicant/employee-related data, and (4) data broker obligations under the Delete Act.

    Below is a brief summary of new enforcement actions and an analysis of enforcement themes.

    Recent Enforcement Actions and Developments

    • Disney: “Account-wide” opt-outs across services and devices are expected and required.

      In February 2026, the California Attorney General announced a $2.75 million settlement with Disney entities tied to Disney’s streaming ecosystem. The core allegation was functional—namely, that consumers would try to opt out through toggles, a webform, or Global Privacy Control (GPC), but those signals allegedly did not fully propagate across the “bundle” of services and devices tied to the consumer’s account—leaving gaps where sale/sharing continued. This is the clearest statement yet (in enforcement posture) that if a business can link devices/services to a consumer for advertising or measurement, regulators expect it to be able to link those same devices/services to the consumer’s privacy elections—and to do so comprehensively.

    • PlayOn Sports: CalPrivacy tackles opt-out mechanisms in high school sports website.

      In March 2026, CalPrivacy announced a $1.10 million decision against PlayOn Sports, a media company that sells digital tickets to certain high school events, including football games, theater performances, and school dances. According to CalPrivacy, high school students were required to agree to the use of tracking technology and collection of personal information without a meaningful way to opt out of that data collection in order to use the website. This enforcement action represented CalPrivacy’s first foray into enforcing the CCPA expressly on behalf of minors, describing the high school students as a “uniquely vulnerable population.”

    • Ford Motor Co.: Opt-out requests need not be verified.

      In March 2026, CalPrivacy also announced a $375,000 decision against Ford Motor Company, finding that the automaker created “unnecessary friction” by improperly processing consumer requests to opt out of the sale or sharing of personal information. In particular, Ford used a standardized form for all CCPA requests, including the right to opt-out, and then required consumers to respond to a follow-up email to verify their identity. While companies can require verification for certain CCPA requests, including the rights to know, correct, and delete, the CCPA does not provide a similar verification process for opting out of data selling or sharing. Companies may consider utilizing different workstreams for opt-out requests and other CCPA-related requests to avoid this issue.

    • Tractor Supply Co.: Opt-out mechanisms must work properly.

      In September 2025, CalPrivacy announced a $1.35 million decision against rural lifestyle retailer Tractor Supply Company after a single consumer reported the Tractor Supply privacy practices to the agency. CalPrivacy determined that Tractor Supply violated the CCPA in numerous ways. Critically, the CalPrivacy decision stated that Tractor Supply had a webform that did not in practice allow consumers to opt out of the sale or sharing of personal information. According to CalPrivacy, consumers could fill out a webform purporting to allow them to opt out of data sharing/selling, but Tractor Supply took no action to effectuate those requests. Additionally, CalPrivacy stated that Tractor Supply lacked CCPA-compliant contracts with service providers and other third parties, and that Tractor Supply did not provide all requisite notices under the CCPA, including to job applicants. As a result of these issues, Tractor Supply received the largest fine levied to date by CalPrivacy.

    • Jam City: Don’t forget about mobile app opt-outs and under-16 protections.

      In November 2025, the AG announced a $1.4 million settlement with a mobile app gaming company. The AG’s announcement emphasized two points: (1) if personal information is sold/shared through mobile apps, consumers need compliant opt-out methods in-app, and (2) the CCPA’s heightened protections for consumers under 16 (affirmative opt-in for sale/sharing) are an active enforcement area. This builds directly on the mid-year theme that enforcement is moving from websites into the app ecosystem and is increasingly focused on whether the consumer experience is simple and effective.

    • CalPrivacy (CPPA): Delete Act/data broker enforcement.

In January 2026, CalPrivacy announced enforcement actions against a marketing firm and a technology firm for each failing to register as a data broker. CalPrivacy claimed that the marketing firm was selling personal information about individuals with certain health conditions for targeted advertising and emphasized that simply packaging personal information into “custom audiences” or value-added products does not avoid data broker obligations. This connects to the broader enforcement theme that regulators are looking through form to function: if the business model involves the buying or selling of consumers’ personal information, it must comply with the CCPA and the Delete Act.

    Privacy Enforcement Themes to Keep Top of Mind

    • Regulators expect “functional” opt-outs, including end-to-end propagation across vendors, devices, and services. These latest enforcement actions make clear that the regulators expect companies to create a straightforward and streamlined consumer opt-out process. If, for example, a consumer opts out of data sharing/selling, that request must be fulfilled across the company’s entire ecosystem unless the consumer specifically limits the request. The company cannot unilaterally exempt certain verticals or parts of the business. Additionally, the opt-out methods must meaningfully allow consumers to opt out of data sharing/selling. Webforms, Global Privacy Controls, and other opt-out methods must be checked regularly to ensure functionality. The regulators have been quick to act where those methods do not work as expected.
    • Regulators expect low-friction user experience—and will treat friction as a compliance risk. Both CalPrivacy and the AG have focused on the specific opt-out mechanisms for data collection or data selling/sharing, targeting companies that appear to have made it difficult or impossible to opt out of data sharing/selling and still use mobile apps. For example, the regulators have looked unfavorably on cookie banners that cover critical website functions and that must be accepted before the consumer can use the website. This is especially the case where the user must accept cookies, rather than choosing whether to accept or reject cookies. And on the topic of cookie banners, companies should consider evaluating their cookie banners to ensure symmetry of choice for both allowing and rejecting cookies.
    • Youth and sensitive-context data remain high priority. CalPrivacy noted in its announcement of the PlayOn decision that students are “uniquely vulnerable,” and any websites they use should not “fuel advertising and commercial surveillance” at the expense of enhancing their educational opportunities. Similarly, the AG has cracked down on companies allegedly selling children’s information as well as disseminating sensitive consumer health information. Companies should consider reviewing their data collection practices to determine whether they collect, share or sell these types of data, and if so, evaluate whether proper disclosures are in place.

    Your Key Next Steps

    • Audit your opt-out functionality across all web, mobile, and platform integrations and ensure a consistent and defensible approach. The opt-out process should be straightforward and streamlined.
    • Inventory service provider / contractor / third-party contracts for required restrictions and flow-down obligations—especially in advertising and analytics. The regulators continue to monitor the adequacy of the contracts governing these relationships.
    • Reassess youth and student-data touchpoints, including age-gating logic, opt-in mechanisms, SDK behavior, retention, and security controls.
• Evaluate data broker status (including “custom audience” and profiling services) and confirm registration/fees where required. Additionally, prepare for an influx of Delete Request and Opt-out Platform (DROP) requests. DROP was released to the public in January, and data brokers must begin deleting data within 90 days, starting August 1, 2026.
    • Don’t forget about applicant/HR privacy. Because employees and job applicants are covered by the CCPA, take time to review or revise notices and rights processes for those individuals.
  • LKQ v. GM: Design Patent Invalidity A Year Later

  • Key Takeaways from “2025 Privacy Overview: How to Ensure Compliance and Reduce Business Risk”

    Coblentz partner Scott Hall and members of the Coblentz Data Privacy Team presented “2025 Privacy Overview: How to Ensure Compliance and Reduce Business Risk” on October 21, 2025. The team discussed the global and U.S. AI legal landscape, provided an overview of U.S. state privacy laws, updates related to children’s privacy and health data privacy, 2025 privacy litigation trends related to the Video Privacy Protection Act (VPPA), the California Invasion of Privacy Act (CIPA), and California’s SB 690, and summarized regulatory enforcement actions.

    Key Takeaways

    Proactive Privacy Governance Is Now a Legal Imperative

    Businesses should develop a unified privacy governance framework that harmonizes obligations across state, federal, and international laws. Fragmented compliance efforts create operational risk and regulatory exposure, especially as new state privacy laws (now in 20 states) expand enforcement. Embedding privacy impact assessments into product and vendor workflows is essential.

    Contracts Are the Front Line for Risk Allocation

    Businesses should tighten data processing agreements, vendor clauses, and cross-border transfer mechanisms. In-house teams should review indemnity and liability provisions related to data breaches, confirm that vendors meet equivalent security standards, and ensure ongoing audit rights. “Paper compliance” can be a recurring pitfall as documentation must reflect actual practice.

    Incident Response Readiness and Documentation Drive Defensibility

    Businesses should ensure that incident response plans are legally defensible and not just operationally sound. This includes maintaining privileged documentation, conducting post-incident reviews, and aligning notification procedures with each jurisdiction’s timing requirements. Regulators are now assessing whether response documentation shows “reasonable security practices” in action.

    If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

    To view the recording of our 2025 Privacy Overview webinar, please click here.

    To view our 2025 Privacy Developments Action Item Checklist, please click here.


  • It’s Okay to Say No to AI Notetaking and Meeting Recordings

    (And Yes—They Do Need to Ask)

    By Scott Hall

    AI-powered meeting tools have made it incredibly easy to record, transcribe, and summarize conversations. But ease of use shouldn’t override legal obligations or sound data governance. As these tools become more common, it’s important for businesses to ask a fundamental question: Do we really need a record of every meeting?

    Whether for internal meetings or external calls, AI notetaking tools come with real legal and privacy risks. In many cases, the better choice may be to opt out of recording altogether—and never assume silence means consent.

    Consent Still Comes First

    Recording laws haven’t changed just because AI has entered the room. Under federal law, “one-party consent” may be enough, but over a dozen states—including California, Florida, and Pennsylvania—require all parties to consent before a conversation can be recorded. That includes AI tools that silently transcribe, summarize, or analyze conversations.

If your meeting involves participants in one of these states, or in multiple states, the safest approach is to apply the strictest rule. And if you’re using a tool that silently joins a call, records the conversation, and spits out an AI summary—without every participant clearly agreeing to it—you could be violating state and federal law. Simply put: if you’re using an AI notetaker or transcript tool, you need to tell people—and get their permission.

    AI Creates More Than Just Notes—It Creates Risk

Many organizations adopt AI notetaking simply to avoid the time-consuming work of manual documentation. But this can backfire. Transcripts often include stray comments, speculation, internal debates, or even sensitive information that a human notetaker would leave out. AI tools can also completely miss or misunderstand the context in which statements are made, including sarcasm, jokes, or simply the tone or inflection of a remark, any of which can alter its meaning; and they can hallucinate content outright. Moreover, these materials—accurate or inaccurate—can become discoverable in litigation or investigations—even if they were only meant for internal use.

    AI records can also:

    • Conflict with formal meeting minutes, undermining credibility;
    • Waive attorney-client privilege if legal conversations are transcribed by third-party services;
    • Create inconsistent records across versions (raw transcript, AI summary, follow-up notes);
• Increase data exposure if stored indefinitely or shared with vendors using it to train AI models.

    When businesses reflexively record everything “just in case,” they often end up storing conversations they never needed—and wish they didn’t have.

    Manual Notes Still Have a Place

    Not every meeting needs to be transcribed. AI tools are often marketed as efficiency boosters, but businesses should resist the urge to capture everything simply to avoid notetaking. Typed notes remain a valuable, lower-risk alternative—especially when discussions involve sensitive strategy, personnel, or legal matters.

    Ask yourself: If this meeting were the subject of a lawsuit or investigation, would we want a full transcript of everything that was said? If not, don’t create one in the first place.

    If You Do Use AI Tools, Govern Them Carefully

    If your organization is using—or considering—AI meeting assistants, take these governance steps:

    • Be Intentional
      Don’t record by default. Choose transcription only for meetings where it clearly adds value.
    • Get Explicit Consent
      Use verbal notices, written policies, or meeting pop-ups to inform all participants and log their consent.
    • Vet Your Vendors
      Review AI tool settings and terms. Turn off features you don’t need, and block vendor use of your data for model training.
• Update Your Privacy Policies and Employee Handbooks
      Clearly disclose when and how AI transcription or recording tools are used—and whether third parties are involved.
    • Limit Access and Retention
      Keep transcripts only as long as necessary. Restrict access to relevant personnel.
    • Establish Internal Guidelines
      Create policies that define when AI notetaking is appropriate for your organization and when it’s not. Train employees to use these tools thoughtfully and sparingly.

    If You Join a Meeting That’s Being Recorded, Don’t Be Afraid to Say No

    It’s common to feel awkward asking a host to turn off an AI notetaker or to pause a recording—especially in professional settings. But your discomfort shouldn’t override your privacy preferences. If you didn’t consent to being recorded, you have every right to speak up, ask for the tool to be disabled, or leave the meeting if needed. Respectful pushback is not unprofessional—it’s prudent. At a minimum, you should request a transcript of the notes or a copy of the recording after the meeting and review it for accuracy.

    Conclusion

    AI offers powerful tools—but recording everything is not a compliance strategy. It’s a shortcut that many companies are taking without thinking through the potential long-term problems.

    Saying no to AI notetaking isn’t being anti-tech—it’s being pro-accountability. It reflects good governance, legal awareness, and respect for privacy. Sometimes, not hitting “record” is the most prudent decision your team can make.

  • California’s 2026 Employment Laws: Practical Steps for Employers to Stay Ahead

By Fred W. Alvarez, Hannah L. Jones, Daniel M. Bruggebrew, Allison Moser, Paige B. Pulley, Hannah Withers, and Stacey Zartler

    With the Governor’s signing window closed, employers now have clarity on which proposed California workplace measures will take effect in 2026. Our prior alert, “Legislative Bills That Could Redefine California Workplaces in 2026,” outlined the key California proposals under consideration with a summary of each bill. This update focuses on the California employment measures that became law and provides practical guidance to help California employers prepare for the sweeping changes ahead.

AB 692 – Ban on Most Stay-or-Pay Agreements

    Key Requirements/Changes: Makes most repayment or retention provisions in employment unenforceable; limited exceptions for tuition or education costs.

    Action Items: Employers should carefully review employment agreement templates that include repayment or retention provisions, such as signing bonuses or training cost reimbursements. Any “stay-or-pay” language that does not meet the limited statutory exceptions should be removed or revised to comply with the new law. Employers may wish to develop alternative retention strategies—such as milestone-based bonuses or enhanced career development opportunities—to achieve retention goals without relying on repayment agreements.

    SB 464 – Broader Pay Data Reporting Requirements

    Key Requirements/Changes: Expands pay data demographic reporting to include sexual orientation.

    Action Items: Employers subject to California’s pay data reporting requirements should prepare for expanded pay data reporting obligations in the next filing cycle and confirm that vendors or third-party reporting platforms can accommodate the new data fields.

    SB 642 – Pay Scale in Job Postings

    Key Requirements/Changes: Clarifies definition of “pay scale” disclosures in job postings; extends lawsuit deadline to 3 years.

    Action Items: Companies should review their job posting templates and hiring procedures to ensure compliance with the clarified definition of “pay scale.” Pay ranges should reflect a “good-faith estimate” of what the employer reasonably expects to pay for a position upon hire. Recruiting and compensation teams should align on consistent methodologies for establishing pay ranges and maintain documentation supporting these determinations, as employers will now need to retain such records for at least three years to defend against potential claims.

    SB 590 – Paid Family Leave Expanded to Chosen Family

    Key Requirements/Changes: Extends California PFL benefits to care for a “designated person,” aligning with the California Family Rights Act, starting in 2028.

    Action Items: Employers should update their leave request forms, benefits communications, and internal policies to include care for a “designated person” as a qualifying reason for Paid Family Leave benefits starting July 1, 2028.

    SB 513 – Personnel Records Must Include Training Data

    Key Requirements/Changes: Adds training, education, and certification details to required personnel records.

    Action Items: Employers should audit their personnel files to confirm that employee training, certification, and education records are properly documented. Going forward, HR teams should establish a consistent process for recording the type, date, and outcome of all required training programs. Employers may need to update their HRIS systems or personnel record templates to ensure this information can be easily accessed and verified during audits or employee file requests.

    SB 303 – Good Faith Bias Disclosure Protections

Key Requirements/Changes: Good faith disclosures of bias during discrimination or other bias mitigation trainings do not constitute unlawful discrimination.

    Action Items: Employers should update internal policies and training materials to reflect that good faith admissions of bias during bias mitigation trainings do not constitute unlawful discrimination. Employers should also ensure that disciplinary decisions are not based on these good faith disclosures.

    SB 294 – Know Your Rights Notice

    Key Requirements/Changes: Requires new workplace notice by Feb. 1, 2026; $500/day penalty per employee for noncompliance.

    Action Items: Employers should prepare to distribute the new “Know Your Rights” notice to all employees before the February 1, 2026 deadline. HR and compliance teams should monitor guidance from the Labor Commissioner for the official notice template and ensure that both onsite and remote employees receive it. Employers should also maintain clear records of when and how the notice was distributed to demonstrate compliance and avoid penalties.

    The Coblentz Employment team is available to answer any questions you may have about the impact of these regulations.

  • Legislative Bills That Could Redefine California Workplaces in 2026

    By Fred W. Alvarez, Hannah L. Jones, Daniel M. Bruggebrew, Allison Moser, Paige B. Pulley, Hannah Withers, and Stacey Zartler

    California is once again at the forefront of workplace regulation, with a slate of 2026 bills that would significantly expand employee rights and increase employer compliance obligations. From limits on AI in employment decisions, to restrictions on stay-or-pay agreements, expanded pay data reporting, and new immigration-related protections, these measures highlight the state’s aggressive approach to reshaping the employer-employee relationship.

    Governor Newsom has until October 12, 2025 to sign or veto these bills. Below is a table summarizing the most significant proposals currently on his desk as well as a deeper dive into each bill. We will provide follow-up guidance once final enactments are known to help employers prepare for compliance. Unless otherwise noted, any new laws signed will take effect on January 1, 2026.

| Bill | Topic | Key Requirements / Changes |
| --- | --- | --- |
| SB 7 | Limits on AI in Employment Decisions | Prohibits exclusive use of AI tools in hiring, promotion, or discipline; requires notice, data access, and appeal rights. |
| AB 692 | Ban on Most Stay-or-Pay Agreements | Makes most repayment or retention provisions unenforceable; limited exceptions for tuition or education costs. |
| AB 1136 | Expanded Leave for Immigration Proceedings | Provides up to 12 months of unpaid leave for detention and 5 unpaid days for immigration-related matters. |
| SB 464 | Broader Pay Data Reporting | Expands demographic reporting to include sexual orientation; requires separate recordkeeping. |
| SB 642 | Pay Scale in Job Postings | Clarifies definition of “pay scale”; extends lawsuit deadline to 3 years. |
| SB 590 | Paid Family Leave for “Chosen Family” | Extends PFL benefits to care for a “designated person,” aligning with CFRA. |
| SB 513 | Personnel Records Must Include Training Data | Adds training, education, and certification details to required personnel records. |
| AB 1326 | Employee Right to Wear Face Masks | Employers may not prohibit mask use unless it poses a safety hazard; brief removal allowed for identification. |
| SB 294 | “Know Your Rights” Notice | Requires new workplace notice by Feb. 1, 2026; $500/day penalty per employee for noncompliance. |


    Limits on AI in Employment Decisions (SB 7): Under California’s SB 7, employers may not rely exclusively on AI (referred to in the bill as automated decision systems, or ADS) to make key employment decisions such as hiring, promotion, discipline, or termination. ADS are defined as AI-driven or algorithmic tools that make, or materially assist in making, decisions that significantly affect employees. Examples include resume-screening software, video interview analysis tools, chatbot applicant pre-screening platforms, promotion recommendation systems, and certain types of employee monitoring programs.

    Employers that use ADS to assist in employment-related decisions—but not as the sole basis—will be subject to new notice and disclosure obligations if this law takes effect. For applicants, employers must disclose the use of ADS and provide information about the underlying algorithms as part of the application process. For current employees, employers must give at least 30 days’ advance notice in a “standalone written communication” before adopting any new ADS for disciplinary or promotion purposes. In both contexts, employees and applicants must be given access to ADS-related data and the right to appeal any employment decision made with the assistance of ADS.

    Importantly, SB 7 builds on the AI regulations adopted by the California Civil Rights Council (CRC) in October 2025, extending notice and disclosure obligations to both current and prospective employees. For additional background on the CRC regulations, see our prior client alert here.

    Failure to comply with SB 7 may result in enforcement by the Labor Commissioner or private civil actions, with potential remedies including actual damages, civil penalties of up to $500 per violation, and recovery of attorneys’ fees.

    Ban on Most Stay-or-Pay Agreements (AB 692): Employers have long relied on signing bonuses, retention bonuses, or repayment obligations for training, tuition, or immigration costs to encourage employees to stay in the job for a set period of time. These arrangements come with a price tag for employees who leave early: repayment.

    Under AB 692, which would apply to contracts entered into on or after January 1, 2026, most of these “stay-or-pay” arrangements will be prohibited. The law not only renders such agreements unenforceable but also exposes employers to potential employee lawsuits seeking damages or other remedies, with penalties including the greater of actual damages or a $5,000 minimum per violation.

    While broad in scope, AB 692 does carve out limited exceptions. For example, repayment provisions for tuition costs related to transferable educational credentials may still be enforceable if they meet detailed statutory requirements. Similarly, signing and retention bonus agreements remain permissible, but only if they are set out in a standalone agreement that complies with highly technical conditions.

    Expanded Leave Rights for Immigration Proceedings (AB 1136): In response to heightened federal immigration enforcement activity, including ICE raids and the current administration’s restrictive stance on immigration, California has advanced new protections for employees facing immigration or deportation proceedings.

    Under the proposed law, employers must place an employee on unpaid leave for up to 12 months if the employee is detained or incarcerated due to pending immigration or deportation proceedings. If the employee is released during that period and provides valid work authorization, the employer must reinstate the employee to their former position without loss of seniority.

    The bill also requires employers to provide up to five unpaid days off within a 12-month period for employees to address matters related to immigration status, work authorization, or visa status. This includes attending appointments, interviews, adjudications, legal proceedings, detentions, or any other required meetings related to the employee’s immigration situation.

    Broader Pay Data Reporting Requirements (SB 464): SB 464 expands California’s existing pay data reporting obligations for private employers with more than 100 employees. Employers must now collect and maintain demographic information used for reporting purposes separately from employees’ personnel records. The law also broadens the scope of required reporting. In addition to race, ethnicity, and sex, employers must now report on employees’ sexual orientation (if voluntarily disclosed).

    Clearer Rules for Pay Scale in Job Postings (SB 642): California law already requires employers to include “pay scale” information in job postings, but the term has long been a source of confusion. SB 642 attempts to clarify the term by defining “pay scale” as a “good-faith estimate” of the salary or hourly wage range that the employer reasonably expects to pay for the position upon hire. The bill also extends the statute of limitations for violations, giving employees three years (instead of two) to bring a lawsuit for pay equity violations.

    Paid Family Leave Expanded to Chosen Family (SB 590): Beginning July 1, 2028, if SB 590 is signed by the governor, California’s Paid Family Leave (PFL) program will expand to provide wage replacement benefits when employees take time off to care for a “designated person.” This change is intended to support Californians who rely on chosen family members for care. The California Family Rights Act (CFRA) already provides job-protected leave to care for a designated person. SB 590 aligns the PFL program with CFRA by extending wage replacement benefits to cover the same category of leave.

    Personnel Records Must Include Training Data (SB 513): SB 513 expands the definition of personnel records relating to an employee’s performance to expressly include education and training records. Employers that maintain such records will be required to ensure they include specified information, such as the type of training, date(s) completed, and any certifications or credentials earned, as part of the employee’s personnel file.

    Employee Right to Wear Face Masks (AB 1326): AB 1326 would prohibit employers from preventing employees from wearing face masks in the workplace, unless a mask would create a safety hazard. The bill also permits employers to require employees to briefly remove a face covering while at the worksite for identification purposes.

    Know Your Rights Notice (SB 294): Employers are required to distribute a new “Know Your Rights” notice to all employees by February 1, 2026. Failure to comply may result in penalties of $500 per employee, per day, up to a maximum of $10,000.

    The Coblentz Employment team is available to answer any questions you may have about the impact of these regulations. We will provide follow-up guidance once final enactments are known.

  • Regulators Launch Coordinated Enforcement Sweep on Website Opt-Out Mechanisms

    By Scott C. Hall and Mari S. Clifford

    On September 9, 2025, California Attorney General Rob Bonta, together with the California Privacy Protection Agency and the Attorneys General of Colorado and Connecticut, announced a joint enforcement sweep targeting businesses that fail to honor the Global Privacy Control (GPC). Regulators sent and will continue to send warning letters to companies that appear not to be processing consumer requests to opt out of data sales and targeted advertising, signaling heightened scrutiny and a coordinated, nationwide approach to enforcement.

    What Is the GPC and Why It Matters

    The GPC is a browser setting or extension that automatically communicates a consumer’s request to opt out of the “sale” or “sharing” of their personal information. Under laws in California, Colorado, Connecticut, and a growing list of other states (Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas), businesses are required to honor this signal.

    In practice, the GPC means that if a consumer has the setting enabled, your website must block or suppress cookies, pixels, and other tracking technologies that involve data sales or targeted advertising. Examples of technologies commonly used for targeted advertising include Meta Pixel, Google Ads and DoubleClick/Google Marketing Platform, TikTok Pixel, and Microsoft/Bing Ads UET Tag, among others. If these tools remain active when a consumer sends a GPC signal, your company may be out of compliance.

    As detailed in Coblentz’s 2025 Mid-Year Privacy Report, enforcement attention to GPC sits against the backdrop of a growing wave of privacy litigation. Plaintiffs are testing whether modern tracking technologies (such as pixels, session-replay tools, and chat integrations) can be shoehorned into legacy statutes like the California Invasion of Privacy Act (CIPA) and the Video Privacy Protection Act (VPPA). Courts have issued conflicting rulings, and California has even advanced legislation (SB 690) to rein in expansive CIPA theories. The takeaway from this is that regulators view GPC as a clear compliance obligation, while plaintiffs’ lawyers are probing the same ecosystem of cookies and pixels from a different angle. Companies that shore up GPC compliance are addressing not only a regulatory expectation but also reducing exposure to lawsuits.

    Compliance Steps to Take Now

    • Check GPC compliance with your web development/IT team: Confirm your website and cookie management tools detect and honor the GPC signal.
    • Review tracking technologies: Revisit how cookies, pixels, and other technologies are classified, and keep in mind that U.S. “sale” and “targeted advertising” rules do not always map to EU-style categories.
    • Test suppression: Verify that enabling GPC suppresses cookies and pixels used for sales or targeted ads.
    • Validate across states: Test the signal to ensure compliance not only in California but also in the other states requiring GPC recognition.
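    The GPC signal described above reaches a site in two standardized ways: the Global Privacy Control specification exposes it in the browser as the boolean navigator.globalPrivacyControl and on every HTTP request as the header Sec-GPC: 1. The following is an added example (it is not code from this alert or from any tag vendor) showing how a site can read the signal from either source, withhold the tags it has classified as sales or targeted advertising, and produce a record of what was suppressed for the "test and document" steps in the checklist. The tag catalogue, the purpose labels, the first-party-analytics tag and the srcFor helper are all constructed for illustration; how each real tag should be classified is a decision for your own review.

```javascript
// Added example, not the firm's or any vendor's code.
// The Global Privacy Control spec exposes the opt-out signal as
// navigator.globalPrivacyControl (browser) and as the request header
// "Sec-GPC: 1" (server). Everything below builds on those two facts.

// Constructed catalogue of third-party tags and the U.S. privacy purpose each
// was assigned after review. Purpose labels are illustrative.
const TAG_CATALOG = [
  { id: 'meta-pixel',            purpose: 'targeted-advertising' },
  { id: 'google-ads',            purpose: 'targeted-advertising' },
  { id: 'tiktok-pixel',          purpose: 'targeted-advertising' },
  { id: 'bing-ads-uet',          purpose: 'targeted-advertising' },
  { id: 'first-party-analytics', purpose: 'analytics' }, // hypothetical tag
];

// Purposes that an active GPC signal must switch off.
const RESTRICTED_PURPOSES = new Set(['sale', 'targeted-advertising']);

// Server side: the spec defines the header Sec-GPC with the exact value "1".
// Header names are matched case-insensitively; any other value (absent, "0",
// "true") is not a valid opt-out signal and must not be treated as one.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser side: read the boolean the user agent exposes. Browsers without
// GPC support leave the property undefined, which correctly reads as "no signal".
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Core decision: with GPC on, every tag whose purpose is a sale or targeted
// advertising is withheld; tags with other purposes are unaffected.
function allowedTags(catalog, gpcEnabled) {
  return catalog
    .filter(tag => !(gpcEnabled && RESTRICTED_PURPOSES.has(tag.purpose)))
    .map(tag => tag.id);
}

// Evidence record for a test run: what the signal was, which tags loaded and
// which were suppressed. Either source of the signal is sufficient on its own.
function gpcSuppressionReport(catalog, headers, nav) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const loaded = allowedTags(catalog, gpc);
  const suppressed = catalog.map(t => t.id).filter(id => !loaded.includes(id));
  return { gpc, loaded, suppressed };
}

// In a real page, the tag loader is gated on the decision above. `doc` is
// passed in so the logic can be exercised outside a browser; `srcFor` is a
// hypothetical helper that maps a tag id to its script URL.
function loadAllowedTags(doc, nav, catalog, srcFor) {
  const ids = allowedTags(catalog, gpcFromNavigator(nav));
  for (const id of ids) {
    const script = doc.createElement('script');
    script.async = true;
    script.src = srcFor(id);
    doc.head.appendChild(script);
  }
  return ids;
}
```

    Run gpcSuppressionReport with a request that carries Sec-GPC: 1 and keep the returned object with your test records; a report whose suppressed list is empty while the signal is on is the condition the regulators' warning letters describe. The same check should be repeated for each state listed above, since the technical signal is identical but the set of tags that count as a sale or targeted advertising may differ by jurisdiction.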

    If your company uses third-party advertising or analytics tools like Meta Pixel, Google Ads, or DoubleClick, regulators expect you to be honoring GPC signals today. With this coordinated enforcement sweep underway, now is the time to test, document, and shore up compliance across all applicable jurisdictions.

    Please reach out to the Coblentz team for further information or assistance.

  • EU-U.S. Data Transfers in 2025

    By Mari S. Clifford and Scott C. Hall

    Cross-border data transfers between the EU and U.S. remain a legal and operational minefield. While the July 2023 adequacy decision ushered in the EU-U.S. Data Privacy Framework (DPF), recent developments have called its long-term stability into question. In parallel, both EU regulators and U.S. authorities have ramped up scrutiny of international data flows—ushering in a more complex, risk-sensitive compliance era for transatlantic businesses.

    The State of the Framework

    The DPF, designed to replace the invalidated Privacy Shield, allows certified U.S. companies to receive EU personal data without standard contractual clauses (SCCs) or transfer impact assessments (TIAs). But its legal foundation—U.S. Executive Order 14086—has come under renewed pressure following:

    • Dismissals of key privacy oversight officials in the U.S.
    • Structural changes to the Data Protection Review Court.
    • Broad access authority granted to a new U.S. intelligence body—the Department of Government Efficiency (DOGE).

    The European Commission has signaled support for maintaining the DPF but acknowledged that ongoing U.S. political developments could impact its sustainability. Legal challenges remain possible, and several supervisory authorities have advised against over-reliance.

    Enforcement is Real: The Uber Case

    In January 2025, the Dutch DPA fined Uber €290 million—the largest penalty issued by the regulator to date—for unlawful transfers of EU driver data to the U.S. without valid safeguards after discontinuing SCCs in 2021. Uber argued that GDPR’s territorial scope negated the need for Chapter V safeguards. The DPA rejected this, reaffirming that data transfers must meet all GDPR conditions regardless of joint controllership claims.

    The decision underscores that even global, well-resourced companies cannot afford gaps in transfer compliance.

    New U.S. Restrictions Create Reverse Pressure

    The compliance calculus is also shifting in the other direction. The U.S. Department of Justice’s “Bulk Data Rule,” effective April 2025, imposes strict restrictions on transfers of sensitive personal data from the U.S. to “countries of concern” (including China, Russia, and others). While aimed at national security, the rule applies to any U.S.-based entity—including those acting as processors for EU data—raising novel compliance challenges for onward transfers out of the U.S.

    Implications include:

    • Required audits and risk assessments.
    • CISA-level cybersecurity obligations.
    • Potential delays or restrictions for multinational vendor chains.

    Takeaways for Businesses

    To maintain compliant and resilient data transfer programs in this dynamic environment, organizations should:

    • Verify DPF Certifications: Ensure U.S. recipients are currently certified and that the certification covers the specific data and processing purpose.
    • Retain SCCs and TIAs as a Backup: Maintain robust documentation and fallback mechanisms in case the DPF is invalidated or suspended.
    • Monitor U.S. Bulk Data Rules: Assess whether EU data processed in the U.S. is subject to onward transfer restrictions under the DOJ’s new regime.
    • Conduct Ongoing Transfer Risk Reviews: Include recent regulatory, legal, and political developments in third-country assessments.
    • Align Internal Definitions: Ensure data transfer definitions match those used by EU authorities—including for remote access scenarios.
    • Anticipate Regulatory Questions: Regulators may require granular evidence of safeguards, especially for transfers involving sensitive data (e.g., biometrics, employment, location).

    While the DPF provides useful breathing room, it is not a bulletproof shield. EU-U.S. data flows remain structurally fragile, and organizations must layer compliance strategies—technical, contractual, and legal—to minimize exposure. Proactive alignment with evolving expectations on both sides of the Atlantic remains the best defense.

    If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.
