California Regulatory Law Archives - Horst Legal Counsel
https://www.horstcounsel.com/category/california-regulatory-law/
Emerging Industries | Litigation | Intellectual Property | Corporate | California

California Courts Can Now Ask Why You Keep Firing the Judge
https://www.horstcounsel.com/california-courts-can-now-ask-why-you-keep-firing-the-judge/
Thu, 28 May 2026 18:35:52 +0000

Picture a lawsuit where the other side doesn’t like the judge. Not because the judge ruled against them on the merits, but because the judge once held them accountable. So they make the judge go away. Not from one case, but from every case like yours, filing the same boilerplate paperwork over and over until the court has no choice but to reassign that judge somewhere else. For nearly fifty years, California law said the courts were powerless to stop this. As of last week, that’s no longer true.

The California Supreme Court decided J.O. v. Superior Court on May 28, 2026, in a unanimous opinion authored by Justice Groban. The Court overruled part of a 1977 precedent and held, for the first time, that when a party abuses the judge-disqualification statute to force a particular judge off all of their cases in bad faith, a court can look behind the paperwork and ask what’s really going on. For anyone who litigates in California, and especially for anyone who litigates against an institutional opponent, the rules around judicial disqualification just shifted.

The Tool at the Center of the Case

California’s Code of Civil Procedure section 170.6 gives every litigant a powerful right. By signing an affidavit, or simply stating under oath, that a judge is “prejudiced” against them, a party can force that judge off the case. No proof required. No hearing. The disqualification is automatic, and a new judge gets assigned. The idea behind the rule is sound. Sometimes a litigant has a good-faith belief that a judge is biased but can’t prove it, and the law would rather remove the judge than force a party to litigate in front of someone they distrust.

The problem is what happens when the tool gets weaponized. If a district attorney’s office, a public defender, a county counsel, or even a private firm that handles most of one kind of case decides it wants a particular judge gone, it can file the same challenge in case after case. Done at scale, this isn’t about prejudice in any single case. It’s about removing a judge the office doesn’t like, often because the judge ruled against them once. Courts call this a “blanket challenge.”

What Happened Here

The petitioner, identified only as J.O., is under a conservatorship in San Joaquin County. According to the allegations, after Judge Erin E. Guy Castillo admonished a county counsel attorney for improper conduct, the county counsel’s office began disqualifying her across the board in conservatorship cases. Petitioner’s counsel estimates the office filed roughly 325 section 170.6 challenges against her in under four months. The result, as alleged, was that Judge Guy Castillo got reassigned out of the department handling mental health and conservatorship matters and into one hearing misdemeanors, traffic, and small claims.

The trial court felt its hands were tied. Under the 1977 precedent, Solberg v. Superior Court, blanket challenges were treated as immune from this kind of constitutional objection, so the court rejected the challenge to the practice without ever examining whether it was made in bad faith. The Court of Appeal denied relief. The Supreme Court took the case to decide whether Solberg still held up.

The Big Move

It doesn’t, at least not on this point. The Court explained that the judiciary of 1977 looks nothing like the one operating today. Caseloads have ballooned. In 1977 there were about 54,000 felony filings statewide. In the most recent year measured, there were nearly 180,000. Courts now run specialized calendars for things like conservatorships, family law, and drug and mental health treatment, all of which depend on assigning judges with particular training. Budgets are tighter and judicial vacancies are real. In that environment, letting a party force a specialized judge off an entire category of cases does real damage to the court’s ability to run itself.

That damage, the Court held, is a separation of powers problem. The California Constitution gives the judiciary, through the presiding judge, the authority to assign its own judges. When a litigant uses blanket challenges in bad faith to override those assignments, it lets one party effectively seize a function the Constitution reserves for the courts. So the Court overruled Solberg to the extent it barred courts from examining blanket abuses, while leaving the statute itself, and every good-faith individual challenge, fully intact.

How It Works Now

The Court borrowed the familiar burden-shifting framework from jury-selection challenges. First, the party opposing a section 170.6 motion has to timely object and make a preliminary showing that the other side is lodging bad-faith blanket challenges, often by pointing to a pattern of repeated strikes against the same judge after an adverse ruling. If that showing is made, the burden shifts to the party that filed the challenge to give a genuine, case-specific reason for believing the judge is prejudiced. Then the court decides whether the challenge was made in good faith or as part of a bad-faith blanket policy. A single good-faith challenge is still automatic and still requires no proof. Only the abusive, across-the-board pattern is now open to scrutiny.

One detail worth noting for civil practitioners. The Court made clear this applies to everyone, not just prosecutors. A private law firm that handles the bulk of a particular kind of case in a small county could just as easily abuse the statute to push out the one judge hearing those matters. The constitutional problem comes from the conduct, not the identity of the party.

What This Means for Litigants

If you litigate in California, the integrity of who hears your case just got a little more protected. The practice of quietly running a judge off the bench by paper, which has frustrated courts for decades, now has a check on it. Institutional players who relied on blanket challenges as a strategic tool need to rethink that approach, because the affidavit that used to be unreviewable can now be examined when a pattern of bad faith is shown.

At the same time, the Court was careful about what it did not do. It did not touch the facial validity of section 170.6, and it rejected an amicus proposal to bar government attorneys from using the statute at all, calling that solution a step too far. Your right to disqualify a judge you genuinely believe is biased, in your own case, is exactly where it was. What changed is the ability to weaponize that right across an entire docket.

The Bottom Line

J.O. v. Superior Court restores a piece of authority the courts thought they had lost. For most litigants, the practical takeaway is reassurance that the forum is harder to manipulate. For institutional and high-volume litigants who treated blanket challenges as part of the playbook, the takeaway is a warning. The pattern that used to be invisible is now something a court can be asked to examine, and the time to reassess that strategy is before the objection lands, not after.

If your matter involves questions about judicial assignment, disqualification, or litigating against a repeat institutional opponent in California, this decision may affect how you plan your approach. Reach out to Horst Legal Counsel to talk through what it means for your case.

California’s “Actually Viewed” Defense Just Died in Data Breach Cases
https://www.horstcounsel.com/californias-actually-viewed-defense-just-died-in-data-breach-cases/
Thu, 21 May 2026 21:57:02 +0000

If your company handles other people’s sensitive data through a software vendor, two questions are now urgent. First, can you still rely on the longstanding California defense that says no liability attaches unless an unauthorized party actually viewed the data? And second, when a vendor sits between you and the end users whose information was exposed, who exactly has the right to sue whom?

The California Supreme Court answered both questions in J.M. v. Illuminate Education, Inc., a unanimous opinion authored by Justice Liu and issued on May 14, 2026, with a separate concurrence by Justice Groban. The headline holdings reshape how data breach claims are pleaded in California under the Confidentiality of Medical Information Act, and they redraw the boundary of who counts as a “customer” with standing under the Customer Records Act. For technology vendors, school districts, healthcare-adjacent platforms, and any business that processes personal information through a third-party service, the practical implications are immediate.

The Setup

Illuminate Education provides software services to school districts across the country. Among other things, its platform stores data on individual students, including medical information that districts use for educational planning and intervention. The Ventura County Office of Education contracts with Illuminate to support the district where the plaintiff, identified only as J.M., was a student.

In early 2022, Illuminate experienced a data breach. Its investigation eventually confirmed that databases containing protected student information had been subject to unauthorized access over a roughly twelve-day window in late December 2021 and early January 2022. Illuminate notified the Ventura County Office of Education about twelve days after confirming the breach. Notice to affected families, including J.M.’s guardians, didn’t go out until June 10, 2022, roughly five months after Illuminate first detected the suspicious activity. J.M., through his guardian, sued on behalf of a putative class for violations of the Confidentiality of Medical Information Act and the Customer Records Act.

The trial court dismissed the case at the demurrer stage. The Court of Appeal reversed. The Supreme Court granted review and, on May 14, issued an opinion that splits the difference, but in ways that significantly change the landscape for both sides of these disputes.

The Big Move: “Actually Viewed” Is Dead

For more than a decade, California’s Court of Appeal had held that a plaintiff suing under the Confidentiality of Medical Information Act couldn’t state a claim unless the plaintiff alleged that the breached information was actually viewed by an unauthorized party. The rule originated in Regents of the University of California v. Superior Court in 2013 and was reinforced by Sutter Health v. Superior Court in 2014 and Vigil v. Muir Medical Group IPA, Inc. in 2022. Defendants relied on this rule routinely. If the laptop was stolen but never accessed, no claim. If the hard drive was lost but the data was encrypted and the thief was probably after the hardware, no claim. The “actually viewed” requirement was, for years, one of the most defendant-friendly features of California data breach law.

The Supreme Court has now disapproved all three of those opinions to the extent they’re inconsistent with the new standard. In place of “actually viewed,” the Court adopted what it described as the primary inquiry going forward: whether the information was exposed to a significant risk of unauthorized access or use.

The Court’s reasoning is grounded in the statutory text. Civil Code section 56.101 requires covered entities to preserve the confidentiality of medical information. Civil Code section 56.36, in turn, authorizes a civil action and even provides for nominal damages of $1,000 without any requirement that the plaintiff suffered or was threatened with actual damages. The Court concluded that a regime that conditions liability on proof of actual viewing is hard to square with a statute that authorizes recovery without proof of actual harm.

The Court also flagged a practical concern that resonates with anyone who handles modern privacy litigation. Victims of data breaches rarely know what happened to their data unless they suffer downstream harm. And as the Court explicitly noted, breaches may now be facilitated by artificial intelligence or automated cybercrime in ways that never involve a human actually viewing the information. An “actually viewed” rule fits an earlier era of data theft. It doesn’t fit how breaches happen in 2026.

Importantly, the Court was careful to clarify that mere loss of possession isn’t always enough. The “significant risk” standard is meant to do real work. Smash-and-grab thefts of hardware where the thief was after the device, not the data, may fall short. Encrypted data with no realistic path to access may fall short. The analysis is fact-intensive and considers the form, duration, and extent of the breach, as well as any mitigation by the covered entity. Justice Groban’s concurrence pushed this point further, emphasizing that the new standard demands a realistic and appreciable risk, not mere theoretical exposure, and that any “significant risk” must be grounded in facts showing unauthorized access or use is reasonably likely under the circumstances.

The Other Move: Who Is a “Provider of Health Care”

The plaintiff still lost the case. The Court held that J.M. hadn’t adequately alleged that Illuminate is a “provider of health care” within the meaning of Civil Code section 56.06, which is a threshold requirement for any claim under the relevant sections of the Confidentiality of Medical Information Act.

The reasoning is worth understanding because it draws a line that many software vendors will want to study. Section 56.06 reaches businesses that maintain medical information in order to make that information available to individuals or to health care providers, for the purpose of allowing the individual to manage their own information or for diagnosis and treatment. The Court found that J.M.’s complaint alleged that Illuminate makes its data available to educators, students, and parents to support educational evaluation and planning, not for individual medical management or for diagnosis and treatment by a health care provider. The Legislature, the Court explained, had specific business models in mind when it extended the statute beyond traditional medical providers, including personal health record services and consumer-facing health applications. A business-to-business educational software platform, even one that stores medical information, doesn’t automatically fall within those categories.

Justice Groban’s concurrence went further on this point. He argued that J.M. had also failed to allege that maintaining medical information is integral to Illuminate’s business purpose in the first place, and that he would have affirmed the trial court’s denial of leave to amend, on the view that the defects in the complaint can’t be cured. The majority left that determination to the lower courts on remand.

For technology companies, the holding cuts two ways. The expanded liability standard means that covered entities now face data breach exposure on substantially easier pleading terms than before. But the statutory definition of who counts as a covered entity remains limited, and businesses that process medical information purely as part of a downstream service to a business customer, rather than as a service to individual end users, may not be covered at all.

The Customer Records Act Holding

The Court also held that J.M. couldn’t sue under the Customer Records Act because he wasn’t Illuminate’s “customer” within the meaning of that statute. The Customer Records Act authorizes a civil action by an injured “customer,” which it defines as an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from that business.

The Ventura County Office of Education purchased Illuminate’s services. J.M. didn’t. The Court of Appeal had reasoned that J.M. and other students were the ultimate beneficiaries of Illuminate’s services and should be treated as customers for purposes of the statute. The Supreme Court rejected that reasoning. The Customer Records Act defines “customer” narrowly and uses that term, rather than the broader “consumer” or “individual,” when authorizing a private right of action. The Legislature’s choice is treated as deliberate.

This is a meaningful clarification for any business that operates on a business-to-business model where the end users of the service never directly transact with the vendor. The Customer Records Act may not give those end users a path to sue the vendor directly, even when the vendor experiences the breach.

What This Means in Practice

A handful of takeaways worth flagging for in-house counsel, technology executives, and anyone with vendor risk on their balance sheet.

The “actually viewed” defense is gone for any covered entity. Vendor and service agreements that allocated risk on the assumption that this defense was available need to be re-papered. Incident response playbooks that assumed a breach without confirmed access would be defensible need to be revisited.

The statutory definition of “provider of health care” still does work. Tech vendors processing medical information in a purely business-to-business context, without making the information available to individuals for personal management or to providers for diagnosis and treatment, may have a strong argument that they aren’t covered. That argument has to be made carefully and is fact-dependent.

End users may have fewer direct paths to sue a business-to-business vendor under the Customer Records Act than the Court of Appeal had suggested. But other statutory regimes, including the California Consumer Privacy Act, remain available and contain their own enforcement mechanisms.

The Court’s specific reference to artificial intelligence as a mechanism by which breaches can occur without human viewing isn’t a holding, but it signals that California courts are thinking about how privacy statutes apply to modern data exposure scenarios. Businesses building AI products, or businesses whose data may be ingested by AI systems, should treat this as one more reason to take a fresh look at their data governance.

Bottom Line

J.M. v. Illuminate Education, Inc. is the kind of decision that will be litigated around for years. Plaintiffs’ counsel will lean on the new “significant risk” standard. Defense counsel will lean on the narrow statutory definitions that still limit who is covered in the first place. The shape of California data breach litigation just changed, and the right time to think about what that means for your business is now, not after the next incident.

If your business processes personal or medical data through third-party vendors, or if you’re the vendor sitting on that data, this decision changes the calculus on incident response, contract allocation, and litigation exposure. Reach out to Horst Legal Counsel to talk through how this affects your operation.

Proposition 65 Notice Defects No Longer Automatic Case-Killers:
https://www.horstcounsel.com/prop-65-notice-defects-pancho-villas/
Thu, 26 Feb 2026 17:31:28 +0000

Environmental Health Advocates v. Pancho Villa’s

Horst Legal Counsel | February 2026


California businesses that sell consumer products know the rhythm: a Proposition 65 notice arrives, the 60-day clock starts, and the company has to decide whether to settle, fix the alleged exposure, or prepare for litigation. For years, defendants have fought back by scrutinizing every line of the pre-suit notice, hoping that a technical deficiency would kill the case before it ever reached the merits. That strategy just got significantly harder.

In Environmental Health Advocates, Inc. v. Pancho Villa’s, Inc., the Fourth District Court of Appeal answered a question no California court had squarely addressed: are the procedural requirements of a Proposition 65 pre-suit notice mandatory, requiring strict compliance, or directory, requiring only substantial compliance? The court held they are directory. That single distinction reshapes how both sides should approach Prop 65 notice disputes going forward.

What Happened

Environmental Health Advocates (EHA) sent Pancho Villa’s a 60-day pre-suit notice alleging that its tortilla products exposed consumers to acrylamide, a known carcinogen. The notice identified the chemical, the product by name and UPC number, the route of exposure, and the timeframe. It attached OEHHA’s Proposition 65 summary and a certificate of merit.

Pancho Villa’s moved for judgment on the pleadings, arguing the notice was fatally defective in two ways. First, the notice listed contact information for EHA’s outside counsel rather than an individual “within” EHA itself, as the regulation’s text requires. Second, the original notice attached an older version of OEHHA’s Proposition 65 summary rather than the most current revision. The trial court agreed and dismissed the case.

The Holding: Substantial Compliance, Not Strict Compliance

The Court of Appeal reversed. Applying the framework for distinguishing mandatory from directory statutory requirements, the court concluded that Section 25903 of the regulations is directory. The governing test is substantial compliance, meaning actual compliance with the substance essential to every reasonable objective of the regulation. Under this standard, technical deviations that do not undermine the notice’s core purposes will not invalidate a Prop 65 action.

The court identified three core functions of the 60-day notice: enabling prosecutors to assess whether to bring a public enforcement action, giving the alleged violator an opportunity to cure, and defining the scope of the private party’s right to sue. Providing counsel’s contact information rather than a principal’s name satisfied all three objectives. Attaching an older but substantively accurate summary of the law likewise accomplished the provision’s purpose of giving the recipient general background on Proposition 65.

Importantly, the court distinguished its holding from cases involving complete failures of compliance, such as omitting the certificate of merit entirely or failing to attach any version of the required summary. Substantial compliance does not excuse wholesale omissions. It protects against dismissal for technical imperfections when the notice achieves its regulatory objectives.

What the Court Did Not Decide

The opinion leaves open where the line falls between a “technical imperfection” and a substantive deficiency. Whether a notice that fails to identify the chemical, the product, or the route of exposure could survive under substantial compliance remains unanswered. Those elements go to the core purpose of the notice, and a different outcome is likely where they are absent.

Why This Matters for Businesses Facing Prop 65 Claims

For defendants, the practical impact is immediate: technical notice challenges just became a weaker shield. Motions to dismiss based on minor defects in contact information, attachment versions, or formatting irregularities are unlikely to succeed after this opinion. Defense resources are better directed toward the merits, specifically whether the product actually exposes consumers to the listed chemical at actionable levels and whether the business qualifies for a safe harbor.

For companies issuing Prop 65 notices, the opinion is reassuring but not a license to be careless. The notice still has to work. It must identify the parties, the chemical, the product, the exposure route, and the timeframe with enough specificity to serve the statute’s enforcement purposes.

Practical Takeaways

For defendants: Recalibrate your notice-challenge strategy. If the defect you have identified is the version of an attachment or the job title of the contact person, that motion is now a long shot. Focus discovery and dispositive motions on exposure levels, warning adequacy, and safe harbor defenses.

For plaintiffs and enforcers: Substantial compliance is not zero compliance. The court was careful to distinguish cases where entire required elements were missing. Treat the notice as a checklist where every box is checked, even if the details are imperfect.

For all parties: Read the OEHHA rulemaking record. The court relied heavily on OEHHA’s Final Statement of Reasons, and the agency’s own language, that notice requirements are not intended to become “a trap for the unwary,” drove the result.

Bottom Line

Environmental Health Advocates v. Pancho Villa’s establishes that Proposition 65’s pre-suit notice requirements are directory, not mandatory. Substantial compliance is the standard. For businesses defending Prop 65 actions, the path to dismissal now runs through the merits of the alleged exposure, not the formatting of the notice.


Horst Legal Counsel represents businesses in civil litigation, regulatory compliance, and employment law matters throughout California. If your business has received a Proposition 65 notice or is facing a consumer product compliance challenge, contact us to discuss your options.
