California Senate Bill 690 (SB 690) has just cleared a major hurdle, sailing through the State Senate with unanimous support. This closely watched bill aims to curb the proliferation of lawsuits under the California Invasion of Privacy Act (CIPA) by carving out an exemption for routine online tracking tools used in “commercial business purposes.” As SB 690 heads to the Assembly, it’s worth examining the backdrop of rampant CIPA litigation that prompted this reform, what exactly the bill will change and how it might reshape the privacy litigation landscape in California.
Background: CIPA and the wave of website privacy lawsuits
Enacted in 1967, CIPA was designed to prohibit the unauthorized recording of, or eavesdropping on, confidential communications (like phone calls) without consent. In recent years, however, creative plaintiffs’ lawyers have dusted off this decades-old wiretapping law and applied it to modern websites and apps. Common web technologies, from session replay software and chatbots to cookies and pixels, have been accused of violating CIPA on the theory that collected data shared with third-party service providers equals an unlawful interception, or that routine collection of data constitutes a “trap and trace” or “pen register” device.
The result has been an influx of litigation targeting any company with a website. Using primarily CIPA and other common law torts (which have generally been harder to plead for cases involving routine internet practices), plaintiffs have filed thousands of lawsuits and likely have served even more demand letters in the last few years. Over 1,500 companies have been sued since 2022 for allegedly violating CIPA. Each alleged CIPA violation carries statutory damages of US$5,000, and CIPA lawsuits have generally not resulted in large settlements outside the health care context.
For companies that did push back, the results varied in the trial courts. In some cases, courts have dismissed CIPA claims by finding that ordinary web tracking does not constitute “interception” of communications in transit. See, e.g., Sanchez v. Cars.com Inc., 2025 WL 487194 (Cal.Super. Jan. 27, 2025); Aviles v. Liveramp, Inc., 2025 WL 487196 (Cal.Super. Jan. 28, 2025). For instance, one federal court in April 2025 granted summary judgment to a defendant on the basis that a third-party cookie only accessed data after the communication was completed, not while it was in transit. See Torres v. Prudential Fin., Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025). Yet other courts have allowed such claims to proceed, or at least left the door open, creating uncertainty. See, e.g., Lesh v. Cable News Network, Inc., 767 F. Supp. 3d 33 (S.D.N.Y. 2025); Vishal Shah v. Capital One Fin. Corp., 2025 U.S. Dist. LEXIS 42677 (N.D. Cal. Mar. 3, 2025).
There are three recent Ninth Circuit appeals that grapple with CIPA liability. The first of them affirmed the dismissal of a CIPA claim against Papa John’s, holding that the company could not be liable for intercepting its own communications and that the plaintiff failed to allege it assisted a third party in doing so. See Thomas v. Papa John’s Int’l, Inc., 2025 WL 1704437 (9th Cir. June 18, 2025). However, the Ninth Circuit revived a CIPA claim against Bloomingdale’s, finding that the plaintiff had sufficiently alleged that the “contents” of her communications were captured in real time by a third-party session replay vendor and disregarding the counterargument that masking text fields prevented another party from viewing the information. See Mikulsky v. Bloomingdale’s, LLC, 2025 WL 1718225 (9th Cir. June 20, 2025).
In a third case, against Converse, the Ninth Circuit just affirmed summary judgment after the district court found that the plaintiff failed to produce evidence that Salesforce, which operated Converse’s website chat feature, intercepted or read her online communications. Circuit Judge Jay Bybee filed a concurrence to say that the first clause of section 631(a) was designed for traditional telephone communications, and not the internet. Judge Bybee also addressed Javier v. Assurance IQ, LLC, No. 21-16351 (9th Cir. May 31, 2022) to say that Javier did stand for the proposition that section 631(a) as a whole applies to internet communications, while noting that Javier is unpublished and not precedential. See Gutierrez v. Converse Inc., 2025 WL 1895315 (9th Cir. July 9, 2025). The bottom line: CIPA, a law written in the era of rotary telephones, has been used by plaintiffs’ lawyers to leverage hundreds of settlements against companies so far without any clear guidance from the courts.
SB 690: Key changes to CIPA
To curb potential abuse, SB 690 (authored by Senator Anna Caballero) proposes to amend CIPA with a broad exemption for businesses’ use of online data collection tools. In essence, if companies deploy tracking technologies for a legitimate commercial purpose, those activities would no longer be treated as illegal eavesdropping under CIPA. Here are the key provisions of the bill:
- “Commercial business purpose” exemption: SB 690 creates an exception to CIPA’s prohibition on eavesdropping or recording communications when the activity is done for a commercial business purpose. In practical terms, this would permit companies to use cookies, pixels, session replay scripts, chatbots and similar tools to collect and analyze user data without incurring CIPA liability.
- No CIPA private lawsuits for business purposes: The bill clarifies that CIPA’s private right of action (which lets individuals sue for violations) will not apply to the processing of personal information done for a commercial business purpose. This means plaintiffs could no longer file CIPA lawsuits over commonplace website tracking activities, so long as those activities meet the bill’s definition of a business purpose.
- Pen registers and trap/trace devices excluded: SB 690 would also amend CIPA’s definitions of “pen register” and “trap and trace” devices, which CIPA currently restricts, to explicitly exclude any device or process used in a way consistent with a commercial business purpose. This change closes another avenue plaintiffs have used to claim that web analytics tools unlawfully record addressing or routing information.
- Aligned with CCPA’s definitions: To prevent abuse, SB 690 defines “commercial business purpose” in line with California’s comprehensive privacy law, the California Consumer Privacy Act (CCPA). In short, it refers to processing personal information for a legitimate business purpose or in a manner subject to consumer opt-out rights, echoing CCPA’s framework. The intent is to harmonize CIPA with existing data privacy standards: if a company’s use of tracking tech complies with the CCPA’s requirements (for example, honoring opt-outs for sale of data), then that use would be deemed a permissible “business purpose” under CIPA. As Senator Caballero explains, activities already regulated by the CCPA would no longer invite overlapping CIPA lawsuits.
Notably, SB 690 originally included a retroactivity clause that would have applied these exemptions to any case pending as of January 1, 2026. Had that provision survived, it could have nullified hundreds of ongoing CIPA lawsuits in one stroke. However, privacy advocates sharply criticized the retroactive reach as a giveaway to corporate defendants, potentially depriving consumers of any remedy for past privacy invasions. In response to this backlash, the Senate removed the retroactivity language in late May. As passed by the Senate, SB 690’s changes will apply prospectively—reining in future lawsuits but not automatically wiping out existing ones.
Implications and looking ahead
If SB 690 becomes law, it could dramatically reduce CIPA litigation risk for businesses in California. Routine online practices, like using analytics cookies or recording customer service chats, would no longer expose companies to CIPA liability, so long as those practices are within a “commercial business purpose” and consistent with CCPA’s privacy rules. Given the bipartisan support behind the bill (the Senate approved it 32-0), lawmakers clearly recognize the need to curb what proponents call “abusive” lawsuits over standard web technology. Businesses, especially retailers and others with consumer-facing sites, are hailing the bill as overdue relief.
Following its Senate passage, SB 690 now moves to the State Assembly, where the debate between curbing lawsuit abuse and preserving privacy rights is sure to continue. The bill’s quick progress and unanimous Senate vote suggest strong momentum toward enactment. If it does become law (likely taking effect in 2026), California will effectively remove the private litigation threat for businesses’ use of cookies, analytics and other common web tools—a change that could prompt similar reforms in other states confronting copycat wiretapping statutes. Will SB 690 ultimately strike the right balance between protecting consumer privacy and shielding businesses from frivolous suits, or will it swing the pendulum too far in favor of industry? At this point, only time will tell.