SB 690: A Potential Pause in CIPA Litigation

By: Anokhy Desai

Status: Advanced to Assembly Privacy and Consumer Protection Committee as a two-year bill.

Recently, the California legislature concluded its 2025 Session. SB 690, which would update the California Invasion of Privacy Act (CIPA), the State’s wiretap law, will proceed as a two-year bill and legislators can take it up again during the 2026 legislative session. This will allow more time for consideration of this bill that aims, among other things, at reducing the number of lawsuits relying on CIPA to argue that the non-consensual use of web tracking technologies amounts to a wiretap prohibited by CIPA. Proponents say the bill will help decrease costs faced by midsized and smaller businesses lacking the resources to defend against such lawsuits. Critics claim the bill will allow privacy rights violations to continue to go unpunished, especially as a recent report found “rampant non-compliance” with the California Consumer Privacy Act (CCPA), five years after its passage.

Background of the California Invasion of Privacy Act (CIPA)

Signed into law just one year before the federal Wiretap Act, the California Invasion of Privacy Act of 1967 similarly makes it unlawful to intercept or record confidential communications without consent at the state level.^[1] Since its passing, CIPA has been amended and expanded to account for changes in technology; the protection of cell phone communications was added in 1985,^[2] the coverage of cordless phone communications was added in 1990,^[3] all-party consent for any type of call was added in 1992,^[4] and the criminalization of recording and disclosing confidential communications of healthcare providers without consent added in 2017.^[5]

California has historically been at the forefront of technology law, and the privacy realm is no exception. In 2020, the State became the first in the country to pass a comprehensive data privacy law – the CCPA– and by 2022, when only four other states had passed similar privacy laws, the legislature had already passed the California Privacy Rights Act to amend the CCPA.^[6] As of now, 19 states have passed a version of a state-level data privacy law, and none of them provide a true private right of action. However, the CCPA allows consumers to sue “businesses” (as such term is defined in the CCPA) for damages ranging from $100-$750 per incident for a data breach arising from a lack of reasonable security practices, provided the consumer first gives the business 30 days written notice and an opportunity to cure, assuming the alleged violation is capable of being cured. Due to resource constraints and policy considerations, only the most egregious and exemplary violations trigger enforcement proceedings initiated by the California Attorney General or the California Privacy Protection Agency (CalPrivacy). The resulting enforcement gap was quickly filled by creative lawsuits that use state wiretap laws like CIPA to vindicate alleged private rights of action, specifically for web tracking technology-based privacy harms.

CIPA as a Data Privacy Mechanism

As a general matter, CIPA applies to businesses, employers, governmental entities, and even private individuals who monitor, record, and/or intercept confidential communications without consent. In recent years, consumers and plaintiffs’ attorneys in California are using CIPA to bring forth complaints against organizations for their use of web tracking technologies like cookies and pixels without consumer consent.

A common argument by plaintiffs-side attorneys is that web tracking technologies act as an illegal “pen register” under CIPA by “recording” a user’s interactions with websites (i.e., collecting user information like IP address, browser type, etc.) from a user’s browser, which amounts to recording the “dialing, routing, addressing, or signaling [of] information transmitted by an instrument . . . from which a[n] . . . electronic communication is transmitted, but not the contents of a communication.”^[7]

Another common argument is that the use of web tracking technologies without user consent violates CIPA because the law prohibits use of a pen register or trap and trace device without a court order or explicit consent from the person being tracked. When something like a cookie identifies consumers, gathers data, and correlates that data through unique “fingerprinting,” this constitutes a “process” through which a pen register can be deployed.^[8]

Introduction of SB 690

Since the first uses of CIPA as a mechanism for data protection-related lawsuits a few years ago,^[9] these arguments have moved the needle for the recognition of privacy harms not otherwise tackled by CCPA enforcement and for businesses to adopt privacy best practices that are also required by CCPA. However, trade groups argue that smaller businesses do not have the Big Tech-sized vault of resources they feel are necessary to defend themselves in litigation, especially as each CIPA violation can amount to $5,000, per instance, per consumer. This has led to CIPA suits ending in quick settlements, which in turn has attracted more litigants. This contributes to what law firms have deemed “hold[ing] businesses ransom based on their use of everyday online technologies.”

In response, Senator Anna Caballero, along with other California state senators and assemblymembers on both sides of the aisle, sponsored SB 690 to curb the “explosion of [CIPA] lawsuits filed against businesses using common website tools like cookies” and give some relief to businesses using web tracking technologies if they are being used for “a commercial business purpose.”^[10] This term is defined as “the processing of personal information that . . . is performed to further a business purpose” and is subject to a consumer’s CCPA opt-out rights. The wide berth this exception gives to businesses would shield them from CIPA liability, and is cheered on by tort reform groups and law firms alike, while receiving backlash from privacy and consumer advocate groups like the Electronic Frontier Foundation, Consumer Federation of California, ACLU California Action, Privacy Rights Clearinghouse, and the California Low Income Consumers Coalition.

Moving Forward

Despite receiving unanimous votes in the state Senate, SB 690 did not pass in the Assembly and was ultimately held as a two-year bill, meaning it will have a chance to be reconsidered in the next calendar year. In a surprising move, Senator Caballero, the primary sponsor of the bill, made the decision to pause the bill in the Assembly until at least 2026, citing “outstanding concerns around consumer privacy.”

The Senator’s remarks, in addition to the bill slowly coming to a halt at the hands of its primary sponsor after a relatively quick set of amendments and votes in the first chamber, may indicate a loss of steam for the future of this bill. For now, concerned businesses should continue to take proactive steps to limit CIPA exposure by reviewing their website’s tracking technologies to make sure only the stated data is being collected, monitoring what types of data are being transmitted by the trackers that are used, ensuring privacy policies reflect actual internal practices, and updating cookie banner language to provide the option for true consent.

Related Articles:

• AI and Privacy: A Guide to California’s Recently Passed Legislation By: Afshan Bhatia, Anokhy Desai, Kewa Jiang, and Hina Moheyuddin
• Status Update on California AI, Privacy and Technology-Related Bills By: Kewa Jiang
• SB 420 and Automated Decision Systems: California’s Next Step on AI Regulation By: Adriana Beach

---

^[1] Cal. Penal Code §§630 et seq.

^[2] Id. at §632.5.

^[3] Id. at §632.6.

^[4] Id. at §632.7.

^[5] Id. at §632.01.

^[6] California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq.

^[7] Cal. Penal Code §638.50(b).

^[8] Greenley v. Kochava, 684 F. Supp. 3d 1024 (S.D. Cal. 2023).

^[9] Id.

^[10] SB 690, Crimes: Invasion of Privacy (proposed), §638.50 (e).