Skip to content

California Legislature Proposes Bill to Provide Relief from Abusive CIPA Lawsuits

July 7, 2026

For the past several years, thousands of California businesses have been targeted with a familiar letter: a demand for thousands of dollars, citing a decades-old wiretapping statute, over a chat widget, an analytics pixel, cookie, or other marketing tools catching many companies completely unaware. Often the cited basis is the California Invasion of Privacy Act (CIPA), enacted in 1967, long before the internet, let alone website-tracking technology existed. After persistent complaints from businesses, the California Legislature has made a second attempt to close the loophole that has turned CIPA into a cottage industry of claims and litigation.

How CIPA Became a Tool for Abuse

CIPA’s pen register and trap and trace provisions, Penal Code §§ 638.50 and 638.51, were originally designed to prevent covert government surveillance of communications routing data. Plaintiffs repurposed these provisions to argue that website technology, anything that captures a visitor’s IP address or routing information, amounts to the unauthorized use of a “pen register” or “trap and trace device.”

CIPA allows for a private right of action and the recovery of statutory penalties up to $5,000 per violation. This means a plaintiff need not show actual harm: no financial loss, no identity theft, no emotional distress. The statute has led to hundreds of lawsuits and a large volume of settlement demand letters to businesses. According to testimony before the Assembly Privacy and Consumer Protection Committee, the number of cases asserting claims under Section 638.51 has grown from roughly 600 to more than 4,000 in the span of about a year, spurring an outcry from affected businesses and business associations.

The Recent Amendment to SB 690 & What It Could Do

First introduced in February 2025, Senate Bill 690 sought to curb CIPA’s applicability to website-tracking technology used by businesses. After some concerns, the bill, as amended on July 2, intends to protect businesses as follows:

  • Applies only the pen register and trap and trace sections. The bill amends Penal Code § 637.2 as it applies to violations of §§ 638.50 and 638.51. Currently, it does not include CIPA’s wiretapping and eavesdropping provisions under Sections 631 and 632.
  • Eliminates the private right of action. Under the amended bill, only the California Attorney General may bring an action against a private actor for an alleged Section 638.51 violation arising from conduct on an internet website, online application, or mobile application.
  • Applies retroactively, reaching back to include cases already pending. Senator Caballero has defended limited retroactive applicability by pointing to the surge in filings that occurred after the bill was introduced. If the law goes into effect on January 1, 2027, it could apply to cases/claims after January 1, 2025.
  • Leaves the underlying conduct legal or illegal exactly as it was. This is a change in who can sue, not a substantive exemption for businesses. The Attorney General retains full authority to pursue genuine violations.

What Comes Next

SB 690 is not yet law. It must still clear further committee review, pass both the full Senate and Assembly, and be signed into law by Governor Newsom. Also, if signed, the amendment would not take effect until January 1, 2027. Until SB 690 is enacted, the current litigation landscape remains unchanged. In the meantime, businesses should carefully review websites, and more generally, data collection practices to mitigate potential exposure under CIPA and similar federal and state laws

  1. Audit website-tracking technologies, chat tools, analytics pixels, session-replay software, in light of business needs and potential risk exposure under the CIPA and other federal and state statutes.
  2. Review privacy policies and consent mechanisms to ensure they are aligned with the business needs, uses and practices, and overall, legally compliant.
  3. Evaluate pending demands or litigation with counsel before deciding on the next steps.

We will continue to track SB 690 as it moves through the Legislature. We’ll provide updates as further amendments, votes, or a final signature occur.

Businesses facing CIPA-related claims or demand letters should consult with Clark Hill’s Data Privacy team regarding their specific circumstances.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author(s) only and are not necessarily the views of Clark Hill PLC or Clark Hill Solicitors LLP. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.

 

Subscribe for the latest

Subscribe