Privacy & Information Security Law Blog

Democratic State Senator Anna M. Caballero introduced Senate Bill 690 (S.B. 690), which aims to curb “abusive lawsuits” under the California Invasion of Privacy Act (“CIPA”) based on the use of cookies and other online technologies, on February 24, 2025, and the Bill is now scheduled to be heard by the Senate Public Safety Committee on April 29, 2025.

Over the past few years, the plaintiffs’ bar has leveraged CIPA to hold businesses ransom based on their use of everyday online technologies (e.g., cookies, pixels, beacons, chat bots, session replay and other similar technology) on their websites. The plaintiffs’ bar has claimed such technologies: (1) facilitate “wiretapping” under Section 631 of CIPA; and/or (2) constitute illegal “pen registers” or “trap and trace devices” under Section 638.50 of CIPA. Nearly every business with a public-facing website has been or may soon be targeted with threats of significant liability stemming from the availability of statutory damages under CIPA. Even those businesses that comply with the comprehensive California Consumer Privacy Act of 2018 (“CCPA”), which governs the collection and use of consumer personal information, are not immune from such threats. Faced with the threat of such aggregated statutory damages under CIPA, many businesses opt to pay out settlements to mitigate potentially enterprise-threatening risk. And those rational decisions unfortunately have spawned a cottage industry responsible for an endless stream of filed and threatened CIPA litigation that seemingly has served only to enrich the plaintiffs’ bar.  

S.B. 690 might spell doom for these perceived abuses and the negative consequences they have had on online commerce. Caballero states that the bill aims to “[s]top[] the abusive lawsuits against California businesses and nonprofits under CIPA for standard online business activities that are already regulated by” the CCPA.

If enacted, S.B. 690 would exempt online technologies used for a “commercial business purpose” from wiretapping and pen register/trap-and-trace liability. Notably, the definition of “commercial business purpose” broadly encompasses the use of “personal information” in a manner already permitted by the CCPA. The exclusion of such practices from CIPA’s ambit should curb the “abusive lawsuits” cited by Caballero when she unveiled S.B. 690 and provide certainty to businesses engaged in online commerce.