Executive Summary
- What’s new: The California Assembly is poised to reconsider S.B. 690, a bill that was designed to narrow CIPA’s scope and offer relief from the wave of dubious CIPA matters that many businesses have faced in recent years.
- Why it matters: CIPA’s $5,000-per-violation statutory damages provision has been the basis of countless pre-suit letters, arbitration demands and putative class actions challenging the use of common, expected and commercially reasonable technologies on consumer-facing websites.
- What to do next: Businesses that have faced or might face CIPA claims should consider closely monitoring the progress of the legislation and offering testimonials to help California legislators understand the exploitation of CIPA by plaintiffs.
__________
The California Invasion of Privacy Act of 1967 (CIPA)1 — a criminal statute designed to prohibit the recording or wiretapping of communications without the consent of all participants — has been the basis of countless pre-suit letters, arbitration demands and putative class actions challenging the use of common, expected and commercially reasonable technologies on consumer-facing websites. We previously reported on the increasing number of these claims, and the uptick has continued.
Now, the California Assembly is poised to reconsider legislation that might offer relief from the wave of dubious CIPA matters.
These matters seek to leverage CIPA’s $5,000-per-violation statutory damages provision (with no cap on aggregate damages) while mischaracterizing common and expected website technology tools as “spyware” or enabling “eavesdropping.”
Many consumer-facing websites (including those associated with plaintiffs’ firms, courts and regulators) use technologies that are similar to, or the same as, those that are often at issue. Privacy policies with robust disclosures are often ignored altogether in the complaints or notices. Choice of law issues have not been definitively addressed, even though many websites do not have a nexus to California (and some consumer-facing terms affirmatively disclaim the application of CIPA) and other states have specific statutes modeled after the Federal Wiretap Act.
CIPA was drafted before the advent of the modern internet, so application of the statute to website technologies has led to confusion and conflicting decisions in the courts. As a result, this gap continues to be exploited with claims threatening to weaponize class and mass devices absent immediate settlements. The California courts have been flooded with CIPA actions — and that tells only a part of the story, given how much of this activity is not reflected in publicly filed actions.
The environment is similar to what led former Federal Communications Commission Chairman Ajit Pai to label a different privacy statute, the Telephone Consumer Protection Act (TCPA), the “poster child for lawsuit abuse.”2 Indeed, as Judge Vince G. Chhabria of the U.S. District Court for the Northern District of California declared, “The language of CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies,”3 and “it’s virtually impossible to understand what Section 631(a) [of CIPA] actually means.”4 In the same opinion, the court expressed hope that “the [California] Legislature will go back to the drawing board on CIPA” and that “it would probably be best to erase the board completely and start writing something new.”5
Senate Bill No. 690 (S.B. 690), introduced by California State Sen. Anna Caballero on February 21, 2025, sought to address these issues by narrowing key provisions of CIPA and creating a “commercial business purpose” exception.6 The proposed amendment defined a “commercial business purpose” as “the processing of personal information either performed to further a business purpose or subject to a consumer’s opt-out rights.”
Applied specifically to Section 631 of CIPA, which prohibits the interception of the contents of a communication while in transit, the bill included language stating that the section does not apply to communications intercepted for “[a] commercial business purpose.” Additionally, S.B. 690 sought to amend the definitions of “pen registers” and “trap and trace” devices under CIPA Section 638.51 to exclude devices or processes used “in a manner consistent with a commercial business purpose.” The bill also restricted CIPA’s private right of action from being invoked when personal information has been processed for a commercial business purpose.
The logical consequence of these proposed changes is that a potential plaintiff or claimant would have to affirmatively plead that the use of third-party technologies and software on the relevant websites is not for a “commercial business purpose” under CIPA.
The countless number of CIPA-related claims asserted against businesses across industries in recent months reflects continued efforts to expand the reach of this statute in ways not contemplated by the California legislature. This volume defies the principle that criminal statutes should be construed narrowly. These threatened actions and arbitrations (including mass arbitrations, which have their own coercive concerns) are also overwhelming. As Caballero herself has stated, the purpose of S.B. 690 was to end the deluge of CIPA litigation against businesses for “standard online business activities” that are already regulated by separate legislation under the California Consumer Privacy Act (CCPA).7 The CCPA already requires businesses to comply with the country’s most comprehensive privacy framework and has an active enforcement regime through the California Privacy Protection Agency.
As originally introduced, S.B. 690 also would have made its provisions retroactive to any pending case. However, this portion of the bill was stricken prior to unanimous Senate passage in June 2025. The bill has since stalled in the California Assembly, leaving its fate uncertain.
In the meantime, broader efforts are underway to address CIPA’s misuse: Organizations such as the Alliance for Legal Fairness have formed to help California lawmakers understand how CIPA increasingly has been exploited in ways that were never intended. In addition, the California Court of Appeal is in the midst of addressing whether website technologies qualify as “pen registers” and “trap and trace” devices under CIPA Section 638.51.8
In anticipation of a hearing scheduled for July 1, 2026, before the California Assembly’s Committee on Privacy and Consumer Protection, the Alliance for Legal Fairness was encouraging businesses that have faced or are facing CIPA claims to share their written or verbal stories at CIPAstories.com. We hope that testimonials were provided to help California lawmakers understand how CIPA, as it currently stands, has been wrongly exploited by plaintiffs.
_______________
1 Cal. Penal Code §§ 630-638.55.
2 Rules & Regulations Implementing the Tel. Consumer Prot. Act of 1991, 30 FCC Rcd. 7961, 8073 (2015) (Pai, Comm’r, dissenting).
3 Doe v. Eating Recovery Ctr. LLC, 806 F. Supp. 3d 1109, 1112 (N.D. Cal. 2025).
4 Id. at 1118.
5 Id. at 1119.
6 S.B. 690, 2025-2026 Leg., Reg. Sess. (Cal. 2025).
7 Press release, Cal. Sen. Anna M. Caballero, “Senator Anna M. Caballero Unveils Bold Legislative Package for 2025” (April 8, 2025).
8 See Variety Media, LLC v. the Superior Ct. of L.A. Cnty., Case No. B350578.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.