CIPA Lawsuit Abuse: Why California’s Wiretap Law Is Still a Mess and the Legislative Battle to Fix It


The California Invasion of Privacy Act (CIPA) was passed in 1967, before the internet existed. Lyndon B. Johnson was in the White House, the first-ever Super Bowl had just been played, and the modern internet wouldn’t exist for decades. No one could have known the serious impact the law would have today.

This ancient criminal statute, originally designed to stop rotary-phone wiretapping and physical eavesdropping, has been weaponized into one of the most aggressive civil litigation engines in the United States and is costing businesses that violate it millions of dollars every month. One of the only ways to keep the status quo for your business and stay compliant is to use the software from Captain Compliance to avoid expensive litigation.

For corporate compliance teams, in-house legal counsel, and chief privacy officers, CIPA has become an absolute nightmare. Plaintiffs’ attorneys are leveraging CIPA’s steep $5,000-per-violation statutory damages provision (which carries no aggregate cap) to file a relentless wave of pre-suit demands, mass arbitrations, and class-action lawsuits. The target? Completely standard, commercially reasonable website tools like chat functions, session replay software, analytics tracking, and cookies.

Fortunately, relief may finally be on the horizon. The California Legislature is actively reconsidering a critical piece of reform, Senate Bill 690 (S.B. 690), which aims to narrow CIPA’s scope and protect businesses from ongoing exploitation.

Here is a breakdown of the current legal chaos, the key judicial decisions defining the crisis, and how S.B. 690 could reshape the digital compliance landscape.

The Core of the Crisis: Eavesdropping or Standard Business Analytics?

Under CIPA (Cal. Penal Code §§ 630-638.55), it is illegal to record or intercept communications without the consent of all parties. In the digital age, plaintiffs’ attorneys argue that when a business uses a third-party software provider (such as a customer service chat plugin or a data analytics provider), that third party is an unauthorized “eavesdropper” intercepting the communication in transit under CIPA Section 631(a).

Furthermore, a highly problematic sub-trend has emerged regarding CIPA Section 638.51, which governs “pen registers” and “trap and trace” devices (tools originally used by law enforcement to record dialed phone numbers). Plaintiffs are increasingly claiming that standard website tracking software and IP address logging constitute an illegal digital “pen register.”

The consequences of this litigation wave are severe:

  • The “Lawsuit Abuse” Playbook: Much like how the Telephone Consumer Protection Act (TCPA) was famously dubbed the “poster child for lawsuit abuse” by former FCC Chairman Ajit Pai, CIPA has been twisted into a compliance trap.

  • Mass Arbitration Extortion: Because CIPA claims are frequently subjected to arbitration clauses, plaintiffs’ firms file thousands of individual arbitration demands simultaneously. This forces companies to pay millions of dollars in upfront administrative filing fees just to defend themselves, effectively coercing immediate settlements.

  • Hypocrisy in Application: Ironically, the very website technologies being targeted are used by almost every corner of the internet—including the websites of the plaintiffs’ law firms, the courts, and regulatory agencies themselves.

CIPA Overview from State Legislature

What the Courts Are Saying: “A Total Mess”

Because CIPA was written for a bygone era, federal and state judges have struggled to apply it uniformly to modern internet technology, resulting in a fractured landscape of conflicting decisions.

Perhaps no judge has summarized the frustration better than Judge Vince G. Chhabria of the U.S. District Court for the Northern District of California. In the milestone 2025 case Doe v. Eating Recovery Ctr. LLC, 806 F. Supp. 3d 1109 (N.D. Cal. 2025), Judge Chhabria pulled no punches regarding the unworkability of the statute:

“The language of CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies…”

Judge Chhabria further remarked that “it’s virtually impossible to understand what Section 631(a) actually means,” concluding that “the [California] Legislature will go back to the drawing board on CIPA… it would probably be best to erase the board completely and start writing something new.”

Meanwhile, the fight over digital “pen registers” remains highly volatile. The California Court of Appeal is currently reviewing this exact issue in Variety Media, LLC v. the Superior Court of Los Angeles County (Case No. B350578). This pending decision will definitively rule on whether logging standard website metadata and IP addresses actually violates Section 638.51.

Enter S.B. 690: The Legislative Shield for “Standard Online Business Activities”

Responding to the explicit pleas of the judiciary and the business community, California State Senator Anna M. Caballero introduced Senate Bill No. 690 (S.B. 690).

The primary purpose of S.B. 690 is to draw a clear line between malicious spyware and legitimate commercial operations. In announcing her legislative package, Senator Caballero explicitly stated that the bill aims to halt the deluge of predatory CIPA litigation targeting “standard online business activities.” Caballero argued that these commercial practices are already heavily regulated by the California Consumer Privacy Act (CCPA) and enforced by the California Privacy Protection Agency/CalPrivacy (CPPA), making CIPA lawsuits redundant and abusive.

Key Provisions of S.B. 690:

  1. The “Commercial Business Purpose” Exception: The bill introduces a broad exception for data processing performed to further a legitimate business purpose or data that is subject to a consumer’s standard CCPA opt-out rights.

  2. Defusing Section 631 (Wiretapping): S.B. 690 adds specific language ensuring that Section 631’s wiretapping and interception prohibitions do not apply to communications processed for a commercial business purpose.

  3. Defusing Section 638.51 (Pen Registers): The amendment explicitly excludes devices or software processes used in a manner consistent with a commercial business purpose from being defined as “pen registers” or “trap and trace” tools.

  4. Shifting the Burden of Proof: If passed, the logical consequence of S.B. 690 is that the burden shifts back to the plaintiff. A claimant would have to affirmatively plead and prove that a website’s third-party software was not being utilized for a legitimate commercial business purpose.

Where Does the Bill Stand Now?

S.B. 690 originally included a retroactivity clause that would have wiped out existing, pending CIPA lawsuits. While that retroactive provision was stripped to secure an initial unanimous Senate passage in June 2025, the bill subsequently stalled in the California Assembly.

However, the tide is turning. The California Assembly’s Committee on Privacy and Consumer Protection has put the bill back on the docket for a major hearing.

S.B. 690 Compliance Software

While the legislature debates the future of S.B. 690, the CIPA litigation risk remains severe. Compliance officers and risk management teams should take immediate action:

  • Audit Website Trackers and Plugins: Conduct a thorough inventory of all third-party tools on your website, including chatbots, session replay scripts, and marketing pixels.

  • Implement “Consent Before Tracking” Frameworks: Review your cookie banners and consent management platforms. Robust, explicit disclosures and “opt-in” mechanisms prior to loading tracking scripts remain your strongest defense under current law.

  • Review Privacy Policies and Terms of Use: Ensure your privacy disclosures explicitly name the categories of third-party vendors handling data. Work with legal counsel to include robust arbitration clauses and class-action waivers in your website terms of use.

  • Make Your Voice Heard: Organizations like the Alliance for Legal Fairness have mobilized to educate lawmakers on how CIPA is being weaponized against main-street businesses. Companies that have fallen victim to predatory pre-suit demands or mass arbitrations are being encouraged to share their experiences to ensure legislators vote in favor of S.B. 690.
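The first two steps above (inventory the third-party tools, then confirm they load only after opt-in) can be checked against a page's HTML. The following is an added example, not code from this article or from Captain Compliance: it lists third-party scripts, iframes and images that the browser would fetch before any consent. The `data-consent` attribute, the `data-src` convention and all hostnames are assumptions made for illustration.

```javascript
// Added example: static audit of third-party tags that load before consent.
// Assumptions: gated scripts are marked type="text/plain" plus a data-consent
// attribute (hypothetical name); gated iframes/images use data-src, not src.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function auditTags(html, pageUrl) {
  const site = new URL(pageUrl).hostname;
  const findings = [];
  const tagRe = /<(script|iframe|img)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const src = attrs.src ?? attrs["data-src"];
    if (!src) continue; // inline script or empty element: nothing is fetched
    const host = new URL(src, pageUrl).hostname;
    // Simplification: same host or a subdomain counts as first party.
    const thirdParty = host !== site && !host.endsWith("." + site);
    // A script whose type is not a JavaScript MIME type is never executed.
    const inertScript = tag === "script" && "data-consent" in attrs &&
      (attrs.type || "").toLowerCase() === "text/plain";
    const deferredSrc = tag !== "script" && !("src" in attrs);
    findings.push({ tag, host, thirdParty, gated: inertScript || deferredSrc });
  }
  return findings;
}

// Third-party resources the browser fetches on first load, before any opt-in.
function loadsBeforeConsent(html, pageUrl) {
  return auditTags(html, pageUrl).filter((f) => f.thirdParty && !f.gated);
}

// Constructed sample page; every hostname is a placeholder.
const SAMPLE = `
<script src="/js/app.js"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script type="text/plain" data-consent="analytics"
        src="https://replay.vendor.example/rec.js"></script>
<img src="https://pixel.vendor.example/p.gif?id=1">
<iframe data-src="https://video.vendor.example/embed/1"></iframe>`;
console.log(loadsBeforeConsent(SAMPLE, "https://shop.example/"));
```

A static pass like this misses tags injected at runtime by a tag manager, so pair it with a review of the network requests a fresh browser profile makes before the banner is answered.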

 
