CIPA Reform: Is a Whittled-Down Version of SB 690 on the Verge of Becoming Law?

Table of Contents

The landscape of digital privacy litigation in California is sitting on a razor’s edge. For over two years, an relentless wave of demand letters and class-action filings has targeted commercial websites of all sizes. These legal threats rely on an expansive, modern reinterpretation of the California Invasion of Privacy Act (CIPA), a statute originally drafted in the 1960s to combat telephonic wiretapping.

By applying decades-old wiretapping and surveillance definitions to standard web software—specifically web beacons, analytics tracking scripts, chatbots, and session replay tools—plaintiffs’ attorneys have built a highly lucrative enforcement machine. However, a major legislative development in Sacramento suggests the tide may finally be turning. The California Assembly’s Committee on Privacy and Consumer Protection recently advanced an amended version of Senate Bill 690 (SB 690).

Once considered completely stalled, this whittled-down version of the bill targets the specific legal mechanism fueling the current litigation boom: the “pen register” and “trap and trace” loophole. If this targeted iteration of SB 690 passes the full legislature, it will fundamentally alter the risk calculus for any business operating an online storefront or consumer-facing website in the state of California.

The Genesis of the CIPA Litigation Boom

Understanding the impact of the proposed legislative fix requires examining how an anti-wiretapping law became the ultimate weapon for modern class-action plaintiffs. CIPA was enacted in 1967 to prevent the physical tapping of telephone lines without consent. For decades, it remained a relatively obscure law used primarily in criminal matters or traditional privacy disputes.

The current litigation explosion began when creative plaintiffs’ firms realized they could map the literal definitions within the statute onto modern web data transfers. The arguments generally bypass standard data privacy laws like the California Consumer Privacy Act (CCPA), focusing instead on a strict liability framework where statutory damages accumulate automatically without requiring proof of actual harm or financial loss.

The most explosive weapon in the plaintiffs’ arsenal involves California Penal Code Section 638.51. Historically, a “pen register” was a mechanical device attached to a telephone line to record the numbers dialed from that specific phone. Conversely, a “trap and trace” device captured incoming routing data to identify the source of a call.

Plaintiffs argue that when a user visits a business website and common tracking scripts (such as IP-lookup tools, advertising pixels, or analytics software) log the user’s IP address, browser type, and navigation history, those scripts act as digital pen registers or trap and trace devices. Because the statute prohibits installing these devices without a prior court order or explicit consent, plaintiffs assert that nearly every commercial website using basic marketing tools is operating an illegal surveillance operation.

The financial pressure on businesses is immense. Because CIPA provides for statutory damages per violation, a website with thousands of daily visitors faces catastrophic theoretical liability. Rather than risking trial, the vast majority of targeted companies opt for out-of-court settlements. These settlements generally range from $10,000 to $25,000 per instance. Cumulatively, this legal strategy has extracted over $500 million from the business community, flowing directly into the pockets of a small group of plaintiffs’ firms and repetitive pro se litigants.

Critical Impact Areas of the Amended Legislation

The updated version of SB 690 does not attempt to rewrite the entirety of California’s privacy landscape. Instead, it operates like a scalpel, aiming directly at the specific statutory leverage points that made the pen register theory viable. The following breakdown details the exact mechanisms and operational changes proposed by the revised bill:

  • Retroactive Elimination of the Private Right of Action: The most consequential change in the revised text is the explicit elimination of a private right of action under Section 638.51. Consumers and class-action attorneys would no longer have the legal standing to sue businesses for statutory damages regarding digital pen registers. Crucially, the bill’s current draft contemplates a retroactive application. If passed, this would legally dismantle thousands of active lawsuits and pending demand letters overnight, effectively erasing the core statutory foundation upon which they were built.

  • Consolidation of Enforcement Power: By removing individual citizens and private law firms from the enforcement equation, SB 690 shifts all oversight power under Section 638.51 back to public officials. Future enforcement regarding unauthorized pen registers or data routing surveillance would rest entirely with the California Attorney General, local district attorneys, and city prosecutors. This shift alters the regulatory dynamic, replacing profit-driven mass litigation with structured regulatory oversight that typically prioritizes systemic, bad-faith actors rather than standard businesses using commercial analytics plugins.

  • Carve-outs for Standard Commercial Technologies: The amended framework attempts to draw a clear legal boundary between malicious surveillance tools and standard, industry-standard web code. The bill provides safe harbors for standard analytics scripts, functional cookies, and basic operational tags that are required to run a modern website, process transactions, or evaluate user performance. This effectively invalidates the legal argument that a generic marketing pixel is structurally identical to a law-enforcement surveillance tap.

  • Preservation of Core Consent Standards: While the bill strips away the weaponized pen register claims, it leaves California’s broader wiretapping prohibitions intact. Under Sections 631 and 632, individuals can still sue if a business record or shares the actual content of an online communication—such as a live chat conversation or a customer service message—with an unauthorized third party without user consent. Consequently, businesses must remain vigilant about how they structure vendor data-sharing agreements for interactive features like AI chatbots or session recording tools.

  • Protection for Small-to-Midsize Enterprises (SMEs): While massive tech conglomerates have the resources to litigate these claims or build custom internal tracking tools, small and midsize businesses have borne the brunt of the mass demand letter campaigns. The targeted nature of this reform directly shields smaller entities that lack dedicated compliance departments from being forced into predatory settlements over basic plug-and-play website templates.

Chronological Progression of CIPA Reform

The path of SB 690 reflects a fierce political battle between consumer advocacy groups, plaintiffs’ coalitions, and an organized alliance of national and local business associations. This timeline outlines the major procedural steps and legal milestones shaping the destiny of the bill:

Introduction of Initial SB 690 Draft
Early Legislative Session

The bill was originally introduced as a broad structural reform intended to drastically limit CIPA liability across multiple sections. It faced immediate pushback from privacy advocates who argued it would strip consumers of vital digital protections, causing the bill to stall significantly in committee.

The Rise of Mass Pen Register Claims
Late 2024 – 2025

Following favorable trial court rulings that allowed pen register claims to survive early motions to dismiss, plaintiffs’ firms accelerated their campaigns. Demand letters flooded businesses, and cumulative settlement estimates surpassed half a billion dollars, generating immense pressure on lawmakers to intervene.

Trial Courts Decline to Dismiss Variety Media Case
Early 2026

With no clear guidance from California appellate courts, superior court judges consistently ruled that the literal text of Section 638.51 could technically apply to software tracking IP addresses. This forced defendants like Variety Media, LLC to seek emergency appellate intervention, leaving the business community in legal limbo.

Emergency Amendment Realignment
June 2026

Recognizing that a sweeping overhaul of CIPA was politically unviable, proponents of SB 690 fundamentally altered their strategy. The bill was stripped down to focus exclusively on neutralizing the pen register loophole while leaving the rest of CIPA’s consumer privacy frameworks untouched.

Privacy Committee Breakthrough Vote
July 1, 2026

The California Assembly’s Committee on Privacy and Consumer Protection convened a critical meeting. A broad coalition of local and national business associations testified regarding the predatory nature of the current litigation wave. The committee advanced the amended version of SB 690 with 10 affirmative votes, leaving the official tally open for absent members and establishing a cautiously optimistic tone between opposing sides.

Legislative Summer Recess Commences
July 2, 2026

The California legislature officially adjourned for its annual summer recess. This recess creates a temporary pause in active floor debates and voting procedures, giving both corporate lobbying groups and plaintiffs’ coalitions a four-week window to adjust their strategies.

Reconvening of the California Legislature
August 3, 2026

Lawmakers will return to Sacramento to begin the final legislative push of the year. SB 690 must be quickly scheduled for a full floor vote in the Assembly and reconciled with any matching Senate frameworks.

Final Adjournment and Deadline for Enactment
August 31, 2026

The hard operational deadline for the current legislative session. For SB 690 to become law and provide relief to businesses this calendar year, it must successfully pass through both legislative houses and be sent to the Governor’s desk before the midnight adjournment on this date.

Current Realities and Corporate Defense Tactics

While the progress of SB 690 gives corporate defendants a viable reason for optimism, a bill passing a single committee is not a guarantee of legal safety. Between now and the end of August, the current regulatory environment remains hostile. Because the law has not changed yet, plaintiffs’ firms are highly aware of this legislative timeline. There is an immediate risk that these firms will accelerate their demand campaigns over the coming weeks, attempting to lock in settlements before the legislative window closes on August 31.

Furthermore, businesses cannot afford to assume that a retroactive law will survive ultimate judicial scrutiny. Even if SB 690 crosses the finish line and is signed into law by the Governor, plaintiffs’ attorneys will almost certainly challenge the constitutionality of the retroactivity clause in court. They will likely argue that retroactively stripping away an active cause of action violates due process or interferes with vested rights.

Until an appellate court ruling or an enacted statute definitively sets the boundaries of digital pen registers, corporate legal teams must continue to actively manage their digital footprints. This means reviewing consumer cookie banners, auditing third-party script integrations, and ensuring that any deployment of tracking pixels is paired with clear, upfront user disclosures and robust opt-in or opt-out consent mechanisms. The legislative momentum is shifting, but operational defenses must remain active until the governor’s signature is officially on the paper.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.