ARTICLE
8 July 2026

California Legislature Takes Aim At CIPA Abuse

TS
Taft Stettinius & Hollister

Contributor

Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.
We have been writing about the California Invasion of Privacy Act (CIPA) for a while now (and, earlier this year, we predicted this law would continue to be a major issue in 2026).
United States California Privacy
Taft Stettinius & Hollister are most popular:
  • within Antitrust/Competition Law topic(s)

We have been writing about the California Invasion of Privacy Act (CIPA) for a while now (and, earlier this year, we predicted this law would continue to be a major issue in 2026).

From demand letters flooding our clients’ inboxes to the wave of litigation targeting standard website tracking tools, this 1967 wiretapping statute has proven uniquely susceptible to claims that bear little resemblance to the covert surveillance it was designed to prevent. On July 1, 2026, the California Assembly Committee on Privacy and Consumer Protection passed an amended version of Senate Bill 690, and the result is both encouraging and incomplete.

SB 690 in a Nutshell

To be sure, this is not the legislature’s first attempt to provide relief for businesses. The original SB 690, introduced last year, would have created a broad “commercial business purpose” exemption across multiple CIPA sections, including the core wiretap provision (Section 631), the recording prohibition (Section 632), and the pen register statute (Section 638.51). It passed the California Senate unanimously but stalled in the Assembly after the bill’s own sponsor paused it, citing opposition from consumer privacy advocates.

In contrast, the 2026 version is far more modest. The legislature jettisoned the commercial business purpose exemption entirely. No new definitions. No broad safe harbor for routine tracking technologies. Just one targeted fix to one provision: it strips the private right of action for pen register and trap and trace claims under Section 638.51 of the California Penal Code when the alleged violation arises from conduct on a website, online application, or mobile application. Going forward, only the California Attorney General can bring those claims against private actors. The bill, if signed into law, would also apply to any pending Section 638.51 claim filed within two years before the operative date. As currently drafted, the effective date is January 1, 2027, covering claims filed on or after January 1, 2025.

According to testimony before the Assembly committee, pen register claims have “become a poster child for abusive lawsuits.” Indeed, businesses of all sizes are perplexed by what they have received from firms and individuals filing or threatening to file such suits. These threats and suits typically involve collection of relatively benign digital information, like IP addresses and fail to allege concrete injury. With statutory damages of up to $5,000 per violation, the math fuels mass demand letters and class action filings.

Removing the private right of action for these claims is a meaningful step. A broad coalition supported the amended bill at the committee hearing, and committee members signaled that additional amendments targeting other categories of CIPA litigation may come before the August 31, 2026, deadline.

This amendment is hardly comprehensive CIPA reform. The amended SB 690 leaves Sections 631 and 632 completely untouched. The majority of the more aggressive CIPA theories, particularly those alleging that cookies, pixels, chatbots, and session replay tools constitute illegal wiretaps under Section 631, remain fully viable.

Next Steps for Businesses

Even if SB 690 passes and is signed into law, businesses should not let their guard down. Here is what we continue to recommend:

  • Audit your tracking technologies. Know what tools are deployed on your website, what data they collect, and what third parties receive that data. While engaging a company to implement and maintain your website may be efficient, it does not absolve a business of responsibility for what is happening on its website.
  • Update your privacy disclosures. Ensure your privacy policy and any posted terms accurately describe your data collection practices.
  • Deploy consent mechanisms. Use a cookie banner or similar tool for first-time visitors that provides meaningful notice and opt-out options and ensure those options are presented before your tracking technologies engage.
  • Monitor the legislative calendar. Additional CIPA amendments could surface before the session ends, and the California Court of Appeals is still considering whether website technologies qualify as pen registers under Section 638.51.

SB 690, if signed into law, will likely shut down a significant volume of no-harm litigation built on a statute designed for covert government surveillance, not analytics pixels on websites.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More