California Senate Bill 690 (“SB 690”) aims to amend CIPA by creating a broad exemption for the use of online tracking technologies if employed for a “commercial business purpose.” This means that companies could deploy cookies, pixels, chatbots, and session replay software to collect and analyze user data – even if it captures personal communications – without facing CIPA lawsuits.
As all of you CIPAWorld dwellers know, in recent years, CIPA has become one of the most aggressively litigated privacy laws in the nation, especially since the infamous CIPA / TCPA catastrophe. Since Javier’s massive expansion of CIPA, thousands of high-profile lawsuits and arbitration demands have been filed against companies allegedly surreptitiously intercepting or “wiretapping” consumer communications through technologies such as session replay software, chatbots, cookies, and pixel trackers – tools that assist legitimate businesses to capture keystrokes, chat transcripts, and browsing behaviors to better a consumer’s journey on its website (or you know even comply with the Telephone Consumer Protection Act). And along with CIPA’s $5,000 PER violation private right of action, it’s no surprise Plaintiff’s attorneys have been filing lawsuits en masse.
But perhaps not for much longer.
SB 690 was introduced by Democratic Senator Anna Caballero, and is rapidly emerging as the most important and controversial privacy legislation of 2025 as it makes it way through the state legislature. SB 690 proposes to amend the heavily litigated CIPA by carving out an exemption for the use of tracking technologies – including cookies, pixels chatbots, and session replay tools – when deployed for a legitimate “commercial business purpose.”
Specifically, SB 690:
- Exempts a commercial business purpose from the general prohibition against eavesdropping or recording a confidential communication.
- Specifies that the civil action, as authorized under current law for a person who has been injured by a violation of CIPA, does not apply to the processing of personal information for a commercial business purpose.
- Specifies that a trap and trace device does not include a device or process that is used in a manner consistent with a commercial business purpose.
- Specifies that a pen register does not include a device or process used in a manner consistent with a commercial business purpose.
- Defines a “commercial business purpose” to mean the processing of personal information either performed to further a business purpose or subject to a consumer’s opt-out rights.
Makes its provisions retroactive and applicable to any case pending as of January 1, 2026.(Notably, when the bill was first introduced, the proposed exemption was explicitly retroactive and would have applied to any legal action pending as of January 1, 2026. This crucial provision would have impacted hundreds of active lawsuits currently making their way through California courts and tribunals, with plaintiffs in those cases seeing their claims effectively neutralized. However, this retroactivity drew sharp criticism from privacy advocates and plaintiffs’ attorneys, who argued that it amounts to a giveaway to corporate defendants and could deprive consumers of remedies for past privacy violations. Following a third reading of the Bill on May 29, 2025, the Senate removed the retroactive provision and ordered the amended bill to a second reading.)
The “commercial business purpose” phrase is defined in alignment with the California Consumer Privacy Act (“CCPA”) to harmonize CIPA with existing state data privacy standards. A “commercial purpose” is defined as the processing of personal information either performed to further a business purpose or subject to a consumer’s opt-out rights. SB 690 also proposes excluding any device that is used in a manner that is “consistent with a commercial business purpose” from the definitions of a pen register and trap and trace device. If passed, the use of online tracking technologies – that are currently under scrutiny – would likely fall under the “commercial purpose” exemption.
Proponents of the bill have argued that the CCPA already regulates how businesses collect, use, and share consumers data (including for website analytics and advertising) and creates opt-out rights, making additional protections under CIPA superfluous and unduly burdensome. If a business uses tracking tools in a manner consistent with the CCPA’s requirements then, under SB 690, they would not be considered in violation of CIPA.
“[SB 690] stops the abusive lawsuits against California businesses and nonprofits under the California Invasion of Privacy Act (CIPA) for standard online business activities that are already regulated by the California Consumer Privacy Act (CCPA).”
– Senator Caballero in a Press Release introducing the bill.
Supporters of the bill note that CIPA’s private right of action is being abused far beyond its original purpose when the law was enacted in 1967:
“Beyond regulatory inconsistency, the unchecked barrage of CIPA lawsuits has done nothing to protect consumer privacy. Instead, these demand letters and lawsuits have created significant costs for California businesses, particularly small and mid-sized businesses – and non-profits – that lack the resources to defend against these claims. Trial lawyers have targeted businesses for using common digital tools such as chatbots—tools that are widely used to enhance user experience and do not constitute unlawful wiretapping or eavesdropping as originally intended under CIPA.
Trial lawyers have sued over 1,500 businesses since 2022, and have sent thousands more demand letters.”
While those in opposition – including of course the NCLC – argue that legislative history makes it clear they were concerned about the future of surveillance and wanting lasting privacy protections for Californians:
“When passed in 1967, CIPA was designed as a forward-looking protection against the full spectrum of technological intrusions into private life. The legislative history demonstrates a clear intention to address and regulate the growing threat of electronic surveillance. These concerns are consistent with the now ubiquitous and invasive commercial practices of internet-based tracking, profiling, and data commodification. CIPA was intended to be robust, technology-neutral, and protective of Californians’ right to control their private communications, regardless of the surveillance medium. The argument advanced by SB 690—that CIPA was intended to be limited to traditional wiretaps—is contradicted by the legislative record, which reveals a sophisticated understanding of, and alarm at, the ever increasing sophistication of private surveillance systems that propelled their vision past the 1960s and into the future.”
Opponents of the bill also argue that the CCPA was never meant to replace privacy laws like the CIPA and that the CCPA works on an opt-out basis but doesn’t let consumers file private lawsuits for most privacy violations – only for data breaches. CIPA, on the other hand, gives consumers the right to take business to court when their “conversations” are being “intercepted” or “recorded” without consent. The bill would take away privacy protections and give tech companies and businesses the right to secretly monitor and record conversations between consumers and business in real time – by claiming to act for a “commercial purpose,” they argue.
SB 690 is now advancing toward a full Senate vote and must be passed out of the California Senate this week – by June 6, 2025, to remain viable this session. Interestingly, it has received unanimous bipartisan support in Senate votes until now.
This could really be a big win for business using everyday common website tools – many tools that are just normal parts of running a website or improving customer experience and were not intended to be covered by a statute that was enacted back in 1967. SB 690 could drastically reduce CIPA risk for companies – and even potentially shape precedent for other states that have similar privacy statutes as California.