A national leader in privacy law, California was among the first states to include an express right to privacy in its constitution, create a data breach notification law, and codify robust consumer data protections. Despite such avenues for safeguarding data privacy and security, over the past several years, Plaintiffs’ attorneys have been relying on a 1967 criminal statute to allege that technologies commonly relied upon by retailers to offer effective and user-friendly online retail experiences constitute unlawful wiretapping.
The California Invasion of Privacy Act (CIPA) was designed to address telephone wiretapping and eavesdropping. In line with California’s “two-party consent” (or, more properly, “all party consent”) requirement, CIPA prohibits recording or wiretapping conversations without the consent of all participants. In recent years, Plaintiffs’ attorneys have issued and filed thousands of demand letters and lawsuits alleging that cookies, chatbots, session replay tools, and tracking pixels unlawfully intercept consumer website interactions and communications and thus provide a sufficient basis for action under CIPA. These claims have raised substantial legal risks and costs for businesses that rely on such analytics and marketing tools— with some seeking statutory damages of $5,000 per website visit, per visitor.
CA Senate Bill SB690 (“SB 690”) is intended to stop these lawsuits. The bill, detailed below, would create a “commercial business purpose” exemption to Sections 631, 632, 632.7, 637.2, and 638.50 of the Penal Code, specifying that processes and devices used for commercial business purposes are not pen registers or trap and trace devices. The Act will help retailers protect themselves from recent litigation theories. Although the bill has bipartisan support, the details and timing are far from clear—especially after Senators amended the bill on May 29th to remove its retroactivity provision, the subject of much debate and disagreement. The bill now awaits further action in the Assembly.
Overview of SB 690
If passed, SB 690 would allow retailers and other companies to avoid CIPA liability by proving that their challenged processing of personal information was “either performed to further a business purpose or subject to a consumer’s opt-out rights.” SB 690 would therefore permit the “processing” of personal information to further a business purpose.
Many activities intended to fall under this exception (e.g., collecting user data through online tracking technologies) are already regulated by the California Consumer Privacy Act (CCPA). Senator Anna Cabellero, the bill’s sponsor, says SB 690 will stop “abusive lawsuits against California small businesses and nonprofits” for “standard online business activities” covered by the CCPA. Notably, CIPA’s fines and penalties are much steeper than the CCPA’s, and CCPA generally does not provide a private right of action for such claims (but see our alert on this recent decision).
Amidst a backdrop of conflicting lower court decisions and a lack of appellate case law, SB 690 would provide much-needed clarity to businesses operating in e-commerce. It would likely also reduce the volume and success of CIPA-based wiretapping claims.
Critics claim that SB 690 will exempt technology companies and data brokers from anti-surveillance laws. Moreover, CIPA is alleged by some to address hidden tracking that the CCPA cannot remediate.
Even if SB 690 is Passed, Retailers Will Still Likely Face Years of Litigation
Since it was introduced, the big question has been whether the law would apply to lawsuits filed before it takes effect. This question is significant, as CIPA has a one-year statute of limitations, and thousands of new CIPA suits could be filed until the end of this period (i.e., one year after any law takes effect). For example, even after Michigan’s Preservation of Personal Privacy Act (PPPA) was amended to stop no-injury lawsuits, cases continued to be filed until the last day in the limitations period—some of which settled for tens of millions of dollars.
SB 690 was originally drafted to broadly apply to any case pending as of January 1, 2026, such that it would have resulted in the dismissal of most, if not all, active lawsuits. In response to criticisms from consumer attorneys and privacy groups that retroactivity would undermine litigation efforts to date, this provision was removed during the bill’s third reading on May 29, 2025. If CA SB 690 is enacted, this revision may lead to an uptick in CIPA claims filed between now and the effective date, just as we saw in Michigan.
While the plaintiff’s bar may have won the retroactivity battle, industry groups are investigating other strategies to help limit the viability of CIPA claims in the short-term.
State of play: Outcomes of CIPA lawsuits to date
In the short term, the new bill does not appear to have slowed down the plaintiffs’ bar. Instead, hundreds of new suits have been filed in recent months, under a new range of theories including that these technologies collect users’ IP addresses, search terms and activity, and chatbot communications.
So far, decisions on demurrers and motions to dismiss are split. And because none of these cases have reached the Court of Appeal or Ninth Circuit, retailers are left with little guidance on how to protect themselves from these claims.
Several recent decisions, however, have offered good news at this time of uncertainty:
- In Torres v Prudential Financial, Inc. (N.D. Cal. Apr. 17, 2025), the court granted summary judgment for defendants, holding that CIPA applies only when parties—willfully and without consent—attempt to or actually read the contents of in-transit communications. In doing so, the court declined to extend CIPA to situations where it was merely possible that a party might read such communications. An appeal was filed in this case on May 19, 2025, in the Ninth Circuit U.S. Court of Appeals.
- In Zhizhi Xu v. Reuters News & Media Inc. (S.D.N.Y. Feb. 13, 2025) and Gabrielli v. Insider, Inc. (S.D.N.Y. Feb. 18, 2025), the courts dismissed the claims, holding that the Plaintiffs lacked Article III standing to bring claims based on mere procedural violations of CIPA (as opposed to harm by targeted advertisements, for example). The courts also declined to recognize IP addresses, shared whenever users access a website, as private or personal information taken by themselves.
- While injury-related arguments have traditionally been used in federal court due to Article III standing requirements, in Rodriguez v. Fountain9, Inc., 2024 WL 4905217 (Cal. Super. Nov. 21, 2024), the court sustained the demurrer without leave to amend where "[t]the alleged injury is abstract and hypothetical because it is solely premised on statutory damages under CIPA." (Other courts, however, have rejected this argument.)
- In Aviles v. Liveramp, Inc., (Cal. Super. Jan. 28, 2025) and Sanchez v. Cars.com Inc. (Cal. Super. Jan. 27, 2025), the courts held that CIPA’s pen register provision was not intended to cover “internet communications” and that a website’s collection of users’ identifying information from their devices does not constitute a pen register or trap and trace device. Citing United States v. Forrester (9th 2008), both courts noted that, as with email, internet users have “no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information.”
Because pleadings challenges are often unsuccessful, retailers should also consider ways to mitigate the risk of CIPA suits from the start. Most notably, CIPA does not apply where the customer consented to the challenged practice. Thus, clear notice and consent mechanisms—if implemented correctly, and by counsel experienced with recent litigation nuances—can go a long way in reducing risk.
Conclusion
It is not the time to start celebrating, yet. While SB 690 may (if passed) bring an end to a class of claims in California, retailers will still have to navigate the multitude of statutes in different states whose language is similarly vague. Many new waves of similar “tracking” lawsuits have emerged across the country over the last two years. Retailers should therefore consult experienced counsel to ensure that they are best protected from the next theory to emerge.
For more information, please contact a member of Benesch's Retail & E-Commerce Industry Group.
Stephanie A. Sheridan at ssheridan@beneschlaw.com or 628.600.2250.
Meegan Brooks at mbrooks@beneschlaw.com or 628.600.2232.
Matthew P. Farrell at mfarrell@beneschlaw.com or 628.600.2244.
Brinson Elliott at belliott@beneschlaw.com or 628.295.2023.