Amending CIPA May Limit Litigation, Though Workarounds Possible

SB-690 is making its way through the state legislature. It would eliminate wiretapping, pen register and trap-and-trace liabilities from online tracking technologies used for business. The California Senate could vote soon on the bill. A legislative committee cleared it for a floor vote on a 6-0 tally last week (see 2505230062).

CIPA is and has been "a bit of a gravy train for the plaintiffs' bar,” with “thousands … of demand letters sent out to website operators, [and] a ton of lawsuits filed,” said Matthew Pearson, a Womble Bond privacy lawyer. “The threat that these lawsuits, this avenue of revenue, may go away” if the amendment passes “incentivizes anybody who is sitting on one of these lawsuits” to file.

“When SB-690 was introduced, you saw a little uptick” in cases filed, which, Pearson predicted, will continue while the bill is pending.

The bill originally included language that said the amendment would apply to all litigation pending as of Jan. 1, 2026, which Pearson said would make "probably a lot of the pending cases go away" if enacted.

However, the Senate revised the legislation on Thursday, removing language that would have made the bill retroactive. "This was likely a political sacrifice made to keep the rest of SB-690 moving forward," California lawyer Julie Clayton said in a LinkedIn post Friday. "But instead of helping clarify legislative intent as to CIPA, this effectively preserves our current patchwork of trial court decisions regarding web-tracking technologies."

"With retroactivity, SB 690 would have provided trial courts much-needed clarity about CIPA's applicability beyond law-enforcement investigations," Clayton continued. "Instead, litigants in pending cases will have to slog forward and hope that, by chance and not uniform authority, they will get their desired outcome. One company's cookies might pass the test, while another's get thrown across the kitchen a la Gordon Ramsay."

Vincent Smolczynski, another data protection lawyer at Seyfarth, said he was unsure SB-690 would decrease the amount of litigation filed; instead, parties would just find other reasons to bring claims. “I don't know that, necessarily, plaintiffs’ attorneys are going to simply admit that this is carte blanche applicable to every instance.” It “potentially could have a litigation-lessening effect,” but “it could also, in some instances, invite additional interpretation or challenges on that front as well.”

Similarly, Pearson said SB-690 “is not a Get-Out-of-Jail Free card,” so it’s likely that plaintiffs'’’ lawyers are “just going to update the allegations to say you don't comply with CIPA, even as amended.”

Harmonizing Privacy Laws

SB-690 would update CIPA, an old statute, harmonizing it with newer privacy laws such as the California Consumer Privacy Act (CCPA), which the California Privacy Rights Act (CPRA) amended, the lawyers said.

Updating is “certainly not unusual when a later-enacted law is inconsistent with the existing law,” said Pearson. “The CCPA is intended to address what CIPA is being used to address right now … so really, what this amendment is trying to do is to harmonize the CCPA and CIPA.”

“Right now, we're in a situation where you can fully comply with the CCPA and still get sued under CIPA,” he added. “What this amendment is trying to do is say, if you comply with the CCPA, you're also in compliance with CIPA.”

Smolczynski added that SB-690 is “a recognition by the California Legislature" of a "disconnect between the CIPA statute as it relates to the CCPA and the CPRA.”

Kathleen McConnell, data law attorney at Seyfarth Shaw, agreed and said the wake of lawsuits and demand letters is “really impacting the way that businesses are operating," influencing choices about “how they're going to handle disclosures around the operation of cookies, pixels and related technologies on their websites.”

The much older CIPA was originally aimed at addressing wiretapping, said McConnell. “The thrust behind the amendment is to really reduce the leveraging of … this old law that wasn't really meant to govern this type of technology, to reduce the number of suits that we're seeing ... particularly for small businesses and nonprofits.”

Pearson agreed. “There are a ton of very small businesses who are getting these demand letters, who just don't have the ability to either hire an attorney or pay a significant settlement,” he said. They were running technology on their site to provide a better experience, and now they’re being sued over it, he added.

“It strikes me as odd … to enact a statute that was as important and as big of a lift as the CCPA, and then, [several] years after it was enacted, to turn around and say, ‘Hey, you know, this other statute that literally was enacted to address call recording? Now that's the more important one, that's the one you have to comply with,’” Pearson said.

Legislators should amend the CCPA if they decide it is not doing its job, but “do not rely on statutes that were never intended to regulate this conduct and that carry with it very, very serious statutory damages, to band-aid over any issues with the CCPA.”

McConnell agreed. The way the law works now is creating “multiple sources of requirements that are not necessarily in harmony, and it does seem like there should be one source for things that [is] governing this,” she said.

Others, however, think the amendment is a mistake. Tracy Rosenberg, an author for citizens' coalition Oakland Privacy, called the legislation an “especially egregious affront to privacy rights,” in a blog on Monday. Previous CIPA rulings have “changed how Big Tech companies do business,” which this amendment will put a stop to “in one of the most crass giveaways to Big Tech and surveillance capitalism that we’ve ever seen.” Rosenberg also said that although the author of the bill alleges the CPRA is enough for consumer protection, there is no private right of action under it, as there is for CIPA.

Future Unclear

If the bill passes the Senate, it must still go to the Assembly before ending up on the governor's desk. The lawyers, who spoke with us prior to the Thursday amendment, raised doubts about it passing this year.

In terms of language, the bill "accomplishes" what its proponents "are hoping to accomplish,” McConnell said. “However, I think it may encounter some pushback as it goes through the legislative process in terms of potentially having effects beyond that. The wording is a little … bit broad.”

Smolczynski said he is 50/50 on the bill passing this session. “Perhaps something that is more narrowly tailored has a better chance,” he said. “It may be that in this round the breadth of the … exemption, as written in the amendment, is just too broad for what could reasonably get through the legislature.”

McConnell thinks that it is slightly more likely to fail than pass, but she wouldn’t be surprised if something passes, even if not in this legislative round. “There is a real tension coming from very real concerns on the business side,” she said. “But I also think there are some very valid concerns on the consumer privacy front as well, and I think that those are likely to become more obviously at loggerheads as this process proceeds.”

Whatever happens could influence the rest of the country, the lawyers said. When it comes to privacy, “California is like the tip of the spear … and then it just kind of trickles east,” Pearson noted.

Smolczynski agreed. “California tends to take the first bite at the apple, and then the other states tend to follow [suit], or slightly modify in some respects,” he said. “Irrespective of what transpires, you're probably going to see a similar follow-on activity from other states.”

Regardless, the lawyers agreed that SB-690 is a necessary update and would serve as a good example for others to follow. “We need to address the issues in the year, or the century, or the decade that actually understands and is knowledgeable about the technology, so that we're not doing this really weird square peg, round hole situation,” Pearson said.