Amid Privacy Concerns, CIPA Amendment Bill Postponed to 2026
A controversial proposed change to the California Invasion of Privacy Act (CIPA) will be held until next year, said state Sen. Anna Caballero (D) during an Assembly Public Safety Committee hearing Tuesday. The committee advanced Caballero’s SB-690 to the Privacy Committee with the understanding that it will be delayed. A day earlier, the committee staff raised questions about whether SB-690 was designed to protect “mom-and-pop” businesses from frivolous lawsuits.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The California Senate last month passed SB-690 in a unanimous vote (see 2506030058). It would eliminate wiretapping, pen register and trap-and-trace liabilities from online tracking technologies used for business under CIPA. While privacy lawyers argue that SB-690 may reduce frivolous lawsuits that are an abuse of the older statute (see 2505280028), tech watchdogs have condemned SB-690 as potentially green-lighting what they call “dystopian big tech surveillance practices” to the detriment of consumer privacy and safety (see 2506050023).
Caballero had planned to propose amendments to narrow the bill’s focus, creating “a rebuttable presumption in CIPA that could be overcome through proof of harm,” she said. “However, there are outstanding concerns surrounding consumer privacy.”
Therefore, while still asking the committee to advance SB-690 Tuesday to the Privacy Committee, Caballero said she plans “to make it a two-year bill.” That means the legislation would be carried over to 2026, the second year of California’s biennial legislative cycle. “This will allow us additional time to work with opposition and to ensure we strike the right balance,” with a goal of ending “abusive lawsuits” while “preserving strong consumer protections against true bad actors.”
Public Safety Committee Chair Nick Schultz (D) shares Caballero’s “concern about the way that small businesses and nonprofits are really being hammered by what I see as an abusive process,” he said. “I also believe that Americans are under greater surveillance than ever in today's day and age by … private companies and even our government. I think that we have to be extraordinarily careful about how we strike that right balance.”
Committee staff analysis Monday noted that while “smaller ‘mom and pop’ websites may be uniquely harmed by frivolous CIPA lawsuits because they do not have the resources to litigate the claims,” SB-690 isn’t “specific to just small company retail sites.”
“Given some of the onerous standards for proving these claims in early pleadings litigation, to say nothing of the likelihood of the success on the merits, it is unclear how much of an issue this is as it relates to larger tech companies dominating the litigation,” the analysis said. “It makes the language used in this bill even more concerning as it appears it may have less to do with protecting smaller companies from vexatious litigation and more about insulating tech giants that track user information.”
“While some amendment to sections in the CIPA may be necessary to stymie frivolous litigation against small companies, large tech companies already have several advocates in every level of government,” the committee analysis added. “The amendments proposed in this bill may have serious unintended consequences for more privacy protections long held sacred by California residents.”
Caballero told the committee it’s not just big businesses targeted by CIPA lawsuits; it’s also nonprofits and small businesses. As the bill moves forward, legislators should look at allowing "some private right of action for really egregious behavior,” though in that case, the plaintiff “should have to prove [it] causes injury or damage.” Otherwise, she said, the conduct should be covered by the California Consumer Privacy Act.