On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances. The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies who use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.
As background, CIPA was enacted in 1967 to address concerns about privacy violations stemming from emerging technologies, particularly wiretapping and eavesdropping. CIPA also includes a provision prohibiting the use of “pen registers” and “trap and trace devices” (these are devices that record outgoing and incoming dialing, routing, addressing, or signaling information) without a court order. CIPA contains a private right of action and authorizes the greater of statutory damages in the amount of $5,000 per violation or three times the amount of actual damages.
In the last few years, plaintiffs’ firms have brought thousands of lawsuits and demand letters against companies that utilize online tracking devices. In the first wave, plaintiffs’ firms focused on the wiretapping and eavesdropping sections of CIPA. In the latest wave of these actions, plaintiffs have asserted violations under the pen register / trap and trace provision of CIPA where, for example, a company collects the user’s IP address, arguing that constitutes improper collection of dialing, routing, addressing, or signaling information.
Advocates for the bill have argued that such practices are abusive and punish companies for engaging in routine online business activities. They have also noted that such usage of CIPA contradicts the spirit and terms of the California Consumer Privacy Act’s (“CCPA”), which is an extensive law that governs online privacy for California residents. Passed in 2018, and since amended, CCPA specifically regulates businesses’ use and collection of consumer data, which leaves enforcement to state authorities, with a limited private right of action for security breaches.
If passed, the bill could help businesses by discouraging CIPA lawsuits on the usage of tracking devices in the world’s fourth largest economy and will provide to businesses a very valuable defense. However, the bill likely will not put an end to CIPA litigation. This is because the bill’s definition of “commercial business purpose” has a very specific, and rather complicated, meaning. It is limited to the processing of personal information that satisfies either of the following criteria: (a) is performed to further a “business purpose”, as defined by the CCPA’s complicated definition of a business purpose; or (b) is subject to a consumer’s opt-out rights under the CCPA, which generally involves situations where the business is selling personal information, sharing personal information for cross-context behavioral advertising, or using sensitive personal information outside of certain circumstances set forth in the CCPA. Interestingly, the bill’s definition of “commercial business purpose” does not encompass the CCPA’s definition of “commercial purpose”, which would have broadened the scope of this definition.
If this bill becomes law, companies can expect that plaintiffs will change their approach by arguing that the defendant lacked a legitimate commercial business purpose in using the tracking technologies. However, this issue will require plaintiffs’ firms to do a lot more work with less likelihood of prevailing, which likely will limit the number of these lawsuits.
Even if this bill becomes law, businesses would be well advised to ensure full, complete and accurate disclosure of their use of tracking technologies in their privacy policies and to continue to have a robust consent management tool on their website as it relates to such technologies.
The bill has support on both sides of the aisle and now heads to the state assembly.