SENATE BILL 690 AMENDED: California Scales Back Its Proposed CIPA Overhaul by Eliminating the “Commercial Business Purpose” Exemption—Here’s What the Latest Means for CIPA Litigation

When California Senate Bill 690 (“SB 690”) was first introduced, it promised to be the most significant overhaul of the California Invasion of Privacy Act (“CIPA”) in decades. Businesses across California were hopeful that the bill would finally rein in the massive number of CIPA lawsuits and demands targeting the use of ordinary website technologies like cookies, pixels, chatbots, and session replay software.

But now, following its latest July 2, 2026 amendment, SB 690 looks very different.

Gone is the broad “commercial business purpose” exemption that would have largely insulated businesses using common online tracking technologies from CIPA liability. Instead, the CA Legislature has replaced it with a much narrower proposal that focuses on a single statutory provision, California’s pen register and trap and trace law, and limits who may enforce it.

In other words, SB 690 has shifted from rewriting CIPA to simply limiting one category of lawsuits. As originally drafted, SB 690 sought to fundamentally change how CIPA applied to modern online business practices.

The bill proposed sweeping amendments to multiple sections of the penal code that would have:

  • exempted communications intercepted or recorded for a “commercial business purpose” from CIPA’s wiretapping prohibitions;
  • exempted the processing of personal information for a commercial business purpose from CIPA’s private right of action;
  • excluded technologies used for a commercial business purpose from the definitions of “pen register” and “trap and trace device”;
  • defined “commercial business purpose” by reference to the California Consumer Privacy Act (“CCPA”); and
  • initially applied those changes retroactively to pending litigation.

Had those provisions survived, they likely would have significantly curtailed the thousands of CIPA lawsuits filed over the past several years challenging website technologies such as Meta Pixel, Google Analytics, session replay software, live chat tools, and similar technologies.

Supporters argued the bill simply aligned CIPA with the CCPA, which already regulates how businesses collect and process personal information. If businesses were already complying with the CCPA, they argued, they should not simultaneously face CIPA liability for the same conduct.

Not surprisingly, plaintiffs’ attorneys and privacy advocates strongly opposed the legislation, arguing it would effectively eliminate consumer privacy protections that CIPA has provided for nearly sixty years.

The latest amendment strips away nearly all of those substantive changes.

Rather than amending multiple provisions of CIPA, the latest version focuses almost exclusively on Penal Code section 637.2, which governs civil actions for violations of California’s pen register and trap and trace statute.

Instead of creating broad exemptions for commercial businesses, the amended bill provides that only the California Attorney General may bring an action against a private actor for alleged violations of Section 638.51 arising from conduct occurring on an internet website, online application, or mobile application.

That is a very different bill.

The underlying conduct is not legalized. Businesses do not receive immunity. Rather, private plaintiffs lose standing to bring one specific category of claims, leaving enforcement to the AG. The latest amendment removes nearly every provision that originally generated excitement among businesses facing CIPA litigation.

The CA legislature eliminated the commercial business purpose exemption from Sections 631, 632, and 632.7; the new statutory definition of “commercial business purpose”; the exclusion of website technologies from the definitions of pen registers and trap and trace devices; the exemption for processing personal information; and the broad limitation on CIPA’s private right of action.

So while the bill may knock out one category of claims, claims under Sections 631 and 632 are still fair game for plaintiffs.

Interestingly, while an earlier amendment removed the bill’s original retroactive provision after criticism from privacy advocates, the amended bill once again includes retroactive language—although in a much narrower form. Rather than applying to all CIPA claims, the amended bill provides that the limitation on private enforcement applies retroactively to pending Section 638.51 claims filed within two years before the bill’s operative date.

While the amended bill, if passed, may help defendants facing Section 638.51 claims, SB 690 does not solve the CIPA litigation/demand problem.

The overwhelming majority of website privacy lawsuits are brought under Sections 631 and 632—provisions left entirely untouched by the latest amendment. Companies using cookies, pixels, chatbots, session replay software, and similar technologies should therefore continue evaluating their compliance practices and monitoring case law developments.

The original proposal sought to modernize CIPA by recognizing that commonplace website technologies are fundamentally different from the telephone wiretapping practices CIPA was enacted to prohibit in 1967. The latest amendment abandons that broader policy goal and instead adopts a far more modest procedural reform, limiting private enforcement of only one statutory provision while leaving the rest of California’s increasingly active CIPA landscape intact.

Of course, this bill is still moving through the California legislature and further amendments remain possible. As always, we’ll keep an eye on this.

XoXo

Queenie
