California is a bellwether for privacy laws, which is why we’ve been watching carefully as recent events suggest that business-friendly interests may be gaining a foothold in what has historically been one of the most restrictive states in the country. Since the landmark California Consumer Privacy Act (“CCPA”) went into effect in 2020, interest groups, regulators, and politicians have been battling to impact the future of the statute and related regulations. Meanwhile, creative plaintiffs’ lawyers have turned their focus to the California Invasion of Privacy Act (“CIPA”) to argue that California’s eavesdropping statute also applies to online tracking technologies. But recent developments related to both the CIPA and the CCPA may give businesses reason for hope.
Most notably, the California Senate Appropriations Committee recently held a hearing on California Senate Bill 690 (SB 690), which would amend the CIPA to permit the use of online tracking technologies for “commercial business purposes.” The bill, if passed, would end a flood of litigation against companies of all types and sizes in California over the past 18 months, alleging that use of fairly standard tracking technologies constitutes “eavesdropping” under the CIPA. The use of tracking technologies would still need to comply with the CCPA and other comparable laws, but the CIPA would no longer be a landmine for the unwary. And importantly, the bill’s terms are explicitly made retroactive to any cases pending as of January 1, 2026 (perhaps incentivizing plaintiffs’ lawyers to settle at deep discounts before year’s end – take note CIPA defense lawyers).
On the CCPA front, battle lines continue to be drawn between those who want to see even more stringent regulations and those who are concerned that the existing requirements are already hurting businesses. In April, Governor Gavin Newsom joined the fray, siding with “Big Tech” on at least some issues related to the CCPA, urging them not to hurt California’s flourishing AI sector, which could cause companies to leave the state and create confusing compliance obligations across industries. And in a surprise turn of events, the most recent revised regulations released by the California Privacy Protection Agency (relating to cybersecurity audits, risk assessments, and automated decision-making technology) seem as though they will lessen the impact on businesses (including by granting businesses more time to complete cybersecurity audits, paring back some of the more onerous audit requirements, and narrowing the definition of automated decision-making).
We’ll continue to monitor the developments in California – particularly given how they can ripple across the country – so keep an eye on this space for further updates.