Skip to content

Menu

Network by SubjectChannelsBlogsHomeAboutContact
AI Legal Journal logo
Subscribe
Search
Close
PublishersBlogsNetwork by SubjectChannels
Subscribe

California Legislature Takes Aim at CIPA Abuse

By Scot Ganow & Zachary Heck on July 7, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

We have been writing about the California Invasion of Privacy Act (CIPA) for a while now (and, earlier this year, we predicted this law would continue to be a major issue in 2026).

From demand letters flooding our clients’ inboxes to the wave of litigation targeting standard website tracking tools, this 1967 wiretapping statute has proven uniquely susceptible to claims that bear little resemblance to the covert surveillance it was designed to prevent. On July 1, 2026, the California Assembly Committee on Privacy and Consumer Protection passed an amended version of Senate Bill 690, and the result is both encouraging and incomplete.

SB 690 in a Nutshell

To be sure, this is not the legislature’s first attempt to provide relief for businesses. The original SB 690, introduced last year, would have created a broad “commercial business purpose” exemption across multiple CIPA sections, including the core wiretap provision (Section 631), the recording prohibition (Section 632), and the pen register statute (Section 638.51). It passed the California Senate unanimously but stalled in the Assembly after the bill’s own sponsor paused it, citing opposition from consumer privacy advocates.

In contrast, the 2026 version is far more modest. The legislature jettisoned the commercial business purpose exemption entirely. No new definitions. No broad safe harbor for routine tracking technologies. Just one targeted fix to one provision: it strips the private right of action for pen register and trap and trace claims under Section 638.51 of the California Penal Code when the alleged violation arises from conduct on a website, online application, or mobile application. Going forward, only the California Attorney General can bring those claims against private actors. The bill, if signed into law, would also apply to any pending Section 638.51 claim filed within two years before the operative date. As currently drafted, the effective date is January 1, 2027, covering claims filed on or after January 1, 2025.

According to testimony before the Assembly committee, pen register claims have “become a poster child for abusive lawsuits.” Indeed, businesses of all sizes are perplexed by what they have received from firms and individuals filing or threatening to file such suits. These threats and suits typically involve collection of relatively benign digital information, like IP addresses and fail to allege concrete injury. With statutory damages of up to $5,000 per violation, the math fuels mass demand letters and class action filings.

Removing the private right of action for these claims is a meaningful step. A broad coalition supported the amended bill at the committee hearing, and committee members signaled that additional amendments targeting other categories of CIPA litigation may come before the August 31, 2026, deadline.

This amendment is hardly comprehensive CIPA reform. The amended SB 690 leaves Sections 631 and 632 completely untouched. The majority of the more aggressive CIPA theories, particularly those alleging that cookies, pixels, chatbots, and session replay tools constitute illegal wiretaps under Section 631, remain fully viable.

Next Steps for Businesses

Even if SB 690 passes and is signed into law, businesses should not let their guard down. Here is what we continue to recommend:

  • Audit your tracking technologies. Know what tools are deployed on your website, what data they collect, and what third parties receive that data. While engaging a company to implement and maintain your website may be efficient, it does not absolve a business of responsibility for what is happening on its website.
  • Update your privacy disclosures. Ensure your privacy policy and any posted terms accurately describe your data collection practices.
  • Deploy consent mechanisms. Use a cookie banner or similar tool for first-time visitors that provides meaningful notice and opt-out options and ensure those options are presented before your tracking technologies engage.
  • Monitor the legislative calendar. Additional CIPA amendments could surface before the session ends, and the California Court of Appeals is still considering whether website technologies qualify as pen registers under Section 638.51.

SB 690, if signed into law, will likely shut down a significant volume of no-harm litigation built on a statute designed for covert government surveillance, not analytics pixels on websites.

Taft will continue to monitor developments related to CIPA litigation and similar trends. If you have questions about this decision, or about website tracking technologies more broadly,  Taft’s Privacy, Security & AI attorneys are available to assist. As always, please sign up to receive emails of our latest posts here on Privacy and Data Security Insights, and follow us on LinkedIn for the latest in privacy, security and artificial intelligence legal news.

Photo of Scot Ganow Scot Ganow

Scot is a partner in Taft’s Dayton office, and chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse…

Scot is a partner in Taft’s Dayton office, and chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

Read more about Scot GanowScot's Linkedin Profile
Show more Show less
Photo of Zachary Heck Zachary Heck

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect…

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

Read more about Zachary HeckZachary's Linkedin Profile
Show more Show less
  • Posted in:
    Privacy & Data Security
  • Blog:
    Taft Privacy & Data Security Insights
  • Organization:
    Taft Stettinius & Hollister LLP
  • Article: View Original Source

LexBlog logo
Copyright © 2026, LexBlog. All Rights Reserved.
Legal content Portal by LexBlog LexBlog Logo