/>iVarnum Viewpoints
-
Expect continued litigation risk in the near term. CIPA lawsuits targeting website cookies are widespread, with over 1,500 filed in the past 18 months.
-
Relief is on the horizon but delayed. Senate Bill 690 would create a “commercial business purpose” exception, protecting routine business uses of cookies, but it won’t take effect until January 2026 and won’t apply retroactively.
-
Proactive steps are critical. Businesses should be prepared for an increase in demand letters and lawsuits before SB 690 becomes law and should consult counsel to assess risk and develop response strategies.
Companies that use cookies on their websites have seen a flood of lawsuits and demand letters claiming the industry-standard software violates users’ privacy rights by collecting personal information.
Many of these claimants rely on theories of liability under California law, which they argue applies even if the company does not have a physical presence in the state. The claimant’s goal is often to extract a nuisance-value settlement, then move on to the next target. The California Invasion of Privacy Act (CIPA) is a particularly attractive statute for cookie litigants because it provides for statutory damages of $5,000 per violation.
California lawmakers have taken notice of these CIPA-related “shakedown letters and lawsuits” observing that “[i]n the last 18 months, trial lawyers have sued over 1,500 business using [CIPA]’s private right of action, arguing that these typical business activities constitute ‘wiretapping’ or an illegal ‘pen register,’ necessitating ‘opt-in’ consent before the business can, for example, save an online shopping cart or show an ad.”
See Senate Committee on Public Safety Bill Analysis, Senate Bill 690, 2025-2026 Reg. Sess. (April 25, 2025).
Legislative Response: Senate Bill 690
To combat these lawsuits, the California State Senate unanimously passed Senate Bill 690, which would substantially reform CIPA by creating a “commercial business purpose” exception. Specifically, SB 690 would:
- Exempt commercial business purposes from the general prohibition against eavesdropping or recording a confidential communication.
- Clarify that the civil action authorized under current law for a person injured by a CIPA violation does not apply to the processing of personal information for a commercial business purpose.
- Specify that a trap and trace device, as defined in the CIPA, does not include a device or process used in a manner consistent with a commercial business purpose.
- Specify that a pen register does not include a device or process used in a manner consistent with a commercial business purpose.
- Define “commercial business purpose” as the processing of personal information either to further a business purpose, as defined in the California Privacy Act, or subject to a consumer’s opt-out rights.
SB 690 is now in the California State Assembly. If passed, it will go to Governor Gavin Newsom for final approval. Based on bipartisan support, the bill appears poised for enactment in 2026.
Implications for Businesses
While SB 690 would be a welcome change for businesses that have received CIPA-related demands, there is an important caveat: the bill would not apply retroactively and would not take effect until January 2026.
Regardless of whether SB 690 is ultimately enacted, its delayed effective date may prompt a new wave of cookie-based CIPA lawsuits in the months ahead, as claimants seek to file before the commercial-purpose exception becomes law.
Summer Associate Alex Sax contributed to this advisory. Alex is currently a law student at Wayne State University Law School.
