On June 3, 2025, the California Senate passed Senate Bill 690 ("SB 690") in a unanimous 35-0 vote, advancing a measure that would significantly limit lawsuits under the California Invasion of Privacy Act ("CIPA") against businesses using standard online technologies. Notably, the bill was amended prior to passage to remove its retroactivity provision, meaning it will not apply to pending cases. The bill now moves to the Assembly for further consideration.
Over the last several years, CIPA—originally enacted in 1967 to address wiretapping and eavesdropping—has been repurposed by plaintiffs’ attorneys as a powerful tool to target online businesses for their use of common web technologies such as cookies, pixels, chatbots, and session replay tools. This has resulted in a dramatic surge of lawsuits, often class actions, alleging that these technologies constitute illegal “wiretapping” or the use of “pen registers” and “trap and trace” devices under CIPA. The business community, including small and mid-sized ecommerce companies, has faced a wave of demand letters and litigation, with businesses sometimes being coerced to settle rather than face the threat of statutory damages and protracted legal battles. These lawsuits have been widely criticized as burdensome and predatory, creating significant legal uncertainty and financial risk for companies operating in California. In response, SB 690 was introduced so that companies using online tracking technologies for a commercial business purpose would not violate CIPA by doing so.
Key Provisions and Scope of SB 690
SB 690 proposes to address this problem by introducing exemptions for activities conducted for “commercial business purposes” from several core CIPA provisions. The bill would exempt from liability the interception or recording of communications when done for a commercial business purpose. It also clarifies that the use of pen registers and trap and trace devices for commercial business purposes does not fall within the scope of CIPA’s prohibitions. Perhaps most significantly, SB 690 would bar private lawsuits for the processing of personal information for a commercial business purpose, effectively eliminating the private right of action for a wide range of CIPA claims related to online business activities.
The definition of “commercial business purpose” in SB 690 is closely tied to the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). It encompasses the processing of personal information to further a business purpose as defined in the CCPA, such as operational purposes, auditing, security, marketing, and analytics. It also includes activities subject to a consumer’s opt-out rights under the CCPA and CPRA, such as the sale or sharing of personal information. The bill adopts the CCPA’s definitions of “personal information” and “processing,” ensuring consistency across California’s privacy statutes.
A particularly notable feature of SB 690, as originally proposed, was its retroactive application, which would have applied the bill’s provisions to any case pending as of January 1, 2026. However, this retroactivity provision faced significant opposition during the legislative process. On May 29, 2025, just before the Senate vote, the bill was amended to remove the retroactivity language. As passed by the Senate, SB 690 is now silent on retroactive application and would likely only apply prospectively.
The bill now proceeds to the Assembly, where it will undergo committee reviews, three readings, and a final vote. If both houses pass the bill in the same form, it will be sent to the Governor for approval.
Potential Implications for Businesses
The legislative intent behind SB 690 is clear: CIPA was never meant to regulate the types of routine online data collection and analytics now at issue in many lawsuits. Proponents of the bill argue that the CCPA and CPRA provide a comprehensive, modern framework for regulating online privacy, including robust notice and opt-out rights for consumers. SB 690 is intended to harmonize California’s privacy laws, prevent duplicative and conflicting legal standards, and curb abusive litigation that threatens both large and small businesses. By clarifying that business activities already regulated by the CCPA are not within the scope of CIPA, the bill aims to restore legal certainty and allow businesses to focus on compliance with California’s primary privacy statutes, rather than defending against costly and unpredictable CIPA lawsuits.
If enacted, SB 690 would dramatically reduce the risk of CIPA litigation for businesses that use standard online tracking and analytics technologies in compliance with the CCPA and CPRA. This would provide much-needed relief from the lawsuits that have proliferated in recent years, allowing companies to redirect resources away from legal defense of specious claims.
Conclusion
With the Senate’s passage of SB 690 and the removal of the retroactivity provision, the bill represents a significant potential shift in the legal landscape for online businesses operating in California. Its progress and any further amendments will be closely watched by stakeholders across the technology, ecommerce, and privacy sectors.