On June 3, 2025, the California Senate unanimously passed Senate Bill 690 (SB 690) in a 35-0 vote, a strong show of support for reining in a flood of lawsuits that have taken many companies by surprise over the last few years. The bill now heads to the California Assembly, where it will face further scrutiny. If ultimately signed into law, SB 690 could reshape how privacy law is enforced in the digital space, offering much-needed clarity (and relief) for businesses across the country.

What is SB 690 All About?

SB 690 is aimed squarely at modernizing how California’s Invasion of Privacy Act (CIPA) is applied in today’s online economy. Originally passed in 1967 to address concerns around wiretapping and old-school eavesdropping, CIPA has recently been used in a very different context against websites and online tools for tracking online users’ behavior and use of a website.

In the last few years, plaintiffs’ lawyers have filed a wave of lawsuits alleging that everyday digital tools, such as cookies, chatbots, and analytics software violate CIPA. Some lawsuits even treat these technologies as illegal surveillance devices under the law. The result? A growing number of businesses, from major retailers to small e-commerce shops, have been hit with expensive and time-consuming legal threats.

Many of these cases are class actions, often pushing businesses to settle rather than fight it out in court. Critics have called this a form of legal “gotcha” using a decades-old law to penalize routine online practices that are otherwise regulated by California’s more recent privacy laws.

What SB 690 Would Change

SB 690 seeks to fix this problem by updating CIPA to reflect how digital communication and data collection actually work today. The bill would:

• Exempt businesses from CIPA liability when they record or intercept online communications for a “commercial business purpose.”
• Clarify that tools like session replay software, chat logs, or web tracking pixels are not “wiretaps” or surveillance devices when used in standard business operations.
• Prevent private lawsuits (i.e., lawsuits brought by consumers, not the government) related to these practices, as long as the company is using the data for a valid business reason.

Importantly, SB 690 defines “commercial business purpose” by borrowing language from California’s existing privacy laws—the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). That means businesses following those laws’ rules around data collection, marketing, analytics, and consumer opt-outs would be protected under SB 690.

What About Current Lawsuits?

Originally, SB 690 was written to apply retroactively, which would have wiped out many of the CIPA lawsuits already in progress. But that retroactive provision faced resistance and was removed just before the Senate vote. As it stands now, the bill would only apply to future cases, so businesses already facing CIPA lawsuits won’t receive immediate relief, and websites that track users before obtaining consent (particularly in California) could still face these demands and lawsuits in the meantime.

Why This Matters

Supporters of SB 690 argue that it restores legal balance. California already has some of the toughest privacy laws in the country. The CCPA and CPRA give consumers strong rights, including the ability to opt out of having their data sold or shared. But CIPA, which wasn’t designed for the internet era, has created an overlapping (and often conflicting) patchwork of rules.

The business community has been calling for reform, arguing that the CIPA lawsuits are stifling innovation and creating a “tax” on companies just for using standard tools to understand their customers or secure their platforms.

What’s Next?

SB 690 now moves to the California Assembly, where it will go through committee hearings and floor votes. If it passes the Assembly without changes, it will head to Governor Newsom’s desk. If amended, it may need to go back to the Senate for a final vote.

If SB 690 becomes law, businesses that use standard online tools for legitimate purposes (marketing, security, customer service, etc.) and comply with CCPA/CPRA rules will be far less likely to face CIPA lawsuits. That could mean fewer legal headaches, fewer settlements, and more certainty in how businesses can operate online.

But until the bill is fully enacted, the current legal risks under CIPA remain so businesses should stay alert and ensure compliance with existing privacy laws. The battle over online privacy enforcement in California is far from over, but SB 690 could mark a turning point.