California moves to shield businesses from privacy lawsuits, but within limits
Posted: June 26, 2025
California lawmakers have passed a bill intended to curb a wave of lawsuits under state wiretapping legislation.
The new law provides a tighter interpretation of the California Invasion of Privacy Act (CIPA) that should stem the flow of litigation against businesses using online tracking technologies.
But last-minute amendments to the final text could limit the law’s effectiveness, leaving businesses open to allegations that their online marketing tools enable illegal wiretapping.
Jump to:
The CIPA problem
For several years, businesses have faced class action lawsuits under CIPA, a wiretapping law enacted in 1967, long before online tracking technologies such as cookies and pixels became commonplace.
CIPA outlaws the non-consensual use of technologies such as “pen registers” and “trap and trace devices” used to intercept communications before the internet. The law’s broad definitions have been interpreted to prohibit the use of online tracking tools without consent.
As such, many businesses have found their digital marketing operations in the crosshairs of law firms and litigation funders. Hundreds of cases have been lodged under CIPA, including the Moody v C2 Educational Systems (2024), which is broadly considered to have strengthened plaintiffs’ arguments.
Senate Bill 690’s solution
On June 3, 2025, the California Senate passed Senate Bill 690 (SB 690), a bill that attempts to clearly distinguish legitimate business activities from the wiretapping schemes CIPA was intended to prevent.
SB 690 aligns CIPA with a more modern privacy law, the California Consumer Privacy Act (CCPA).
The bill would specify that businesses do not violate CIPA if they are engaged in activities conducted for “legitimate business purposes”. The definition of “legitimate business purposes” cross-references two provisions of the CCPA:
- The activities from which consumers have the “right to opt out”: The sale or sharing of personal information, the use or disclosure of sensitive personal information, and any online activities subject to an Opt-Out Preference Signal (OOPS).
- The CCPA’s eight “business purposes” (not covered by the “right to opt out”), which include operations like auditing website performance, providing customer services, and conducting certain analytics.
The suggested legislative logic is that, rather than suing, California consumers can exercise their CCPA rights to opt out of the first class of SB 690’s “legitimate business purposes”. The second class of purposes is deemed legitimate under the CCPA and not sufficiently intrusive to warrant litigation.
While businesses engaged in these legitimate business activities are now effectively shielded from lawsuits under CIPA – even if they do not request consent – they might still be targeted by regulators and plaintiffs citing the CCPA or other data privacy laws.
The timing issue
While businesses will welcome relief from the threat of future CIPA-related litigation, there’s an important caveat. Earlier versions of the bill would have applied retroactively, potentially resolving existing legal cases that are currently working their way through the courts.
The final Senate version removed this retroactive provision, meaning the new protections would only apply to future cases filed after the law takes effect.
This change preserves the validity of lawsuits already in progress and maintains potential liability for CIPA violations that occurred before 1 January 2026, when SB 690 takes effect.
Even after this date, businesses will still need to navigate the complex patchwork of online privacy laws across the US and globally. This requires close attention to cookie banners, transparency notices, and other online activities, including obtaining consent from consumers where appropriate.
