Overview
The California Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 630, et seq., was enacted in 1967 to combat the use of wiretaps to eavesdrop on private telephone conversations. Except with respect to legitimate use of wiretaps by law enforcement, CIPA's purpose was to protect the right of privacy by, among other things, requiring that all parties consent to the monitoring or recording of their communications. (About a dozen other states also require that all parties to a telephone conversation provide their consent before their calls are monitored or recorded, which is why it is commonplace to be greeted with the familiar "This call may be monitored or recorded for quality assurance"-type disclosure at the outset of calls with a company.) Although it is a criminal statute, CIPA also provides a private right of action with recoverable statutory damages of the greater of $5,000 per violation or three times the amount of actual damages sustained.
In part because of the significant statutory damages available even in the absence of actual consumer injury, CIPA has become one of the country's most highly litigated privacy laws in recent years. Despite the statute's original purpose to prohibit the use of traditional wiretap technology and the fact that it was enacted many decades before the modern Internet became generally accessible to the public, thousands of lawsuits and arbitration demands have been filed in California (and many more pre-suit demand letters sent), alleging that commonly deployed features and software on websites, including chatbots, cookies, and pixel trackers, run afoul of CIPA. In an attempt to mold CIPA to the digital age, plaintiffs allege that these technologies transmit to third parties information about their interactions with websites without their consent, which they claim violate CIPA's prohibitions on wiretapping, eavesdropping on or recording confidential communications, or using a "pen register" or "trap and trace device." California courts have come out on both sides of the issue, with some finding that CIPA applies to these website technologies and others finding that it does not. This litigation risk and exposure to significant damages awards has caused many companies to settle CIPA lawsuits and threats rather than take on the uncertainties associated with litigation.
The plaintiffs' bar's momentum, however, may soon change. Earlier this year, California State Senator Anna Caballero introduced Senate Bill 690 (S.B. 690), which aims to "stop[ ] abusive lawsuits against California businesses and nonprofits under [CIPA] for standard online business activities[.]" Indeed, according to the California Senate Committee on Public Safety, the express purpose of the proposed amendment "is to protect businesses from vexatious litigation." If enacted, S.B. 690 would provide a broad "commercial business purpose" exemption to CIPA’s prohibitions on eavesdropping or recording communications, and prohibitions on the use of pen registers or trap and trace devices. The current version of the bill defines "commercial business purpose" as the processing of personal information either performed to further a business purpose or subject to a consumer's opt-out rights under the California Consumer Privacy Act. This bit of common-sense, bipartisan legislation is a welcome development to the industry. Just last week, the State Senate referred S.B. 690 to the California State Assembly by a decisive 35-0 vote.
If passed, S.B. 690 would substantially reshape privacy litigation in California by offering relief to businesses that may get caught in the Act's crosshairs for simply deploying common website technologies. However, although the initial version of the bill included an explicit provision making the legislation "retroactive and applicable to any case pending as of January 1, 2026," that provision has been struck in more recent amendments. Steptoe attorneys have substantial experience litigating and counseling on these and other CIPA issues, and will continue to track S.B. 690 and other CIPA developments closely.
