With SB 690 stalled, the current legal landscape under CIPA remains unchanged.
Businesses facing litigation under the California Invasion of Privacy Act (CIPA) will find no legislative relief in 2025. The California Assembly has officially placed SB 690—a bill designed to limit the scope of CIPA liability—on hold. As a result, the bill is now classified as a two-year bill, meaning the earliest it could be reconsidered is 2026. There is no possibility it will take effect before 2027, if it is ever reconsidered at all. This development leaves the current wave of CIPA litigation—and the legal uncertainty that comes with it—fully intact for at least another year.
Introduced by California Senator Anna Caballero, SB 690 sought to amend key provisions of CIPA (including Sections 631, 632 and 638.50) to include a “commercial purpose” exception. This would have clarified that routine website business practices—such as the use of session replay technology, chat features or third-party analytics—do not constitute unlawful wiretapping or eavesdropping when used for legitimate commercial purposes. The bill passed the California Senate by a vote of 35–0, creating optimism that it would also pass the Assembly and be signed into law by Governor Gavin Newsom.
The original version of the bill included retroactive application, which would have mooted hundreds of pending lawsuits. However, that provision was removed before Senate passage. Ultimately, the bill failed to advance out of committee in the Assembly and will not proceed during this legislative session.
With SB 690 stalled, the current legal landscape under CIPA remains unchanged. California state and federal courts continue to interpret the statute inconsistently in cases involving website tracking technologies and live chat support tools. In the meantime, plaintiffs’ lawyers continue to file CIPA lawsuits at a steady pace. The lack of legislative clarity—combined with some plaintiff-friendly rulings—means businesses remain exposed to significant liability, including statutory damages of $5,000 per violation.
Because SB 690 cannot move forward until 2026 at the earliest, businesses should prepare for at least another year of uncertainty in this space and continued active CIPA litigation.
Steps to Take
Review and Update Compliance Practices
Companies operating websites or digital platforms accessible to California consumers should review their use of tracking, analytics and chat technologies to ensure proper notice and consent mechanisms are in place. This includes ensuring that privacy policies are regularly reviewed and updated.
Continue to Monitor Evolving Case Law
Recent decisions—such as Gutierrez v. Converse Inc., et al., No. 24-4797 (9th Cir. 2025) and Mikulsky v. Bloomingdale’s LLC, et al., Case Nos. 24-3564 and 24-3837—highlight the evolving (and sometimes conflicting) judicial interpretations of CIPA.
About Duane Morris
Our attorneys are closely monitoring these CIPA developments and can provide real-time updates and strategic advice, especially in regard to recent legal decisions and their impact on the case-law landscape.
For More Information
If you have any questions about this Alert, please contact J. Colin Knisely, Michael S. Zullo, any of the attorneys in our Privacy and Data Protection Group, any of the attorneys in our Technology, Media and Telecom Industry Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.