The 2025 California legislative session ended without passing critical reforms to the California Invasion of Privacy Act (CIPA), leaving businesses vulnerable and scrambling to manage escalating compliance challenges and legal exposure on their own.

Why Was Reform Needed?

CIPA, originally enacted in 1967 to protect against telephone wiretapping, has recently been used to challenge how websites collect and process user data using tools like Google Analytics, Meta Pixel, and session replay software. Plaintiffs allege these tools “intercept” online communications without proper user consent, invoking CIPA’s provisions on eavesdropping and signal tracing even though the law predates the digital era by decades.

Despite the uncertainty, most courts have not dismissed these claims at an early stage, opening the door to expensive litigation. Statutory damages can reach $5,000 per violation, so potential exposure balloons rapidly for businesses with significant web traffic.

What Happened with SB 690?

Senate Bill 690 (SB 690) was introduced as a modernization effort, aiming to exempt routine data collection for business operations or analytics from being treated as illegal wiretapping under CIPA. The bill cleared the Senate but stalled in the Assembly Judiciary Committee amid calls for further negotiation between privacy advocates, industry groups, and consumer-rights organizations.

With SB 690 in limbo, companies must continue to navigate the ambiguities and aggressive lawsuits that have become commonplace since plaintiffs’ firms began targeting legacy tracking technologies and years-old analytics integrations.

Essential Compliance Action Steps for Businesses

Until state lawmakers act, businesses should consider taking the following steps to mitigate risk and demonstrate good faith if challenged:

  1. Conduct a Comprehensive Privacy Audit
    • Inventory all data-collection tools, including analytics, marketing pixels, session replay, chat, and plug-ins; and
    • Determine what information is being collected and who has access to it (including third parties).
  2. Obtain Clear and Affirmative Consent
    • CIPA requires explicit, affirmative opt-in consent before collecting user data. Use action-based consent banners (e.g., “By clicking Accept, you agree…”);
    • Passive consent such as “by continuing to browse” is insufficient; do not collect personal information before explicit consent; and
    • Some tools, like Google Analytics, now offer a “consent mode” that restricts data collection until consent is given. This can be applied to all visitors with California-based IP addresses.
  3. Update Privacy Disclosures
    • Accurately describe all data practices and third-party tool usage in easy-to-understand language in your privacy policy and consent pop-ups; and
    • Ensure public disclosures match actual practices; discrepancies can increase liability.
  4. Strengthen Vendor Agreements
    • Contracts with technology vendors must require compliance, limit data use, and include indemnification where possible.
  5. Implement Role-Based Data Controls
    • Restrict access to personal data to only necessary personnel and systems; retain records only as long as needed.
  6. Educate and Align Internal Teams
    • Ensure marketing and IT teams understand CIPA risks and consent requirements. Many issues stem from misunderstandings rather than intentional disregard of these risks.
  7. Insurance, Indemnification, and Reputational Risk
    • Most general liability and cyber insurance policies exclude coverage for statutory privacy violations like CIPA claims. This gap may leave businesses financially exposed to high defense costs and settlements. Review policy language with brokers or counsel and seek possible amendments.
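As an added illustration of the consent-mode approach in step 2 (example code written for this page, not from the article or from Google): the snippet below uses the documented gtag consent API to default every collection signal to denied for visitors Google classifies as in California (region code US-CA) and only upgrades it from an explicit Accept click. The element IDs and the CONSENT_TYPES list are assumptions for the example.

```javascript
// Added example: default-denied Google Consent Mode for California visitors.
// Assumes gtag.js is loaded on the page and that the banner exposes the
// (hypothetical) buttons #accept-btn and #reject-btn.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Consent signals that gate analytics/ads collection in Consent Mode.
const CONSENT_TYPES = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Build a consent object with every signal set to the same state.
function consentState(state) {
  return Object.fromEntries(CONSENT_TYPES.map((t) => [t, state]));
}

// Must run before any config/event call: deny collection for California
// visitors until the user acts. wait_for_update holds tags briefly so a
// stored prior choice can be replayed before anything fires.
function setCaliforniaDefaults() {
  const defaults = { ...consentState('denied'), region: ['US-CA'], wait_for_update: 500 };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Called only from an explicit, action-based control (the Accept button).
// Passive signals such as scrolling or continued browsing never call this.
function recordUserChoice(accepted) {
  const update = consentState(accepted ? 'granted' : 'denied');
  gtag('consent', 'update', update);
  return update;
}

// Audit helper: list consent commands in order so a review can confirm the
// denied default was queued before any update.
function consentCommands() {
  return dataLayer
    .filter((args) => args[0] === 'consent')
    .map((args) => ({ action: args[1], params: args[2] }));
}

setCaliforniaDefaults();
if (typeof document !== 'undefined') {
  document.getElementById('accept-btn')?.addEventListener('click', () => recordUserChoice(true));
  document.getElementById('reject-btn')?.addEventListener('click', () => recordUserChoice(false));
}
```

Note that with Google's advanced consent mode the tag still sends cookieless pings while consent is denied; if the goal is no transmission at all before consent, load the tag script itself only after the Accept click instead.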

Beyond direct costs, reputational harm can be significant, as plaintiffs’ firms often publicize lawsuits to exert pressure on companies and attract copycat claims. Transparent, user-friendly communication about data practices is the best defense.

What’s Next?

Many expect SB 690 or similar reform efforts to reappear in the next legislative session, and California courts will continue grappling with conflicting interpretations of CIPA. Until then, regulatory uncertainty will persist, with plaintiffs’ firms actively exploiting it. Preparation and transparency remain businesses’ best shields: proactive audits, updated disclosures, and robust consent mechanics are essential. Audit before you’re accused. Legacy laws like CIPA now pose modern threats. With reforms delayed, compliance is a business-wide mandate, not just a legal question. Companies that act now to align practices, communications, and governance will be best positioned to avoid costly disputes and reputational damage.