Stalled CIPA Reform Leaves Businesses to Face Compliance Alone

Nov. 26, 2025, 9:30 AM UTC

California lawmakers have wrapped up their 2025 legislative session without passing reforms to the California Invasion of Privacy Act, leaving businesses on their own to navigate compliance and litigation risk for another year.

The failure of Senate Bill 690—which would have created a “commercial business purpose” exemption to CIPA—means the wave of lawsuits targeting companies over their use of web analytics and digital tracking tools will continue well into 2026.

For now, the message is clear: Until legislators act, businesses must take proactive steps to ensure their online practices comply with a 58-year-old law that was never designed for the internet age.

An Outdated Statute

Originally enacted in 1967 to stop the wiretapping of telephone calls, CIPA was repurposed to challenge how websites collect and process data—a trend that started to gain traction around 2022. Plaintiffs’ lawyers have argued that tools such as Google Analytics, Meta Pixel, and session replay software “intercept” digital communications without consent, in violation of the statute’s provisions on eavesdropping and signal tracing.

Courts haven’t definitively resolved whether these tools fall under the statute’s scope, but many have declined to dismiss such claims early, emboldening plaintiffs and creating immense exposure for businesses. Each alleged violation can carry statutory damages of $5,000 per user, a figure that multiplies quickly across thousands of website interactions.

A Lifeline Deferred

SB 690 was designed to modernize CIPA by clarifying that routine data collection for operational or analytical purposes doesn’t constitute illegal wiretapping. The bill passed in the state Senate but stalled in the Assembly Judiciary Committee before adjournment. Lawmakers cited competing priorities and the need for further discussion among privacy advocates, industry groups, and consumer-rights organizations.

That delay leaves companies in limbo. With no legislative clarity, plaintiffs’ firms continue to file suits at a brisk pace, often relying on boilerplate complaints that allege secret tracking or unauthorized data sharing. For many businesses, these claims arrive without warning, triggered by the use of common website tools installed years earlier by marketing teams or third-party vendors.

Steps for Businesses

While SB 690 remains on hold, companies can take meaningful steps to minimize risk and strengthen compliance. The goal isn’t simply to avoid litigation, but to demonstrate diligence and transparency if a claim arises.

Conduct a comprehensive privacy audit. Businesses would be wise to inventory all data-collection technologies on their websites or apps. They should identify analytics platforms, marketing pixels, session replay software, chat tools, and plug-ins that track visitor behavior. In addition, companies should evaluate what information they collect—content, metadata, or both—and determine whether any third parties have access to it.

Ensure clear and affirmative consent. Under CIPA, affirmative, explicit opt-in consent is required. When a user first visits a company website, no information should be collected until that consent is obtained. A banner should appear with an action-based prompt, such as, “By clicking Accept, you agree to the terms of our Privacy Policy, including the use of tracking technologies.” Passive language such as “by continuing to browse” is unlikely to suffice. Unless and until a user clicks “Accept,” businesses should avoid collecting any personally identifiable information. Some analytics platforms, such as Google Analytics, offer a “consent mode” that allows limited, anonymized functionality until full consent is granted.

Update privacy disclosures. Privacy policies should accurately describe data-collection practices in plain, user-friendly terms. Companies using third-party analytics tools need to identify them and describe their function. Courts scrutinize the alignment between actual data practices and what’s disclosed publicly, and any misalignment can amplify liability.

Strengthen vendor agreements. It’s important to review contracts with technology providers to ensure they include privacy and data-handling provisions. Businesses should require vendors to certify compliance with applicable privacy laws, limit data use to legitimate operational purposes, and provide indemnification for violations stemming from their conduct.

Implement role-based controls. Ensuring that only necessary personnel or systems can access user data, and that logs or recordings are retained only as long as needed, can go a long way toward reducing both privacy risk and litigation leverage.

Train internal teams. Privacy risk often arises not from malice but from misunderstanding. Marketing and IT departments should be aligned on data use, consent mechanisms, and the potential legal implications of digital tracking tools.

Insurance and Indemnification

Businesses should also review their insurance coverage. Many general liability and cyber policies exclude statutory privacy violations, including CIPA claims. Coverage gaps can leave companies solely responsible for defense costs and settlements, which can easily exceed six or seven figures. Stakeholders should confirm with their brokers or counsel whether company policies include—or could be amended to include—coverage for privacy-related statutory damages.

The Reputational Factor

Even if a CIPA claim can be defended successfully, reputational harm can be severe. Plaintiffs’ firms often publicize lawsuits through press releases and social media, framing them as “consumer privacy” cases even when the facts involve standard analytics practices. Public scrutiny can erode customer trust and invite copycat claims.

Transparency is the best defense. Companies that communicate openly about their data practices, provide easy-to-read disclosures, and respect user choice are less likely to be targeted, or at least better positioned to respond credibly if they are.

Looking Ahead

Observers expect SB 690—or a similar reform bill—to be reintroduced when the legislature reconvenes. California courts will continue to grapple with conflicting interpretations of CIPA’s reach. Businesses can expect a steady stream of filings, as plaintiffs’ firms take advantage of the current uncertainty.

Until reform arrives, CIPA compliance is no longer just a matter for privacy counsel; it’s a cross-functional business imperative. Proactive auditing, transparent communication, and meticulous consent practices can prevent costly litigation and demonstrate good-faith compliance.

California’s legislative inaction leaves companies operating under a law that predates email, let alone analytics dashboards. Yet the plaintiffs’ bar has adapted it into a potent modern weapon. The most effective shield is preparation: Audit before you’re accused.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Aaron Plesset is an associate in the Los Angeles headquarters of Michelman & Robinson.

Marc Jacobs is a partner in the Los Angeles headquarters of Michelman & Robinson.


To contact the editors responsible for this story: Jada Chin at jchin@bloombergindustry.com; Jessica Estepa at jestepa@bloombergindustry.com
