No relief in sight: CIPA claims surge, legal landscape remains unchanged

A bill aiming to mitigate the number of “shakedown” lawsuits filed against businesses under the California Invasion of Privacy Act (CIPA) stalled during the 2025 legislative session, leaving the current deluge of CIPA litigation—and the legal uncertainty that comes with it—fully intact for at least another year.

According to Atlanta, GA-based law firm Fisher Phillips’s Digital Wiretapping Map, of the 3,847 privacy claims involving digital tracking technologies filed nationally since March of 2023, 2,935 (76%) have been in California alone, with 1,082 (37%) of those targeting the retail sector.

That’s why the state’s business community—including the California Chamber of Commerce, the Fresno Chamber of Commerce and various pro-business coalitions—are strongly in support of CIPA reform, primarily driven by SB 690 (Caballero, D-Merced).

Senator Caballero introduced SB 690 to amend key provisions of CIPA to include a “commercial purpose” exception. This would have made it clear that routine website business practices, such as the use of session replay technology, chat features or third-party analytics, do not constitute unlawful wiretapping or eavesdropping when used for legitimate commercial purposes. Such tools are widely used to provide data on web site traffic, functionality and customer experience.

Despite the Senate unanimously passing the bill in June, Caballero made the decision in July to pause the bill in the Assembly until at least this year, citing “outstanding concerns around consumer privacy.” SB 690 was instead made a two-year bill, meaning that it could be reconsidered in 2026. The withdrawal means that CIPA reform is on hold until further notice, and businesses must continue to navigate CIPA litigation without the protections SB 690 would have provided.

CIPA’s reemergence in the modern era

CIPA is a nearly 60-year-old law, passed in 1967, meant to criminalize traditional wiretapping and eavesdropping, primarily in the context of landline telephone calls. It was never meant to wrangle the complexities of the digital age or regulate how businesses track user interactions on the internet.

However, plaintiffs’ attorneys are dusting it off in the modern era to challenge common website tracking tools, alleging that certain online features such as search boxes and tracking technologies (like cookies and pixels) allow companies or their vendors to—using CIPA’s language—“intercept” or “eavesdrop on” user interactions without consent.

Claimants’ complaints focus on a few main arguments, primarily that website tracking technologies capture IP addresses when users visit a site. In turn, those addresses can be sent to third parties like Facebook, TikTok and Google. This collection and subsequent sending of information to third parties without consent is similar to a pen register or trap-and-trace device, which is unlawful under CIPA.

Applying rules for dated gadgetry to the latest technology is the old square peg in a round hole, critics argue, leading to a kind of legislative murk that exposes businesses to significant liabilities, including statutory damages of $5,000 per violation. Since these lawsuits are often brought as class actions, potential exposure can be devastating.

What are best practices to mitigate risk?

Concerned businesses should take proactive steps to limit CIPA exposure by carefully auditing all website tracking technologies in use, including cookies, pixels and chatbots.

Next, companies should make sure only the stated data are being collected, monitor the types of data being transmitted by the trackers used, ensure privacy policies reflect actual practices, and update cookie banner language to provide the option for true consent.

Additionally, privacy policies should clearly disclose how consumer data are collected, used and shared. Those disclosures should specifically state the use of web tracking technology and provide users with information about their rights.

Finally, legal experts advise businesses to ensure that any tracking technologies currently in use are necessary for operations and that their use is limited to what is appropriate.

For more updates on Fresno County development and business initiatives, stay connected with the Fresno Chamber of Commerce.

Photo by Marija Zaric on Unsplash