CIPA Reform In 2026: What Website Operators Need To Know

Over the last few years, businesses, nonprofits, and other website operators have seen thousands of lawsuits and arbitrations filed under the California Invasion of Privacy Act (CIPA) alleging that the use of ubiquitous cookies and pixels on websites violates CIPA's wiretap and pen register provisions. The California legislature considered curbing that explosion of litigation with SB 690, which was introduced in the 2025 session with some enthusiasm but ultimately stalled.

Thus, although there is some hope of relief as the legislative session picks back up in 2026, organizations are left in the same situation as before—balancing business needs and value with risk mitigation.

SB 690 at a Glance

CIPA was originally enacted in 1967 to address traditional wiretapping and eavesdropping concerns which, at the time, primarily involved telephonic communications. It therefore did not address digital technologies or adtech now used for website marketing. Nonetheless, in recent years, several thousands of lawsuits and arbitrations have sought to apply CIPA in precisely that context.

In 2025, California lawmakers advanced SB 690 to modernize CIPA for the internet era. The amendment aims to tamp down lawsuits targeting routine website technologies by adding a broad "commercial business purpose" exemption to CIPA's wiretap and pen-register provisions and, thus, clarify that use of these technologies for business purposes would not trigger CIPA liability. Early versions of the bill included a retroactivity provision that would have applied to all pending cases as of January 1, 2026, but that provision was removed in the Senate amid criticism from consumer advocate groups.

Why SB 690 Stalled in 2025

Despite unanimous passage in the Senate, SB 690 did not clear the Assembly before the 2025 legislative session adjourned, and it was thus designated a two-year bill. Reports indicate the bill stalled in the Assembly Judiciary process, with lawmakers citing the need for further stakeholder dialogue and competing policy priorities, leaving businesses to face continued litigation through at least 2026.

The primary resistance to the bill came from privacy and consumer groups who argued that SB 690's proposed exemption was too broad and would shield opaque tracking practices that CCPA enforcement has not yet addressed. Removal of the bill's retroactivity provision would reduce immediate litigation relief, and plaintiffs' filings continued apace through the close of the year amid split trial court decisions on CIPA's scope.

What's Next for SB 690 in 2026

Notably, it was SB 690's author and primary sponsor that paused the bill in the Assembly in 2025, citing opposition from consumer privacy advocates and attorneys' groups. So, it remains to be seen whether SB 690 will advance at all, at least in its current form, in 2026.

SB 690 is eligible for reconsideration as a two-year bill in the 2026 session, which reconvenes January 5. The last day to introduce bills is February 20, and the final day to pass bills August 31. Expect policy committee activity in spring, fiscal deadlines in May, and floor-only periods late May and in the final August push. If revived, SB 690 is likely to remain prospective only, reinforcing the importance of near-term compliance and risk mitigation for existing site technologies.

What Businesses and Organizations Should Do Now

Until reform is enacted, CIPA suits over pixels, analytics, chatbots, search bar functions, and replay tools will continue, complete with statutory damages of $5,000 per alleged violation and inconsistent early-dismissal outcomes. Further, even if SB 690 eventually passes in its current form, relief would not be coming until at least 2027, if not longer. Organizations therefore need to take steps now to assess their risk.

Risk mitigation for each specific organization will necessarily vary, but it will generally involve assessing practices, identifying any higher risk processing activities, and updating disclosures, consents, and vendor governance as appropriate.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.