Privacy Lawyers Tout Judge's Call for CIPA Update

SB-690 by state Sen. Anna Caballero (D) would eliminate penalties under CIPA for businesses using wiretapping, pen register and trap-and-trace as online tracking technologies. Privacy lawyers argue that the proposal may reduce frivolous lawsuits that are an abuse of the older statute (see 2505280028).

But tech watchdogs disagree (see 2506050023). In an Oct. 20 press release about the conclusion of the 2025 legislative session, the Consumer Federation of California highlighted the postponement of SB-690 as an example of its work to keep “bad things from happening to consumers.” CFC said the bill would “have allowed a massive expansion of Big Tech’s surveillance and spying powers, without a consumer’s knowledge or consent.”

The Senate passed SB-690 but it stalled in the Assembly amid concerns that it might be aimed at protecting tech giants more than small businesses from frivolous lawsuits (see 2507010057). However, because state lawmakers converted SB-690 into what the California legislature calls a “two-year bill,” they can resume consideration of the controversial measure next year. The bill is currently in the Assembly Privacy Committee.

Chhabria’s decision in Doe v. Eating Recovery Center (ERC) could give the bill a boost. Calling CIPA “a total mess,” the judge expressed hope that legislators “will go back to the drawing board on CIPA.”

Immediately after the ruling, Womble Bond privacy lawyer Matthew Pearson said “one would hope” state lawmakers listen (see 2510210041). Multiple privacy practices, including at Seyfarth, Fisher Phillips and Troutman Amin, also touted Chhabria’s call for legislative action in recent blog posts.

San Francisco-based attorney Alicia Baiardo and two colleagues from McGuireWoods said Friday that the California legislature “must modernize CIPA to reflect how the internet actually works.” SB-690 “is a necessary first step in that direction,” they said. “Passing SB 690 and undertaking a broader, technology-informed rewrite of CIPA would deliver the clarity that courts and businesses need, while preserving consumer protections.”

CIPA “is a 1967 criminal wiretapping statute being stretched to govern 2025-era internet technologies,” the McGuireWoods lawyers said. “The result has been a patchwork of conflicting decisions that turn on hair-splitting distinctions about what it means to ‘read’ a communication ‘in transit,’ whether URLs and clickstream data constitute ‘contents,’ and how third-party service providers fit within a statute that never contemplated real-time web analytics, session replay tools, or ad technology.”

“This disarray imposes substantial, recurring costs on California businesses -- defense expenditures, insurance pressures, product redesigns, and settlement leverage untethered to any clear statutory boundaries -- without delivering predictable privacy outcomes for consumers,” they said. “That is an unsustainable public policy for a statute that carries statutory damages per violation and threatens to punish commonplace digital practices that other California privacy regimes, such as the [California Consumer Privacy Act], already regulate with far greater specificity.”

The court decision “highlights the urgent need for legislative clarity with respect to the application of CIPA to the internet,” wrote Hunton privacy attorneys Jason Kim and Paige Van Oosten on Monday. “Many businesses targeted by the plaintiffs’ bar would agree with Judge Chhabria’s conclusion that the ‘California Legislature needs to step up.’”

“Notwithstanding Judge Chhabria’s clear call to action, the California Legislature has stalled efforts to bring the clarity and certainty needed,” the Hunton lawyers noted. “By deferring final action [on SB-690] until at least the next legislative session, the Assembly has left courts and businesses in limbo, perpetuating the uncertainty spotlighted in Doe v. ERC .”