Will California SB 690 end CIPA website tracking lawsuits? Not yet — and possibly not in its current form at all. California Senate Bill 690 would create a commercial business purpose exemption to CIPA that would effectively eliminate the private right of action for most website tracking claims. It passed the California Senate unanimously, 35-0. It then stalled in the Assembly, was designated a two-year bill, and cannot take effect before January 1, 2027 at the earliest. Its primary sponsor paused it herself, citing outstanding concerns around consumer privacy. Whether it passes in 2026, passes in amended form, or fails entirely is genuinely uncertain.
What is not uncertain: SB 690's failure to advance in 2025 has given plaintiffs a clear deadline to file all claims they can before the new limitations potentially take effect — and the number of filings has not slowed. The bill's existence has accelerated the litigation it was designed to stop.
This post explains what SB 690 would do, what happened to it, what the current legislative timeline looks like, and — most importantly — what businesses should be doing right now that does not depend on when or whether SB 690 passes.
What SB 690 would actually do
SB 690 proposes to amend CIPA by introducing exemptions for activities conducted for a "commercial business purpose" from several core CIPA provisions — exempting from liability the interception or recording of communications when done for a commercial business purpose.
The commercial business purpose definition is closely tied to CCPA. It encompasses the processing of personal information to further a business purpose as defined in the CCPA — operational purposes, auditing, security, marketing, and analytics — as well as activities subject to a consumer's opt-out rights under the CCPA and CPRA.
In practical terms, if SB 690 passes in its current form, a business using Meta Pixel, session replay tools, Google Analytics, and chat widgets for routine commercial operations would be outside CIPA's reach for those tools — provided the use is consistent with CCPA's framework and subject to consumer opt-out rights. The $5,000-per-violation private right of action that has funded the current wave of CIPA demand letters and class actions would be eliminated for this category of activity.
Perhaps most significantly, SB 690 would bar private lawsuits for the processing of personal information for a commercial business purpose — effectively eliminating the private right of action for a wide range of CIPA claims related to online business activities.
The bill would also clarify the pen register and trap and trace provisions: devices used for commercial business purposes would be excluded from CIPA's § 638.51 prohibitions. This directly addresses the § 638.51 theory that plaintiffs have been testing against IP address collection and behavioral tracking metadata.
The history: from unanimous Senate passage to Assembly stall
SB 690's legislative history is a study in the difference between a bill that passes and a bill that becomes law.
Senator Anna Caballero introduced SB 690 in response to what she characterized as an explosion of abusive lawsuits against California small businesses and nonprofits for standard online activities already regulated by CCPA. She argued that allowing these suits to proceed under CIPA goes against legislative intent, creates confusion, punishes compliance, and does not make Californians safer.
The original bill included a retroactivity provision that would have applied to any case pending as of January 1, 2026 — effectively wiping out the entire backlog of existing CIPA litigation in one stroke. This provision was removed on May 29, 2025 in response to criticism from consumer attorneys and privacy groups that retroactivity would undermine litigation efforts to date.
On June 3, 2025, the California Senate passed SB 690 unanimously, 35-0. The bill then moved to the Assembly.
The bill failed to advance out of committee in the Assembly and will not proceed during the 2025 legislative session. In a significant development, Senator Caballero herself made the decision to pause the bill in the Assembly, citing outstanding concerns around consumer privacy. The bill's sponsor stopping her own bill in the second chamber is not a routine procedural delay. It signals that the concerns raised in the Assembly were substantive enough that Caballero concluded more work was needed before a final vote.
The 2026 legislative timeline
SB 690 is eligible for reconsideration as a two-year bill in the 2026 session, which reconvened January 5. The last day to introduce bills is February 20, and the final day to pass bills is August 31, 2026.
The key dates for anyone tracking SB 690 in 2026: the bill must pass the Assembly and be signed by Governor Newsom before August 31, 2026 to take effect January 1, 2027. If it passes after the deadline, it cannot take effect until 2028. If it fails again, it cannot be reintroduced in the same form without starting the legislative process over.
Three scenarios are possible. The bill passes in current form — unlikely without resolution of the consumer privacy concerns that caused the 2025 stall. It passes in amended form — possible, with the commercial business purpose exemption narrowed to address privacy advocates' concerns. It fails again — also possible, particularly if the political calculus around privacy legislation shifts in 2026. Notably, it was SB 690's own author and primary sponsor that paused the bill in the Assembly, so it remains to be seen whether the bill will advance at all.
Why the filing surge is happening right now
The mechanics of CIPA's statute of limitations create a specific pressure that the bill's timeline is producing.
CIPA has a one-year statute of limitations for civil claims. Since SB 690 does not apply retroactively and would only operate prospectively, a major uptick in CIPA claims is expected as plaintiffs scramble to bring claims before any change in the law. The Michigan parallel is instructive: even after Michigan's Preservation of Personal Privacy Act was amended to stop no-injury lawsuits, cases continued to be filed until the last day in the limitations period — some of which settled for tens of millions of dollars.
The practical implication: if SB 690 passes and takes effect January 1, 2027, plaintiffs have until December 31, 2027 to file any claims based on conduct occurring on or before January 1, 2027. The one-year limitations window after the effective date will produce its own filing surge even if the law passes. For businesses currently running non-compliant tracking configurations, the passage of SB 690 does not eliminate their exposure for past violations — it only limits future liability from conduct occurring after the effective date.
This is why waiting for SB 690 to resolve the problem is not a compliance strategy. The violations that are occurring on your website today are accruing potential liability regardless of what the legislature does in August.
What the opposition's concerns actually are
Understanding why the bill stalled requires understanding what consumer privacy advocates objected to — because those objections reveal the substantive policy tension that makes the bill's passage uncertain.
The core concern is that the commercial business purpose exemption is too broad. Under the proposed language, virtually any use of tracking technology by a for-profit business qualifies as a commercial business purpose. The exemption would apply to a company collecting sensitive health data through a pixel, a company running session replay on a medical patient portal, and a company sharing behavioral data with advertising networks — all of these are commercial business purposes under the definition.
Privacy advocates argued that CCPA does not cover these practices as fully as the bill's sponsors suggested. CCPA's enforcement record has been described as showing rampant non-compliance, and CCPA generally does not provide the private right of action that has made CIPA an effective enforcement tool. Replacing CIPA's private right of action with reliance on CCPA regulatory enforcement is, in the privacy advocates' view, replacing a functioning deterrent with a deficient one.
The removal of the retroactivity provision was a concession to these concerns — but it was not sufficient to move the bill out of the Assembly. The residual disagreement is about whether the forward-looking exemption is appropriately scoped, and that disagreement has not been resolved.
What this means for your compliance program
SB 690 is not a compliance strategy. Even in the optimistic scenario — the bill passes in 2026, takes effect January 1, 2027 — it does not apply retroactively. Every violation that occurs between now and the effective date remains actionable for up to one year after it occurs. A business that is currently running non-compliant tracking and is waiting for SB 690 to resolve the exposure is accumulating liability that the bill will not touch.
The commercial business purpose exemption does not eliminate the consent architecture requirement. SB 690 ties the exemption to activities consistent with CCPA — including activities subject to consumer opt-out rights. A tracking tool that fires before a GPC-enabled user has a chance to opt out, or that fires before any consent mechanism is displayed, is not self-evidently within the commercial business purpose exemption even if the bill passes. The consent architecture that CIPA's prior consent standard requires today is also the architecture that demonstrates CCPA opt-out compliance tomorrow.
The filing surge makes the next 12–18 months the highest-risk period in CIPA's history. The combination of established legal theories, a pending legislative deadline, and plaintiffs' incentive to file before the exemption takes effect means the demand letter volume will not decrease while the bill is pending. It will increase.
Frequently asked questions
Will SB 690 end CIPA lawsuits?
Not entirely, and not immediately. If passed in current form, SB 690 would eliminate the private right of action for website tracking activities conducted for a commercial business purpose — significantly reducing demand letters and class actions targeting standard analytics, advertising pixels, and session replay tools. It would not apply retroactively. And categories of CIPA exposure that fall outside the commercial business purpose definition — including AI chatbot training data use and health-specific interceptions — may not be covered by the exemption.
When will SB 690 take effect?
The earliest possible effective date is January 1, 2027, if the bill passes the Assembly and is signed by Governor Newsom before August 31, 2026. If the bill fails in 2026, it cannot be reintroduced in the same form without starting the legislative process over. There is no guarantee it passes — its own sponsor paused it in the Assembly citing outstanding consumer privacy concerns.
Should I wait for SB 690 before investing in CIPA compliance?
No, for three reasons. First, SB 690's prospective-only structure means it does not eliminate liability for conduct occurring before its effective date. Second, the consent architecture that satisfies CIPA's prior consent standard today also satisfies CCPA's opt-out compliance — the investment serves both laws simultaneously. Third, the filing surge triggered by SB 690's pending deadline is producing more demand letters, not fewer, making the current period the highest-risk window in the statute's history.
Does SB 690 affect the § 638.51 pen register claims?
Yes — SB 690 would clarify that devices and processes used for commercial business purposes are not pen registers or trap and trace devices under § 638.51. This directly addresses the theory that advertising pixels, analytics tools, and behavioral tracking constitute unlawful pen registers. If the bill passes, the § 638.51 theory for standard commercial tracking tools would be eliminated prospectively.
What if SB 690 passes in amended form with a narrower exemption?
A narrowed exemption would likely cover a smaller category of tracking activities — possibly excluding AI chatbot training data use, health-adjacent data collection, or tracking of sensitive categories. Businesses should not assume that any version of SB 690 covers all of their current tracking practices. A compliance program built around CIPA's current prior consent standard satisfies any version of the exemption, because prior consent is the most protective posture regardless of what the exemption covers.
Is SB 690 likely to pass in 2026?
Uncertain. The bill has genuine bipartisan support — it passed the Senate 35-0 — but the concerns that caused it to stall in the Assembly have not been publicly resolved. The bill's own sponsor paused it herself, which is an unusual signal. Whether the 2026 session produces a narrowed bill that resolves the privacy advocates' concerns or whether the bill fails again depends on negotiations that have not concluded. Businesses should plan their compliance programs for the scenario where SB 690 does not pass rather than the scenario where it does.
The bottom line
SB 690 is real legislative activity that could meaningfully reduce CIPA litigation risk — but only prospectively, only if it passes, only in the form that ultimately becomes law, and only for activities that fall within the commercial business purpose definition. The compliance program that protects you today does not depend on any of those uncertainties.
A correctly implemented consent architecture that satisfies CIPA's prior consent standard protects you whether SB 690 passes in 2026, passes in 2027, passes in amended form, or fails entirely. It also positions you correctly if the exemption is narrower than the current draft suggests.
The infrastructure answer
The free PieEye compliance scan tells you where your current implementation stands against CIPA's existing standard — which is the standard that applies right now, today, while SB 690's fate is being decided in Sacramento.
For the complete technical architecture for prior consent and vendor contract review, the CIPA compliance guide covers the implementation requirements alongside every other high-risk tracking tool in your stack.
Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.