
CIPA in 2026: Will SB 690 Save You?

Eddy Udegbe
SB 690 stalled in the California Assembly. Here's what that means for CIPA exposure in 2026 — and what to do before August 31.

California's biggest swing at fixing the CIPA litigation wave stalled. Here's the honest answer on what that means for your website — and the moves to make before August 31.

If you've been watching California's Senate Bill 690 with one eye and your demand-letter inbox with the other, here's the short version: SB 690 didn't pass in 2025. It's eligible for reconsideration in the 2026 session through August 31. Until and unless it passes, CIPA liability is exactly where it was last summer — $5,000 per violation, every California-facing website still exposed.

Book a 10-minute demo to see exactly which scripts on your site are firing before consent — the question every CIPA demand letter is built on.

What SB 690 was supposed to do

CIPA — the California Invasion of Privacy Act, originally a 1967 wiretapping statute — has been the legal foundation for over a thousand class actions and tens of thousands of demand letters against website operators in the last two years. The theory: cookies, pixels, chatbots, and session replay tools that fire before a California visitor consents constitute "interception" of a private communication, which triggers $5,000 in statutory damages per violation. No actual harm required.

SB 690 was the legislative attempt to draw a line between "actual eavesdropping" and "running a website." The bill would add a commercial business purpose exception to four CIPA sections (§§ 631, 632, 632.7, and 638.50). In practical terms, if a company processes personal information either to further a legitimate business purpose or in a way that is already subject to a consumer's CCPA opt-out rights, the activity wouldn't be wiretapping or trap-and-trace.

In plain English: SB 690 would mean cookies, pixels, chatbots, and session replay — used the way most companies use them — stop being a CIPA problem.

Where SB 690 actually stands

Three things matter about the bill's current status:

  1. The Senate passed it unanimously. On June 3, 2025, the California Senate voted 35-0 to advance SB 690. Unanimous Senate passage in California is rare and is the strongest possible signal of momentum.
  2. It stalled in the Assembly. Senator Caballero, the bill's sponsor, paused it before an Assembly floor vote, citing "outstanding concerns around consumer privacy" raised by consumer-protection groups.
  3. It's a two-year bill. SB 690 carries into the 2026 legislative session. The session reconvened January 5. The final day to pass bills in 2026 is August 31.

One additional detail worth knowing: a retroactivity provision was removed on May 29, 2025. If SB 690 passes in 2026, it will apply prospectively. Lawsuits already filed under CIPA's current language are unaffected by the new exception.

Will it pass in 2026?

Honest answer: nobody can promise. But here's the case for and against.

The case for passage: A 35-0 Senate vote, ongoing pressure from the California business community, and a documented surge of "demand-letter mill" litigation that targets small and mid-sized businesses on procedural technicalities. Even consumer-friendly legislators are increasingly uncomfortable with the volume of $5,000-per-violation extortion-style demands the current statute enables.

The case against passage: Consumer-privacy groups view the "commercial business purpose" exception as too broad — broad enough to swallow the rule. The retroactivity removal was a concession to those groups but didn't resolve their deeper concern. If the 2026 amendments narrow the exception further to win privacy-group support, the bill may pass in a form that helps less than the current draft would.

The practical timeline: even in the optimistic case, SB 690 wouldn't take effect until January 1, 2027.

What that means for your website right now

Through at least the end of 2026, and very possibly longer, CIPA exposure is unchanged. The statute remains the same. The plaintiff firms remain active. Demand letters are being sent today. Verdicts are being entered — the Frasco v. Flo Health jury found Meta liable for billions in potential CIPA damages in August 2025, and a federal court refused to set the verdict aside in September.

Three implications:

1. Waiting for SB 690 is not a compliance strategy. Even if the bill passes, it applies prospectively. Any exposure you accumulate between now and the effective date is yours to keep.

2. The "commercial business purpose" defense isn't a real defense yet. Some defense filings have argued it informally, but it has no force in California law until SB 690 is enacted. Don't let a vendor tell you otherwise.

3. The Javier rule still controls chatbots and session replay. The Ninth Circuit's holding that retroactive consent doesn't cure a CIPA violation means consent must be obtained before any third-party tracking technology fires. SB 690 wouldn't change that — it would carve out commercial-purpose processing, but the prior-consent rule for any non-exempt activity remains.

A four-question CIPA exposure check

Run your website through these four questions today. A "yes" to question 1 or 2, or a "no" to question 3 or 4, is potential exposure.

  1. Does any third-party script — Meta Pixel, Google Analytics, TikTok Pixel, LinkedIn Insight Tag, a chatbot, session replay tool — fire on page load before a California visitor accepts a consent banner?
  2. Does your consent banner default to "all on" or otherwise count silence or scrolling as consent?
  3. Is your consent record per-user, time-stamped, and retrievable for at least three years?
  4. Are GPC (Global Privacy Control) signals from California visitors honored as opt-outs, including for advertising and analytics?

If you can't answer all four with confidence, the next step is a scan.

Run a free PieEye scan to see exactly which scripts are firing pre-consent, whether your banner is doing what it claims, and where your consent records stand.

What "compliant" looks like in 2026 — regardless of SB 690

The compliance posture that satisfies CIPA today is also the posture that will satisfy whatever SB 690 looks like if it passes. There's no version of this where investing in real consent infrastructure was the wrong call.

Block tracking scripts in California until consent. Geo-fence by IP or by precise location and suppress all non-essential scripts for California visitors until they actively accept. Opt-out mode — where tags fire on page load and users can decline later — does not satisfy CIPA's prior-consent rule.

Run a Consent Management Platform that gates tags at the source. Whether that's a CMP firing through Google Tag Manager, a server-side gate, or both, the rule is the same: no PII or routing information leaves the page before the user agrees.

Keep server-side consent records for at least three years. CIPA claims have a one-year statute of limitations, but plaintiff firms often plead to extend that with related claims. Three years of queryable, per-user consent records is the defensible posture.

Honor GPC signals as a confirmed opt-out. California regulators have been clear: a GPC signal is a valid opt-out under CCPA, and ignoring it is evidence of bad faith that bleeds directly into CIPA cases.

Audit your tag manager configuration quarterly. Tags get added by marketing teams. Vendors push updates that change firing rules. The configuration you signed off on six months ago may not be the configuration running today.
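
The gating, GPC and record-keeping rules above, sketched as server-side decision logic. This is an added example, not PieEye's code: the category names, field names and tag inventory are constructed, and both treating an unknown region as California and letting a GPC signal override a banner acceptance are assumptions of the example.

```javascript
// Added example; all names below are hypothetical.
const GATED = new Set(["analytics", "advertising", "chat", "session_replay"]);
const GPC_OPT_OUT = new Set(["analytics", "advertising"]);

// Build the per-user, time-stamped record that is stored server-side.
// Only call this from an affirmative banner action, never from scroll or timeout.
function recordConsent(userId, acceptedCategories, nowMs) {
  const retainUntil = new Date(nowMs);
  // Calendar arithmetic, so a leap year never shortens the three-year window.
  retainUntil.setUTCFullYear(retainUntil.getUTCFullYear() + 3);
  return {
    userId,
    accepted: [...acceptedCategories],
    explicit: true,
    timestamp: new Date(nowMs).toISOString(),
    retainUntil: retainUntil.toISOString(),
  };
}

// visitor.region: geo lookup result, or null when the lookup failed.
// visitor.gpc: true when the request carried the "Sec-GPC: 1" header.
// consent: a record from recordConsent(), or null if no choice was made yet.
function allowedTags(tags, visitor, consent) {
  // Fail closed: a visitor whose region is unknown is gated like California.
  const gated = visitor.region === "US-CA" || visitor.region == null;
  return tags.filter((tag) => {
    // Regions outside the geo-fence are out of scope here and pass through.
    if (!gated || !GATED.has(tag.category)) return true;
    // GPC is an opt-out for advertising and analytics, whatever the banner says.
    if (visitor.gpc && GPC_OPT_OUT.has(tag.category)) return false;
    // No record, or a record not made by an explicit choice, is not consent.
    if (!consent || consent.explicit !== true) return false;
    return consent.accepted.includes(tag.category);
  }).map((tag) => tag.name);
}

// Constructed sample tag inventory.
const TAGS = [
  { name: "cart", category: "essential" },
  { name: "meta-pixel", category: "advertising" },
  { name: "google-analytics", category: "analytics" },
  { name: "chatbot", category: "chat" },
];
```

The same decision has to be enforced wherever tags are emitted (tag manager, server-side gate, or both); a client-only check does nothing for a tag that is hard-coded into the page template.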

How PieEye fits

PieEye was built specifically for the CIPA problem. Three things make us different from the general-purpose CMPs:

  • Pre-consent script suppression for California visitors is on by default. Not a setting to find. Not a paid upgrade.
  • Per-user server-side consent records are retained for three years, queryable by date range without engineering.
  • A free pre-consent scan that tells you specifically whether your Meta Pixel, Google Analytics, or other named tracker is firing before consent — the exact question every CIPA demand letter is built on.

We compare ourselves head-to-head against OneTrust in PieEye vs OneTrust: CIPA Compliance Compared. The short version: if you're an ecommerce or DTC brand with a California-facing site, you don't need an enterprise platform. You need pre-consent gating that works on day one.

Book a 10-minute demo and we'll walk through your stack on screen — what's firing, what isn't, and what we'd change.
