Could New Privacy Law Coalition Help Curb California Wiretapping Litigation? What Businesses Need to Know About CIPA Reform
A broad coalition of California businesses, nonprofits, healthcare providers, and community organizations formally launched a campaign this week to push for reform of the state law being weaponized against businesses that use standard website tools. The Reform CIPA Coalition is backing the revival of legislative efforts to limit the law’s scope and put a halt to the trend that has led to thousands of lawsuits and countless demand letters, arbitrations, and settlements. The coalition’s April 6 launch is a meaningful development and signals a renewed effort to push for a legislative fix that was paused last year. Here’s what you need to know and some steps you can take as the debate shakes out.
The Law That Wasn’t Built for the Internet
The California Invasion of Privacy Act (CIPA) was enacted in 1967 to address old-fashioned wiretapping and eavesdropping: phone calls, recording devices, and the kinds of things you’d expect to see in spy movies and soap operas. It was never designed to govern how a business runs analytics on its own website.
But enterprising plaintiffs’ attorneys figured out that CIPA’s broad language, which prohibits “intercepting” communications without consent and prohibits “pen registers” and “trap and trace devices” without a court order, could be stretched to cover routine digital tools and software. These include cookies, pixels, session replay, chat widgets, search bars, ADA accessibility tools, and similar features that appear on virtually every commercial website.
Under this legal theory, running a standard analytics tool or embedding a third-party chat feature on your website could constitute illegal “wiretapping” or use of a “pen register” or “trap and trace device.” The damages are statutory (meaning plaintiffs don’t have to prove actual harm) and the class action exposure can be enormous. That combination has made CIPA a preferred vehicle for demand letter and litigation campaigns targeting businesses of all sizes.
FP Tracker Shows Litigation Business is Booming
The numbers tell a striking story. According to Fisher Phillips’ Digital Wiretapping Litigation Map, which tracks public filings tied to digital tracking technologies, there have been more than 4,300 lawsuits filed nationwide since a landmark 2022 ruling opened the door. Over 75% of those (roughly 3,300 cases) were filed in California alone. Many of the lawsuits filed outside California, such as in Florida, New York, and Illinois, also allege CIPA claims.
And these numbers don’t include claims filed in arbitration (which are not public record) and the many demand letters sent by plaintiffs’ attorneys that are resolved before a lawsuit is filed. Many businesses settle rather than fight, faced with the prospect of expensive litigation and uncertain outcomes. Unfortunately, this dynamic only signals to plaintiffs’ attorneys that their playbook works.
Courts Have Provided Inconsistent Answers
Courts have not provided consistent answers that would create clear guidelines. Some judges have dismissed these claims as overreaching, while others have allowed them to proceed. That split has created a compliance landscape nightmare for California businesses.
Fisher Phillips has tracked these developments extensively, including wins, losses, and the ongoing confusion. Here’s just a small sampling of our most important Insights:
Good News
- Major Win in CIPA Case Signals Higher Hurdles for Privacy Plaintiffs: What You Should Do to Protect Your Organization (March 2026)
- California Court Limits Website Privacy Claims: Key Takeaways for Website Operators and Business Owners (Jan 2026)
- Judge Tosses California Digital Wiretapping Claim: Here’s the Good News + Lessons for Businesses (Oct 2025)
- California Businesses Score Another Key Privacy Win: 3 Things Your Business Should Do After Latest CIPA Court Decision (Aug 2025)
Bad News
- Court Allows CIPA Claim Involving Third-Party Pixels To Proceed, Ignores Contrary Case Law: What Your Business Needs To Know (Dec 2025)
- From Search to Share: Court Holds Third-Party Interception of Search Bar Terms Can Support CIPA Claim (April 2025)
- Groundbreaking Class Certification Decision in Website Tracking Case Serves as Wake-Up Call for Businesses: Proactive Steps You Can Take (Dec 2024)
Mixed Bag
Judge Vince Chhabria of the US District Court for the Northern District of California recently said: “The language of CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies.” He also called on state lawmakers to get to work and bring the statute into the modern age.
SB 690: What it Would Have Done, and Why it Stalled
In response to this litigation surge and the call from Judge Chhabria, State Senator Anna Caballero introduced SB 690 in 2025. The bill would introduce a “commercial business purpose” carve-out, narrowing CIPA’s scope for businesses using tracking technologies for standard operational reasons. It would also limit private rights of action for damages where personal information is processed for a commercial business purpose.
The bill passed the California Senate unanimously, 33-0. Then it stalled. By July 2025, Senator Caballero announced she was pausing SB 690 in the Assembly, citing outstanding concerns around consumer privacy and continued opposition from consumer advocacy groups.
Opponents argued the “commercial business purpose” exemption was too broad and could expose sensitive consumer data (including health information and immigration status) to third-party entities. That political friction was enough to freeze the bill.
The bill was therefore paused last year but lawmakers turned it into a “two-year bill,” which means it remains eligible to be taken up this year.
A Coalition Pushes Back
That’s the backdrop for the April 6 coalition launch. The Reform CIPA Coalition brings together nonprofits, community organizations, and businesses to support the legislative solutions contained in SB 690. Its main argument is that modern digital practices should be governed by modern privacy laws, not a statute written decades before the internet existed.
The coalition’s membership is deliberately broad, including organizations in industries that have been commonly targeted (retail, hospitality, healthcare, etc.). But churches, food banks, and non-profits have lined up alongside to show this isn’t just a corporate lobbying effort.
The coalition’s launch signals that proponents of SB 690 will be pushing hard for the bill to be taken up and (hopefully) passed this year.
5 Steps to Protect Your Business Right Now
Even though momentum might be gaining and a legislative fix may have more organized political support than it did when it stalled last year, you can’t wait for a solution from Sacramento to protect you today. California businesses need to take active steps to protect your interests.
1. Audit every tracking tool on your website. Conduct a thorough inventory of all cookies, pixels, tags, beacons, chat features, session replay software, and analytics tools currently deployed on your sites. Pay particular attention to third-party vendors. Some of them begin capturing user data before any consent is obtained, which is precisely the behavior CIPA plaintiffs target. Know what’s running, who operates it, and when data collection begins.
2. Strengthen your consent mechanisms. Passive consent (a buried notice in your privacy policy, or a banner that doesn’t require affirmative action) isn’t always enough. Consent should be clear and prominent. Whether to obtain opt-in consent before any data is shared with third parties through cookies will depend on your risk tolerance for repeat CIPA claims, as well as on the type of data and third parties involved. Review your cookie banners and consent flows with fresh eyes and ensure they reflect current best practices.
3. Align your privacy disclosures with what you actually do. Privacy policies that don’t accurately describe your tracking practices create compounded exposure, and can support both CIPA claims and CCPA claims simultaneously. If your policy says one thing and your tools do another, that gap needs to close.
4. Get legal counsel involved before you get a demand letter. The demand letter campaigns in this space are often automated and indiscriminate. Businesses get targeted based on what’s detectable on their website, not because plaintiffs’ attorneys have done a deep review of your practices. Proactive legal review, privacy audits, and vendor contract assessment are far less expensive than reactive litigation.
5. Take part in legislative efforts. Besides joining the Coalition, you should consider reaching out to the FP Advocacy team to help develop best strategies for having your voice heard on this subject.
Conclusion
To stay current on CIPA developments, legislative progress, and other California privacy litigation trends, subscribe to Fisher Phillips’ Insights. For guidance specific to your situation, contact your Fisher Phillips attorney, the author of this Insight, or any member of our Digital Wiretapping Litigation Team.
Related People
