California State Sen. Anna Caballero, D-Fresno
Businesses operating online in California and far beyond the Golden State's borders could soon receive a rare reprieve from alleged lawsuit abuse, as Democratic and Republican California state lawmakers alike are lining up behind a key reform measure to a longstanding state privacy law.
Earlier this month, the California State Senate voted unanimously, 32-0, to advance legislation which would for the first time specifically exempt businesses from being sued for using "cookies," "pixels" and similar technology to traffic and monitor online traffic and customer behavior on their sites.
The legislation, docketed as Senate Bill 690, specifically would revise the California Invasion of Privacy Act to declare that law - an anti-wiretapping measure enacted decades before the invention of the personal computer, much less the internet and ecommerce - should not apply to claims involving such ubiquitous web tracker programs, as long as they have a "commercial business purpose."
According to a blog post published at CIPAWorld.com by author Tammana Malik, of the corporate law firm of Troutman Amin, the term "commercial business purpose" is defined to align with the same term used in California's Consumer Privacy Act (CCPA).
So long as businesses use "tracking tools in a manner consistent with the CCPA’s requirements then, under SB 690, they would not be considered in violation of CIPA," Amin wrote.
Sponsors of the legislation said the measure is needed to address a flood of "abusive lawsuits" filed by trial lawyers seeking to claim a potentially big payday through the law's statutory damages of $5,000 per violation.
Supporters of SB690 have noted trial lawyers have sued more than 1,500 businesses just in the past three years under CIPA, with more lawsuits continuing to arrive. The lawsuits generally accuse companies engaged in online commerce of allegedly violating the rights of Californians under the CIPA law by allegedly surreptitiously tracking customers' online behaviors and sharing - or selling - that information to others without consent.
Defense lawyers have noted many of the businesses targeted by the actions have opted to settle, paying out tens of millions of dollars in the process, with trial lawyers claiming around one-third of the funds under traditional attorney fee provisions.
The lawsuits, however, have not only posed a large and growing risk to businesses operating in California and elsewhere, but have also crossed up the courts, as they address the questions posed by the novel application of CIPA to the internet. Judges in federal and state courts have rendered diverse and conflicting decisions on those questions, which include how to apply the law to businesses that just happen to draw customers from California.
In April, for instance, the U.S. Ninth Circuit Court of Appeals greatly increased the reach of CIPA. In a case involving a class action lawsuit against online payment processor Shopify, a majority of Ninth Circuit judges agreed the Canada-based company can be sued in California courts under CIPA because Shopify processes payments for California customers purchasing goods and services from online retailers.
The ruling prompted a dissenting judge to scoff that the majority had created a "traveling cookie" rule that rewrites the rules, contrary to U.S. Supreme Court precedent, governing who can be sued and where. Essentially, the court had opened California courts as an all-purpose jurisdiction, open to anyone who claims they engaged in online business while in the state, whether or not they lived in the state or the business they were suing was located in California.
While such cases have tied up the courts, California state lawmakers moved earlier this year to reform the CIPA law to all but end such lawsuits altogether.
In announcing the filing of SB690, State Sen. Anna Caballero, D-Fresno, said the measure was specifically intended to "stop the abusive lawsuits against California businesses and nonprofits under the CIPA for standard online business activities that are already regulated by the California Consumer Privacy Act."
Corporate defense attorneys have hailed the positive outlook for SB690.
Attorneys J. Colin Knisely and Michael S. Zullo, of the firm of Duane Morris, said the legislation could "have a significant impact on data privacy litigation in California, where CIPA litigation has exploded in recent years."
In a blog post on June 11, they said: "The 'commercial business' exception would limit the scope of CIPA, reducing the number of lawsuits filed against businesses for their use of standard online technologies. This change in the law could provide greater legal clarity for businesses operating on the internet, aligning CIPA more closely with the CCPA and other privacy regulation."
SB690 has drawn opposition from trial lawyers and activists who have defended the surge in CIPA lawsuits and have asserted the reform would allow "tech giants and data brokers" to "roll back consumer privacy rights" and launch a "massive expansion of big tech's surveillance and spying powers," while escaping liability.
Opponents of the legislation include the Consumer Attorneys of California, which lobbies for the interests of trial lawyers who specialize in suing businesses; internet privacy group, the Electronic Frontier Foundation; social justice group TechEquity; the National Consumer Law Center; Consumer Federation of California; Consumer Reports; the Privacy Rights Clearinghouse; and the Dolores Huerta Foundation for Community Organizing, among others.
Following the state Senate vote, the opponents are attempting to stop or at least water down the legislation in the California State Assembly to prevent locking trial lawyers out of using the lucrative CIPA law, rather than the CCPA statute to sue big tech companies.
Generally, trial lawyers and plaintiffs can expect to use CIPA to extract much larger payouts, and, unlike CIPA, the CCPA does not include a so-called private right of action, which allows individuals and groups to sue companies for alleged privacy rights violations without getting the approval of California state regulators.
Supporters of SB690 noted that, despite strong bipartisan support to this point, the legislation could still face challenges in the Assembly, as left-wing interests allied with trial lawyers work against the bill.
Trial lawyers already have secured a key victory for them, as lawmakers agreed at the end of May to remove language that would have applied the legislation retroactively, to lawsuits filed in the past under CIPA. This could mean businesses targeted by such lawsuits could still face significant settlement demands or judgments.
Also, under its current language, the changes to CIPA would not take effect until Jan. 1, 2026.
That delay has prompted warnings from corporate defense lawyers that businesses should look for a surge in CIPA lawsuits over web trackers in the months to come.
"That could mean a major uptick in CIPA claims and lawsuits during the remainder of 2025 as plaintiffs scramble to bring claims prior to any change in the law," Knisely and Zullo said.
The legislation advanced to the first of three required readings in the Assembly on June 4.
On June 16, SB690 was assigned to the Assembly's Public Safety Committee for discussion and consideration.
