California’s Senate Bill 690 has undergone a dramatic transformation, leaving businesses far less protected from privacy litigation than the original proposal promised.
When SB 690 was first introduced, it was widely seen as the most significant overhaul of the California Invasion of Privacy Act in decades, offering businesses meaningful shelter from lawsuits.
A July 2, 2026 amendment stripped away the broad “commercial business purpose” exemption that would have largely insulated businesses using common online tracking technologies from CIPA liability.
The exemption would have covered everyday website tools including cookies, pixels, chatbots, and session replay software, technologies that have generated thousands of lawsuits in recent years.
Rather than rewriting CIPA across multiple statutory provisions, the amended bill now focuses almost exclusively on limiting who can enforce one specific section of California law.
The latest version of SB 690 targets Penal Code section 637.2, providing that only the California Attorney General may bring a civil action against private actors for violations of Section 638.51 arising from conduct on websites or applications.
Supporters of the original bill had argued it simply aligned CIPA with the California Consumer Privacy Act, meaning businesses complying with one law should not face separate liability under the other.
Plaintiffs’ attorneys and privacy advocates strongly opposed the legislation, arguing it would effectively eliminate consumer privacy protections that CIPA has provided for nearly sixty years.
The amended bill does not legalise the underlying conduct, nor does it grant businesses immunity, it simply removes private plaintiffs’ standing to bring that one specific category of claims.
Critically, claims under Sections 631 and 632, which cover the overwhelming majority of website privacy lawsuits, remain entirely untouched by the latest amendment.
The amended bill also reintroduces a retroactive provision, applying the private enforcement limitation to pending Section 638.51 claims filed within two years before the bill’s operative date.
An earlier version had included broader retroactive language before criticism from privacy advocates prompted its removal, making this scaled-back return notable for defendants in active litigation.
The original proposal sought to modernise CIPA by recognising that commonplace website technologies differ fundamentally from the telephone wiretapping practices the law was enacted to prohibit in 1967.
The latest amendment abandons that broader policy goal and adopts a far more modest procedural reform, leaving the rest of California’s increasingly active CIPA landscape intact.
Companies using cookies, pixels, chatbots, session replay software, and similar technologies should continue evaluating their compliance practices and monitoring case law developments as the bill progresses.
SB 690 is still moving through the California legislature and further amendments remain possible before it reaches a final vote.

