Table of Contents
- What CIPA was built to do, and why that matters now
- What SB 690 tried to fix
- No critical reform passed, and that is the headline
- Why the lack of reform is such a problem
- The courts are still writing the practical rules
- Why critics opposed reform
- What businesses should be doing right now
- Experience from the field: what this looks like in real life
- Conclusion
California’s privacy drama has a very 2025 twist: a law written when rotary phones still had cultural authority is now being used to police cookies, pixels, session replay tools, chat widgets, and other everyday website technology. That law is the California Invasion of Privacy Act, better known as CIPA, and despite mounting pressure to modernize it, no critical reform made it across the finish line during the 2025 legislative session.
For businesses, that means the same uncomfortable truth remains in place: a 1967 wiretap statute is still being stretched across the modern internet like a fitted sheet on a king-size mattress. It sort of covers the bed, but not without a lot of strain and a real chance something will snap.
This matters because CIPA is no longer a sleepy background law. It has become one of the sharpest tools in privacy litigation, especially in California. Plaintiffs have used it to challenge routine website tracking practices, while defendants argue the statute was never designed to regulate ordinary online analytics or customer service technology. Lawmakers tried to address that gap with Senate Bill 690, but the effort stalled. So the courtroom, not the Capitol, is still where much of the action is happening.
What CIPA was built to do, and why that matters now
CIPA was enacted in 1967 to address eavesdropping, wiretapping, and secret recording of communications. Its legislative purpose was broad in spirit but rooted in old-school communications technology. The law was written to protect privacy in an era of telephone lines, physical connections, and devices that literally listened in on conversations. That history still matters because much of today’s litigation turns on whether the statute’s original text truly fits digital communication.
At the center of many lawsuits is Section 631, which prohibits certain forms of unauthorized interception or reading of communications in transit. Another key provision, Section 637.2, gives private plaintiffs a powerful enforcement hook by allowing civil suits and statutory damages. That damages provision is a big reason CIPA claims can become financially serious very quickly. Even when no one alleges massive economic loss, the statutory exposure gets everyone’s attention in a hurry.
In plain English, CIPA was not drafted with website analytics dashboards, marketing pixels, embedded scripts, or live chat software in mind. But plaintiffs have argued that many of those tools function as modern interception devices, especially when third parties receive user communications in real time. Businesses, unsurprisingly, disagree and say that standard web tools are now being treated like illegal tap lines from a spy movie. That disagreement is the engine of the current litigation boom.
What SB 690 tried to fix
In 2025, California lawmakers introduced SB 690 as a modernization effort. The bill aimed to create a “commercial business purpose” exception under CIPA. In practical terms, that would have carved out a significant zone of protection for routine data processing tied to business operations or data practices already governed by California’s broader privacy framework, including consumer opt-out rights.
The proposal was a big deal because it did not nibble around the edges. It would have amended key CIPA provisions, including Sections 631, 632, 632.7, 637.2, and 638.50, to exempt certain processing activities done for a commercial business purpose. Earlier versions also included retroactive language, which would have had an even bigger effect on pending lawsuits, but that retroactivity provision was removed before the bill passed the Senate.
Supporters saw SB 690 as a practical correction to a legal mess. Their core argument was that CIPA has become a de facto website tracking statute without ever being designed, debated, or balanced as one. They argued that businesses using common analytics and advertising tools should not face wiretapping claims for conduct already addressed elsewhere in privacy law.
Critics saw something very different. Privacy advocates warned that the bill’s exceptions were too broad and would weaken long-standing protections by giving companies more room to monitor users without meaningful accountability. From that point of view, SB 690 was not a cleanup bill. It was a rollback.
No critical reform passed, and that is the headline
SB 690 did make real progress for a while. It passed the California Senate on June 3, 2025, by a 35-0 vote. That kind of unanimous Senate floor result usually suggests momentum, not doom. But in the Assembly, the bill slowed down, moved through Public Safety, and was then re-referred to the Privacy and Consumer Protection Committee. It ultimately became a two-year bill, which means California ended 2025 without passing the critical reforms many businesses had hoped for.
That failure matters for two reasons. First, it leaves the text of CIPA essentially untouched in the face of a fast-growing body of digital privacy lawsuits. Second, it tells businesses they cannot count on Sacramento to rescue them on schedule. Reform may still come in a future session, but for now, there is no clean statutory reset and no quick legislative off-ramp.
The result is a legal environment where companies, agencies, retailers, software platforms, healthcare organizations, and nonprofits all have to operate under uncertainty. In other words, everyone gets the same gift basket: possible litigation, unclear boundaries, and expensive legal advice.
Why the lack of reform is such a problem
1. The statute is old, but the lawsuits are aggressively modern
CIPA claims today often target technologies that many companies view as ordinary parts of running a website. Common examples include analytics tools, advertising pixels, replay software, and embedded chat features. The problem is not that these tools are obscure or exotic. The problem is that they are normal. That makes the litigation risk much wider than many business leaders first assume.
2. Statutory damages change the economics
CIPA’s civil damages framework gives plaintiffs leverage. Lawsuits under the statute can become expensive even before a court decides whether the legal theory is strong. Discovery costs, motion practice, reputational pressure, and the possibility of class-wide exposure can push defendants into high-stakes decisions early in the case.
3. The case law is mixed
Some courts have been skeptical of expansive CIPA theories, especially when the alleged conduct looks more like a company monitoring its own website than a secret outsider tapping into communications. Other courts have allowed claims to move forward when plaintiffs plausibly alleged that a third-party tool captured the contents of communications in real time. That split means no one gets to relax.
4. Compliance is not just a legal department issue anymore
CIPA risk often starts in places like marketing, website optimization, customer support, vendor management, and product development. The legal issue is real, but the operational issue is just as important. A company can create exposure long before anyone in legal sees a screenshot.
The courts are still writing the practical rules
Because lawmakers did not deliver a full modernization fix, courts have continued shaping the real-world meaning of CIPA in internet cases. And the results are not perfectly consistent.
Bloomingdale’s showed plaintiffs can still survive
In June 2025, the Ninth Circuit revived a CIPA claim against Bloomingdale’s. The court concluded the plaintiff had plausibly alleged that the contents of communications on the website, not just non-substantive routing information, were disclosed to a third-party session replay vendor. That made the case important because it suggested plaintiffs can still move forward when they plead specific facts about real-time data capture and content sharing.
Papa John’s showed defendants still have defenses
Also in June 2025, the Ninth Circuit affirmed dismissal in a case against Papa John’s. One key takeaway was the “party exception” idea: a party to a communication generally is not liable for eavesdropping on its own conversation. That does not wipe out CIPA risk, but it gives businesses a meaningful argument in cases where plaintiffs try to characterize a website operator as an unlawful listener to its own exchange with a user.
Converse raised the bar in chat cases
In July 2025, the Ninth Circuit affirmed summary judgment for Converse in a case involving a website chat feature provided by Salesforce. The court found the record did not show that the vendor actually read the plaintiff’s messages in transit. That distinction mattered. Capability alone was not enough. For defendants, that was helpful. For plaintiffs, it was a reminder that suspicion and proof are not the same thing.
Popa highlighted the standing fight
Then came another wrinkle. In August 2025, the Ninth Circuit held in Popa v. Microsoft that the plaintiff had not alleged a sufficiently concrete injury to establish Article III standing in federal court. The case involved session replay technology, and the ruling underscored that even when a privacy claim sounds serious, plaintiffs still must show the kind of actual, concrete injury federal courts require.
Taken together, these decisions show a pattern: CIPA litigation is neither dead nor simple. Some claims are being narrowed, some are moving forward, and none of this feels stable enough for a business to sleep soundly next to an old cookie banner and hope for the best.
Why critics opposed reform
Any honest analysis of the lack of reform should include the other side. Consumer and privacy advocates did not oppose SB 690 by accident. They argued that California built its reputation on strong privacy protections, and broad exemptions for commercial data processing could hollow out those protections at exactly the wrong time.
That concern was not frivolous. Digital tracking tools can reveal a great deal about users, including browsing behavior, purchase intent, interests, and in some cases potentially sensitive patterns. Privacy advocates worried that if CIPA were narrowed too much, businesses would gain legal cover before consumers gained meaningful control. In that view, the legislative stalemate was frustrating for businesses but also a sign that California still takes privacy rights seriously enough to fight over them.
So the current stalemate reflects a genuine policy collision. One side wants clarity for ordinary business technology. The other wants to avoid creating a loophole large enough to drive the ad-tech truck through.
What businesses should be doing right now
Audit every tracking tool, not just the famous ones
Companies should identify every script, pixel, chatbot, plug-in, and replay tool on their websites and apps. The obscure vendor someone added three redesigns ago can be just as risky as the big-name platform everyone already knows about.
Review consent flows with fresh eyes
If a tool can collect or transmit user data before meaningful consent, that deserves immediate review. A banner that technically exists but functionally does nothing is not a shield. It is a decorative umbrella in a hurricane.
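One way to run the tool audit and the consent-timing check described above, as an added example that is not from the original article: it inventories third-party hosts in a browser network capture and flags those contacted before the visitor accepted the banner. The request list, hostnames, field names, and the consent timestamp are constructed placeholders, and first-party matching is a simple suffix check rather than a public-suffix lookup.

```javascript
// Constructed HAR-like entries for one page load (times in ms since navigation).
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/checkout", startedMs: 0 },
  { url: "https://cdn.shop.example/app.js", startedMs: 40 },
  { url: "https://replay.vendor-a.example/record", startedMs: 310, bodyBytes: 2048 },
  { url: "https://pixel.vendor-b.example/t?ev=pageview", startedMs: 450 },
  { url: "https://chat.vendor-c.example/widget.js", startedMs: 2600 },
  { url: "https://pixel.vendor-b.example/t?ev=add_to_cart", startedMs: 3100 },
];

// Assumption: a host is first-party if it is the site domain or a subdomain of it.
function isFirstParty(host, firstPartyDomain) {
  return host === firstPartyDomain || host.endsWith("." + firstPartyDomain);
}

// consentMs: when the visitor accepted the banner, or null if they never did.
function auditThirdParties(requests, firstPartyDomain, consentMs) {
  const byHost = new Map();
  for (const r of requests) {
    const u = new URL(r.url);
    if (isFirstParty(u.hostname, firstPartyDomain)) continue;
    const rec = byHost.get(u.hostname) ||
      { host: u.hostname, requests: 0, firstSeenMs: r.startedMs, preConsent: 0, sendsData: false };
    rec.requests += 1;
    rec.firstSeenMs = Math.min(rec.firstSeenMs, r.startedMs);
    // With no consent at all, every third-party request counts as pre-consent.
    if (consentMs === null || r.startedMs < consentMs) rec.preConsent += 1;
    // A request body or query string means data left the browser, not just a script fetch.
    if ((r.bodyBytes || 0) > 0 || u.search.length > 1) rec.sendsData = true;
    byHost.set(u.hostname, rec);
  }
  return [...byHost.values()].sort((a, b) => a.firstSeenMs - b.firstSeenMs);
}

// Hosts that need immediate review: contacted before consent was given.
function preConsentHosts(requests, firstPartyDomain, consentMs) {
  return auditThirdParties(requests, firstPartyDomain, consentMs)
    .filter((rec) => rec.preConsent > 0)
    .map((rec) => rec.host);
}

console.table(auditThirdParties(SAMPLE_REQUESTS, "shop.example", 2000));
```

Run against a real capture, the same inventory also surfaces vendors nobody remembers adding, which is the starting point for the disclosure and contract reviews that follow.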
Make privacy disclosures match reality
Privacy policies should describe what happens on the site in language normal people can understand. If the policy says one thing and the script behavior says another, plaintiffs will notice, regulators may notice, and judges tend not to enjoy surprises.
Revisit vendor contracts
Third-party providers should not be treated like legal wallpaper. Contracts should address data use restrictions, security, cooperation in litigation, indemnification, and the exact role the vendor plays in handling user communications.
Bring legal, marketing, and product teams into the same room
A surprising amount of privacy risk comes from departmental separation. Marketing wants optimization, product wants insight, engineering wants performance, and legal wants everyone to stop improvising. CIPA compliance gets much easier when those interests are coordinated instead of discovered in deposition prep.
Experience from the field: what this looks like in real life
In practice, the lack of CIPA reform does not feel abstract. It feels like a retailer finding out that a harmless-looking session replay tool may have captured checkout behavior in ways no one internally documented. It feels like an in-house lawyer discovering that three different teams approved three different analytics tools, none of which were mapped in one place. It feels like a marketing director asking why a consent banner loads after several scripts have already fired, followed by a silence so loud it deserves its own legal hold notice.
For midsize companies, especially, the experience is usually not dramatic at first. It starts with confusion. Someone reads about a lawsuit against a familiar brand and wonders whether the company uses the same technology. Then a privacy consultant runs a scan and finds trackers embedded across landing pages, search functions, chat windows, and confirmation forms. Suddenly the issue is no longer “some weird California thing.” It becomes a budgeting issue, a board issue, and a why-didn’t-we-know-this-earlier issue.
Agencies and website vendors are feeling it too. Many are now being asked detailed questions that clients did not ask two years ago. Who receives the data? Is it stored? Is it replayed? Can the provider read message content in transit? Does the tool activate before consent? Those questions sound technical, but they are really legal questions wearing engineering clothes.
Healthcare and wellness companies often have an especially tense experience because users may enter symptom searches, appointment details, or insurance-related information into web forms. Even where the company believes it is using tools responsibly, the optics of third-party tracking around sensitive browsing paths can turn ordinary risk into reputational risk. A lawsuit does not have to win immediately to create a trust problem.
Nonprofits and educational organizations are not immune either. Many assume CIPA suits mainly target large retailers and flashy consumer brands. But any organization with a California-facing website, embedded tracking technology, and imperfect consent practices can land in the same conversation. The law does not care whether the script was installed by a luxury fashion brand, a telehealth startup, or a well-meaning donor platform running on autopilot.
The most common experience, though, is operational whiplash. One court says a theory is weak. Another says a similar theory can proceed. A bill looks promising. Then it stalls. A compliance team updates disclosures, but a vendor changes code without much fanfare. Business leaders are not wrong to feel like the ground is shifting under them, because it is.
That is why the companies coping best right now are not the ones waiting for perfect certainty. They are the ones building repeatable privacy habits: auditing tools often, requiring consent before risky processing, tightening vendor language, and treating data flows like something worth understanding before a plaintiff explains them back to you in a complaint.
Conclusion
No critical reform to the California Invasion of Privacy Act passed in 2025, and that left California’s website privacy battles exactly where businesses did not want them: active, expensive, and unresolved. SB 690 briefly looked like the state’s best chance to bring order to a fast-expanding wave of CIPA litigation. Instead, it stalled, and the old statute remains on the books with new theories piled on top of it.
For businesses, the lesson is simple even if the law is not: do not wait for a perfect legislative rescue. CIPA has become too important, too litigated, and too unpredictable to treat as a niche issue. Whether reform comes later or not, the companies in the strongest position will be the ones that stop treating online tracking like a purely technical choice and start treating it like what it has become in California: a front-line privacy decision.
