California Senate Bill 690, once positioned as the most significant rewrite of the California Invasion of Privacy Act (CIPA) in decades, is no longer the heavyweight it once was. A July 1, 2026, hearing before the Assembly Committee on Privacy and Consumer Protection stripped out the broad "commercial business purpose" exemption that would have shielded most website tracking technology from CIPA claims, leaving a narrow fix that bars private plaintiffs from suing over one specific CIPA theory. The bill has cleared every committee and floor vote to date without a single "no," and now sits in the Assembly Appropriations Committee.
It still has real distance to cover before California’s August 31, 2026, constitutional deadline, and even if it passes, it will not resolve the bulk of the CIPA demand letters and lawsuits businesses are currently facing over cookies, pixels, and chatbots. As the bill unfolds in the legislature, businesses should prepare for an uptick in CIPA claims as litigants see a closing window of opportunity.
What SB 690 Looks Like Now
The bill amends a single section, 637.2, to take private plaintiffs out of one category of CIPA claims. Under the current print, only the California Attorney General may bring an action against a private actor for a violation of section 638.51, CIPA’s pen register and trap-and-trace provision, if the violation is alleged to arise from conduct on a website, online application, or mobile application. Private plaintiffs lose standing to sue on that theory; the underlying conduct is not legalized, and businesses gain no immunity, they simply stop facing private lawsuits over it.
The retroactivity provision reaches back, but only on this one theory of liability. The bill applies the new standing bar to any pending section 638.51 claim in an action commenced within two years before the bill’s operative date. Because the bill carries no urgency clause, that operative date would default to January 1, 2027, if enacted this year. A severability clause was also added, protecting the rest of the bill if any provision is struck down.
The version that passed the Senate 35-0 last year would have added a "commercial business purpose" exemption across CIPA sections 631, 632, 632.7, and 638.50, covering the wiretapping and eavesdropping prohibitions as well as the pen register definitions, and would have let businesses avoid CIPA liability entirely for tracking activity that serves a business purpose or is subject to a consumer’s CCPA opt-out rights. The July 1 amendment eliminated all of that.
How We Got Here
Senator Anna Caballero introduced SB 690 on February 21, 2025, to address the wave of CIPA lawsuits and pre-suit demand letters targeting cookies, pixels, chatbots, and session-replay tools. An early draft applied retroactively to any case pending as of January 1, 2026, a provision the Senate stripped on May 29, 2025, after objections from the American Civil Liberties Union California Action, the Electronic Frontier Foundation, and other privacy and plaintiffs' bar groups. The Senate passed the narrowed bill 35-0 on June 3, 2025. It then stalled in the Assembly for the rest of the year, with Caballero pausing her own bill amid continued opposition, and it carried over as a two-year bill into the 2026 session. The Assembly Public Safety Committee and the Assembly Committee on Privacy and Consumer Protection took it up again on July 1, 2026, voting 9-0 and 14-0 respectively, with the Privacy and Consumer Protection Committee adopting the amendments that produced the current, much narrower bill.
What's Left Before SB 690 Becomes Law
The bill needs to clear four more stages. Assembly Appropriations has to hear and pass it, and given the bill’s fiscal designation, that could include a hold on the suspense file. From there it needs a floor vote in the full Assembly, requiring a majority of 41 of 80 votes. Because the Assembly amended a bill that originated in the Senate, the Senate then has to vote to concur in those amendments before the bill can go to the governor; if the Senate does not concur, the bill goes to a conference committee to resolve the differences.
Once both chambers have passed identical text, the bill is enrolled and presented to Governor Gavin Newsom, who has 12 days to sign or veto while the legislature is in session, or 30 days if the bill is presented in the final 12 days of session or after adjournment. California has no pocket veto, so a bill the Governor neither signs nor vetoes within that window becomes law anyway. All of this has to happen by August 31, 2026, the last day of the 2025-26 regular session, or the bill dies.
Likelihood of Passage
Every recorded vote so far has been unanimous or close to it: 6-0 in two Senate committees, 35-0 on the Senate floor, and 9-0 and 14-0 in the two Assembly committees this month. The amendments appear designed specifically to answer the objections that killed the broader version last year, trading blanket immunity for a narrow, Attorney General-only enforcement model with a bounded retroactive window. Bipartisan co-authors on both sides of the aisle add to that momentum.
Working against it, the same coalition of consumer and privacy advocates that pressured Caballero into pausing the bill in 2025 remains formally opposed, the bill still needs a full floor vote and Senate concurrence within a compressed August calendar, and a pending California Court of Appeal case, Variety Media LLC v. Superior Court could reshape the stakes by deciding whether website technology even qualifies as a pen register under section 638.51 in the first place. On balance, the odds look better than they did a year ago, but passage is not a certainty, and the bill could still be amended again before a final vote.
What Businesses Should Do Now
- Do not treat SB 690 as near-term relief. In its current form it only reaches section 638.51 pen register claims against private actors for website, app, or mobile conduct, not the wiretap and eavesdropping theories under sections 631 and 632 that drive most cookie, pixel, and chatbot demand letters.
- If you are facing a pending section 638.51 claim filed within roughly the last two years, track this bill’s progress. The retroactive standing bar could support a motion to dismiss if the bill becomes operative while your claim is still pending.
- Continue compliance work on notice and consent mechanisms, and on vendor governance for cookies, pixels, chatbots, and session-replay tools, regardless of whether this bill passes.
- Watch the California Court of Appeal’s decision in Variety Media LLC v. Superior Court, which could determine whether pen register theories apply to website technology at all, independent of anything the legislature does with SB 690.
For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.