California flag with courthouse gavel and scales of justice representing California CIPA website lawsuits.

California’s CIPA Shakedown Lawsuits: What They Are, and How SB 690 Fights Them

Thousands of “CIPA” lawsuits are targeting ordinary websites across California. This week, a bill to stop them — SB 690 — cleared a key committee.

If your business has a website, there’s a wave of litigation in California you should know about — and this week, it hit a real turning point.

On July 1, 2026, SB 690 (Caballero) passed the Assembly Privacy and Consumer Protection Committee unanimously. For the thousands of California businesses, nonprofits, healthcare providers, and public agencies that have been targeted by a growing wave of “CIPA shakedown” lawsuits, it’s the most significant progress in years. Here’s what happened, what it means, and what still needs to be done.

The problem: a 1967 law aimed at the modern internet

Over the past couple of years, a small number of law firms have filed thousands of lawsuits and sent tens of thousands of demand letters against California businesses. The target isn’t fraud or genuine misconduct. It’s ordinary website functionality — the analytics, appointment scheduling, payment processing, and customer-service chat tools that virtually every modern site relies on.

The legal theory stretches the California Invasion of Privacy Act (CIPA), a criminal wiretapping statute written in 1967, to cover routine online activity its authors never imagined. The strategy is volume, not merit: file near-identical claims at scale, and count on businesses settling because fighting costs more than paying.

At EcomBack, we see this up close. We work every day with California companies on their websites, and our clients use exactly the standard tools these lawsuits target. Doing nothing wrong, unfortunately, isn’t much of a shield when the math favors settling.

What SB 690 does

SB 690 modernizes California law by clarifying that routine online business activities are governed by the state’s existing consumer privacy framework — chiefly the CCPA — rather than a decades-old criminal wiretapping statute. Importantly, it does this without weakening privacy protections for consumers. Californians stay protected; businesses stop being shaken down over standard website features.

The July 1 progress

The version that cleared committee delivers real, concrete protection:

  • It stops private lawsuits under CIPA’s “pen register” and “trap and trace” provision — the basis for roughly two-thirds of the abusive claims.
  • It provides retroactive protection for two years of pending claims covered by the bill.
  • It may take effect immediately upon signing. Advocates are pursuing an urgency clause so the law would apply right away, rather than waiting until January 1.

When this effort began, that outcome was far from guaranteed. It happened because businesses across the state spoke up and helped the committee understand the real-world harm these lawsuits cause.

Watch the hearing: You can view the full July 1 committee hearing here.

The work that remains

The bill isn’t finished. As currently amended, SB 690 does not yet address claims brought under Section 631 — the wiretapping theory behind many of the demand letters businesses have received. Advocates, including the Stop CIPA Shakedowns Lawsuits Coalition, plan to spend the summer working with legislators to close that remaining gap so the protections are comprehensive.

In other words: a meaningful win, with more to do.

What businesses should do now

If your business has received a CIPA-related demand letter, or has a matter pending, the committee’s action may be relevant to how you proceed — this is worth raising with your attorney as they evaluate next steps. (This post is general information, not legal advice.)

More broadly, this is a good moment to make sure your website is built and documented responsibly. Sound privacy practices, clear disclosures, and thoughtful use of third-party tools don’t just reduce legal exposure — they build the consumer trust these laws are meant to protect. That’s the work we do with clients every day at EcomBack, and it’s why we’ve been following SB 690 so closely.

We’ll continue to share updates as the bill moves forward, including when there are new opportunities to lend your voice.

Want to learn more about the coalition behind this effort? Visit StopCIPAShakedowns.com. Questions about your website’s compliance? Reach out to us at EcomBack.

Share: