If you run an ecommerce site, the tools you use every day, like ad pixels, session replay, chat widgets, even your search bar, are the same tools fueling a wave of lawsuits in California right now.

The tools running your store are now the tools running these lawsuits.
The California Assembly's Committee on Privacy and Consumer Protection is holding a hearing on SB 690, a bill meant to slow the flood of opportunistic litigation against online businesses under the California Invasion of Privacy Act (CIPA).
A Cold War wiretapping law, pointed at your checkout page
Quick background, in case you've been lucky enough to avoid this one so far:
CIPA is a Cold War–era criminal statute written to stop the wiretapping of landline phones. Plaintiffs' attorneys dusted it off, pointed it at ordinary web technologies, and argued that it applies to features like pixels, session replay, and search bars. It carries a private right of action and a $5,000 per-violation penalty. Thousands of cases have been filed in California. It's likely tens of thousands more have quietly settled.
One federal judge put it bluntly: "The language of CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change… it is imperative for the Legislature to bring CIPA into the modern age."
What SB 690 tries to fix
SB 690 tries to do exactly that. It would exempt personal information processed for a "commercial business purpose," which is already covered under the CCPA. The Senate passed it unanimously in June 2025. It's been sitting in the Assembly ever since.
Nobody installs a pixel thinking about a wiretapping law.
Here's the part most ecommerce teams don't see coming.
You probably didn't add any of these tools with a privacy statute in mind. A pixel went in for attribution. Session replay got installed to debug checkout. Chat showed up to cut support tickets. None of it felt like a legal decision at the time.
That's usually how this kind of exposure builds, one tool at a time, until a statute like CIPA makes it visible.
Here's hoping the hearing builds some momentum, because California could use a cleaner rulebook. In the meantime, it's worth knowing what's firing on your site and why.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.



