Executive Summary: Sacramento is weighing a bill to narrow some CIPA theories, but it hasn’t become law. Meanwhile, courts have issued mixed decisions that keep compliance a live issue for any site or platform using pixels, analytics, chat, session replay, or embedded media.
The legislative “relief”: SB 690 (status—pending)
California’s SB 690 would amend CIPA’s pen-register / trap-and-trace provisions to clarify that tools used for a “commercial business purpose” are not pen registers or trap-and-trace devices—aimed squarely at claims premised on routine web tracking. The measure advanced in 2025 but, as of now, it is not enacted, so it offers no current safe harbor.
What courts have been doing in the meantime
- Pen-register / trap-and-trace claims face pushback. California trial courts have rejected attempts to stretch those provisions to ordinary website data (e.g., IP address beacons), sustaining demurrers and finding the statutes were aimed at telephone-style signaling—not internet traffic. Helpful, but not universal.
- “Prior consent” still drives § 631(a). The Ninth Circuit’s Javier decision underscores that retroactive consent is not enough; businesses need consent before interception/recording of a user’s interaction. On remand, the claims later faltered on limitations, but the consent timing rule remains a lever for plaintiffs.
- Appeals in session-replay/chat suits: mixed signals. A trio of Ninth Circuit matters (including Thomas v. Papa John’s) has sharpened the focus on technical specifics—what was captured, when, and by whom (vendor as “third party” vs. service provider). Outcomes vary by configuration and pleadings, so one company’s win doesn’t guarantee another’s.
- AI/voice and contact-center tools are in the crosshairs. In Ambriz v. Google, the court let claims proceed over Google’s Cloud Contact Center AI, highlighting allegations that a vendor could access or use call content/subscriber info—another reminder that “capability,” not just actual use, can carry a claim past the pleading stage.
What this means for site and platform owners (now)
- Treat consent as a gate, not a footer. Ensure non-essential tags (analytics, ads, chat, replay, embeds) are blocked until opt-in, and keep logs showing when/what the user consented to. “By using this site” boilerplate is weak under § 631(a).
- Tighten your vendor story. DPAs should make vendors true service providers (no model training, no cross-client enrichment), and your architecture should prevent vendors from reading content “in transit.” Courts scrutinize vendor status.
- Expect pen-register add-ons—but move to dismiss. Recent state-court rulings give solid arguments that those claims don’t fit web traffic. Keep them in the early-motion bucket.
- Document reality. Keep versioned policies by date, CMP settings, tag-manager histories, and before/after HAR files to prove what fires pre-consent (ideally, nothing). Mixed appellate outcomes turn on facts.
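
One way to check a HAR capture for requests that fired before opt-in, as an added example that is not part of the original article. It assumes the consent timestamp is taken from your CMP log; the hosts, the `essential_hosts` allowlist and the sample entries are constructed placeholders.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample capture (HAR 1.2 shape); all hosts are placeholders.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"startedDateTime": "2025-01-15T10:00:00.120Z",
     "request": {"method": "GET", "url": "https://www.example.com/"}},
    {"startedDateTime": "2025-01-15T10:00:00.480Z",
     "request": {"method": "GET", "url": "https://cmp.example.net/banner.js"}},
    {"startedDateTime": "2025-01-15T10:00:00.910Z",
     "request": {"method": "POST", "url": "https://replay.example.org/rec?sid=1"}},
    {"startedDateTime": "2025-01-15T10:00:07.300Z",
     "request": {"method": "GET", "url": "https://analytics.example.org/collect?v=2"}},
]}})

def parse_ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_first_party(host, site_domain):
    return host == site_domain or host.endswith("." + site_domain)

def pre_consent_requests(har_text, site_domain, consent_at, essential_hosts=()):
    """Return third-party requests that started before consent was recorded.

    consent_at=None means the user never opted in, so every non-essential
    third-party request in the capture is a finding.
    """
    consent = parse_ts(consent_at) if consent_at else None
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        started = parse_ts(entry["startedDateTime"])
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        if is_first_party(host, site_domain) or host in essential_hosts:
            continue
        if consent is None or started < consent:
            findings.append((entry["startedDateTime"],
                             entry["request"]["method"], host))
    return findings

if __name__ == "__main__":
    for row in pre_consent_requests(SAMPLE_HAR, "example.com",
                                    "2025-01-15T10:00:05.000Z",
                                    {"cmp.example.net"}):
        print(*row)
```

The check only looks at hostnames, so a vendor tag proxied through a first-party subdomain will not appear as a finding and needs a separate review of the tag-manager history.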
Outlook
If SB 690 passes, it would likely blunt some pen-register/trap-and-trace theories going forward. But it likely won’t serve as a retro-fix for past conduct, and it likely will not resolve core § 631(a) “prior consent” and “third-party interceptor” battles. Until there’s a definitive statewide rule—or your own design, compliance and record keeping make the facts boring for the trolls—CIPA remains an active compliance risk.
Questions about your configuration or response options? We can review live sites for legal compliance (consent language, placement, vendor posture) and assist in the event of claims, responses and insurance tenders. We also often coordinate with technical teams on implementation.