joel-durkee-5HdF3ugOSxM-unsplash

On June 3, 2025, the California Senate unanimously passed Senate Bill 690 (SB 690), a bill that seeks to add a “commercial business purposes” exception to the California Invasion of Privacy Act (CIPA).

After multiple readings on the Senate floor, SB 690 passed as amended, and will now proceed to the California State Assembly. SB 690, as originally drafted, was explicitly made retroactive to any cases pending as of January 1, 2026.  The most recent amendments on the Senate floor remove the retroactivity provisions, meaning the bill, if passed by the Assembly and signed by the Governor, will only apply prospectively.  The amendments to remove the retroactive provisions of SB 690 are not unexpected. Retroactive application provisions are traditionally frowned upon by the California legislature and may offend due process principles.

If passed, SB 690 would exempt the use of certain online tracking technologies from violating CIPA, provided they are used for a “commercial business purpose” and comply with existing privacy laws like the California Consumer Privacy Act (CCPA).  SB 690 could significantly impact prospective litigation under CIPA for online business activities.  Indeed, there may be the proverbial “rush to the courthouse” if plaintiffs and plaintiffs’ attorneys begin to feel that passage of SB 690 is forthcoming or likely, now that the bill will proceed to the State Assembly.

Businesses may want to consider engaging their government relations teams or contacting members of the California State Assembly to express their positions on the bill as it now passes to the other chamber of the California legislature.

On May 19, 2025, the California Senate Appropriations Committee, which handles budgetary and financial matters, held a hearing on California Senate Bill 690 (SB 690).  The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for “commercial business purposes.”

The Appropriations Committee referred SB 690 to the Suspense File.  Generally, if the cost of a bill meets certain fiscal thresholds, the Appropriations Committee will refer the bill to the Suspense File.  Having met that threshold, SB 690 will now proceed to a vote-only Suspense Hearing to be held on May 23, 2025.  No testimony will be heard during the May 23, 2025 hearing.  SB 690 will then either move on to the Senate Floor, or be held in committee.  While referral to the Suspense File is not necessarily a death knell to SB 690, statistics show that a number of bills die quietly in the Suspense Hearing due, in part, to its non-public process. 

If passed, SB 690 would exempt the use of such online tracking technologies from violating CIPA, provided they are used for a “commercial business purpose” and comply with existing privacy laws like the California Consumer Privacy Act (CCPA).  SB 690 could significantly impact current litigation under CIPA for online business activities. Not only will plaintiffs be far less likely to file new lawsuits alleging violations of CIPA, but SB 690’s provisions are explicitly made retroactive to any cases pending as of January 1, 2026, which could lead to dismissals of ongoing lawsuits, as well.

Businesses may want to consider engaging their government relations teams or contacting members of the Senate Appropriations Committee to express their positions on the bill. 

fatos-bytyqi-Agx5_TLsIf4-unsplash

California Senate Bill 690 (SB 690), introduced by Senator Anna Caballero, is continuing to proceed through the California state legislative process. The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for “commercial business purposes.” CIPA, enacted in 1967, was originally established to prohibit the unauthorized recording of or eavesdropping on confidential communications, including telephone calls and other forms of electronic communication.  However, over recent years CIPA claims in lawsuits have been used to target business’ online use of cookies, pixels, trackers, chatbots, and session replay tools on their websites. 

If passed, SB 690 would exempt the use of such online tracking technologies from violating CIPA, provided they are used for a “commercial business purpose” and comply with existing privacy laws like the California Consumer Privacy Act (CCPA).  SB 690 could significantly impact current litigation under CIPA for online business activities. Not only will plaintiffs be far less likely to file new lawsuits alleging violations of CIPA, but SB 690’s provisions are explicitly made retroactive to any cases pending as of January 1, 2026, which could lead to dismissals of ongoing lawsuits, as well.

On April 29, 2025, the Senate Public Safety Committee unanimously voted to advance SB 690, and it was subsequently re-referred to the Senate Appropriations Committee.  A hearing before the Appropriations Committee is currently scheduled for May 19, 2025.

kevin-ku-w7ZyuGYNpRQ-unsplash (2)

The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.

Not Just Tools – Working Tools

The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.

The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.

Continue Reading CPPA Underscores That Businesses Own CCPA Compliance – Even When Privacy Management Tools Fail
philipp-katzenberger-iIJrUoeRoCQ-unsplash (1)

As 2025 begins, businesses across the U.S. will be required to navigate an even more expanded landscape of state-level privacy regulations. In all, eight states are introducing comprehensive privacy laws, further adding to the growing patchwork of privacy requirements in the U.S.

January is kicking off with a flurry as five states (Iowa, Delaware, Nebraska, New Hampshire, and New Jersey) implement their laws in the first two weeks. Later this year, Tennessee, Minnesota, and Maryland will join the mix. For companies operating in the U.S., staying ahead in this shifting regulatory environment is essential. Failure to comply could result in hefty penalties, legal exposure, and a loss of consumer trust.

The good news? Businesses already aligned with current privacy laws may only need minor updates to meet the new requirements. However, it is important to be aware of all consumer-facing interactions, data collections, and sharing of personal information in each state to keep a firm handle on your compliance obligations.

Continue Reading A New Year and New Compliance Requirements: Additional State Privacy Laws Take Effect in 2025

On September 6, 2024, the U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01, titled “Cybersecurity Guidance Update.” The updated guidance clarifies that the DOL cybersecurity guidance applies to all ERISA-covered plans, and not just retirement plans, but also health and welfare plans. Also, as a direct response to service providers’ concerns, the DOL expanded its 2021 guidance to emphasize that plan sponsors, fiduciaries, recordkeepers, and participants should adopt cybersecurity practices across all employee benefit plans. With cyber risks continually evolving, the update highlights the importance of implementing robust security practices to protect participant information and plan assets.

Continue Reading The Department of Labor’s Expanded Cybersecurity Guidance: What ERISA Plan Sponsors and Fiduciaries Need to Know

Seyfarth Synopsis: In a significant decision for website operators, the Massachusetts Supreme Judicial Court clarified that tracking users’ web activity does not constitute illegal wiretapping under the state’s Wiretap Act. The court found that person-to-website interactions fall outside the Act’s scope, which focuses on person-to-person communications. However, the court emphasized that other privacy laws could still apply to such tracking practices. This ruling may influence how similar cases proceed nationwide and signals to the Massachusetts legislature that any broader restrictions on web tracking require explicit statutory action.

Continue Reading Tracking Users’ Web Browsing Activity Does Not Constitute Illegal Wiretapping under Massachusetts Law

More Information & To Register

November 11 – 13, 2024
Fairmont Scottsdale Princess
Scottsdale, AZ

Seyfarth Shaw is a sponsor for the 2024 ANA Masters of Advertising Law Conference, the biggest advertising, marketing, and promotion law conference in the nation.  The conference will take place November 11-13 at the Fairmont Scottsdale Princess in Scottsdale, Arizona. During the conference Seyfarth attorneys Joe Orzano and Kristine Argentine will present on a breakout panel and Ken Wilton, Ameena Majid, and Gina Ferrari will lead a roundtable discussion. Additional details are provided below. 

Continue Reading Seyfarth to Sponsor and Present at 2024 ANA Masters of Advertising Law Conference

This blog post was cross-posted from Seyfarth’s Employment Law Lookout blog.

In the case of Okonowsky v. Garland23-55404.pdf (law360news.com), the Ninth Circuit considered a claim that social media posts made by a co-worker on a personal account constitute actionable workplace harassment under Title VII.  The appeals court firmly “reject[ed] the notion that only conduct that occurs inside the physical workplace can be actionable, especially in light of the ubiquity of social media and the ready use of it to harass and bully both inside and outside of the physical workplace.” 

Continue Reading Personal Does Not Mean Private: Ninth Circuit Holds Personal Social Media Posts Can Constitute Workplace Harassment

Seyfarth Synopsis: Earlier this year, we reported that the Illinois Senate passed Senate Bill 2979 with a vote of 46 to 13, and the Illinois House of Representatives passed Senate Bill 2979 with a vote 81 to 30. This bill addressed concerns arising from recent legal interpretations of the Illinois Biometric Information Privacy Act (“BIPA,” 740 ILCS 14/ et seq.), particularly following the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle System Inc., in which the Court held that a claim under BIPA accrues each time that an individual’s biometric information or identifier is captured or collected.

Continue Reading BIPA LEGISLATIVE UPDATE: Governor Pritzker Signs Amendment Limiting Damages To A Single Recovery