by Don Marti and Robert Tauler
While other states debate private right of action in privacy laws, California already has one, and it’s working for us. Since it was enacted the California Invasion of Privacy Act (CIPA) has included an individual’s right to bring a civil suit when someone surreptitiously tracks them, allowing for more robust privacy enforcement than any other state.
CIPA was ahead of its time, but some special interests want to weaken it. California Senate Bill 690, which passed the state Senate in June, would eliminate some of CIPA’s protections entirely if the surveillance was done for a “business purpose.” Unfortunately, a lot of Big Tech and data broker misinformation has come along with the bill, so we are taking the opportunity to clear the air.
Below are the fictions being advanced by Big Tech’s lobbying efforts, which we clarify with the facts.
Fiction: CIPA cases are nuisance lawsuits against legitimate companies.
Fact: Some early cases were dismissed because they failed to show a concrete injury to the plaintiff. But California, sadly, has too many people who have suffered real harm as the result of Big Tech’s data usage practices. Records from one recent case show that Meta buried ‘causal’ evidence of teen mental health harms from Facebook. And Meta estimated that it would earn 10% of its ad revenue from promoting scams and banned goods. Facebook plays a role in one-third of the scams in the USA. Google also uses information that other companies pass to it in order to match fraudulent advertisers to their victims. The FBI recommends “use an ad blocking extension when performing internet searches” because of malware risks.
Meta and Google are clearly inflicting harm on their users, and the root cause of that harm is companies that pass personal data to enable their customers to be targeted.
Fiction: Tracking pixel lawsuits rely on an obsolete law from 1967 that was written to cover land line phones.
Fact: CIPA was initially passed in 1967, but has been amended numerous times, and most recently supplemented in 2016, clearly covering digital media. The drafters of CIPA, even in 1967, clearly intended to cover new communications technologies as they come into use. The original law states,
Advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications [and] such devices and techniques [have] created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.”
Fiction: Small businesses would be better off if their customers were deprived of CIPA protection.
Fact: All legitimate businesses win when their customers do, because every win-win deal has two sides. Every dollar that Big Tech keeps, or sends to a scammer, is a dollar that’s not spent in a mutually beneficial transaction between a customer and a legitimate business.
Small businesses are the losers in Big Tech’s game, in many ways. Big Tech scrapes their content for AI, uses the data they provide to drive fraud, and even ignores reports of security issues from small business advertisers. Legitimate businesses have suffered long enough.
Fiction: CIPA is obsolete now that California has passed CCPA and CPRA.
Fact: CIPA, CCPA, and CPRA are complementary. According to the legislative analysis of California’s SB 690: “[T]he CCPA is not meant to operate to the exclusion of CIPA,” and, “While the CCPA may provide a remedy in some cases, it may not provide remedies in others. … This overlap between multiple privacy-related statutes seems to be particularly relevant where smaller websites rely on Facebook Pixel, or other tracking services, to track consumers across devices and sites.”
Fiction: Companies will be able to avoid CIPA complaints by adding GDPR-style consent dialogs to their site.
Fact: California is not Ireland. While, on paper, the European Union (EU) has strict privacy laws, regulators in Ireland have a backroom deal with US-based Big Tech companies. Big Tech gets Ireland’s help in blocking or delaying investigations into their violations of EU law, while Big Tech runs their tax avoidance schemes through Ireland and hires people there. If Europe’s requirement for consent to online tracking to be “freely given, specific, informed and unambiguous” were really enforced, the “consent” dialogs seen by European users wouldn’t work.
California juries and judges are not parties to an Ireland-style loophole, so can be counted on to enforce a more realistic definition of consent. The standard for consent to wiretapping under California law “is not to be determined by attributing to that user the skill of an experienced business lawyer or someone who is able to easily ferret through a labyrinth of legal jargon to understand what he or she is consenting to. Instead, a determination of what a”reasonable” user would have understood must take into account the level of sophistication attributable to the general public…” Calhoun v. Google, LLC, 113 F.4th 1141, 1151 (9th Cir. 2024)
In the Flo case, the Court allowed the issue of consent to advance to a jury, since consent “is only effective if the person alleging harm consented ‘to the particular conduct, or to substantially the same conduct’ and if the alleged tortfeasor did not exceed the scope of that consent. Frasco v. Flo Health, Inc., 349 F.R.D. 557, 575 (N.D. Cal. 2025). The jury found that—even though both the app developer and Meta had put users through an “agreement” process where they supposedly consented to data collection—no valid consent had been given. The only sustainable solution will be a move away from surveillance, not keeping the data practices the same and adding yet another thing to click.
Fiction: Changes to CIPA would have to be like SB 690—all or nothing.
Fact: If legitimate sites see a need for a change to CIPA, it could be focused to preserve a path for cases that address real Big Tech harms. Attorneys have suggested alternate language that would exempt normal web site features from CIPA if operated in compliance with CCPA and CPRA, including support for Global Privacy Control. But the shadowy “Alliance for Legal Fairness” (which does not reveal its members or sources of funding) is asking to remove CIPA protections entirely.
Fiction: Throwing complicated “privacy compliance” at the CIPA situation will let Big Tech go back to business as usual.
Fact: The California political process has spoken. People consistently reject corporate surveillance. The message from the Legislature in 1967 is the same as the message that voters sent with Proposition 24 in 2020, and that the jury in the Flo case sent this year. It’s time for Big Tech to face reality, stop trying to deny basic human privacy norms, or, if they won’t, for the rest of us to take action.
Please remember to register to vote and keep your address up to date for jury duty. We have work to do.