Opinion
1967 wiretap law is fueling a shakedown of small businesses
Special agent listens on the reel tape recorder. Officer wiretapping in headphones. Spying of conversations.Capitol Weekly welcomes Opinions on California public policy or politics. Please read our guidelines for opinion pieces before submitting an Op-Ed. Submissions that do not adhere to our guidelines will not be considered for publication.
OPINION — When a reporter published Judge Robert Bork’s video rental history during his 1987 Supreme Court confirmation hearings, Congress responded quickly. Lawmakers passed the Video Privacy Protection Act to ensure that a person’s viewing habits would not become public fodder. It was a sensible response to a real privacy concern in the era of video stores and VHS tapes.
The problem is that privacy laws written for an earlier technological age are now being stretched to reach ordinary website tools in ways their drafters never intended.
That is especially true in California, where the California Invasion of Privacy Act, or CIPA, has become the weapon of choice in web privacy litigation. A staggering 75% of all web privacy claims are CIPA-related.
Enacted to address Cold War-era wiretapping on rotary phones, CIPA is now being deployed against commonplace website functions such as chat widgets, payment tools, analytics scripts and other embedded services. In practice, creative plaintiffs’ firms are asking courts to treat common web tools as the equivalent of an illegal wiretap.
This is not a marginal issue; it is the core of a volume-driven litigation model. Coalition’s State of Web Privacy report found that 75% of reported web privacy claims were CIPA-related, and that just four law firms accounted for nearly three-quarters of all privacy claims.
In one recent case, a plaintiff demanded $280,000 based on a single visit to a website, tallying alleged $5,000 statutory violations across multiple third-party tools on the page.
The strategy behind these claims is simple: stack statutory damages high enough to create maximum leverage, then pressure businesses to settle because defending the case costs more than paying it off.
That is not how a modern privacy regime should operate.
California already has one: the California Consumer Privacy Act (CCPA). The CCPA sets out a contemporary framework for disclosure, consent, data handling, and consumer rights. Yet the injustice of the current landscape is that tools compliant with California’s modern privacy framework are still being targeted under this archaic 1960s wiretap statute.
Businesses that have spent millions structuring their operations to align with CCPA obligations are getting blindsided by creative CIPA demands.
The result is a legal regime that rewards opportunistic litigation while diverting resources away from hiring, operations, and genuine privacy improvements. When small businesses are forced to pay tens of thousands of dollars to settle dubious wiretapping claims, that money does not come out of thin air.
It is money that cannot be spent on employees, customer service, security or growth. In that sense, these lawsuits function like a hidden tax on ordinary digital commerce.
Worse still, this burden is falling hardest on the businesses least equipped to absorb it. Unlike the CCPA, CIPA does not contain the same revenue thresholds that intentionally shield smaller businesses from burdensome compliance litigation.
Coalition’s data shows that 59% of web privacy claims targeted businesses with less than $100 million in annual revenue. Even more striking, 18% of CIPA-related claims were brought against micro-businesses with less than $10 million in revenue.
These are not giant technology companies with armies of in-house counsel. They are local restaurants, nurseries, and family businesses using ordinary website tools to process payments, answer customer questions, or keep their lights on. For them, a single boilerplate demand letter can create existential pressure.
That is why California lawmakers must pass SB 690.
The bill would restore a basic principle of justice: privacy law should protect consumers from misuse of their data, not convert ordinary digital infrastructure into an engine for economic extortion untethered from real harm.
If the state wants to regulate modern web practices, it should continue to do so through clear, modern rules under the CCPA. It should not leave small businesses guessing whether a standard analytics tag or a customer support chat box will trigger a ruinous lawsuit.
None of this is an argument against privacy enforcement. Quite the opposite. Strong privacy protections depend on clear rules, credible enforcement, and remedies that bear a rational relationship to actual injury.
When old statutes are stretched beyond their intended scope, public confidence in privacy law suffers.
California lawmakers have an opportunity to correct course. SB 690 would not eliminate privacy protections; it would align them with technological reality and legislative intent. Laws written in the 1960s for landlines should not be used to penalize ordinary, CCPA-aligned website operations. If California wants a privacy framework that is both serious and sustainable, it must pass SB 690.
Sezaneh Seymour leads regulatory risk and policy at Coalition after senior cybersecurity and trade roles across the U.S. government. Daniel Woods heads emerging risks at Coalition and is an academic focused on cybersecurity, privacy, and risk.
Want to see more stories like this? Sign up for The Roundup, the free daily newsletter about California politics from the editors of Capitol Weekly. Stay up to date on the news you need to know.
Sign up below, then look for a confirmation email in your inbox.

Leave a Reply