SB 690 amends multiple Penal Code sections to create an explicit exception for the processing of personal information done for a “commercial business purpose.” The change inserts that exception into the state’s wiretapping and eavesdropping statutes (sections 631, 632, 632.7) and into the definitions governing pen-registers and trap-and-trace devices, and it removes the private statutory cause of action for such commercial processing under section 637.2. The bill defines “commercial business purpose” by cross-reference to California Civil Code definitions — either processing that furthers a defined business purpose or processing that is subject to a consumer’s opt-out rights under specific Civil Code sections.
Why it matters: the amendment narrows the reach of longstanding criminal and civil privacy protections by creating a statutory safe harbor for many routine data-collection and tracking practices used by online platforms, advertisers, analytics vendors, and other commercial actors. It also shifts who can challenge those commercial practices away from individual plaintiffs toward other mechanisms (agency enforcement or consumer opt-outs), with retroactive effect to January 1, 2026.
At a Glance
What It Does
SB 690 adds a commercial-purpose exception to multiple Penal Code privacy prohibitions, excludes business-use devices from the pen-register and trap-and-trace definitions, and bars private suits under section 637.2 for processing that meets that commercial-purpose test. It defines the term by pointing to Civil Code 1798.140(e) and to processing that is subject to consumers’ opt-out rights.
Who It Affects
Digital advertisers, analytics providers, platforms that collect or decode routing/dialing data, telecommunications providers performing billing or accounting, and any entity that processes personal information to further business aims or under opt-out regimes. Privacy plaintiffs and lawyers who bring statutory claims under Penal Code chapter 12 will also be affected.
Why It Matters
The bill effectively legalizes certain nonconsensual interceptions and recordings when characterized as commercial processing, replacing a private damages remedy with a regime tied to civil-code definitions and opt-out mechanisms—this changes litigation risk, evidence admissibility, and the incentives for companies that handle communication metadata or content.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB 690 rewrites how California treats the interception and recording of communications when that activity serves a commercial purpose. Rather than just focusing on consent as the baseline, the bill creates an explicit exception across multiple criminal provisions: if the processing of personal information qualifies as a “commercial business purpose,” then the otherwise-prohibited tapping, interception, or recording is not governed by those Penal Code prohibitions.
The bill does not remove criminal or civil liability for noncommercial interceptions; prosecutors and private plaintiffs still may pursue traditional claims where the commercial exception does not apply.
Concretely, the bill amends the statutes that criminalize wiretapping and eavesdropping (sections 631, 632, and 632.7) to list a commercial business purpose among the enumerated exceptions. It also revises the chapter’s definitional section (638.50) to add commercial business purpose as an exclusion from the pen-register and trap-and-trace device definitions.
That means devices or processes used to record dialing, routing, or signaling information — including many tools used for analytics, billing, or targeted advertising — may fall outside the statutory coverage if used consistently with the commercial-purpose test.To determine what counts as a commercial business purpose, the bill points to the Civil Code: either the processing furthers a “business purpose” as defined in Civil Code section 1798.140(e) or it is processing that a consumer may opt out of under other Civil Code provisions (1798.120, 1798.121, 1798.135). The bill also removes the private right to sue under Penal Code section 637.2 for harms that arise from processing that meets the commercial-business-purpose test; statutory damages and treble-damages remedies remain available for noncommercial violations.
Finally, the bill is retroactive to January 1, 2026, making those new exclusions applicable to pending cases as of that date.
The Five Things You Need to Know
SB 690 adds “commercial business purpose” as an explicit exception to criminal prohibitions in Penal Code sections 631, 632, and 632.7, meaning some interceptions or recordings used for business purposes will no longer trigger those criminal provisions.
The bill amends the pen-register and trap-and-trace definitions in Penal Code section 638.50 to exclude devices or processes used in a manner consistent with a commercial business purpose.
Section 637.2’s private statutory remedy (including $5,000 per violation or treble actual damages) does not apply to processing of personal information done for a commercial business purpose.
The term “commercial business purpose” is defined by reference to Civil Code section 1798.140(e) (business purpose) or processing that is subject to consumers’ opt-out rights under Civil Code sections 1798.120, 1798.121, and 1798.135.
The bill applies retroactively to any case pending as of January 1, 2026, potentially removing or narrowing claims already filed at that date.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Adds a commercial-purpose exception to wiretapping prohibitions
This amendment inserts “a commercial business purpose” into the list of exceptions to the statute that criminalizes unauthorized tapping or reading of telegraph and telephone wires. Practically, investigators and prosecutors must now determine whether a challenged connection or interception was carried out to further a commercial purpose before applying §631. The provision preserves the statute’s existing penalties for non-exempt conduct and keeps the evidence-exclusion rule for unlawful interceptions.
Exempts commercial business-purpose recordings from eavesdropping crimes
The bill adds the commercial-purpose carve-out to the statute criminalizing the use of electronic amplifying or recording devices to capture confidential communications. That means recordings made in a business context — where the processing meets the bill’s test — are not subject to the per-violation fines and jail terms in §632. The statutory definition of “person” and the scope of “confidential communication” remain unchanged, leaving open disputes about borderline situations where a communication appears confidential but the processing claims a commercial justification.
Applies the exception to cellular/cordless interception offenses
SB 690 places the same commercial-purpose exception into §632.7, which targets interceptions between cellular and landline or cordless telephones. The section’s technical definitions of “cellular radio telephone” and “cordless telephone” are unchanged, but the new exception means some recordings of those communications — if tied to commercial processing as defined elsewhere — will not meet the statute’s elements.
Removes private statutory damages for commercial-purpose processing
Section 637.2 currently allows injured persons to recover statutory damages or treble actual damages and to seek injunctive relief for violations of the chapter. The amendment explicitly disapplies that private cause of action where the processing at issue is for a commercial business purpose. The practical effect is that individuals seeking remedies for commercial data collection must rely on other avenues (consumer opt-outs, administrative enforcement under civil privacy laws, or contract claims) rather than the chapter’s private damage remedy.
Defines commercial business purpose and narrows device coverage
This is the statutory hub for the bill’s definitional framework. It revises the pen-register and trap-and-trace carve-outs to say those devices do not include processes used consistently with a commercial business purpose, and it defines that term by cross-reference to Civil Code concepts: (1) processing performed to further a business purpose under Civil Code §1798.140(e), or (2) processing that is subject to a consumer opt-out under specified Civil Code sections. The section also imports Civil Code definitions for “personal information” and “processing.” Because the bill relies on cross-code definitions rather than setting bright-line categories, many disputes will turn on interpreting Civil Code terms in the context of criminal statutes.
Makes the act retroactive to January 1, 2026
The bill applies its amendments to any case pending as of January 1, 2026. Retroactivity can narrow or extinguish pending private claims and affects the admissibility and liability analyses in ongoing prosecutions or civil suits; courts will have to determine how the new exceptions apply to facts developed under the old law.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Digital advertisers and ad tech vendors — they gain a statutory safe harbor for many data-collection and routing activities commonly used for targeting and attribution when those activities meet the bill’s commercial-purpose test.
- Platform and analytics providers — routine telemetry, analytics, and measurement processes that decode signaling or routing data may be removed from criminal exposure under the amended pen-register and trap-and-trace language.
- Telecommunications carriers performing billing or cost-accounting functions — the bill explicitly preserves carrier operational exclusions and bolsters the permissibility of billing-related processing framed as commercial.
- Businesses facing statutory privacy suits — companies currently exposed to private statutory claims under Penal Code chapter 12 for commercial data practices will see reduced exposure to that particular private remedy.
Who Bears the Cost
- Consumers concerned about nonconsensual collection of communications data — they lose a private statutory cause of action for harms linked to commercial processing and must rely on opt-outs or regulatory enforcement instead.
- Privacy plaintiffs and their attorneys — the removal of section 637.2 remedies for commercial processing narrows litigation avenues and damages available in consumer claims under these Penal Code provisions.
- Regulators and enforcement agencies — with fewer private suits, the practical burden of policing commercial interceptions may shift to public agencies without new resources or explicit enforcement mechanisms in this bill.
- Businesses that cannot clearly categorize their processing — entities that mix commercial and noncommercial uses or that lack robust opt-out mechanisms face uncertain legal exposure and potential litigation over whether a use qualifies as a commercial business purpose.
Key Issues
The Core Tension
The central dilemma is a classic privacy-versus-commerce trade-off: SB 690 protects routine business uses of communication and signaling data by carving them out of criminal liability, but in doing so it narrows individual remedies and relies on civil-code opt-out mechanisms that may be weak in practice—leaving consumers with reduced private enforcement and courts with hard interpretive questions about what counts as a legitimate commercial purpose.
SB 690 resolves one problem—legal exposure for commonplace business data practices—by folding those practices into a commercial-purpose exemption tied to Civil Code definitions. That approach trades private statutory enforcement for a reliance on the Civil Code’s opt-out regime and on the concept of a business purpose.
The trade-off raises significant implementation questions: the Civil Code definitions were designed for consumer privacy regulation, not criminal wiretapping law, so courts will face interpretive friction when importing those terms into Penal Code contexts. Expect disputes about whether a particular interception is truly in furtherance of a business purpose or merely characterized as such to avoid liability.
Retroactivity magnifies the bill’s practical impact but also increases uncertainty. Pending claims that were pled under the older statutory regime may be dismissed or materially narrowed, and evidence rulings made under prior law may be revisited.
The bill also does not create a new, parallel regulatory enforcement mechanism to replace the private cause of action it narrows; instead, it leans on existing civil-code opt-outs and on agencies that enforce consumer privacy laws. That creates an enforcement gap if agencies lack resources or if opt-outs are ineffective in practice.
Finally, because the bill exempts certain pen-register and trap-and-trace uses, it may alter the evidentiary landscape in criminal investigations and civil discovery, producing both procedural and substantive ripple effects.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.