I really wish they went into more detail of the legal issues and existing law around this area. I had to go into the linked statutes to even find out what this bill is, and "California Corporate Cover-Up Act" is their term for it, not on the actual bill.
From my (IANAL) read, it looks like somebody realized that CIPA could be construed to criminalize recording IP addresses as wiretapping, and yet basically every website and online service does it to prevent DDoS attacks, abuse, and fulfill legal obligations. And so this bill specifically excludes "identifying the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication but not the contents of a communication" when done as part of a commercial purpose from being part of the definition of wiretapping.
I know that the EFF's job is to maximize privacy online, and I'd even agree with (and have donated to) that mission. But unless there's some subtle legal argument here, I don't get the uproar. Companies have been collecting IP addresses for the last 30 years, you are not realistically going to stop that practice without breaking the Internet, and so I don't see much of a change from status quo other than not having a law that can be used to fine tech company execs billions of dollars for wiretapping.
(Replying to my own comment because I've been digging and would rather search for truth than argue.) This article has more details about why this is an issue now:
Basically, CIPA is a 1994 law, initially aimed at landline telephones, that forbids wiretapping or recording conversations without the consent of both parties. Starting in 2024, there have been a number of lawsuits that argue that things like cookies and recorded chats should be considered wiretapping. Several of these lawsuits have been dismissed, but some are still pending, and the legislature / corporate lobbyists are trying to get ahead of the problem by explicitly exempting themselves from CIPA.
Personally I think a better solution would be to explicitly enumerate the types of tracking that are considered violations of CIPA, rather than adding a blanket exception for commercial purposes. But I also think that the wave of CIPA lawsuits in the last year isn't a great trend either: one (recently dismissed) case actually did try to argue that collecting IP addresses was a "pen register", which would've criminalized running a hobby website.
CIPA is a 1967 law. It's been amended numerous times though.
> rather than adding a blanket exception for commercial purposes
It's not a blanket exemption. It's limited to specific commercial purposes listed in Section 1798.140(e) or when it allows a consumer to opt-out in a reasonable way.
If you read the text of SB690, it isn't just excluding IP addresses and session cookies which would be a valid change in the law in my opinion.
https://legiscan.com/CA/text/SB690/id/3186917
Instead, it is allowing wiretapping for a "commercial business purpose", basically anything a company can do to make money like sell your private data to a data broker or the government.
Proponents argue that CIPA is not necessary because we have the California Consumer Privacy Act (CCPA) protecting us, but the CCPA is only opt out and you can't opt out of every company or surveillance you don't know about. The current CIPA is opt in where you have to consent to your communications being wiretapped, so SB690 would change the status quo from requiring companies to get your consent to record your communications to you having to opt out of every possible company.
> "California Corporate Cover-Up Act" is their term for it, not on the actual bill.
As they say in the second sentence of the very first paragraph:
>> S.B. 690, what we’re calling the Corporate Cover-Up Act, is
The linked statute makes far broader exclusions than you imply or would be necessary for what you mention. It just adds "A commercial business purpose" with no provisos or clarification, which invites insanely broad interpretations and effectively nullifies the existing law, just as EFF is saying.
Our federal government is currently being torn down from the goal of "[stirring] action towards not accepting the status quo." Details matter, it turns out.
The linked bill [1] is pretty short and readable, so I'd encourage people to actually check it out (since the EFF article doesn't even quote from it). If you want a diff view, the "Today's Law As Amended" tab [2] shows that.
§ 637.2(d) provides that there is no private right of action to sue for "the processing of personal information for a commercial business purpose." Anything that would otherwise be actionable under the California Invasion of Privacy Act (CIPA) would now be exempt if it includes a commercial business purpose, retroactively.
This is basically a sneaky repeal of the parts of CIPA that chafe big data.
The more I read about this, the more it seems like the EFF is straight-up being dishonest about the bill (which I think is becoming a pattern for the EFF, I'm afraid).
They've branded it the "Corporate Cover-Up Act" (with "Act" in all caps to possibly fool the general public into thinking it's the actual name of the law?!) and saying it will give "Big Tech and data brokers a green light to spy on us without consent for just about any reason".
But they neglect to inform you that the bill explicitly limits the reasons. Those exceptions are:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
You may think that these exceptions are overly broad, and I may even agree with you. But calling this "any reason" is still deeply disingenuous.
(Disclaimer: I'm not a lawyer. If I was, as I assume many contributors to the EFF are, I would be tempted to be against this bill, because being able to sue businesses for virtually any data collection, even legitimate, on the basis of a 1967 law that was meant to ban phone wiretapping and thus has insanely steep fines? No way the paragons of virtue we know many lawyers to be would salivate at the thought of that!)
> (b) This section does not apply to any of the following:
> (1) A public utility, or telephone company, engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct, or operation of the services and facilities of the public utility or telephone company.
> (2) The use of any instrument, equipment, facility, or service furnished and used pursuant to the tariffs of a public utility.
> (3) A telephonic communication system used for communication exclusively within a state, county, city and county, or city correctional facility.
If you read Section 1798.140 of the Civil Code:
“Commercial purposes” means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction."
Basically SB690 means that a business can spy on us including our most private data and use it for anything that makes them money like selling it to data brokers or to the government.
No offense to you in particular, but HN makes me feel like I'm taking crazy pills, or on the Truman Show sometimes. If I had a dream where someone replied to my analysis of the law here with "if you read this section of the law it says X" and then provided a link, and I already KNEW that what they were saying was untrue, because I posted that link a month ago (https://news.ycombinator.com/item?id=44202153), but I clicked it anyway, only to find that they had mixed up separate parts of that law and paraphrased them badly, I'd wake up and think "wow I need to touch grass". But yet, here it is happening in front of my eyes.
That said, I see some of those "legitimate business purposes" as things the CCPA was explicitly intending to redefine as illegitimate. In particular, while it says it would still limit third-party data collection for marketing, it would no longer limit when the company itself (e.g. Facebook) does that data collection for itself. Additionally the "analytics services" is standard speak for "all data that can be hoovered up for cross-site tracking", and is specifically exempted as well.
On the face there is certainly clarification that's needed, and some of the exemptions are needed (e.g. security features), but the current bill clearly includes extras that effectively completely revoke everything the CCPA tries to do.
Who says Democrats can't get anything done? No one even mentioned You Know Who, but that's probably because state media refuses to talk about this at all.