by nostrademons on 6/25/2025, 8:02:13 PM
by sundarurfriend on 6/25/2025, 8:16:55 PM
The linked bill [1] is pretty short and readable, so I'd encourage people to actually check it out (since the EFF article doesn't even quote from it). If you want a diff view, the "Today's Law As Amended" tab [2] shows that.
[1] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml...
[2] https://leginfo.legislature.ca.gov/faces/billCompareClient.x...
by delichon on 6/25/2025, 8:03:29 PM
§ 637.2(d) provides that there is no private right of action to sue for "the processing of personal information for a commercial business purpose." Anything that would otherwise be actionable under the California Invasion of Privacy Act (CIPA) would now be exempt if it includes a commercial business purpose, retroactively.
This is basically a sneaky repeal of the parts of CIPA that chafe big data.
by phendrenad2 on 6/25/2025, 8:57:04 PM
Discussed previously: https://news.ycombinator.com/item?id=44189442
The more I read about this, the more it seems like the EFF is straight-up being dishonest about the bill (which I think is becoming a pattern for the EFF, I'm afraid).
They've branded it the "Corporate Cover-Up Act" (with "Act" in all caps to possibly fool the general public into thinking it's the actual name of the law?!) and saying it will give "Big Tech and data brokers a green light to spy on us without consent for just about any reason".
But they neglect to inform you that the bill explicitly limits the reasons. Those exceptions are:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
You may think that these exceptions are overly broad, and I may even agree with you. But calling this "any reason" is still deeply disingenuous.
(Disclaimer: I'm not a lawyer. If I was, as I assume many contributors to the EFF are, I would be tempted to be against this bill, because being able to sue businesses for virtually any data collection, even legitimate, on the basis of a 1967 law that was meant to ban phone wiretapping and thus has insanely steep fines? No way the paragons of virtue we know many lawyers to be would salivate at the thought of that!)
by esbranson on 6/25/2025, 8:56:56 PM
Who says Democrats can't get anything done? No one even mentioned You Know Who, but that's probably because state media refuses to talk about this at all.
> SUPPORT: (Verified 05/29/25)
> California News Publishers Association
> News Media Alliance
Ah, right.
I really wish they went into more detail of the legal issues and existing law around this area. I had to go into the linked statutes to even find out what this bill is, and "California Corporate Cover-Up Act" is their term for it, not on the actual bill.
From my (IANAL) read, it looks like somebody realized that CIPA could be construed to criminalize recording IP addresses as wiretapping, and yet basically every website and online service does it to prevent DDoS attacks, abuse, and fulfill legal obligations. And so this bill specifically excludes "identifying the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication but not the contents of a communication" when done as part of a commercial purpose from being part of the definition of wiretapping.
I know that the EFF's job is to maximize privacy online, and I'd even agree with (and have donated to) that mission. But unless there's some subtle legal argument here, I don't get the uproar. Companies have been collecting IP addresses for the last 30 years, you are not realistically going to stop that practice without breaking the Internet, and so I don't see much of a change from status quo other than not having a law that can be used to fine tech company execs billions of dollars for wiretapping.