This is basically a sneaky repeal of the parts of CIPA that chafe big data.
[1] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml...
[2] https://leginfo.legislature.ca.gov/faces/billCompareClient.x...
> SUPPORT: (Verified 05/29/25)
> California News Publishers Association
> News Media Alliance
Ah, right.
The more I read about this, the more it seems like the EFF is straight-up being dishonest about the bill (which I think it becoming a pattern for the EFF, I'm afraid).
They've branded it the "Corporate Cover-Up Act" (with "Act" in all caps to possibly fool the general public into thinking it's the actual name of the law?!) and saying it will give "Big Tech and data brokers a green light to spy on us without consent for just about any reason".
But they neglect to inform you that the bill explicitly limits the reasons. Those exceptions are:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
You may think that these exceptions are overly broad, and I may even agree with you. But calling this "any reason" is still deeply disingenuous.
(Disclaimer: I'm not a lawyer. If I was, as I assume many contributors to the EFF are, I would be tempted to be against this bill, because being able to sue businesses for virtually any data collection, even legitimate, on the basis of a 1967 law that was meant to ban phone wiretapping and thus has insanely steep fines? No way the paragons of virtue we know many lawyers to be would salivate at the thought of that!)
> (1) A public utility, or telephone company, engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct, or operation of the services and facilities of the public utility or telephone company.
> (2) The use of any instrument, equipment, facility, or service furnished and used pursuant to the tariffs of a public utility.
> (3) A telephonic communication system used for communication exclusively within a state, county, city and county, or city correctional facility.
> *(4) A commercial business purpose.*
Emphasis mine.
That seems wildly less limited than you imply.
> (e) “Commercial business purpose” means the processing of personal information that satisfies either of the following criteria:
> (1) Is performed to further a business purpose as defined in subdivision (e) of Section 1798.140 of the Civil Code.
> (2) Is subject to a consumer’s opt-out rights under Sections 1798.120, 1798.121, and 1798.135 of the Civil Code.
Specifically what OP describes is §1798.140(e): https://leginfo.legislature.ca.gov/faces/codes_displaySectio....
So it is fairly limited.
https://codes.findlaw.com/ca/civil-code/civ-sect-1798-140/
Basically SB690 means that a business can spy on us including our most private data and use it for anything that makes them money like selling it to data brokers or to the government.
That said, I see some of those "legitimate business purposes" as things the CCPA was explicitly intending to redefine as illegitimate. In particular, while it says it would still limit third-party data collection for marketing, it would no longer limit when the company itself (e.g. Facebook) does that data collection for itself. Additionally the "analytics services" is standard speak for "all data that can be hoovered up for cross-site tracking", and is specifically exempted as well.
On the face there is certainly clarification that' needed, and some of the exemptions are needed (E.g. security features), but the current bill clearly includes extras that effectively completely revoke everything the CCPA tries to do.
nostrademons•7mo ago
From my (IANAL) read, it looks like somebody realized that CIPA could be construed to criminalize recording IP addresses as wiretapping, and yet basically every website and online service does it to prevent DDoS attacks, abuse, and fulfill legal obligations. And so this bill specifically excludes "identifying the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication but not the contents of a communication" when done as part of a commercial purpose from being part of the definition of wiretapping.
I know that the EFF's job is to maximize privacy online, and I'd even agree with (and have donated to) that mission. But unless there's some subtle legal argument here, I don't get the uproar. Companies have been collecting IP addresses for the last 30 years, you are not realistically going to stop that practice without breaking the Internet, and so I don't see much of a change from status quo other than not having a law that can be used to fine tech company execs billions of dollars for wiretapping.
meristohm•7mo ago
mindslight•7mo ago
sundarurfriend•7mo ago
As they say in the second sentence of the very first paragraph:
>> S.B. 690, what we’re calling the Corporate Cover-Up Act, is
The linked statute makes far broader exclusions that you imply or would be necessary for what you mention. It just adds "A commercial business purpose" with no provisos or clarification, which invites insanely broad interpretations and effectively nullifies the existing law, just as EFF is saying.
Aloisius•7mo ago
It's in the analyses:
https://leginfo.legislature.ca.gov/faces/billAnalysisClient....
nostrademons•7mo ago
https://getterms.io/blog/california-invasion-of-privacy-act-...
Basically, CIPA is a 1994 law, initially aimed at landline telephones, that forbids wiretapping or recording conversations without the consent of both parties. Starting in 2024, there have been a number of lawsuits that argue that things like cookies and recorded chats should be considered wiretapping. Several of these lawsuits have been dismissed, but some are still pending, and the legislature / corporate lobbyists are trying to get ahead of the problem by explicitly exempting themselves from CIPA.
Personally I think a better solution would be to explicitly enumerate the types of tracking that are considered violations of CIPA, rather than adding a blanket exception for commercial purposes. But I also think that wave of CIPA lawsuits in the last year isn't a great trend either: one (recently dismissed) case actually did try to argue that collecting IP addresses was a "pen register", which would've criminalized running a hobby website.
https://www.mayerbrown.com/en/insights/publications/2025/02/...
Aloisius•7mo ago
CIPA is a 1967 law. It's been amended numerous times though.
> rather than adding a blanket exception for commercial purposes
It's not a blanket exemption. It's limited to specific commercial purposes listed in Section 1798.140(e) or when it allows a consumer to opt-out in a reasonable way.
dszd0g•7mo ago
Instead, it is allowing wiretapping for a "commercial business purpose", basically anything a company can do to make money like sell your private data to a data broker or the government.
Proponents argue that CIPA is not necessary because we have the California Consumer Privacy Act (CCPA) protecting us, but the CCPA is only opt out and you can't opt out of every company or surveillance you don't know about. The current CIPA is opt in where you have to consent to your communications being wiretapped, so SB690 would change the status quo from requiring companies to get your consent to record your communications to you having to opt out of every possible company.
https://www.eff.org/deeplinks/2025/06/californias-corporate-...