[HN Gopher] California's Corporate Cover-Up Act Is a Privacy Nig...
___________________________________________________________________
California's Corporate Cover-Up Act Is a Privacy Nightmare
Author : hn_acker
Score : 54 points
Date : 2025-06-25 18:45 UTC (4 hours ago)
(HTM) web link (www.eff.org)
(TXT) w3m dump (www.eff.org)
| nostrademons wrote:
| I really wish they went into more detail of the legal issues and
| existing law around this area. I had to go into the linked
| statutes to even find out what the this bill _is_ , and
| "California Corporate Cover-Up Act" is their term for it, not on
| the actual bill.
|
| From my (IANAL) read, it looks like somebody realized that CIPA
| could be construed to criminalize recording IP addresses as
| wiretapping, and yet basically every website and online service
| does it to prevent DDoS attacks, abuse, and fulfill legal
| obligations. And so this bill specifically excludes "identifying
| the originating number or other dialing, routing, addressing, or
| signaling information reasonably likely to identify the source of
| a wire or electronic communication but not the contents of a
| communication" when done as part of a commercial purpose from
| being part of the definition of wiretapping.
|
| I know that the EFF's job is to maximize privacy online, and I'd
| even agree with (and have donated to) that mission. But unless
| there's some subtle legal argument here, I don't get the uproar.
| Companies have been collecting IP addresses for the last 30
| years, you are not realistically going to stop that practice
| without breaking the Internet, and so I don't see much of a
| change from status quo other than not having a law that can be
| used to fine tech company execs billions of dollars for
| wiretapping.
| meristohm wrote:
| Perhaps part of the point is to stir action towards not
| accepting the status quo, harmful as it is? We can do better.
| mindslight wrote:
| Our federal government is currently being torn down from the
| goal of " _[stirring] action towards not accepting the status
| quo_. " Details matter, it turns out.
| sundarurfriend wrote:
| > "California Corporate Cover-Up Act" is their term for it, not
| on the actual bill.
|
| As they say in the second sentence of the very first paragraph:
|
| >> S.B. 690, what we're calling the Corporate Cover-Up Act, is
|
| The linked statute makes far broader exclusions that you imply
| or would be necessary for what you mention. It just adds "A
| commercial business purpose" with no provisos or clarification,
| which invites insanely broad interpretations and effectively
| nullifies the existing law, just as EFF is saying.
| Aloisius wrote:
| _> I really wish they went into more detail of the legal issues
| and existing law around this area_
|
| It's in the analyses:
|
| https://leginfo.legislature.ca.gov/faces/billAnalysisClient....
| nostrademons wrote:
| (Replying to my own comment because I've been digging and would
| rather search for truth than argue.) This article has more
| details about why this an issue now:
|
| https://getterms.io/blog/california-invasion-of-privacy-act-...
|
| Basically, CIPA is a 1994 law, initially aimed at landline
| telephones, that forbids wiretapping or recording conversations
| without the consent of both parties. Starting in 2024, there
| have been a number of lawsuits that argue that things like
| cookies and recorded chats should be considered wiretapping.
| Several of these lawsuits have been dismissed, but some are
| still pending, and the legislature / corporate lobbyists are
| trying to get ahead of the problem by explicitly exempting
| themselves from CIPA.
|
| Personally I think a better solution would be to explicitly
| enumerate the types of tracking that are considered violations
| of CIPA, rather than adding a blanket exception for commercial
| purposes. But I also think that wave of CIPA lawsuits in the
| last year isn't a great trend either: one (recently dismissed)
| case actually did try to argue that collecting IP addresses was
| a "pen register", which would've criminalized running a hobby
| website.
|
| https://www.mayerbrown.com/en/insights/publications/2025/02/...
| delichon wrote:
| SS 637.2(d) provides that there is no private right of action to
| sue for "the processing of personal information for a commercial
| business purpose." Anything that would otherwise be actionable
| under the California Invasion of Privacy Act (CIPA) would now be
| exempt if it includes a commercial business purpose,
| retroactively.
|
| This is basically a sneaky repeal of the parts of CIPA that chafe
| big data.
| Aloisius wrote:
| Considering the companies that have been threatened or sued,
| it's far more than "big data."
| sundarurfriend wrote:
| The linked bill [1] is pretty short and readable, so I'd
| encourage people to actually check it out (since the EFF article
| doesn't even quote from it). If you want a diff view, the
| "Today's Law As Amended" tab [2] shows that.
|
| [1]
| https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml...
|
| [2]
| https://leginfo.legislature.ca.gov/faces/billCompareClient.x...
| esbranson wrote:
| Who says Democrats can't get anything done? No one even mentioned
| You Know Who, but that's probably because state media refuses to
| talk about this at all.
|
| > SUPPORT: (Verified 05/29/25)
|
| > California News Publishers Association
|
| > News Media Alliance
|
| Ah, right.
| phendrenad2 wrote:
| Discussed previously:
| https://news.ycombinator.com/item?id=44189442
|
| The more I read about this, the more it seems like the EFF is
| straight-up being dishonest about the bill (which I think it
| becoming a pattern for the EFF, I'm afraid).
|
| They've branded it the "Corporate Cover-Up Act" (with "Act" in
| all caps to possibly fool the general public into thinking it's
| the actual name of the law?!) and saying it will give "Big Tech
| and data brokers a green light to spy on us without consent for
| just about any reason".
|
| But they neglect to inform you that the bill explicitly limits
| the reasons. Those exceptions are:
|
| - Auditing related to counting ad impressions to unique visitors,
| verifying positioning and quality of ad impressions, and auditing
| compliance with this specification and other standards.
|
| - Helping to ensure security and integrity to the extent the use
| of the consumer's personal information is reasonably necessary
| and proportionate for these purposes.
|
| - Debugging to identify and repair errors that impair existing
| intended functionality.
|
| - Short-term, transient use, including, but not limited to,
| nonpersonalized advertising shown as part of a consumer's current
| interaction with the business, provided that the consumer's
| personal information is not disclosed to another third party and
| is not used to build a profile about the consumer or otherwise
| alter the consumer's experience outside the current interaction
| with the business.
|
| - Performing services on behalf of the business, including
| maintaining or servicing accounts, providing customer service,
| processing or fulfilling orders and transactions, verifying
| customer information, processing payments, providing financing,
| providing analytic services, providing storage, or providing
| similar services on behalf of the business.
|
| - Providing advertising and marketing services, except for cross-
| context behavioral advertising, to the consumer provided that,
| for the purpose of advertising and marketing, a service provider
| or contractor shall not combine the personal information of
| opted-out consumers that the service provider or contractor
| receives from, or on behalf of, the business with personal
| information that the service provider or contractor receives
| from, or on behalf of, another person or persons or collects from
| its own interaction with consumers.
|
| - Undertaking internal research for technological development and
| demonstration.
|
| - Undertaking activities to verify or maintain the quality or
| safety of a service or device that is owned, manufactured,
| manufactured for, or controlled by the business, and to improve,
| upgrade, or enhance the service or device that is owned,
| manufactured, manufactured for, or controlled by the business.
|
| You may think that these exceptions are overly broad, and I may
| even agree with you. But calling this "any reason" is still
| deeply disingenuous.
|
| (Disclaimer: I'm not a lawyer. If I was, as I assume many
| contributors to the EFF are, I would be tempted to be against
| this bill, because being able to sue businesses for virtually any
| data collection, even legitimate, on the basis of a 1967 law that
| was meant to ban phone wiretapping and thus has insanely steep
| fines? No way the paragons of virtue we know many lawyers to be
| would salivate at the thought of that!)
| strbean wrote:
| > (b) This section does not apply to any of the following:
|
| > (1) A public utility, or telephone company, engaged in the
| business of providing communications services and facilities,
| or to the officers, employees or agents thereof, where the acts
| otherwise prohibited herein are for the purpose of
| construction, maintenance, conduct, or operation of the
| services and facilities of the public utility or telephone
| company.
|
| > (2) The use of any instrument, equipment, facility, or
| service furnished and used pursuant to the tariffs of a public
| utility.
|
| > (3) A telephonic communication system used for communication
| exclusively within a state, county, city and county, or city
| correctional facility.
|
| > *(4) A commercial business purpose.*
|
| Emphasis mine.
|
| That seems wildly less limited than you imply.
___________________________________________________________________
(page generated 2025-06-25 23:01 UTC)