←back to thread

California's Corporate Cover-Up Act Is a Privacy Nightmare

(www.eff.org)
66 points hn_acker | 7 comments | 25 Jun 25 18:45 UTC | HN request time: 0.612s | source | bottom
1. nostrademons ◴[25 Jun 25 20:02 UTC] No.44381307[source]
I really wish they went into more detail of the legal issues and existing law around this area. I had to go into the linked statutes to even find out what the this bill is, and "California Corporate Cover-Up Act" is their term for it, not on the actual bill.

From my (IANAL) read, it looks like somebody realized that CIPA could be construed to criminalize recording IP addresses as wiretapping, and yet basically every website and online service does it to prevent DDoS attacks, abuse, and fulfill legal obligations. And so this bill specifically excludes "identifying the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication but not the contents of a communication" when done as part of a commercial purpose from being part of the definition of wiretapping.

I know that the EFF's job is to maximize privacy online, and I'd even agree with (and have donated to) that mission. But unless there's some subtle legal argument here, I don't get the uproar. Companies have been collecting IP addresses for the last 30 years, you are not realistically going to stop that practice without breaking the Internet, and so I don't see much of a change from status quo other than not having a law that can be used to fine tech company execs billions of dollars for wiretapping.

replies(4): >>44381322 #>>44381398 #>>44381416 #>>44381526 #
2. meristohm ◴[25 Jun 25 20:04 UTC] No.44381322[source]
Perhaps part of the point is to stir action towards not accepting the status quo, harmful as it is? We can do better.
replies(1): >>44381856 #
3. sundarurfriend ◴[25 Jun 25 20:12 UTC] No.44381398[source]
> "California Corporate Cover-Up Act" is their term for it, not on the actual bill.

As they say in the second sentence of the very first paragraph:

>> S.B. 690, what we’re calling the Corporate Cover-Up Act, is

The linked statute makes far broader exclusions that you imply or would be necessary for what you mention. It just adds "A commercial business purpose" with no provisos or clarification, which invites insanely broad interpretations and effectively nullifies the existing law, just as EFF is saying.

4. Aloisius ◴[25 Jun 25 20:14 UTC] No.44381416[source]
> I really wish they went into more detail of the legal issues and existing law around this area

It's in the analyses:

https://leginfo.legislature.ca.gov/faces/billAnalysisClient....

5. nostrademons ◴[25 Jun 25 20:28 UTC] No.44381526[source]
(Replying to my own comment because I've been digging and would rather search for truth than argue.) This article has more details about why this an issue now:

https://getterms.io/blog/california-invasion-of-privacy-act-...

Basically, CIPA is a 1994 law, initially aimed at landline telephones, that forbids wiretapping or recording conversations without the consent of both parties. Starting in 2024, there have been a number of lawsuits that argue that things like cookies and recorded chats should be considered wiretapping. Several of these lawsuits have been dismissed, but some are still pending, and the legislature / corporate lobbyists are trying to get ahead of the problem by explicitly exempting themselves from CIPA.

Personally I think a better solution would be to explicitly enumerate the types of tracking that are considered violations of CIPA, rather than adding a blanket exception for commercial purposes. But I also think that wave of CIPA lawsuits in the last year isn't a great trend either: one (recently dismissed) case actually did try to argue that collecting IP addresses was a "pen register", which would've criminalized running a hobby website.

https://www.mayerbrown.com/en/insights/publications/2025/02/...

replies(1): >>44382842 #
6. mindslight ◴[25 Jun 25 21:08 UTC] No.44381856[source]
Our federal government is currently being torn down from the goal of "[stirring] action towards not accepting the status quo." Details matter, it turns out.
7. Aloisius ◴[25 Jun 25 23:42 UTC] No.44382842[source]
> Basically, CIPA is a 1994 law

CIPA is a 1967 law. It's been amended numerous times though.

> rather than adding a blanket exception for commercial purposes

It's not a blanket exemption. It's limited to specific commercial purposes listed in Section 1798.140(e) or when it allows a consumer to opt-out in a reasonable way.