
66 points hn_acker | 1 comments
phendrenad2 ◴[] No.44381751[source]
Discussed previously: https://news.ycombinator.com/item?id=44189442

The more I read about this, the more it seems like the EFF is straight-up being dishonest about the bill (which I think is becoming a pattern for the EFF, I'm afraid).

They've branded it the "Corporate Cover-Up Act" (with "Act" in all caps to possibly fool the general public into thinking it's the actual name of the law?!) and are saying it will give "Big Tech and data brokers a green light to spy on us without consent for just about any reason".

But they neglect to inform you that the bill explicitly limits the reasons. Those exceptions are:

- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

- Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.

- Debugging to identify and repair errors that impair existing intended functionality.

- Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.

- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.

- Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.

- Undertaking internal research for technological development and demonstration.

- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

You may think that these exceptions are overly broad, and I may even agree with you. But calling this "any reason" is still deeply disingenuous.

(Disclaimer: I'm not a lawyer. If I was, as I assume many contributors to the EFF are, I would be tempted to be against this bill, because being able to sue businesses for virtually any data collection, even legitimate, on the basis of a 1967 law that was meant to ban phone wiretapping and thus has insanely steep fines? No way the paragons of virtue we know many lawyers to be would salivate at the thought of that!)

replies(2): >>44382011 #>>44384577 #
strbean ◴[] No.44382011[source]
> (b) This section does not apply to any of the following:

> (1) A public utility, or telephone company, engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct, or operation of the services and facilities of the public utility or telephone company.

> (2) The use of any instrument, equipment, facility, or service furnished and used pursuant to the tariffs of a public utility.

> (3) A telephonic communication system used for communication exclusively within a state, county, city and county, or city correctional facility.

> *(4) A commercial business purpose.*

Emphasis mine.

That seems wildly less limited than you imply.

replies(2): >>44382733 #>>44382740 #
1. Aloisius ◴[] No.44382740[source]
The limits are defined in what is considered to be a "commercial business purpose":

> (e) “Commercial business purpose” means the processing of personal information that satisfies either of the following criteria:

> (1) Is performed to further a business purpose as defined in subdivision (e) of Section 1798.140 of the Civil Code.

> (2) Is subject to a consumer’s opt-out rights under Sections 1798.120, 1798.121, and 1798.135 of the Civil Code.

Specifically what OP describes is §1798.140(e): https://leginfo.legislature.ca.gov/faces/codes_displaySectio....

So it is fairly limited.