This "dangerous surveillance bill" simply protects people who are using tracking pixels (commonly used for serving targeted ads) from frivolous lawsuits.
Of course, the EFF doesn't actually tell you what the bill SAYS here, it instead breathlessly, dramatically, announces "SB 690 gives the green-light to dystopian big tech surveillance practices which will endanger the privacy and safety of all Californians".
The fact that EFF has to obfuscate the content of the bill this much says a lot.
Whatever the intent, this bill effectively legalizes wiretapping and pen register'ing (i.e. recording phone numbers and IP:port logs you've communicated with) as long as it's for a "commercial purpose".
Far from merely shielding tracking pixel abusers from "frivolous" lawsuits, this bill legalizes wiretapping all your calls and browsing sessions and selling the recordings to the cops. It even had a retroactive immunity clause, which at least seems to have been stripped out.
Yes, it really is that crazy. Read it yourself here: https://legiscan.com/CA/text/SB690/2025
PS: Your strident defense of the surveillance industry and caustic dismissal of warnings from a well-known and credible civil rights organization makes me wonder where your interests lie. What is your involvement in the industry and what role, if any, did you play in the passage of this bill in the CA Senate?
Okay let's get one thing out of the way: You can't use a narrow legalese-defined definition of "wiretapping" and act like it's the same as the popular definition of wiretapping. You do this when you talk about the "wiretapping" in the bill and say that it "really is that crazy". You might not realize that you're doing this, because it might be so ingrained in your training as, whatever profession you are, but it doesn't fly with me. You MUST choose between one definition or the other, and either way, your argument falls apart.
Secondly, if "someone disagrees with me an organization I like in a strident and caustic way" is enough to make you reach for an ad hominem, then that just shows an unfortunate delusionality on your part. Not really helpful to your cause me-thinks.
> Far from merely shielding tracking pixel abusers from "frivolous" lawsuits <blah blah blah>
It appears that we agree on the substance of my argument. Which is enough for me.
EDIT: After reading a comment below, it seems that you might actually be using the "popular" definition of wiretapping, in which case, please provide an example of a scenario where this law allows something nefarious, taking into account other laws such as the CCPA. I doubt one exists.
If exempting "commercial purposes" from a law results in no harm being done to anyone, then you are arguing the law is shouldn't exist in the first place.
CCPA appears to limitations based on the size of the enterprise, so that doesn't guarantee protection.
So, which state laws prevent someone from wiretapping my communications and then selling it?
Which law prevents someone from wiretapping your communications in New York? Or Florida?
The digest seems to say that two-party consent would no longer be required for business communications. Do I misunderstand it or is it way more expansive than shielding ad tech?
I think it is worse than you are thinking. I agree with kyborens comment saying this allows tapping all calls. I could see an app, a game for example, that would transfer all call audio to the app owner. As long as it is used for a commercial business purpose, it would be ok
But what is a "legitimate business purpose"? And what other laws come into play that prevent the business from using it as they will, such as the CCPA? At this point I feel like everyone is just being willingly ignorant of the facts to spin a certain narrative, because it's more "fun".
They should have narrowed the exemption. As it is the current exemptions are for pretty much the operation of a telephone company and jails. Your local police department is not exempt, they need a warrant. This law specifically is about intentional access to communications you aren't authorized to access. I'm not good with letting that being ok for commercial business purposes.
> They should have narrowed the exemption
Maybe "legitimate business purpose" is doing the heavy lifting here. Let's find out! Let's take another look at the bill:
> The bill would define a commercial business purpose to mean the processing of personal information either performed to further a business purpose or subject to a consumer’s opt-out rights
Let's keep reading, this is fun!
> (e) “Commercial business purpose” means the processing of personal information that satisfies either of the following criteria:
> (1) Is performed to further a business purpose as defined in subdivision (e) of Section 1798.140 of the Civil Code.
Okay, let's look up subdivision (e) of Section 1798.140 of the Civil Code of California... (this is kind of like pointers in C... very cool)
> (e) “Business purpose” means the use of personal information for the business’ operational purposes, or other notified purposes, or for the service provider or contractor’s operational purposes, as defined by regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected. Business purposes are:
> (1) Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
> (2) Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.
> (3) Debugging to identify and repair errors that impair existing intended functionality.
> (4) Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
> (5) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
> (6) Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
> (7) Undertaking internal research for technological development and demonstration.
> (8) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Far from a freewheeling "they can wiretap anything!!!1111" screech I keep seeing here, it seems to me that the definitions are all nicely pinned-down and there isn't a lot of leeway.
Oh and an important note: I'm not a lawyer. It's possible that I've completely bungled this analysis, so don't take it as legal advice. This is just my opinion.
> This "dangerous surveillance bill" simply protects people who are using tracking pixels (commonly used for serving targeted ads) from frivolous lawsuits.
Why should a company's "right" to seek profit through advertising infringe upon my right to privacy on the web?
- [deleted]
"SECTION 1. Section 631 of the Penal Code is amended to read: 631. (a) A person who, by means of a machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes an unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with a telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of an internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in an unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of a message, report, or communication while the same is in transit or passing over a wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in the county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both a fine and imprisonment in the county jail or pursuant to subdivision (h) of Section 1170. If the person has previously been convicted of a violation of this section or Section 632, 632.5, 632.6, 632.7, or 636, the offense is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both that fine and imprisonment. (b) This section does not apply to any of the following: (1) A public utility, or telephone company, engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct, or operation of the services and facilities of the public utility or telephone company. (2) The use of any instrument, equipment, facility, or service furnished and used pursuant to the tariffs of a public utility. (3) A telephonic communication system used for communication exclusively within a state, county, city and county, or city correctional facility. (4) A commercial business purpose. (c) For purposes of this section, “telephone company” has the same meaning as defined in paragraph (3) of subdivision (c) of Section 638. (d) Except as proof in an action or prosecution for violation of this section, evidence obtained in violation of this section is not admissible in a judicial, administrative, legislative, or other proceeding." Did you read this? It exempts commercial business purposes from the consequences of tapping communications without authorization.
So what you're implying is that my apartment complex can MITM my TLS connections and sell my data? And my window-cleaning company can use lasers to bug my office? And there's no recourse for me? There are no other laws that cover this? Such as at the federal level? Or, are you missing important context and other factors?
Are you implying that the bill is meaningless? If I place a device on your phone or wire tap your phone I would be subject to fine and jail under section 631 of the penal code. Here's Google's summary: "California Penal Code Section 631 primarily addresses wiretapping and eavesdropping, making it illegal to intentionally tap into or connect to a telegraph or telephone line without authorization. It also prohibits reading or attempting to read messages while they are in transit, using information obtained through wiretapping, and aiding or conspiring with others to commit these offenses." With this change section 631 no longer applies to someone doing this for a commercial business purpose. Maybe the reasoning is benign, but I feel like this could be used to violate my privacy and it's not really clear what legitimate business issue this remedies. This is about gaining access to communications you aren't authorized to access. Can you provide any reason we need to let business put an inductive coupler on my phone without letting me know?
> Maybe the reasoning is benign,
They may act like silly old men but they aren't stupid, they know reason and they know the implications - all of them. That's the true intent.
I don't understand why my argument is so hard to understand. Let me try again. I'm not saying the law is meaningless, I'm saying that the specific application of the law that is walked back by this new law is useless except for the purposes of nuisance lawsuits to shake down businesses. Now, I asked you if specific examples would be legal if this change went into effect, which you completely declined to comment on, which tells me you aren't that sure of your position.
It's not hard to understand. It's wrong. Section 631 is about intentionally making an unauthorized connection to a telephone or message transmitted by wire. Unintentional access is not illegal. Any call where all parties consent, it is not illegal. Existing exemptions are only for those providing communication services, collecting tarrifs and jails. Law enforcement can't do this, without a warrant. Tracking pixels aren't covered by 631. Not sure if you are aware, but the jails are exempt because they monitor calls without authorization of all parties. 631 only applies to intentionally accessing communications without the consent of all parties. I see no reason to give any commercial business purpose authorization to monitor my communications in a manner law enforcement is not authorized to. There likely other laws that may apply, but I am good with this one applying. You mention CCPA, it doesn't apply to every business. From my reading your two examples are no longer covered by 631. If this were just for frivolous lawsuits a narrower exemption would have been more acceptable. As it is now, I am completely ok with this being illegal. Remember 631 is about intercepting communications you aren't authorized to access.
See my comment on a sibling response. I dug into the law itself, and it looks (to me) like the scope is severely limited here. It's not a case of simply removing Section 631 protections at the discrimination of the business, there are actual rules about how it can be applied.
Almost forgot your two examples would no longer be subject to the penalties listed in 631. How am I supposed to seek recourse for something I don't even know is happening. The only time I would be able to do anything is if I catch them doing it and the police likely won't help, since it's not illegal.
Well as I said in another comment, it would still be illegal, because the scope is limited. However, my point here was that you're ignoring the fact that there are probably other laws that cover this, redundantly. I guess the concept of redundant laws can be a departure from the usual world of programming, where we try to DRY everything up as much as possible.
- [deleted]