15 Dec 2025
what California got wrong on privacy laws
California has some good points (icymi, one
California band doing a cover of a song by another California band: Uncle John’s
Band performed by Moonalice) but nobody is perfect. Our state got a
lot of ink for doing the first of the long, comprehensive
privacy
laws, then we voted in Proposition 24, but a few mistakes did get made.
Here’s my list of what we got wrong, and maybe the 2026 privacy bill
season will be a chance for other states to do better.
Right to Know mazes. Right to Know (RtK) is essential, so designing the process for doing it is too important to be left entirely to the company that holds the data. Every company can come up with their own, slightly different, process that makes it impractical for people to track down who has what info about them. Some of the maze-running steps I have had to do are listed at CPRA comments, and I have run into more since then.
Now that we know RtK mazes are a thing, there’s no excuse for a state privacy law not to require a single, standardized process as a baseline. A state could require postal RtKs which are guaranteed to be no harder than picking up some RtK forms once, and sending one email, then receiving and mailing one envelope per company. If the company can come up with an online process that’s more convenient than Business Reply Mail, and that people like better, that’s great, but requiring the postal option keeps the mazes from getting too hard.
Toll-free phone numbers for Right to Know. People
don’t want to call your call is important to us
lines and spell
all their personal info. Replace the 800 number with Business Reply
Mail, and save us all some time.
Subsidies for the compliance complex. Notice how
many compliance experts
popped up, pointing out how much
paperwork even the smallest companies will need to do to handle CCPA?
That could have been expected. Making every business do their own
version of the same documents is like making every taxpayer calculate
their own taxes—a subsidy to some well-connected firms and a tax on
everyone else.
Privacy bills should include some money to fund a standard Business Privacy Policy, along with a FAQ and how-to guide, that the state could put up under terms that allow free use by businesses in the state. Every state has some university professor who would apply for a grant to do this. They can borrow from some of the policies being written for IEEE P7012 (MyTerms). Companies that want to get clever can afford to have a special policy made, but normal legit companies should be able to use the normal legit privacy policy.
Inadequate private right of action. California has two flavors of private right of action. CCPA/CPRA only allow for private right of action in the event of a data breach, while CIPA allows for statutory damages even for JavaScript errors. States need something in the middle, where a person who experiences privacy harms can bring a case against anyone whose data practices led to those harms. California might be in the process of getting this right, though, now that we have seen what happened with the Flo case. More: Facts and Fiction on the California Invasion of Privacy Act and the problematic SB 690
Unconscionable contracts. Right now, external researchers struggle to understand Facebook and other Big Tech apps, because the terms of service restrict what research can be done there. An effective privacy law should state that any ToS that purports to limit public-interest research is unconscionable and contrary to public policy.
Missed opportunity to use state licensing for
leverage. States issue licenses for gambling apps, which are a
high-risk use for adversarial targeting—many people choose to limit
their own access to gambling, and surveillance advertising ML
learns
to avoid those limitations. A state-licensed gambling app
should be required to disclose its ad targeting practices and those of
any platform it uses. A platform that won’t provide targeting
transparency will lose out on a lucrative revenue stream until they do,
and in the meantime, people get protected. More: Do
you have a license for that robot bookie?
No protection for people and brands affected by
impersonation: Mark Ritson said it best: Martin
Lewis shouldn’t be alone in calling out Meta’s lucrative scam ads.
Right now, if a Big Tech company runs a scam ad using your name,
likeness, or trademark without permission, and they eventually take it
down, they don’t have to notify you. So the incentive is to run more
deceptive ads, because there’s very little cost to getting caught. A
requirement to disclose the infringing ad, including contact info for
the advertiser, to the offended party would shift the incentives. This
is going to be more relevant as more and more of the ads are
automatically generated by AI
, which will tend to learn
to
borrow trusted trademarks and faces.
That’s about it. Happy holidays and hope to see you next privacy bill season. More: Have you filed your compliance taxes?
Bonus links
FIT
FOR A LAWSUIT?: VPPA Claims Against Zumba Survive Motion to Dismiss
by Tammana Malik. Zumba argued that the complaint failed to allege
the disclosure of
personally identifiable information
as defined
by the VPPA, contending that it did not disclose specific video titles
and that the information shared would not allow an ordinary person to
identify an individual’s video-viewing habits. The court rejected these
arguments. It found that allegations that Zumba disclosed URLs to
webpages containing the video content were sufficient to constitute
disclosure of specific video materials,
even if individual video
titles were not expressly named. The court aligned itself with the
majority of district courts that have held that linking a user
identifier with a URL associated with video content can satisfy the
statute’s requirements.
2025
Word of the Year: Slop We define slop as
digital content of
low quality that is produced usually in quantity by means of artificial
intelligence.
This
free portable Windows tool stopped all the hidden tracking on my PC
by Tashreef Shareef. The settings are scattered across menus,
services, registry entries, and Group Policy, and it’s hard to know if
you’ve caught everything. And that’s precisely what O&O ShutUp10++
fixes. It’s a free, portable tool that brings all Windows telemetry and
privacy controls into one simple interface.