15 Dec 2025

California has some good points (icymi, one California band doing a cover of a song by another California band: Uncle John’s Band performed by Moonalice) but nobody is perfect. Our state got a lot of ink for doing the first of the long, comprehensive privacy laws, then we voted in Proposition 24, but a few mistakes did get made. Here’s my list of what we got wrong, and maybe the 2026 privacy bill season will be a chance for other states to do better.

Right to Know mazes. Right to Know (RtK) is essential, so designing the process for doing it is too important to be left entirely to the company that holds the data. Every company can come up with their own, slightly different, process that makes it impractical for people to track down who has what info about them. Some of the maze-running steps I have had to do are listed at CPRA comments, and I have run into more since then.

Now that we know RtK mazes are a thing, there’s no excuse for a state privacy law not to require a single, standardized process as a baseline. A state could require postal RtKs which are guaranteed to be no harder than picking up some RtK forms once, and sending one email, then receiving and mailing one envelope per company. If the company can come up with an online process that’s more convenient than Business Reply Mail, and that people like better, that’s great, but requiring the postal option keeps the mazes from getting too hard.

Toll-free phone numbers for Right to Know. People don’t want to call your call is important to us lines and spell all their personal info. Replace the 800 number with Business Reply Mail, and save us all some time.

Subsidies for the compliance complex. Notice how many compliance experts popped up, pointing out how much paperwork even the smallest companies will need to do to handle CCPA? That could have been expected. Making every business do their own version of the same documents is like making every taxpayer calculate their own taxes—a subsidy to some well-connected firms and a tax on everyone else.

Privacy bills should include some money to fund a standard Business Privacy Policy, along with a FAQ and how-to guide, that the state could put up under terms that allow free use by businesses in the state. Every state has some university professor who would apply for a grant to do this. They can borrow from some of the policies being written for IEEE P7012 (MyTerms). Companies that want to get clever can afford to have a special policy made, but normal legit companies should be able to use the normal legit privacy policy.

Inadequate private right of action. California has two flavors of private right of action. CCPA/CPRA only allow for private right of action in the event of a data breach, while CIPA allows for statutory damages even for JavaScript errors. States need something in the middle, where a person who experiences privacy harms can bring a case against anyone whose data practices led to those harms. California might be in the process of getting this right, though, now that we have seen what happened with the Flo case. More: Facts and Fiction on the California Invasion of Privacy Act and the problematic SB 690

Unconscionable contracts. Right now, external researchers struggle to understand Facebook and other Big Tech apps, because the terms of service restrict what research can be done there. An effective privacy law should state that any ToS that purports to limit public-interest research is unconscionable and contrary to public policy.

Missed opportunity to use state licensing for leverage. States issue licenses for gambling apps, which are a high-risk use for adversarial targeting—many people choose to limit their own access to gambling, and surveillance advertising ML learns to avoid those limitations. A state-licensed gambling app should be required to disclose its ad targeting practices and those of any platform it uses. A platform that won’t provide targeting transparency will lose out on a lucrative revenue stream until they do, and in the meantime, people get protected. More: Do you have a license for that robot bookie?

No protection for people and brands affected by impersonation: Mark Ritson said it best: Martin Lewis shouldn’t be alone in calling out Meta’s lucrative scam ads. Right now, if a Big Tech company runs a scam ad using your name, likeness, or trademark without permission, and they eventually take it down, they don’t have to notify you. So the incentive is to run more deceptive ads, because there’s very little cost to getting caught. A requirement to disclose the infringing ad, including contact info for the advertiser, to the offended party would shift the incentives. This is going to be more relevant as more and more of the ads are automatically generated by AI, which will tend to learn to borrow trusted trademarks and faces.

That’s about it. Happy holidays and hope to see you next privacy bill season. More: Have you filed your compliance taxes?