REMINDER: WE ARE ON A VACATION SCHEDULE THIS WEEK.

Our morning content is free for all subscribers and guests! Usually our afternoon content is behind a paywall… If you are not yet a paid subscriber, consider upgrading — you are missing a significant portion of what we produce each week, and your support makes it possible. If you want to get it all and support my efforts, please consider a paid subscription!

You can also listen to this post on our podcast feed, So, Does It Matter? SPOKEN. It is available on your favorite podcast app. And you can listen to it here.

⏰ 5-minute read

The Fight Is About Consent

A year ago, after a reader brought Senate Bill 690 to my attention, I wrote about what looked like a quiet but serious effort to weaken California’s privacy protections. It caught my eye because privacy is one of those issues that the public usually learns about too late. By the time people realize how much of their personal information has been collected, shared, stored, sold, or obtained by government, the system has already been built around the assumption that their data is there for the taking.

At the time, SB 690 was moving through the Legislature with little public attention. Supporters described it as a technical modernization of an older law. Critics warned it could make it harder for consumers to defend their privacy rights. Since then, opposition has grown, and that should matter. A growing coalition of privacy advocates, consumer groups, and civil-liberties organizations is warning that lawmakers may be weakening existing protections without providing an adequate replacement.

That should cause legislators to slow down and explain exactly what Californians are gaining in exchange for narrowing protections they already have. If your personal information belongs to you, then no website, company, data broker, or government agency should be entitled to it by default.

California Has Privacy Backward

California politicians frequently portray the state as a national leader on privacy. Maybe in some ways it is. But for most people, that claim probably feels more theoretical than real. Every day, websites gather information about what we read, what we buy, what we search for, where we go, and how we behave online. Most consumers have little idea how much is collected, where it goes, who receives it, or how long it is retained.

The basic problem is that California’s privacy framework still relies too heavily on an opt-out model. Consumers are expected to read lengthy privacy policies, understand complex disclosures, locate obscure settings, and repeatedly take action to protect information that should already be theirs.

The burden should not be on consumers to stop companies from taking their information. The burden should be on companies to obtain permission before collecting it. That is the part of this debate too often buried under old statutes, newer frameworks, commercial-purpose exemptions, and litigation reform. Those details matter, but they should not obscure the basic principle: no one should get your data unless you say yes.

The Wrong Fix For Lawsuit Abuse

Supporters of SB 690 argue that California’s older privacy laws were written for a different era and that the state’s newer privacy framework should serve as the primary vehicle for protecting consumers. The relevant older law was enacted in 1967. Modern websites did not exist. And California does have a serious problem with lawsuit-driven policymaking.

I have spent years criticizing excessive litigation, private-attorney-general abuse, and California’s lawsuit-driven policymaking. But privacy is different, because rights that cannot be meaningfully enforced often become little more than suggestions.

The answer to this problem is not more lawsuits. It is a clearer rule: if a site wants to collect personal data, it must ask first.

If lawmakers want Californians to rely less on older privacy protections and more on the state’s newer privacy framework, then that framework should first be strengthened to provide real affirmative consent and meaningful enforcement. Existing protections should not be weakened unless consumers receive equal or stronger protections in return.

SB 690 appears to move in the opposite direction by creating broader exemptions for businesses that collect and use consumer data without first proving that consumers are receiving stronger protections. If the concern is legal exposure, the cleaner answer is not to narrow the privacy law. It is for websites to use a true opt-in system and obtain real consent before collecting personal data.

A website operator that plainly asks permission and receives explicit approval before acquiring or retaining personal data is not the problem. So the obvious question is why Sacramento is considering weakening the privacy law instead of requiring websites to obtain real consent.

Your Data Should Not Become A Shortcut

This issue is not limited to advertising, marketing, or Big Tech. Once personal information is collected, it can be sold, shared, transferred, exposed through a breach, subpoenaed, or obtained by government agencies.

That is the danger of building a system where data collection is treated as the default. Big Tech benefits because more data means more power, more profiling, and more money. Government benefits because commercially collected information can become available without government having to collect it directly.

Neither should be acceptable.

If law enforcement wants access to personal information, it should go through a lawful process. If a company wants access to personal information, it should ask permission. A free society should not make personal data easy pickings for either corporate giants or government agencies.

This is where the usual partisan categories do not work very well. A conservative should be skeptical of government power. A libertarian should be skeptical of surveillance. Anyone who cares about personal autonomy should be skeptical of a system that lets powerful institutions gather enormous amounts of information and then leaves citizens hoping it will not be misused later.

So, Does It Matter?

The debate over SB 690 ultimately comes down to who controls your personal information. The question is not whether a law enacted in 1967 is old, or whether compliance creates burdens for businesses. The question is whether Californians actually have a right to privacy online.

If lawmakers genuinely believe consumers deserve privacy protection, then the standard should be straightforward: no website should be permitted to collect, share, sell, transfer, or monetize personal information without clear user consent. Not through a buried disclosure. Not through a confusing privacy policy. Not through an opt-out link that most people will never find.

Through a real choice.

Until safeguards like that are in place, California lawmakers should not weaken existing privacy protections. You cannot credibly claim to support the privacy rights of internet users while supporting legislation that reduces existing protections before stronger ones are put in place.

Privacy should be the default setting, not something consumers are forced to fight to keep.