Your Privacy Is Very Important to Us: A Love Letter From the Corporations Writing Your Privacy Law

Somewhere in Washington, a lobbyist is weeping with gratitude. Not over a tax break, not over a defense contract — over a privacy bill. A privacy bill. The kind of thing that, in a sane universe, the data broker industry would be fighting like a cornered raccoon. Instead they are reading the draft aloud to each other at dinner, dabbing their eyes, occasionally pausing to say, "they really get us." 

This is the tell. When the people who profit from selling your private life are happy with the law meant to stop them, you are not looking at a privacy law. You are looking at a hostage situation with very good production values. To understand how the henhouse came to outsource its security policy to the foxes — and to be charged a convenience fee for the privilege — you have to start in 2010, the year money learned to talk and immediately would not shut up. 

How Money Got the Vote You Thought Was Yours

In 2010, the Supreme Court handed down Citizens United v. Federal Election Commission, a 5–4 ruling that torched roughly a century of campaign finance law and decided that corporations and outside groups may spend unlimited sums to influence elections (Brennan Center for Justice). Justice Kennedy's reasoning, boiled down: money is speech, corporations are speakers, and the First Amendment is far too principled to notice the difference between a retiree in Toledo and a multinational holding company headquartered in a Delaware mailbox (Constitution Center). 

The Court was building on Buckley v. Valeo (1976), which had already established the founding theology of modern American politics: spending money to influence voters is "speech," and the only kind of money the government may restrict is the cartoonishly corrupt kind — a briefcase of cash in a parking garage, what the Court chastely calls "quid pro quo corruption" (Brennan Center for Justice). Everything short of the parking garage is, legally speaking, just a spirited exchange of ideas. The ideas happen to cost millions of dollars and arrive exclusively from people who want something, but let us not be cynics. 

The majority left us two promises, both of which have held up about as well as a chocolate teapot. Promise one: independent expenditures "do not give rise to corruption or the appearance of corruption," because money you don't hand a candidate directly is supposedly of little use to him (Brennan Center for Justice amicus brief). Promise two: don't worry, transparency rules will let everyone see who's paying for what (Citizens for Responsibility and Ethics in Washington). 

How did those go? Glad you asked. 

In the decade after the ruling, more than 2,200 corporations openly admitted to roughly $313 million in donations to over 500 super PACs, while 30 corporate trade groups — which famously would rather not say who funds them, thank you — spent another $226 million, for at least $539 million in corporate election spending that we can actually see (Public Citizen). "That we can 

actually see" is the load-bearing phrase of the entire decade, because over the same stretch, dark money groups quietly spent more than $1 billion — the submerged nine-tenths of the iceberg that the famous "transparency" was supposed to float to the surface, now resting comfortably on the seabed (Public Citizen). The U.S. Chamber of Commerce alone accounted for about $143 million of that trade-group spending and has since dropped nearly $956 million on lobbying (Public Citizen). For a single trade group. That's not influence. That's a down payment on a branch of government. 

So the Court was right, in a way that should haunt it: this money does not corrupt the process. You cannot corrupt a vending machine by feeding it dollars. It is simply doing what vending machines do. Citizens United didn't invent the machine — it just bolted a coin slot to the Constitution and slapped a "Protected Speech" sticker on it. Buying the people who write the laws that govern human beings is no longer a scandal you hide. It's a line item, fully deductible, with its own quarterly review. 

Enter the Privacy Bill That Privacy Itself Would Like to File a Restraining Order Against

Periodically, Congress remembers that the public exists, and that the public is upset. And boy, is it upset. A 2024 nationally representative survey found 78 percent of U.S. adults would back a law regulating how companies collect, store, share, and use their personal data — including 79 percent of Republicans and 81 percent of Democrats (Consumer Reports). To be clear, this is a country that cannot agree on pizza toppings, the correct way to merge onto a freeway, or whether a hot dog is a sandwich. And yet four out of five of us, across the aisle, agree that maybe strangers shouldn't auction off our location history. Pew found 72 percent want more regulation of corporate data use against a heroic 7 percent who want less (Pew Research Center). Meanwhile 73 percent feel they have little or no control over what companies do with their data, and 79 percent feel the same about the government (Pew Research Center) — which is the rare case of Americans being right about both. 

So the people spoke, in numbers that would be called a mandate if they'd shown up at a ballot box. Congress, ever responsive, said: we hear you, and we have prepared a law. Sit down. You're going to love it. (You will not love it.) 

On April 22, 2026, Republicans on the House Energy & Commerce Committee's Privacy Working Group introduced the Secure Data Act, a comprehensive federal privacy framework (Mayer Brown). On paper — and oh, what lovely paper — it grants you the right to access, correct, delete, and port your data, plus the right to opt out of targeted ads and the sale of your information (Mayer Brown). It demands affirmative consent before processing sensitive data and limits collection to what's "adequate, relevant, and reasonably necessary" (Mayer Brown). 

Beautiful. A real tearjerker. Now turn to the fine print, where the bill keeps its actual personality. 

Feature 1: A data broker registry, because nothing says "we'll stop you" like a name tag 

The Secure Data Act does not abolish data brokers. It throws them a networking event. Under the bill, a data broker — a company that harvests data on people who aren't even its customers and makes at least half its money selling that data — must post a notice announcing that it is, in fact, a data broker, and register with the FTC within 12 months (Mayer Brown). The FTC then assembles a tidy, searchable public directory of all of them within 18 months (Mayer Brown). 

Marvel at the engineering. The business is trafficking in the intimate details of people who never signed up to be inventory. The remedy is to make the traffickers fill out a form and appear in a directory — like a farmers' market vendor list, except the heirloom tomato is your daughter's commute. The trade is not endangered; it is credentialed. The industry's one nagging fear — wait, are we even allowed to do this? — is now answered by federal statute with a warm, reassuring: yes, and here's your lanyard. 

Feature 2: The 45-day "whoopsie" window 

Enforcement goes to the FTC and state attorneys general. You — the person whose privacy is being sold by the gigabyte — are not invited to sue, because there's no private right of action (Mayer Brown). And here's the kicker: before anyone can come after a violator, the bill grants a 

45-day cure period, during which a company caught red-handed can quietly fix that one violation, mail in some written assurances, and watch the whole thing legally vanish (Mayer Brown). It's a smoke alarm that, on detecting a fire, politely gives the arsonist six weeks to extinguish it before deciding whether a chirp is warranted. Imagine this logic anywhere else. "Officer, I was speeding, but I've since slowed down, and here is a note." "Very good, sir, drive safe." 

Feature 3: A privacy law whose first act of business is repealing a privacy law 

In its single most honest moment, the Secure Data Act repeals the Video Privacy Protection Act (Mayer Brown) — the 1988 statute Congress passed in a fury after a newspaper got hold of a Supreme Court nominee's video rental records, and one of the precious few federal privacy laws that has ever made companies actually pay for leaking your viewing habits. Opening a privacy bill by deleting an existing privacy protection isn't a drafting error. It's an artist signing the canvas. 

Feature 4: It bulldozes the only states doing the job

This is where the strongest privacy laws in America get walked quietly behind the barn. The Secure Data Act broadly preempts state privacy laws, expressly steamrolling any state law "relat[ing] to the provisions of this Act," and even preempting chunks of the Communications Act on personal data for good measure (Mayer Brown). 

Only 19 states have managed to pass comprehensive privacy laws, and the better ones — hi, California — give consumers actual teeth the federal bill is careful not to grow (Consumer Reports). Industry has spent years and fortunes mud-wrestling these state laws one capitol at a time; in 2023, a single corporation spent nearly $1.6 million fighting a California privacy bill 

and related reforms in half a legislative session — triple its prior pace (Open Markets Institute). Preemption is the lazy genius move: instead of fighting fifty state legislatures forever, you get Congress to set a national "floor" that is, on closer inspection, a ceiling with a nice rug over it. The laboratories of democracy were producing the only enforceable protections Americans actually have, so naturally the plan is to condemn the building. 

The Part Where the Government Just Buys Your Diary

Now the magic trick. Watch the hands. 

The Fourth Amendment says the government needs a warrant to rifle through your stuff. In Carpenter v. United States (2018), the Supreme Court confirmed the government generally needs a warrant to pull your cell-site location data from your carrier, because mapping everywhere you go is precisely the kind of search the framers had in mind (Hoover Institution). A warrant. A judge. Probable cause. The full charming machinery of a free society, assembled with care. 

And then someone in government noticed the gift shop. As one legal analysis puts it without flinching: the government can buy business records without a warrant or any cause whatsoever, and the Fourth Amendment simply does not apply, because buying something from a willing seller isn't a "search" — it's retail (Hoover Institution). A separate legal analysis concludes the Constitution permits warrantless government purchases of sensitive, invasive data no matter what privacy you expected, because a purchase isn't "state action" and therefore isn't a search the Fourth Amendment regulates at all (Yale Law & Policy Review). The warrant requirement, it turns out, has a coupon code. 

This is the "data broker loophole," and it is not a thought experiment. The IRS, the Department of Homeland Security, the FBI, the Department of Defense, Customs and Border Protection, and Immigration and Customs Enforcement have all gone shopping for Americans' location and internet-activity data, neatly stepping over the very protection Carpenter announced (NACDL). ICE alone handed millions to data vendors (Criminal Legal News). The Electronic Communications Privacy Act, written three decades before this market existed, left a gap big enough to drive a surveillance program through: agencies can simply purchase what they'd otherwise need a court order to demand (Center for Democracy & Technology). 

So here is the two-stroke engine a corporate-friendly privacy law is so very careful to keep purring: 

The corporations make money selling the intimate details of your life — where you go, what you buy, what you search, who you love. 

The government buys that same data off the shelf and runs surveillance that would require a warrant if it had the bad manners to collect the data itself. 

The Fourth Amendment isn't violated. It's detoured — like a toll road everyone agrees to take the frontage road around. You pay twice: once when your life is harvested, and again when it's used to watch you. At no point does a judge, or your consent, get so much as a cameo. 

And before anyone protests that closing this is hard — there's already a bill. The Fourth Amendment Is Not For Sale Act would simply forbid federal law enforcement and intelligence agencies from buying broker data without a court order (Brennan Center for Justice). The House 

even passed it, 219–199, in April 2024 (LeakCheck). Then it did what decent bills do in a Citizens United economy: it shuffled over to the Senate to die in a quiet room, administration opposed, no floor vote on the calendar (LeakCheck). The bill that's actually moving — the Secure Data Act — leaves the loophole untouched, lovingly preserving the right to "cooperate with law enforcement" and asking only that a privacy notice mention that your data may go to the government (Mayer Brown). You'll be informed you're under surveillance the way you're informed about arbitration clauses: paragraph nine, six-point font, right after "we value your trust." 

The bill that protects you flatlines. The bill that protects the revenue stream sprints. This isn't bad luck. It's a sorting algorithm, and the sort key is money. 

A Postcard From the Front: California's SB 1076

If all this feels too abstract, here is the same heist pulled off at the state level, where the camera is close enough to read the getaway driver's lips. And it showcases the industry's favorite move: never attack a popular privacy law from the front. Sneak around back and "amend" it until it can't stand up. 

In 2023, California passed the Delete Act (SB 362), a genuine consumer win. It ordered the California Privacy Protection Agency to build one free, one-stop button — now live as the Delete Request and Opt-out Platform, or DROP — that lets a Californian fire a single request to delete their data from every registered broker at once (California Privacy Protection Agency). DROP went live January 1, 2026, and as of August 1, 2026, the 500-plus registered brokers must actually honor those deletions (California Privacy Protection Agency). For an industry whose entire profit model is friction — the devout hope that you'll rage-quit somewhere around opt-out number forty-three — a universal one-click delete button is roughly the meteor and they are the dinosaurs. 

So the industry did not storm Sacramento demanding the right to keep selling you. That would be gauche, and worse, on camera. Instead, in 2024, in waltzed Senate Bill 1076, dressed up as a humble technical tune-up to the Delete Act's "accessible deletion mechanism." A legislative analysis put it without makeup: the bill "imposes a series of requirements on consumers and their authorized agents before they can effectively exercise their rights" (California Senate Judiciary Committee analysis). A privacy bill whose actual job was to make privacy harder. It even brought its own little Trojan horse to the gates of Troy and knocked politely. 

And the bill's family tree was right there in the record: SB 1076 was co-sponsored by the Consumer Data Industry Association and cheered on by the Network Advertising Initiative — the data broker and ad-targeting industries, lobbying to "fix" the very law built to leash them (California Senate Judiciary Committee analysis). This is where mePrism — the company I founded and run — joined a coalition of privacy advocates filing opposition with the Senate Judiciary Committee, shoulder to shoulder with the Privacy Rights Clearinghouse (which sponsored the original Delete Act) and Consumer Reports (California Senate Judiciary Committee analysis). The details deserve a wider audience, because they are a clinic in how to strangle a law without leaving prints. 

The CCPA lets you appoint an authorized agent — a service that goes out and exercises your opt out and deletion rights against the hundreds or thousands of companies holding your data, because no mortal has the time to track them all down individually. California's own Attorney General called the right to opt out of data sales "a hallmark of the CCPA," and in January 2023 launched an enforcement sweep specifically against businesses that ignored requests from authorized agents (California Office of the Attorney General). Authorized agents are the one thing that makes mass opt-out work at human scale. Which is, of course, exactly why SB 1076 went for their kneecaps — using two provisions cleverly disguised as gifts: 

A registration mandate. SB 1076 would have forced every authorized agent to register with and be certified by the state before lifting a finger — resurrecting the precise government registration requirement that California regulators had already deliberately deleted from the CCPA years earlier, having correctly diagnosed it as a roadblock. The drafting was so indiscriminate it didn't bother distinguishing companies from individuals, which means a parent would have had to register with the state of California before deleting their own kid's data. A bug, surely. Or, more likely, a feature in a Halloween costume. 

A fee ban, gift-wrapped as generosity. SB 1076 would have barred authorized agents from charging any fee. "Free!" sounds wonderful until you remember that wrangling thousands of brokers — each with its own baroque, broken, or entirely imaginary opt-out process — takes proprietary software, automation, and dogged legal follow-up, none of which runs on enthusiasm. Ban the fee and you don't hand consumers a free service; you simply evict every service from the market and leave each Californian to duel the brokers solo, one at a time, forever — which was the whole point. As the opposition letter warned, the provision "may appear to protect consumer rights... but this Committee should not be fooled." 

There's the magic trick again. The provision that looks most generous — free service! — is the one engineered to be most lethal, because killing the agents kills the only practical way to exercise the right at scale. It's the data broker industry handing you a complimentary lifeboat, neglecting to mention the hole drilled in the hull, and then noting — accurately, with a straight face — that they never charged you a dime for it. 

And here's the ending the brokers don't put on the brochure: it flopped. Staring down that opposition coalition, the author didn't fight for his own bill — he yanked it. The hearing was, per the official record, "canceled at the request of author," and SB 1076 now sits in the legislative morgue marked failed and dead (LegiScan) — a defeat the Electronic Frontier Foundation listed among the session's brightest wins for privacy (Electronic Frontier Foundation). The Delete Act lived. DROP launched right on schedule. The dinosaurs saw the meteor and could not buy a deflection. 

And the through-line snaps perfectly into place. Federally: the warrantless-purchase loophole and the broker registry preserve the racket while the bill that would fix it dies in a Senate cloakroom. At the state level: SB 1076 tried to weld the friction back onto a law expressly built to remove it, betting nobody would read past the friendly title. And the Secure Data Act's signature move — preempting state laws — is the very same fight from orbit. California, with its Delete Act, its DROP button, and its authorized agents, is the strongest real protection in the country, which is exactly why a corporate-friendly federal bill would so dearly love it to stop existing.

What Happens When Everybody Hates a Law and It Passes Anyway

Back to the punchline, which is just the numbers read in the right order. About 78 percent of Americans want a real privacy law (Consumer Reports). About 72 percent want more corporate data regulation, not less (Pew Research Center). In a functioning democracy this is the layup of layups — the bill you pass before lunch and put on a campaign mailer by dinner. 

And yet the version gathering speed is the one that registers the brokers, repeals an existing protection, hands violators a 45-day mulligan, locks citizens out of the courthouse, bulldozes the strong state laws, and leaves the government's data-shopping cart fully stocked. What nearly everyone wants is not what gets written, for the simplest reason in politics: the people who want it are not the people whose "speech" the building is wired to hear. 

That's the whole arc, from a 2010 campaign-finance ruling to a 2026 privacy bill. Citizens United didn't personally draft the Secure Data Act. It did something more durable — it set the exchange rate. Once unlimited corporate spending to bend government became constitutionally protected speech that, by judicial decree, cannot corrupt (Brennan Center for Justice), it became not just legal but normal for the deepest pockets to be the loudest voices in the room. Big Tech spent a record $61.5 million on federal lobbying in 2024, much of it on data and AI (Quorum), and eight of the largest tech and AI firms dropped a combined $36 million in just the first half of 2025 — roughly $320,000 for every single day Congress was in session (Issue One). 

You get one vote, cast every couple of years, in a district that may have been drawn around your house like a chalk outline at a crime scene. The data broker industry gets $320,000 a day in continuous, professionally catered, year-round "speech." The Constitution insists these are the same thing. One of them just happens to come with a microphone the size of a building. 

So the answer to "what happens when data privacy rights are drafted by a government of, by, and for corporations" isn't really a question. It's a caption for the bill already on the table. It will be called a privacy law. It will arrive with a press release about giving Americans control over their data (House Committee on Financial Services). It will offer you rights you can technically exercise by filling out forms with the same companies that already ignored your last form. And beneath all that consumer-friendly chrome, it will leave the two engines that actually matter running at full throttle: the corporate machine that sells your private life, and the government machine that buys the receipt so it never has to ask a judge. 

Everyone will hate it. It may pass anyway. And the joke that needs no punch-up is this: it won't pass despite being hated by 78 percent of the country. It'll pass because being hated by 78 percent of the country is, at today's prices, simply cheaper than $320,000 a day. 

But here's the part the lobbyists would rather you not circle. SB 1076 was exactly the kind of quiet, technical, reassuringly-titled amendment that usually glides through on a Tuesday — and it never even got a vote. Not by magic. A coalition of privacy advocates read the fine print, stood up in Sacramento, and said, out loud and on the record, here is who this bill is actually for — and the author pulled it rather than defend it in the daylight (LegiScan). That's the entire trick to beating these things, and it's almost insultingly simple: read the bill, find the beneficiary, and name them before the vote. It works often enough to be worth doing every single time. 

The henhouse, you'll be relieved to hear, has adopted a brand-new privacy policy. It was drafted, after extensive stakeholder consultation, by the foxes. They want you to know your rights are extremely important to them, and that you may opt out at any time — simply click the link at the bottom of the page, which has been temporarily disabled. For your security.