The law’s chief innovation is requiring consent before companies collect some limited types of sensitive information. Like laws in California, it also includes some individual rights to access and delete information, and it gives people the right to opt out of some types of data sales and targeted ads.

The problem is that it introduces a slew of exceptions that make it unclear whether many big name companies even need to apply. The law was passed so quickly it’s unclear whether these exceptions are accidents or intentional efforts to let companies off the hook for privacy violations. All sorts of companies and types of data are excluded.

The law also purports to include limits on how companies can collect and use data, which are known as data minimization and purposes specification provisions. These are designed to stop practices like phone flashlight apps from secretly selling location data, but the law’s provisions aren’t very restrictive. Many requirements are conditioned on being disclosed to consumers, which sounds empowering in theory, but really just means the privacy policies no one reads will just get longer.