• by Wendy Davis  @wendyndavis, January 18, 2019

A group of privacy experts are warning California lawmakers about potential problems with the state's new privacy law.

The California Consumer Privacy Act, slated to take effect next year, allows consumers to learn what personal information about them is held by businesses, and to opt out of the sale of that information.

Consumer advocacy groups supported the law, but the ad industry and business groups are pressing for changes. Earlier this week, the Association of National Advertisers asked California Attorney General Xavier Becerra to clarify the law by passing regulations that could make the measure more marketer-friendly.

The privacy experts now weighing in say there is an “urgent need for major changes” to the law, which they argue may be unconstitutional.

“In our view, the CCPA needs many substantial changes before it becomes a law that truly benefits California,” reads a letter to state lawmakers, signed by Santa Clara University law professor Eric Goldman on behalf of himself and 40 other privacy experts -- including Michael Rhodes of the Silicon Valley firm Cooley (which represents Facebook, Google and other tech companies) and Berin Szoka of the libertarian group TechFreedom. 

One of the major concerns flagged by the experts is that the measure could regulate businesses that lack significant ties to the state. If so, the law could violate the Constitution, because only Congress is allowed to regulate interstate commerce.

“The CCPA’s purported application to activity outside of California raises substantial Constitutional concerns and potentially exposes the state to expensive and distracting litigation,” the letter states. “More importantly, it causes tremendous uncertainty and possibly wasted expenditures for businesses without real ties to California.”

AT&T raised a similar argument late last year, in comments submitted to the Federal Trade Commission.

Another concern raised in the letter centers on the law's definitions of terms like “personal information.”

The law defines personal information broadly, as data that could be linked to particular consumers or households. The statute specifies that this definition includes browsing history, search history, data regarding interactions with websites, apps and ads. It also includes geolocation data and “audio, electronic, visual, thermal, olfactory, or similar information.”

But the privacy experts who signed the letter say some of those examples -- including thermal and olfactory information, “are nonsensical.”

The Association of National Advertisers has also argued that the law's definition of personal information is too broad. “Any data theoretically is 'capable of being associated with' a particular consumer, which means that there is no reasonable limitation on the scope of the law,” the ANA said in a testimony submitted to Becerra this week.

But consumer groups and digital rights advocates say the new law should be made even stronger. Last month, a coalition of watchdogs and advocacy organizations said the law should also prohibit companies from using data in ways that consumers don't expect. For instance, they said in a letter to state lawmakers, social media companies should be prohibited from “using inferences it makes about individuals’ emotional states to target them with ads.”