The California Office of the Attorney General issued its first opinion interpreting the California Consumer Privacy Act (CCPA) on March 10, 2022, addressing the issue of whether a consumer has a right to know the inferences that a business holds about the consumer. The AG concluded that, unless a statutory exception applies, internally generated inferences that a business holds about the consumer are personal information within the meaning of the CCPA and must be disclosed to the consumer, upon request. The consumer has the right to know about the inferences, regardless of whether the inferences were generated internally by the business or obtained by the business from another source. Further, while the CCPA does not require a business to disclose its trade secrets in response to consumers’ requests for information, the business cannot withhold inferences about the consumer by merely asserting that they constitute a “trade secret.”
Under the CCPA, the definition of “personal information” includes “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” (Civ. Code, § 1798.140, subd. (o)). The CCPA gives consumers the right to know what personal information a business collects about them. As such, a consumer has the right to request and receive the specific pieces of information “collected about” them. (Civ. Code, § 1798.110, subd. (a)). The precise question that the opinion addressed was whether a consumer’s right to receive the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences.
The opinion explained that an inference is a personal “characteristic deduced about a consumer,” such as “married” or “likely voter.” For purposes of the CCPA, “inferences” means “the derivation of information, data, assumption, or conclusions from facts, evidence, or another source of information or data.” (Civ. Code, § 1798.140, subd. (m)). The opinion held that inferences are deemed “personal information” for the purposes of CCPA when two conditions are met.
First, the inference must be drawn from any information listed in the definition of “personal information.”
California Civil Code section 1798.14(o) lists the following as personal information:
- personal identifiers (such as names, addresses, account numbers, or identification numbers);
- customer records;
- characteristics of protected classifications (such as age, gender, race, or religion);
- commercial information (such as property records or purchase history);
- biometric information;
- online activity information;
- geolocation data;
- “audio, electronic, visual, thermal, olfactory, or similar information”;
- professional or employment information;
- education information.
Second, the inference must be used to create a profile about the consumer (where a business is using inferences to predict, target or affect consumer behavior).
In its reasoning, the opinion rejected the argument that the wording of the statute “about the consumer” is limited just to personal information collected from the consumer. Inferences can be gathered directly from the consumer, found in public repositories, created internally using proprietary technology, bought, or collected from another source. The AG opinion made clear that, irrespective of their origin, inferences constitute a part of the consumer’s unique identity and become part of the information that the business has “collected about” the consumer. As such, a request from the consumer to know and receive information collected about them must disclose inferences, regardless of how such inferences were obtained or generated by the business. The AG opinion clarified that, if the inference was based on public information, such as government identification numbers, vital records, or tax rolls, the inference must be disclosed to the consumer, even if the public information itself that formed the basis of the inference need not be disclosed.
The opinion offered an example of inferences that may not need to be disclosed, namely inferences that are used solely for internal purposes and that are not used to predict a consumer’s propensity or to create a profile. A business may combine information obtained from a consumer with online postal information to obtain a nine-digit zip code to facilitate a delivery. Such zip code would not need to be disclosed to the consumer because it will not be used to identify or predict the consumer’s characteristics.
A business bears the burden of demonstrating that inferences are trade secrets under applicable law.
The opinion recognized that a consumer’s right to know about the inferences is not absolute and a business may rely on a number of exceptions to the CCPA. For example, the CCPA excludes information that is freely available from government sources, and there are specific exceptions for certain categories of information, such as medical records, credit reporting, banking, and vehicle safety records. Further, a business obligation to respond to a request for personal information may be relieved by several carve-out provisions of Section 1798.145:
- The obligations imposed on businesses by this title shall not restrict a business’ ability to:
- Comply with federal, state, or local laws.
- Comply with a civil, criminal, or regulatory inquiry . . .
- Cooperate with law enforcement agencies . . .
- Exercise or defend legal claims.
- Collect, use, retain, sell, or disclose information that is deidentified . . .
- Collect or sell a consumer’s personal information if every aspect of that conduct takes place solely outside California. . . .
(Civ. Code, § 1798.145, subd. (a)(1)).
Importantly, the opinion clarified that businesses are not required to disclose their trade secrets in response to consumers’ request for information. The opinion recognized that while an algorithm that a company uses to derive its inferences might be a protected trade secret, CCPA only requires a business to disclose an output of its algorithm, not the algorithm itself. The AG further clarified that while CCPA does not require a business to disclose trade secrets, a business does bear the burden of demonstrating that such inferences are trade secrets under applicable law, if such business would like to withhold consumers’ inferences on the ground that they are protected trade secrets. The opinion also recognized that whether a particular inference can be protected as a “trade secret” is fact-specific.
Ramifications of the opinion.
The opinion made clear that the California AG sees inferences as another piece of personal information in the bundle of consumer information that may be subject of commercial exploitation and thus subject to disclosure. While opinions on interpretations of a statute by the Office of the Attorney General are not controlling or binding on a court, they have generally been found as persuasive authority. The opinion also made clear that the California Privacy Rights Act, which becomes effective on January 1, 2023, will not change the AG’s opinion on this issue.
This opinion has an impact on the privacy practices of advertisers, data brokers, and other businesses that use behavioral analytics tools or artificial intelligence to derive personal characteristics, make profiles about consumers, and target consumers based on such particular characteristics. Such businesses need to go through the two-part test described above to determine whether inferences drawn in the context of their business are pieces of personal information and thus subject to the consumer right to know provisions of the CCPA. If the answer is yes, then these inferences must be disclosed upon request.
If a business would like to withhold an inference on the basis that the inference is a trade secret, then the business would also need to analyze whether it can protect such inference as a trade secret. The business would need to show that the inference itself derives “independent economic value” from not being generally known to the public or others who can obtain economic value from its use or disclosure. The business would also need to demonstrate that it has used reasonable efforts to maintain the secrecy of the inference and must identify the inference with “reasonable particularity.” If a business denies a consumer’s request to know “in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA,” the business would need to explain the basis of its denial, as broad assertions of “trade secret” or “proprietary information” would not suffice. (Cal. Code Regs., tit. 11, § 999.313(c)(4)).