The California Attorney General’s Office released its first opinion interpreting the California Consumer Privacy Act (CCPA) on March 10, 2022, addressing the issue of whether a consumer has the right to know of inferences a business holds on the consumer. The GA concluded that, unless a legal exception applies, internally generated inferences that a company holds about the consumer are personal information within the meaning of the CCPA and must be disclosed to the consumer, upon request. The consumer has the right to know about the inferences, whether the inferences were generated internally by the business or obtained by the business from another source. Further, although the CCPA does not require a business to disclose its trade secrets in response to consumer inquiries, the business cannot draw conclusions about the consumer simply by asserting that they constitute a “trade secret”.
Under the CCPA, the definition of “personal information” includes “inferences drawn from any of the information identified in this subsection to create a profile about a consumer reflecting preferences, characteristics, psychological tendencies, predispositions, consumer behavior, attitudes, intelligence, abilities. , and skills. (Civ. Code, § 1798.140, paragraph (o)). The CCPA gives consumers the right to know what personal information a business collects about them. As such, a consumer has the right to request and receive the specific information “collected in regards tothem. (Civ. Code, § 1798.110, clause (a)). The specific issue addressed in the notice was whether a consumer’s right to receive the specific personal information that a business has collected about that consumer applies to internally generated inferences.
The notice explained that an inference is an “inferred personal characteristic of a consumer”, such as “married” or “probable voter”. For the purposes of the CCPA, “inferences” means “the derivation of information, data, assumptions or conclusions from facts, evidence or another source of information or data”. (Civ. Code, § 1798.140, paragraph (m)). According to the notice, inferences are considered “personal information” for CCPA purposes when two conditions are met.
First, the inference must be drawn from any information listed in the definition of “personal information”.
California Civil Code Section 1798.14(o) lists the following as personal information:
- personal identifiers (such as names, addresses, account numbers or identification numbers);
- customer records;
- characteristics of protected classifications (such as age, gender, race or religion);
- commercial information (such as ownership records or purchase history);
- biometric information;
- online activity information;
- geolocation data;
- “sound, electronic, visual, thermal, olfactory or similar information”;
- professional or employment information;
- education information.
Second, the inference should be used to build a profile about the consumer (when a company uses inferences to predict, target, or affect consumer behavior).
In its reasoning, the opinion rejected the argument that the language of the law “relating to the consumer” is limited to personal information collected from the consumer only. Inferences can be collected directly from the consumer, found in public repositories, created internally using proprietary technology, purchased, or collected from another source. The AG’s opinion clarified that, regardless of their origin, inferences become part of the consumer’s unique identity and become part of the information the company has “gathered about” the consumer. As such, a consumer’s request to know and receive information collected about them must disclose inferences, regardless of how those inferences were obtained or generated by the business. The AG’s opinion clarified that, if the inference was based on public information, such as government identification numbers, vital records or tax lists, the inference must be disclosed. to the consumer, even if the public information itself that served as the basis for the inference need not be disclosed.
The notice offered an example of inferences that may not need to be disclosed, namely inferences that are used for internal purposes only and are not used to predict a consumer’s propensity or to create a profile. A business can combine information obtained from a consumer with online postal information to obtain a nine-digit ZIP code to facilitate a delivery. This zip code would not need to be disclosed to the consumer as it will not be used to identify or predict consumer characteristics.
A company bears the burden of demonstrating that inferences are trade secrets under applicable law.
The notice acknowledged that a consumer’s right to know about deductions is not absolute and that a business can rely on a number of exceptions to the CCPA. For example, the CCPA excludes information freely available from government sources, and there are specific exceptions for certain categories of information, such as medical records, credit reports, banking records, and vehicle security records. In addition, the business obligation to respond to a request for personal information may be waived by several exclusion provisions of Section 1798.145:
- The obligations imposed on companies by this title do not limit a company’s ability to:
- Comply with federal, state, or local laws.
- Comply with a civil, criminal or regulatory investigation. . .
- Cooperate with law enforcement. . .
- Exercise or defend legal rights.
- Collect, use, maintain, sell or disclose de-identified information. . .
- Collect or sell a consumer’s personal information if each aspect of that conduct takes place only outside of California. . . .
(Civ. Code, § 1798.145, paragraph (a)(1)).
Importantly, the notice clarifies that companies are not required to disclose their trade secrets in response to consumer demand for information. The notice acknowledged that while an algorithm a company uses to derive its inferences might be a protected trade secret, the CCPA only requires a company to disclose a result of its algorithm, not the algorithm itself. The AG further clarified that while the CCPA does not require a company to disclose trade secrets, the onus is on a company to demonstrate that such inferences are trade secrets under applicable law, if that company wishes withholding consumer inferences on the grounds that they are protected trade secrets. The notice also acknowledged that whether a particular inference can be protected as a “trade secret” depends on the facts.
Ramifications of opinion.
The notice made it clear that California AG considers inferences to be another piece of personal information in the group of consumer information that may be commercially exploited and therefore subject to disclosure. Although opinions on interpretations of a law by the Office of the Attorney General do not control or bind a court, they have generally been considered persuasive authority. The notice also clarified that the California Privacy Rights Act, which takes effect January 1, 2023, will not change the AG’s view on this issue.
This notice impacts the privacy practices of advertisers, data brokers and other companies who use behavioral analysis tools or artificial intelligence to derive personal characteristics, build consumer profiles and target consumers based on these particular characteristics. These businesses must go through the two-part test described above to determine whether inferences drawn in the context of their business are personal information and therefore subject to the right to know provisions of the CCPA. If the answer is yes, then those inferences must be disclosed upon request.
If a business wishes to withhold an inference on the grounds that the inference is a trade secret, it will also need to analyze whether it can protect such inference as a trade secret. The company would have to demonstrate that the inference itself derives “independent economic value” from the fact that it is not generally known to the public or others who may derive economic value from its use or disclosure . The company will also have to demonstrate that it has made reasonable efforts to maintain the secrecy of the inference and must identify the inference with “reasonable particularity”. If a business denies a consumer’s request to know “in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA,” the business will need to explain the basis for its refusal, as general assertions of “trade secret” or “proprietary information” would not suffice. (Cal. Code Regs., tit. 11, § 999.313(c)(4)).