Certain California businesses must disclose upon request the “inferences” they derive about consumers based on the personal information provided and publicly available data, according to an opinion recently issued by the state Attorney General’s Office. The California Consumer Privacy Act of 2018 (CCPA) gives consumers in the state a suite of privacy rights, including the right to know what information a covered business is holding about them and the right to opt out of sales of their personal information. According to an opinion released by Attorney General Rob Bonta and Deputy Attorney General Susan Duncan Lee, the right to know entitles consumers to know what inferences these businesses draw about them, whether the inferences are generated internally by the business or are obtained from another source. However, the opinion also made clear that the CCPA does not require businesses to disclose to consumers any trade secrets related to generating such inferences.
CCPA Application
The opinion (No. 20-303) was issued on March 10 in response to a request for clarification by State Assembly member Kevin Kiley. Specifically, Kiley asked, “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”
The CCPA applies to businesses that collect information from California consumers and that:
- Generate gross revenue of more than $25 million a year;
- Buy, receive or share for commercial purposes the information of 50,000 or more consumers a year; or
- Derive 50% or more of their annual revenue from selling consumers’ personal information.
The CCPA’s broad definition of “personal information” includes personal identifiers such as a consumer’s name, date of birth, Social Security number and other data, including a consumer’s education, employment, travel, health, credit, banking, IP addresses, online transactions, online searches, and biometric or geolocation data.
The definition of personal information also includes “inferences drawn from any of the information identified . . . to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
What Is an Inference?
An inference is a characteristic deduced about a consumer that may be based on both information the consumer has provided and information a business has collected about a consumer through available sources such as online transactions, social media posts and public records. For example, a business may surmise from this data that a consumer is married, owns a home, shops online or is likely to vote. Among other uses, inferences may facilitate the ability of a business to target advertising and solicitations and pinpoint markets for goods and services.
An inference is covered under the CCPA only when used to create a profile about the consumer. This definition rules out situations in which a business uses inferences for reasons other than predicting, targeting or affecting consumer behavior.
The opinion considers the legislative purpose of including inferences in the CCPA, which focuses on the concern about “the exploitive tendencies of collecting masses of information and using it to identify and affect unwitting consumers.” For example, seemingly unremarkable data, when combined with more personal consumer information, could be used to make more accurate deductions regarding sensitive personal attributes such as age, gender, race, ethnicity, sexual orientation and political views. The opinion noted as an example that an individual’s date and place of birth, combined with information from public databases, can be used to predict their Social Security number.
Collection ‘About’ Versus ‘From’
Inferences are considered personal information under the CCPA regardless of whether the inference is drawn from private or public information. The opinion rejected Kiley’s suggestion that where inferences are generated internally by a business, rather than collected from the consumer, they need not be disclosed to consumers.
According to the Attorney General, the CCPA gives consumers the right to receive all information collected “about” them, not just information collected “from” them. When a business creates, buys or otherwise collects inferences about a consumer, those inferences are part of the consumer’s unique identity and therefore become part of the information that the business has collected “about” the consumer.
Trade Secret Protection
Under California’s Uniform Trade Secrets Act, a trade secret is information that derives independent economic value from not being generally known to the public or others who can obtain economic value from its use or disclosure.
The opinion states that the CCPA does not require a business to disclose trade secrets.
The author declined to address the question of whether an algorithm that a business uses to derive its inferences about consumers might be considered a protected trade secret, saying the question of whether a particular kind or class of internally generated inference might be protected from disclosure fell outside the scope of the opinion. That said, the opinion concluded that the CCPA requires a business to disclose only the individualized products of its algorithm—an inference about a consumer—not the algorithm itself.
Finally, the opinion found that a business that denies a consumer’s inference disclosure request due to an exception to the CCPA must explain the nature of the information requested and the basis for its denial; merely asserting the information is a trade secret or proprietary information is not enough. Ultimately, the legal burden is on the business to prove the existence of a trade secret.