December 2, 2022

Volume XII, Number 336

Advertisement

December 01, 2022

Subscribe to Latest Legal News and Analysis

November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

California AG Issues Decision on Disclosure of Inference Data in Response to CCPA Access Requests

On March 10, 2022, in its first formal written opinion interpreting the California Consumer Privacy Act’s (“CCPA’s”) compliance obligations, the California Attorney General (“AG”) confirmed that the CCPA grants a consumer the right to access inferences drawn from personal information collected about the consumer, even if such inferences are generated by the business (unless the business can demonstrate that a statutory exception to the CCPA applies). The opinion also makes clear that the CCPA does not require businesses to disclose trade secrets in response to access requests. The decision interprets the CCPA’s existing language, as opposed to creating new obligations with respect to access requests made pursuant to the CCPA.

The opinion makes a distinction between inferences used to “create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” versus inferences not used to create such a profile. Pursuant to the CCPA’s definition of “personal information,” only the former is considered an “inference” and subject to disclosure in response to an access request; inferences drawn for purposes not related to profiling are not subject to the CCPA’s requirements.

Notably, the decision held that even if the underlying information used to create the inference is exempt from disclosure (e.g., because the data is “publicly available”) the inference itself is a separate piece of personal information that must be disclosed to the consumer (unless it separately falls under an exemption to the CCPA).

As noted above, the opinion makes clear that the CCPA does not require businesses to disclose trade secrets. The opinion does, however, caution that a business must explain the basis of its denial of an access request with respect to trade secrets.  The opinion further notes that, under the California Uniform Trade Secrets Act, the burden is on the trade secret holder to prove the existence of a trade secret.

The opinion also makes clear that the upcoming effective date of the California Privacy Rights Act will not change the AG’s conclusions on this matter.

Read the opinion here.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XII, Number 76
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement