California Attorney General Clarifies that Inferences are Personal Information
On March 10, 2022, California Attorney General Rob Bonta (Attorney General) published the first official opinion interpreting the California Consumer Privacy Act (CCPA) and concluded that the CCPA’s right to know includes a business’ internally generated inferences about a consumer from either internal or external information sources.
Importantly, the opinion clarifies that inferences made from information that is otherwise exempt from the scope of the CCPA – such as publicly available information – are, in fact, personal information. Finally, the opinion weighs in on the tug of war between consumer privacy rights and businesses’ intellectual property and trade secret rights, definitively stating that trade secrets are completely protected from disclosure under the CCPA. These are important conclusions for businesses to consider in order to ensure CCPA compliance in the immediate term and as they ramp up for the implementation of the California Privacy Rights Act of 2020 (CPRA), which becomes fully operative on January 1, 2023, and substantially amends the CCPA.
In short, the Attorney General concluded that “internally generated inferences that a business holds about a consumer are personal information within the meaning of the CCPA, and must be disclosed to the consumer on request.” Opinion No. 20-303 (Opinion), p. 15. This is true even if the information off which the inferences are based is exempt from the CCPA when collected (e.g., publicly available information).
Arguably, though, businesses do not need to delete internally generated inferences in response to a consumer’s request to delete, even if based on personal information collected from the consumer.
Trade secrets are completely protected under the CCPA, but a business bears the burden of demonstrating that the withheld information is a trade secret. The inference itself might not be a trade secret and would have to be disclosed in response to a request to know; however, the algorithm that a company uses to derive its inferences may be a trade secret and, if so, would not have to be disclosed.
The CPRA will address this interplay between trade secret and consumer rights, whereby businesses will be required to disclose meaningful information about the logic involved in automated decision-making under the new concept of “profiling” and its related consumer rights, presenting a potential conflict between consumer rights and trade secret rights that may be addressed in upcoming rulemaking.
Colorado, Virginia and Utah’s omnibus privacy laws do not specifically reference inferences, but neither do they enumerate categories of personal data the way the CCPA does, and their definitions of personal data are broad enough to likely capture some types of consumer inferences. Under the Colorado Privacy Act, both the access and deletion rights apply to internally generated inferences to the extent they are personal data. Under the Virginia Consumer Data Protection Act, a consumer can cause deletion but not obtain a copy of personal data not directly collected from the consumer. Utah’s recently passed Consumer Privacy Act allows consumers to delete and obtain a copy of personal data only if the consumer previously provided it directly to the controller, and thus would not allow consumers to obtain a copy or delete internally generated inferences.