December 1, 2022

Volume XII, Number 335


November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

November 28, 2022

Subscribe to Latest Legal News and Analysis

California Attorney General Clarifies that Inferences are Personal Information

On March 10, 2022, California Attorney General Rob Bonta (Attorney General) published the first official opinion interpreting the California Consumer Privacy Act (CCPA) and concluded that the CCPA’s right to know includes a business’ internally generated inferences about a consumer from either internal or external information sources.

Importantly, the opinion clarifies that inferences made from information that is otherwise exempt from the scope of the CCPA – such as publicly available information – are, in fact, personal information. Finally, the opinion weighs in on the tug of war between consumer privacy rights and businesses’ intellectual property and trade secret rights, definitively stating that trade secrets are completely protected from disclosure under the CCPA. These are important conclusions for businesses to consider in order to ensure CCPA compliance in the immediate term and as they ramp up for the implementation of the California Privacy Rights Act of 2020 (CPRA), which becomes fully operative on January 1, 2023, and substantially amends the CCPA.

Key Takeaways

  • In short, the Attorney General concluded that “internally generated inferences that a business holds about a consumer are personal information within the meaning of the CCPA, and must be disclosed to the consumer on request.” Opinion No. 20-303 (Opinion), p. 15. This is true even if the information off which the inferences are based is exempt from the CCPA when collected (e.g., publicly available information).

  • Arguably, though, businesses do not need to delete internally generated inferences in response to a consumer’s request to delete, even if based on personal information collected from the consumer.

  • Trade secrets are completely protected under the CCPA, but a business bears the burden of demonstrating that the withheld information is a trade secret. The inference itself might not be a trade secret and would have to be disclosed in response to a request to know; however, the algorithm that a company uses to derive its inferences may be a trade secret and, if so, would not have to be disclosed.

  • The CPRA will address this interplay between trade secret and consumer rights, whereby businesses will be required to disclose meaningful information about the logic involved in automated decision-making under the new concept of “profiling” and its related consumer rights, presenting a potential conflict between consumer rights and trade secret rights that may be addressed in upcoming rulemaking.

  • Colorado, Virginia and Utah’s omnibus privacy laws do not specifically reference inferences, but neither do they enumerate categories of personal data the way the CCPA does, and their definitions of personal data are broad enough to likely capture some types of consumer inferences. Under the Colorado Privacy Act, both the access and deletion rights apply to internally generated inferences to the extent they are personal data. Under the Virginia Consumer Data Protection Act, a consumer can cause deletion but not obtain a copy of personal data not directly collected from the consumer. Utah’s recently passed Consumer Privacy Act allows consumers to delete and obtain a copy of personal data only if the consumer previously provided it directly to the controller, and thus would not allow consumers to obtain a copy or delete internally generated inferences.

Check out the detailed analysis prepared by the team here.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 84

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

Kyle Dull Data Privacy & Cybersecurity Lawyer Squire Patton Boggs Miami Florida

A former assistant attorney general, Kyle has extensive experience investigating and litigating privacy and advertising law violations. He now draws on that experience to advise clients on their own data privacy, cybersecurity and advertising risks, and is regularly retained by corporations to defend and resolve enforcement actions.

Kyle has a solid understanding of domestic and international privacy laws and counsels digital media companies looking to protect their digital property and avoid potential legal issues by negotiating and drafting licensing, joint venture and data...

+1 305 577 2840