December 1, 2022

Volume XII, Number 335

Advertisement

November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

November 28, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

California Attorney General’s Opinion States that Consumers’ Right to Know Includes Inferences

We all know businesses collect our data. But did you know that businesses can draw inferences from those data to determine whether a consumer is married, or is a homeowner, or is a likely voter? Recently, the question arose whether those inferences constitute personal information under the California Consumer Privacy Act of 2018 (CCPA or the Act) and whether consumers in California have a right to know about those inferences.

Attorney General Rob Bonta recently issued an opinion on a question of law to answer that very question. See Opinion of Rob Bonta, California Attorney General, No. 20-203, March 10, 2022. The question presented under the CCPA was: “Does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

The answer is yes, California consumers have a right to know internally-generated inferences unless a business can demonstrate that a statutory exception to the Act applies. The opinion begins by tracing the history of privacy laws over the past twenty years, which ultimately resulted in the enactment of the CCPA. The opinion discusses relevant provisions of the CCPA, including the duties, responsibilities, and enforcement authority of the Attorney General. The recently-enacted amendment to the CCPA, the California Privacy Rights Act (CPRA), set to take effect January 1, 2023, is also discussed as CPRA expands consumer rights, thereby making the law more consistent with European Union rules. The opinion indicates that the CPRA’s enactment does not change the analysis with respect to the opinion regarding inferences.

The substance of the analysis begins with the definition of “personal information” under the CCPA. The opinion notes that the definition of personal information under the CCPA is very broad with numerous sub parts, however, the most relevant language is as follows:

(o)(1) . . . Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household: [. . .]

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Cal. Civ. Code 1798.140 (o)(1)(A)-(K).

The opinion is clear that inferences constitute “personal information” under the CCPA. According to the analysis, if an inference is drawn from any of the personal information collected by a business that is subject to the CCPA, and that information is used to create a profile about a consumer, the inference must be disclosed to the consumer. This leads to the questions: what is an inference and why is this important?

The opinion states that an “inference” means “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data. An inference is essentially a characteristic deduced about a consumer (such as “married,” “homeowner,” “online shopper,” or “likely voter”) that is based on other information a business has collected (such as online transactions, social network posts, or public records).” This opinion is clear that the statutory definition of personal information includes inferences, and therefore, consumers are not only entitled to know what specific data points a business collects about them, but also the inferences that those data points create.

Finally, the opinion concludes that businesses are not required to disclose their trade secrets or the proprietary means they may use to create those inferences, however, the caveat is that a business that “withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law.”

Copyright © 2022 Robinson & Cole LLP. All rights reserved.National Law Review, Volume XII, Number 76
Advertisement
Advertisement
Advertisement

About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer
Counsel

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters.  She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as  drafting and reviewing contracts, business associate agreements, and data use agreements. ...

401.709.3363
Advertisement
Advertisement
Advertisement