California Attorney General’s Opinion States that Consumers’ Right to Know Includes Inferences
Thursday, March 17, 2022
California Consumers’ Right to Know Includes Inferences
Print Mail Download i

We all know businesses collect our data. But did you know that businesses can draw inferences from those data to determine whether a consumer is married, or is a homeowner, or is a likely voter? Recently, the question arose whether those inferences constitute personal information under the California Consumer Privacy Act of 2018 (CCPA or the Act) and whether consumers in California have a right to know about those inferences.

Attorney General Rob Bonta recently issued an opinion on a question of law to answer that very question. See Opinion of Rob Bonta, California Attorney General, No. 20-203, March 10, 2022. The question presented under the CCPA was: “Does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

The answer is yes, California consumers have a right to know internally-generated inferences unless a business can demonstrate that a statutory exception to the Act applies. The opinion begins by tracing the history of privacy laws over the past twenty years, which ultimately resulted in the enactment of the CCPA. The opinion discusses relevant provisions of the CCPA, including the duties, responsibilities, and enforcement authority of the Attorney General. The recently-enacted amendment to the CCPA, the California Privacy Rights Act (CPRA), set to take effect January 1, 2023, is also discussed as CPRA expands consumer rights, thereby making the law more consistent with European Union rules. The opinion indicates that the CPRA’s enactment does not change the analysis with respect to the opinion regarding inferences.

The substance of the analysis begins with the definition of “personal information” under the CCPA. The opinion notes that the definition of personal information under the CCPA is very broad with numerous sub parts, however, the most relevant language is as follows:

(o)(1) . . . Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household: [. . .]

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Cal. Civ. Code 1798.140 (o)(1)(A)-(K).

The opinion is clear that inferences constitute “personal information” under the CCPA. According to the analysis, if an inference is drawn from any of the personal information collected by a business that is subject to the CCPA, and that information is used to create a profile about a consumer, the inference must be disclosed to the consumer. This leads to the questions: what is an inference and why is this important?

The opinion states that an “inference” means “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data. An inference is essentially a characteristic deduced about a consumer (such as “married,” “homeowner,” “online shopper,” or “likely voter”) that is based on other information a business has collected (such as online transactions, social network posts, or public records).” This opinion is clear that the statutory definition of personal information includes inferences, and therefore, consumers are not only entitled to know what specific data points a business collects about them, but also the inferences that those data points create.

Finally, the opinion concludes that businesses are not required to disclose their trade secrets or the proprietary means they may use to create those inferences, however, the caveat is that a business that “withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law.”

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

FTC Votes to Finalize Rule Banning Non-Compete Agreements Nationwide
by: Ian T. Clarke-Fisher , Trevor L. Bradley
Cisco Releases Updates to Vulnerabilities in Firewall Platforms
by: Linn F. Freedman
USPTO Issues Guidance on Use of AI Based Tools
by: Daniel J. Lass
California Trap & Trace Class Actions on the Rise in the Age of Website Trackers
by: Kathryn M. Rattigan
Aid Package Signed by President Biden Includes Divestiture of TikTok Requirement
by: Linn F. Freedman
Privacy Tip #395 – GM Faces Class Action for Collecting + Disclosing Drivers’ Data Without Consent
by: Linn F. Freedman
AI, Government Contractors, and Employment Discrimination
by: Data Privacy & Cybersecurity Robinson Cole
Chicago’s Application of Parking Regulations Violates RLUIPA
by: Eden (Hunter) Yerby
The Department of Education Releases Significant Revisions to Title IX Regulations
by: Kathleen E. Dion , Seth B. Orkand
Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins