June 25, 2022

Volume XII, Number 176

Advertisement
Advertisement

June 24, 2022

Subscribe to Latest Legal News and Analysis

June 23, 2022

Subscribe to Latest Legal News and Analysis

June 22, 2022

Subscribe to Latest Legal News and Analysis

In First CCPA “Opinion”, California AG Clarifies Scope of Access Requests

The California AG recently issued an opinion interpreting the scope of information that should be provided to consumers in an access request. In responding to access requests, companies must provide a list of all personal information that it has about that consumer. The AG opinion clarifies that inferences a company draws from personal information should be included in such a response.

The CCPA defines inferences as the “derivation of information, data, assumption, or conclusions from facts, evidence, or another source of information or data.” For example, if a consumer indicates that they pay homeowner taxes, a company would likely conclude that the consumer is a homeowner. Or, if a consumer purchases an “I voted” shirt a company may conclude that the consumer is a likely voter. The AG provides a two-step test to help determine what information is an inference. First, is the information derived from personal information? If yes, and the company can use this information to create a profile about the consumer, or to predict a characteristic, then that information is an inference. Companies are not required to disclose the inputs or algorithms that form the inferences. Notably, the AG stated that even if the underlying information is exempt from disclosure (for example, the original data was not personal information since it was publicly available), the inference of this information will be subject to an access request.

Putting it Into Practice. Businesses subject to the CCPA (and the forthcoming CPRA) should revisit their individual rights request policies and procedures. Specifically, to verify that inferences are being included when responding to an access request.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 83
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Dhara Shah Law Clerk Chicago Shephard Mullin Richter & Hampton LLP
Law Clerk

Dhara Shah is an law clerk in the Intellectual Practice Group in the firm’s Chicago office.

312-499-6336
Advertisement
Advertisement
Advertisement