On March 10, 2022, the California Office of Attorney General Rob Bonta (OAG) issued an opinion (the Opinion) interpreting the California Consumer Privacy Act (CCPA) and concluding that consumers have a right to know “internally generated inferences” drawn from the consumer when they are derived from personal information and are used to create a profile about that consumer, regardless of whether the inferences are based on personal information obtained from the consumer, are generated internally by the business (e.g., through a proprietary process), or are obtained from another source. However, the Opinion also clarified that the CCPA does not require businesses to disclose any trade secrets related to the development of such inferences when responding to consumer requests.
Background
The CCPA is a comprehensive state privacy law that provides California consumers with a number of rights related to their personal information, including the right to know what specific pieces of personal information covered businesses hold about them. It is the first law of its kind in the United States, and several states, including Colorado, Virginia, and, most recently, Utah, have since followed in California’s footsteps in enacting comprehensive state privacy laws.
The CCPA applies to businesses that collect information from consumers in California that either: have gross revenues exceeding $25 million a year; buy, receive, or share for commercial purposes the information of 50,000 or more California residents, households, or devices a year; or derive 50 percent or more of their annual revenue from selling California residents’ personal information.
A business subject to the CCPA must give consumers control over their personal information. “Personal information” is broadly defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code section 1798.140(o)(1). This is important to note, as this broad definition accounts for information linkable to an individual irrespective of whether it is collected from devices, automobiles, home appliances, or via cookies and pixels on websites or other common means, subject to a few exceptions under the law.
What “right to know” does the consumer have?
The “right to know” includes two components. First, at the time of collection, a business must inform the consumer about what personal information it collects (and for what purpose). This is typically done via a privacy policy. Second, the business must provide the consumer with the ability to access the personal information that a business has collected about them, which is referred to as a “data subject access request” (DSAR). Given this, it is important that businesses understand what data likely constitutes personal information, as a business will generally be required to provide this data to the consumer if the consumer submits a DSAR.
Within the definition of “personal information,” the CCPA explicitly lists examples of what constitutes personal information including personal identifiers (such as real names, aliases, online identifiers, email addresses, social security numbers), biometric information (such as fingerprints and voiceprints), and Internet activity information (such as browsing history and search history).
The definition of “personal information” also includes “inferences” drawn from the pieces of information listed in the CCPA when used to “create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” Notably, the Opinion sets out that “inferences” are subject to access requests, irrespective of whether the inferences were generated from public or private sources.
What are inferences?
The CCPA defines an inference as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” As summarized in the Opinion, “[a]n inference is essentially a characteristic deduced about a consumer (such as ‘married,’ ‘homeowner,’ ‘online shopper,’ or ‘likely voter’) that is based on other information a business has collected.” Unlike other forms of personal information, such as a consumer’s name or address, an internally generated inference is not collected from or known by the consumer. Rather, an internally generated inference is information created by the business about the consumer, and, according to the OAG, “[i]n almost every case, the source as well as the substance of these inferences is invisible to consumers,” which can arguably have a significant impact on consumer engagement, offers, and messaging.
The OAG recognized that businesses may independently “create inferences using their own proprietary methods,” for example, through proprietary algorithms or technology. And although the business may be required to disclose the inference, the Opinion provides that the “CCPA does not require businesses to disclose their trade secrets in response to consumers’ requests for information.” Businesses should exercise caution in denying verified DSARs on this basis, however, and should generally provide a more meaningful and understandable reason for the denial rather than a blanket assertion of “trade secret.”
The Opinion states that when a business receives a verified DSAR, the business must disclose the internally generated inferences when two conditions are met: (1) the inferences are derived from the consumer’s personal information and (2) the inferences are used by the business to create a profile about the consumer. On the first condition, the Opinion clarifies that it does not matter how the business generates the inference or the source of the information the inference is based on. Specifically, the Opinion states that “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.” The inference is still considered personal information that may be subject to disclosure in response to a verified DSAR.
Notably, the Opinion emphasized that the inference must be disclosed in response to a DSAR “regardless of whether the information was based upon public information.” The OAG highlighted that even if the public information does not have to be disclosed as part of the access request, the inference itself, once drawn, becomes personal information and must be disclosed. For example, if an inference is drawn as a result of a consumer’s publicly available employment status, the inference itself would have to be included in the response to the verifiable access request even if the employment status does not need to be disclosed.
On the second condition, the Opinion explains that the fact that the inference must be used to “create a profile” about a consumer is meant to narrow the set of inferences that need to be disclosed. The intent for this limitation is to rule out situations where a “business is using inferences for reasons other than predicting, targeting, or affecting consumer behavior.” To clarify, the OAG gives an example of an inference that may not be required to be disclosed: when a business combines information obtained from a consumer with online postal information to obtain a zip code to allow for delivery and then deletes the zip code and does not use it to “identify or predict the characteristics of a consumer.”
Thus, businesses that draw inferences from personal information should take the additional step to determine whether they are using the inference to create a profile to “predict, target, or affect consumer behavior.” The OAG takes the position that consumers have a right to know if a business is making these deductions and creating profiles about a consumer because if so, such inferences are subject to the access request under the law.
The Opinion provides some helpful clarity as to one of the many ambiguous layers of the CCPA that was subject to differing interpretations. It also demonstrates the OAG’s intention to provide consumers with more information and control with respect to what information is collected and how it is used with a particular focus on personal information that is used for profiling and marketing.
Key takeaways
- Industry effects
Several industries, such as advertisers and data brokers, rely on internally generated inferences and profiling as a part of their business. Businesses in these industries should ensure that their compliance programs treat inferences as personal information, including granting access to inferences when responding to DSARs pursuant to the CCPA.
- Potential enforcement priority
The Opinion goes into detail about potential harms the OAG believes internally generated inferences can cause, and the OAG refers to internally generated inferences as being “at the heart of the problems that the CCPA seeks to address.” The OAG’s relatively strong language could suggest that compliance around internally generated inferences will be an enforcement priority for the OAG going forward.