The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.

The CCPA provides for the right of consumers to “request that a business that collects personal information about the consumer disclose to the consumer,” among other things, the “specific pieces of personal information it has collected about the consumer.” Critically for the OAG opinion, the CCPA defines “personal information” to include “[i]nferences drawn from any of the information identified . . . to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Taking these provisions into account, the OAG concluded that the CCPA “purposefully gives consumers a right to receive inferences, regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source.” The OAG opinion explains that inferences are “personal information,” which must be disclosed whenever

  1. the inference is drawn from information collected pursuant to CCPA and
  2. the inference is used to “create a profile about a consumer” or “predict a salient consumer characteristic.”

As to the first element, the CCPA covers a broad range of information—including, as the OAG observed, “many kinds of information that are a matter of public record” (e.g., information found on property listings). Noting, then, that this clause “draws no distinction” between sources of such information, the OAG asserted that inferences constitute personal information “regardless of whether they have been generated internally . . . or received from another source.”

As to the second element, the OAG found that this language “narrows the set of inferences that must be disclosed,” limiting the disclosure requirement to inferences used for “predicting, targeting, or affecting consumer behavior.”

Finally, the OAG stated that the CCPA does not require businesses to disclose trade secrets, referring to language in the CCPA and CPRA explicitly noting “that trade secrets should not be disclosed in response to a verifiable consumer request.” The OAG went on, however, to note that a denial of any request for information on this basis must explain the nature of the information at issue and the basis for the denial. Critically, a blanket assertion of “trade secret” will not suffice; instead, the response must be “meaningful and understandable.”

While OAG opinions are advisory and are not legally binding on courts, agencies, businesses, or individuals, they do offer important guidance and are often treated as persuasive authority by courts. Accordingly, businesses subject to the CCPA should be conscious of the following implications of the opinion:

  • Publicly available information does not qualify as “personal information” and so does not have to be disclosed. As stated by the OAG, however, inferences based on public information must be disclosed “even if the public information itself need not be disclosed in response to a request for personal information.” Thus, the act of creating inferences eliminates this shield on the disclosure requirement.
  • On the other hand, the disclosure requirement does not extend to inferences that aren’t made about a consumer’s propensities. For example, as posed by the OAG, combining consumer-supplied information with online postal information to obtain a 9-digit zip code in order to facilitate delivery would not be included, so long as the zip code is deleted and isn’t used to predict characteristics of the consumer.
  • Trade secrets are only given limited protection from disclosure:
    • Where a business claims a given inference is a trade secret, the OAG opinion offers little guidance other than that the justification for doing so must be “meaningful and understandable,” which presents certain risks, particularly since, as the OAG observed, the business “bears the ultimate burden of demonstrating that such inferences are indeed trade secrets.”
    • Where a business claims that the algorithm or process that derives such inference is a trade secret, the inferences themselves obtain no protection from disclosure, and the business is subject to the risk (however small) of reverse engineering of the protected process.

This broad understanding that internal inferences are considered personal information could arguably be interpreted to extend to the other rights and obligations imposed by the CCPA such as the right to opt out of the sale of personal information, the requirement to provide notice of categories of personal information collected, and the bar on retaining information “longer than is reasonably necessary” all of which either cover information “about the consumer” or simply “personal information” more generally in the text of the CCPA. One provision that may not be swept in, however, is the requirement to delete information, which is limited only to “personal information about the consumer which the business has collected from the consumer” (emphasis added), particularly because the OAG opinion expressly contrasted information collected “about” the consumer from information collected “from” the consumer in defining the former as “personal information.” Given the uncertainty, the safest course of action at this stage may be for businesses to consider internally generated inferences as personal information for all purposes when complying with the CCPA’s requirements.