The California AG recently released its first Opinion interpreting the California Consumer Privacy Act (CCPA), highlighting a brewing conflict over the inferences that businesses generate about their consumers. This Opinion addresses the question of whether Right to Know requests extend to these inferences. It states that businesses are obligated to disclose inferences (1) derived from either public or private personal information (2) that are used by the business for the purpose of creating a profile about the consumer. While the Office of the Attorney General acknowledged that the CCPA does not require businesses to reveal trade secrets, the Opinion raised serious questions as to whether inferences may qualify as trade secrets and, if so, the scope of a business’s compliance obligations.
The Opinion begins by providing a definition for the term inference and a framework for determining when an inference constitutes personal information that may be subject to a Right to Know request. The term inference means “the derivation of information, data assumptions, or conclusions from facts, evidence, or another source of information or data.” Essentially, an inference is “a characteristic deduced about a consumer that is based on other information a business has collected.”
Generally, businesses are required to disclose personal information that they hold about a consumer subsequent to a verifiable request. “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are expressly included under the CCPA’s definition of personal information. Therefore, the Office of the Attorney General found that an inference is personal information subject to a Right to Know request when (1) the inference is drawn from “any information in this subdivision,” and (2) “when the inference is used to create a profile about a consumer.”
The OAG looked to the language of the statute to determine the scope of the first prong. The listed information includes, but is not limited to, personal identifiers; customer records; characteristics of protected classifications; commercial information; online activity; geolocation data; professional or employment information; education information; and inferences drawn from any of the above. Because the statute does not specify the sources of these categories of information, the OAG found that inferences derived from these categories satisfy the first prong of the test regardless of whether they are derived from information collected directly from the consumer or information collected from public records.
Next, the OAG considered when an inference is used to create a profile about a consumer. It found that this prong is satisfied where a business processes personal information to make an inference about the consumer’s propensities for purposes of predicting, targeting, or affecting consumer behavior. An inference would not be created for the purpose of creating a profile about a consumer where, for example, a business combines information obtained from a consumer with online postal information to infer a nine-digit zip code to facilitate a delivery. If this zip code is merely deleted and not used to identify or predict the characteristics of a consumer, the OAG would not view the zip code as a disclosable inference.
In addition to this statutory analysis, the OAG pointed to the legislative purpose of the CCPA and the potential harms associated with the use of inferences. It repeated the Senate Judiciary Committee’s analysis of Cambridge Analytica and highlighted that “Cambridge Analytica is far from the only example of mischief resulting from the creation and use of inferences by businesses.” It found that because of these inferences, “marketing tactics are so tailored that they feel intrusive or unsettling to consumers.” Therefore, “inferences appear to be at the heart of the problems that the CCPA seeks to address.”
Finally, and perhaps most importantly, the OAG’s opinion addresses the issue of trade secrets. Many businesses that decline to disclose inferences in a response to a Right to Know request do so arguing that the inferences constitute trade secrets, which are not subject to CCPA disclosure requirements. Although the OAG confirmed that trade secrets are not subject to disclosure, it raised doubts over whether inferences may qualify as trade secrets.
The Opinion states that “the Attorney General was not presented with any concrete examples of situations where inferences are themselves trade secrets, or where the disclosure of inferences would expose a business’s trade secrets.” A trade secret “is essentially information that derives independent economic value from not being generally known to the public or others who can obtain economic value from its use or disclosure, and as to which the owner exerts reasonable efforts to maintain secrecy.” The holder of the trade secret bears the responsibility of establishing its existence with reasonable particularity. The Opinion highlights that while the algorithm a company uses to derive its inferences might qualify as a protected trade secret, the inferences themselves might not. The CCPA only requires a business to disclose individualized products of its secret algorithms, not the algorithms themselves.
While it does not go so far as to say that inferences can never qualify as trade secrets, the Opinion strongly suggests that the OAG is prepared to challenge businesses that refuse to disclose inferences. Given the OAG’s recent activity in sending non-compliance warnings, businesses would be wise to consider how to defend inferential findings as trade secrets not subject to a Right to Know request.