Keypoint: In its first CCPA interpretive opinion, the Attorney General’s office confirmed that businesses responding to requests to know must disclose internally generated inferences they hold about a consumer from either internal or external information sources.
On March 10, 2022, the California Attorney General’s office issued a first-of-its-kind interpretive opinion on the California Consumer Privacy Act’s (CCPA) application.
The Opinion states that, unless an exception applies, a consumer “has the right to know internally generated inferences about that consumer” held by the business from either external or internal sources. The Office reached this Opinion based on a plain reading of the CCPA’s text. A few questions result, including whether inferences based on otherwise exempt information must be disclosed.
Below is a further analysis of the Opinion.
The Attorney General issued its Opinion in response to a request made by California Assembly Member Kevin Kiley. CCPA § 1798.155 allows businesses to seek the opinion of the Attorney General on how to comply with the CCPA. Assembly Member Kiley made this request, however, pursuant to California Government Code § 12519, which states the Attorney General “shall” give a written opinion to lawmakers “upon any question of law relating to their respective offices.”
Here, Assembly Member Kiley presented the following question:
Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?
In answering the question in the affirmative, the Office observed that the CCPA’s definition of “personal information” specifically includes “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” Thus, the Attorney General concluded that “‘[i]nferences’ themselves are ‘personal information’ for purposes of the CCPA (and therefore disclosable)” so long as the inference is (1) drawn “from any of the information identified in this subdivision” and (2) used “to create a profile about a consumer.”
With respect to the first requirement, inferences must be drawn from any of the other data elements identified in § 1798.140(o)(1), including names, email addresses, age, race, gender, customer records, online activity, and geolocation, among others.
With respect to the second requirement, inferences must be used to create a consumer profile. Therefore, using a consumer’s address to draw an inference as to the consumer’s zip code would not be covered but using information to make an inference as to a consumer’s propensities would be.
Notably, the Opinion states that inferences drawn entirely from publicly available information still need to be disclosed. This is an interesting conclusion insofar as publicly available information itself is not subject to the CCPA. According to the Office, “the inference must be disclosed to the consumer, even if the public information itself need not be disclosed in response to a request for personal information.” Although not discussed in the Opinion, this conclusion raises questions about other types of data exempt from the CCPA. For example, if a financial institution uses personal information subject to the Gramm-Leach-Bliley Act to create a covered inference, is that inference still exempt from the CCPA?
Further, in reaching its conclusion, the Opinion confirms that the CCPA’s request to know extends to all information a business collects “about a consumer” and not just information the business collects directly from the consumer. By contrast, the CCPA’s request to delete (which the Opinion does not mention) only extends to “personal information about the consumer which the business has collected from the consumer.” Therefore, there may be circumstances in which businesses need to disclose the inference, but not delete it.
The Opinion also notes that businesses do not need to disclose trade secrets when disclosing inferences although the Office states that it has never been presented with “any concrete examples of situations where inferences are themselves trade secrets, or where the disclosure of inferences would expose a business’s trade secrets.”
Finally, the Opinion states that the “amendments to the CCPA introduced by the CPRA do not change the conclusions presented in this opinion.”