California AG Issues First CCPA Opinion: Consumers’ “Right to Know” Includes Businesses’ Internally Generated Inferences

The California Office of the Attorney General (OAG) recently concluded that the California Consumer Privacy Act (CCPA) generally requires a covered business to disclose, upon request, its inferences about a consumer—whether generated internally or obtained from another source—unless the business can demonstrate that a statutory exception applies. In its first formal opinion (No. 20-303) under the CCPA, OGC has thus taken an expansive view of a consumer’s CCPA “right to know” the specific pieces of personal information that a business collects. 

Takeaways

CCPA-covered businesses should carefully consider whether the information they process about California consumers includes inferences that meet OAG’s two-part test for disclosure (see discussion below), and whether any statutory exceptions to disclosure apply. Businesses that process inferences should also review their procedures for responding to consumers’ requests to know specific pieces of information to ensure continued compliance with the CCPA.

OAG clarifies that none of the CCPA amendments contained in the California Privacy Rights Act (CPRA)—the successful 2020 ballot initiative that will amend and expand the CCPA when it becomes operative on January 1, 2023 and enforceable on July 1, 2023—will impact the conclusions that OAG drew in its opinion. Provided the exemptions for employee and business contact information currently applicable under the CCPA are not extended beyond January 1, 2023, and unless a general exception applies, this means that covered businesses might also need to disclose inferences made in order to create a profile about their employees or business partners.

OAG’s Opinion

Before beginning its analysis, OAG outlines the evolution of the CCPA and underscores the significance of “inferences,” defined in the CCPA as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Citing academic studies, OAG remarks that seemingly innocuous data, when coupled with other data points, may reveal much more personal characteristics about a consumer. For example, common consumer-provided information (such as a date and place of birth), when coupled with information from publicly accessible databases, has been shown to accurately predict an individual’s Social Security number, and cell phone usage data (such as battery statistics) to accurately predict an individual’s creditworthiness.

Against this backdrop, OAG concludes that the CCPA was intentionally drafted to give a requesting consumer the right to receive inferences that a covered business made about him or her, regardless of the source of the inference. Specifically, OAG reasons that:

• A plain reading of the CCPA supports the conclusion that a consumer’s right to know includes a covered business’s internally generated inferences about that consumer.

  OAG begins its analysis with the CCPA’s definition of “personal information,” which contains a non-exhaustive list of categories that constitute personal information under the Act. These categories include, among others, inferences drawn from any of the other categories “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” 

  Thus, inferences themselves become personal information when two conditions are met:

1. The inference is drawn from information identified in the definition of “personal information.” Personal information includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information may consist of:
   1. Personal identifiers (e.g., names, addresses, account numbers, or identification numbers);
   2. Customer records;
   3. Characteristics of protected classifications (e.g., age, gender, race, or
   4. religion);
   5. Commercial information (e.g., property records or purchase history);
   6. Biometric information;
   7. Online activity information;
   8. Geolocation data;
   9. Audio, electronic, visual, thermal, olfactory, or similar information;
   10. Professional or employment information;
   11. Education information; and
   12. Inferences drawn from any of the above.

   OAG highlights that this list includes some categories of information typically obtained directly from consumers and others that are a matter of public record, and that the statute makes no distinction between them.[1] Thus, with respect to a consumer’s request to know, it does not matter whether the business obtained the information directly from the consumer, found it elsewhere, purchased it from a data broker, inferred it using a proprietary internal process, or a combination thereof. If the business holds personal information about a consumer, it must disclose it upon request.

2. The business uses the personal information to create a profile about a consumer. This condition limits the information that a business is required to disclose. OAG notes that a business need not disclose inferences that it uses for reasons other than predicting, targeting, or affecting consumer behavior (e.g., a business is not required to disclose an inference made by combining information obtained from a consumer with online postal information to generate that consumer’s nine-digit Zip code and facilitate a delivery).
   

   However, if a business processes personal information to make an inference about a consumer’s propensities, it must disclose the inference to the consumer. This principle applies even if the business is not required to disclose the underlying personal information used to generate the inference (e.g., in the case of personal information obtained from public records).

• Legislative history and intent also support this conclusion.

  OAG then suggests that the California Senate Judiciary Committee’s analysis of the CCPA, prior to its enactment, supports OAG’s conclusion regarding the extent of consumers’ right to know inferences. In its deliberations regarding the bill, the Committee focused in particular on the scandal surrounding Cambridge Analytica, the political consulting firm that acquired approximately 87 million individuals’ personal information and used it to send targeted messages in an attempt to influence the 2016 U.S. presidential election.

  Noting that this example is one of many, OAG concluded that inferences are “one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services,” and that they “appear to be at the heart of the problems that the CCPA seeks to address.”

OAG summarily rejected an argument, raised by the California Assembly member who requested the opinion, that the CCPA should not require businesses to disclose internally generated inferences to consumers because such inferences are not “collected from” the consumer within the meaning of the CCPA. OAG disagreed, reasoning that the CCPA gives consumers the right to receive all information collected about the consumer, not only information collected from the consumer.

Exceptions

• Trade secrets. OAG clarifies that the CCPA does not require businesses to disclose trade secrets in response to a consumer’s request to know specific pieces of personal information. However, OAG also notes that it did not encounter any examples in which inferences themselves constituted trade secrets. While an algorithm that a company uses to derive its inferences may be a protected trade secret, the CCPA only requires the business to disclose individualized outputs of the algorithm, not the algorithm itself. Additionally, a business that denies a request in whole or in part because of a statutory exception must explain the nature of the information and the basis for the denial. A blanket assertion of “trade secret” or “proprietary information” would not suffice.
• General exceptions. Notwithstanding OAG’s opinion, general exceptions to the CCPA also apply with respect to inferences. The CCPA does not restrict a business’s ability to, among other exceptions, comply with federal, state, or local laws; comply with a civil, criminal, or regulatory inquiry; cooperate with law enforcement agencies; exercise or defend legal claims; or collect, use, retain, sell, or disclose deidentified information.

[1] Note, however, that the CCPA’s definition of “personal information” specifically exempts “information that is lawfully made available from federal, state, or local government records.” Cal. Civ. Code § 1798.140(o)(2).