The California Office of Attorney General (OAG) on March 10, 2022, issued its first opinion interpreting the California Consumer Privacy Act (CCPA), addressing when businesses must disclose internally generated "inferences" in response to a consumer's request to "know" the personal information that the business has collected about the consumer.1
The CCPA gives consumers the right to request the "specific pieces" of "personal information" that a business has collected about the consumer, including "inferences drawn from any of the information" listed in the definition of "personal information" when such inferences are used "to create a profile about a consumer."2 But the statute does not make clear whether businesses "collect" such "inferences" when they generate them internally and, if they do, whether inferences that will be treated as "personal information" must be derived from personal information collected from private entities or whether they can be drawn from public records as well.3
The opinion resolves this issue and states that in response to specific consumer requests, businesses must disclose any inferences that the business has drawn about the consumer based on information that the business has collected about the consumer—regardless of whether such information was collected directly from the consumer or from other sources and regardless of whether such sources were public or private entities. Moreover, the business cannot withhold such inferences by merely asserting that they constitute "trade secrets."
Businesses Must Disclose Internally Generated "Inferences"
The CCPA defines an "inference" as the "derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data."4 OAG explained that inferences could include "a characteristic deduced about a consumer (such as 'married,' 'homeowner,' 'online shopper,' or 'likely voter') that is based on other information a business has collected (such as online transactions, social network posts, or public records)," and it established the following two-part test for determining when "inferences" are "personal information" that must be disclosed to consumers under the CCPA upon request.
First, the inference must be derived from an analysis of the following types of information that are listed in the definition of "personal information"
- Customer records;
- Characteristics of protected classification under California or federal law;
- Commercial information (including personal property or other products or services purchased, obtained, or considered);
- Biometric information;
- Browsing history and other online electronic network activity;
- Geolocation data;
- Audio, electronic, visual, and similar information;
- Professional or employment-related information;
- Education information; or
- Sensitive personal information (as of January 1, 2022, when the CPRA becomes effective).5
It makes sense that "inferences" would retain the character of the information from which they were derived—in this case, "personal information" as defined in the statute. And OAG made clear that businesses would be deemed to "collect" such inferences that are derived internally from other information that the business has collected.6
OAG went further, however, and stated that inferences were "personal information" and subject to disclosure even if derived from public records so long as the underlying information from those public records fit into the categories listed above. OAG reasoned that because the CCPA does not state whether the information listed above must be obtained from private sources (or whether businesses may obtain such information from private and public sources) and because this list includes "many kinds of information that are a matter of public record (such as information on property listings and tax rolls)," any inferences businesses derive from this type of information contained in public records therefore also become "personal information" that businesses must disclose to consumers.7
But the CCPA does address whether the data elements listed above may be obtained from public sources. Specifically, the CCPA's definition of "personal information" expressly excludes "publicly available information," which it defines broadly to include:
[I]nformation that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.8
OAG ignored the conflict that its interpretation creates and merely stated that "[u]nder the CCPA, the inference must be disclosed to the consumer, even if the public information itself need not be disclosed in response to a request for personal information."9
Second, the inference must be used to create a profile about a consumer or "predict a salient consumer characteristic"10
The opinion limited the scope of inferences that must be disclosed to those that are used to predict, target, or otherwise affect consumer behavior. Inferences that are used solely for internal purposes—to complete the mailing address on file for a consumer, for instance—are not covered. But if the inference is used to determine a consumer's "propensities," it "becomes part of the consumer's profile and must be disclosed."11
Businesses Bear Burden of Showing "Inferences" Are Trade Secrets
OAG also considered whether "inferences" generated internally using a business's own proprietary analytics were "trade secrets" that businesses may withhold under the CCPA. It declined to treat "inferences" categorically as "trade secrets" but did not rule out the possibility that they could be under certain circumstances.
Ultimately, OAG concluded that a business "bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under applicable law."12 Businesses must do more than simply assert that the information is a "trade secret" and cannot withhold the information on the basis that the underlying algorithm might be protected as a trade secret.13
Judicial Review of OAG's Opinion
Although official interpretations of a statute by the attorney general are not controlling or binding on a court or agency, they are entitled to great respect and weight and have been found persuasive in the absence of controlling authority. Given the novelty of the CCPA, the OAG's opinion will remain in force until a legal proceeding is commenced and litigated to determine how much weight it carries. California does not provide a separate process for seeking review of the attorney general's opinions.
In addition to complying with OAG's framework for disclosing "inferences," companies subject to the CCPA have several other issues to consider:
How to Treat Inferences Derived From De-identified and Aggregate Information
OAG clarified that inferences a business derives from "personal information" collected about a consumer become part of that consumer's "personal information." But by including inferences drawn from information that is not "personal information" under the CCPA—namely, "publicly available information"—OAG left open whether inferences drawn from "de-identified" or "aggregate" consumer information would be treated as "personal information."
After all, both of those types of information, too, are expressly carved out from the definition of "personal information."14 Perhaps "publicly available information" can be distinguished because, unlike "aggregate" or "de-identified" data, "publicly available information" can be linked to an identifiable natural person.
Obligations for Companies That Perform Analytics
Companies that analyze data on behalf of businesses may now find themselves potentially subject to obligations that they did not previously have because under the OAG opinion, deriving an inference from information that constitutes "personal information" amounts to creating new "personal information" that consumers have a right to access, delete, and so forth.
The opinion may particularly impact companies that develop and use artificial intelligence and machine-learning tools for consumer behavior analytics.
Protection for Trade Secrets
OAG made clear that the CCPA does not require businesses to disclose trade secrets. But businesses that want to withhold "inferences" on the ground that they constitute trade secrets must show that the information they seek to withhold has "independent economic value" precisely because it is not "generally known to the public or others who can obtain economic value from its use or disclosure," and that the business has used "reasonable efforts" to maintain the secrecy of the information.15
1 Opinion of Attorney General Rob Bonta, No. 20-303 (Mar. 10, 2022) (OAG Opinion). While the CCPA allows businesses to request opinions from OAG regarding compliance, OAG provided this particular opinion under its traditional authority to give opinions to certain public officials regarding questions of law. See Cal. Gov. Code § 12519. OAG issued the opinion in response to a question presented by California Assemblymember Kevin Kiley.
2 Cal. Civ. Code § 1798.140(v)(1)(K) (characterizing "inferences" as "personal information" when used to create a "profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes").
3 Assemblymember Kiley suggested that inferences were not covered because they were generated internally and not collected "from" consumers. OAG Opinion at 13.
4 Cal. Civ. Code § 1798.140(r).
5 Cal. Civ. Code § 1798.140(v)(1). This list also includes "inferences" which we omitted for purposes of this discussion.
6 OAG Opinion at 13 (stating that "[w]hen a business creates (or buys or otherwise collects) inferences about a consumer, those inferences constitute a part of the consumer's unique identity and become part of the body of information that the business has 'collected about' the consumer").
7 OAG Opinion at 11. OAG went on to state, without qualification, that all inferences used to create profiles are "personal information": "We emphasize that, once a business has made an inference about a consumer, the inference becomes personal information." Id. at 12.
8 Cal. Civ. Code § 1798.140(v)(2)
9 OAG Opinion at 12 (emphasis added). OAG referenced an analysis of the CCPA conducted by the California Senate Judiciary Committee, which—OAG noted—was concerned about the "exploitative tendencies of collecting masses of information and using it to identify and affect unwitting consumer." Id.
10 OAG Opinion at 11.
11 Id. at 12.
12 Id. at 15.
13 Id. at 14. OAG noted that the California Privacy Rights Act specifically directs the California Privacy Protection Agency to issue regulations regarding the disclosure of "trade secrets" and that in the meantime, businesses may rely on the carve-out in section 1798.145(a)(1), which allows businesses to process personal information necessary "to comply with federal, state, or local laws" to withhold trade secrets. Id.
14 See Cal. Civ. Code § 1798.40(v)(3).
15 OAG Opinion at 14, citing the California Uniform Trade Secrets Act, Cal. Civ. Code § 3426.1.