In the first-of-its-kind “opinion” from the California Office of the Attorney General (“OAG”), the agency addressed the question of whether a consumer’s “right to know” what personal information a business holds about the consumer under the California Consumer Privacy Act (“CCPA”) extends to internally generated inferences that a business holds about the consumer, from either internal or external information sources. The OAG answered this question in the affirmative and stated that a consumer has the right to know internally generated inferences about the consumer when the inferences: (i) are derived from information that is otherwise considered personal information under the law; and (ii) are used by the business for the purpose of creating a profile about that consumer. (The OAG did clarify, however, that disclosing inferences to consumers does not require businesses to disclose their trade secrets.)
This opinion has broad ramifications for data brokers, advertisers, and other entities that rely on consumer profiles as part of their business operations. The OAG clearly states here that the CCPA’s rights apply not only to the information that a business collects from a consumer but also to the information that a business develops about a consumer (that would otherwise meet the definition of personal information under the law). This means that businesses relying on inferences must assess how this inference data is implicated in potential data subject rights requests they receive pursuant to the CCPA. The timing of this guidance, combined with the detailed harms of inference data identified by the OAG in its opinion, indicates that this topic may be an enforcement priority for the agency moving forward.
An inference is the “derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” For clarity, an inference is a characteristic or attribute that describes an individual such as “expectant parent”, “homeowner” or “likely to vote”. With the proliferation of big data and artificial intelligence, businesses have been able to collect and process an unprecedented and increasingly granular amount of consumer data and create such inferences from them. In its opinion, the OAG cites an academic paper from 2018 that showed that as few as 4 applications installed by a user constitute sufficient data to re-identify that user in a dataset with 95% accuracy. In the same vein, social media usage data such as “likes”, or similar behavioral data, can be used to predict age, gender, race, sexual orientation, and political views.
B. Selected highlights from OAG’s opinion.
With this data as backdrop, the OAG determined that under the CCPA, consumers have a right to know what inferences are drawn about them. The OAG first looked to the definition of personal information under the CCPA for its analysis. Under section 1798.140(v) of the CCPA, personal information “includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The definition includes an array of subdivisions such as age, name, and address which are provided directly by the consumer and commercial information such as property and rent records which can be attained indirectly. Specifically, subdivision (k) of personal information includes “[i]nferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” (emphasis added).
Under this textual interpretation, the OAG creates a two-pronged analysis to determine whether consumers have a right to know the respective inferences that companies collect and store about such consumers. Prong (1), the definition prong, is whether the inference is drawn from the information identified in one of the subdivisions defined as personal information. The information can be either direct, such as gender and race, or indirect, such as property records. Prong (2), the profile prong, is whether such information is used to create a profile about a consumer.
For example, assume a business collects a consumer’s age and online activity of browsing to spas and resorts. If the business then proceeds to create a profile of the user as a “traveler” in order to establish targeted advertising to vacation resorts, that consumer can exercise their right to know this information under the CCPA because (1) collecting age and online activity meets the definition prong and (2) creating a “traveler” profile meets the profile prong.
The OAG emphasizes that “once a business has made an inference about a consumer, the inference becomes personal information—one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer’s power of control.” Further, for purposes of responding to a consumer’s request to know, “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.”
C. The OAG responds to arguments against disclosure.
The OAG next responds to arguments against the disclosure of inferences. The first argument is that inferences need not be disclosed to consumers because inferences are information that has been generated internally by a business, rather than collected from the consumer within the meaning of Civil Code section 1798.110, subdivision (a). Subdivision (a) states that a consumer shall have the right to “request that a business … disclose . . . [t]he specific pieces of personal information it has collected about that consumer.” The OAG disagrees, explaining that the CCPA is explicit in that it gives consumers the right to receive all information collected “about” the consumer, not just information “collected from” the consumer. As such, inferences include information collected about consumers rather than from consumers and further create that consumer’s unique identity. “When a business creates (or buys or otherwise collects) inferences about a consumer, those inferences constitute a part of the consumer’s unique identity and become part of the body of information that the business has ‘collected about’ the consumer.” Thus, inferences must be disclosed to the consumer upon request.
A second argument suggests that internally generated inferences constitute a business’s intellectual property. The OAG again disagrees, responding that inferences themselves are not necessarily trade secrets. The algorithm used to derive the inferences may be protected as a trade secret, but the CCPA only requires businesses to disclose the product of the algorithm rather than the algorithm itself. Additionally, under California’s Uniform Trade Secret Act, the burden is on the company to prove the existence of a trade secret and the “improper means” by which it was attained. The opinion affirms that “[a] blanket assertion of ‘trade secret’ or ‘proprietary information’ or the like would not suffice.”
Thus, based on its opinion, and as the OAG continues its investigative sweep and its efforts to send notices of alleged noncompliance with the CCPA, businesses will need to consider whether they fall under the OAG’s two-pronged analysis and, if so, be prepared to respond to this broader range of verifiable consumer requests.