Internal Inferences Must Be Disclosed to Consumers Under CCPA
In an opinion released on March 10, 2022, California Attorney General Rob Bonta addressed the applicability of the “right to know” under the California Consumer Privacy Act (CCPA) to internal inferences that organizations develop about individuals. The opinion clarified that these inferences are personal information for the purposes of the “right to know,” and must therefore be disclosed to individuals upon their request.
This is important because today’s social and commercial networks depend not only on facts but also on well-reasoned guesses about the preferences of individual consumers. Now, companies must disclose this information to consumers when they submit a right-to-know request.
What does the CCPA say about internal inferences?
Before digging into the California AG’s opinion on this topic, it is important to start with the language of the CCPA that gave rise to this confusion. The CCPA is clear that inferences are personal information. The CCPA’s definition of personal information specifically includes:
“inferences drawn … to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
As for the “right to know”, the CCPA says:
“A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer … the specific pieces of personal information it has collected about that consumer.”
These inferences are not necessarily based only on information shared by a consumer with a company. They can be made from public information, aggregated information, or other information that does not meet the definition of personal information.
The question then becomes: When a consumer submits a right-to-know request, does the consumer have the right to know inferences that the company made itself, rather than collected from an external source?
There are definitions of “collect” and “infer” in the CCPA, but they do not resolve the question of whether this information must be shared with a consumer when the consumer makes a request to a company.
What does the opinion say about disclosing internal inferences?
The opinion states the “right to know” does apply to inferences an organization generates about the consumer. Although the analysis cites both the plain language of the law and the legislative history, the key is the need to treat internally-generated inferences the same as inferences purchased or otherwise collected from a third party. Further, the source of the information used to make the inferences does not matter. As the opinion states:
“for purposes of responding to a request to know, it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof. If the business holds personal information about a consumer, the business must disclose it to the consumer on request.”
What about proprietary information and trade secrets?
The algorithms used to develop particular inferences may be proprietary. Is it possible to reverse the inference process in such a way as to discover the proprietary algorithm? If so, does the CCPA provide any protection to the organization owning the algorithm?
The final section of the opinion mentions a concern that arose repeatedly during the rule-making process: organizations might be required to disclose their intellectual property or trade secrets as a result of the ruling. The opinion is clear that, as a general rule, the “right to know” would not require an organization to disclose trade secrets, such as proprietary algorithms. On the other hand, it notes that the Attorney General has not been shown any concrete cases in which the inferences themselves constituted trade secrets. An organization withholding inferences from a “right to know” request would have the burden of showing that those inferences were trade secrets.
What does this mean for my organization?
Organizations subject to the CCPA should include inferences in their response to any “right to know” requests. In theory, this should not be difficult. After all, the internal inferences would have to refer to a specific, identified individual, so they should be easy to find. Organizations should also consider whether to extend the ruling to other consumer rights, especially the “right to delete.” The opinion does not address these rights, but the same reasoning should apply. Organizations may also want to review their privacy notices, security controls, data breach plans, and record retention schedules to be sure inferences are appropriately treated as personal information.