Yesterday, the California AG issued a rare written opinion on a question of law arising under CCPA. Specifically, the AG addressed the treatment by businesses of internally generated inferences. The opinion is important because it provides further insight into the AG’s enforcement priorities and interpretation of obligations under CCPA. We’ve read the opinion, and provided our initial thoughts and analysis below.
- What happened?
On March 10, the Office of the California AG issued a 15 page written opinion on internally generated inferences. The opinion is apparently a response to California Assemblymember Kevin Kiley’s request to clarify whether consumers have the right to obtain inferences generated about them as part of an access request.
- What is an inference?
Under CCPA, “inference” is defined as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” According to the opinion, “an inference is essentially a characteristic deduced about a consumer (such as ‘married,’ ‘homeowner,’ ‘online shopper,’ or ‘likely voter’) that is based on other information a business has collected (such as online transactions, social network posts, or public records).”
- What does the opinion say?
At a high level, the opinion provides a history of CCPA and states the AG’s position that inferences generated by a business, whether internally or received from another source, may be personal information under CCPA, and, where they are personal information, require the same treatment as other types of personal information. Specifically, if a business holds generated inferences about a consumer, and receives a verifiable access request from the consumer, the business must disclose the generated inferences as part of its response to the consumer. The AG reaches this conclusion based on its reading of the plain language of CCPA and understanding of the legislative history.
- When must a business disclose generated inferences in response to an access request?
According to the opinion, an inference is disclosable personal information under CCPA where two conditions exist:
- the inference is drawn from any of the types of information identified in subdivision (o) of CCPA (e.g., names, addresses, identification numbers, customer records, geolocation data, etc.); and
- the inference is used to create a profile about a consumer.
With respect to (1), the AG finds that this condition is easily satisfied as most inferences are drawn from the types of information identified in subdivision (o).
With respect to (2), the AG finds that this condition is quite fact specific. According to the AG, inferences made for “predicting, targeting, or affecting consumer behavior” satisfy this condition. The AG provides some examples of inferences, and specifies that “when a business processes personal information to make an inference about the consumer’s propensities, then the inference itself becomes part of the consumer’s profile, and must be disclosed.”
- How does the AG treat inferences generated from public information?
The AG makes clear that inferences generated from public information, “such as government identification numbers, vital records, or tax rolls[,]” must be disclosed. According to the AG, “the inference must be disclosed to the consumer, even if the public information itself need not be disclosed in response to a request for personal information.”
- Is there a legal distinction between “collecting” and “generating” for purposes of CCPA?
According to the opinion, no. The AG takes the position that “[w]hen a business creates (or buys or otherwise collects) inferences about a consumer, those inferences constitute a part of the consumer’s unique identity and become part of the body of information that the business has ‘collected about’ the consumer.”
- Are there any exceptions to the disclosure obligation for generated inferences?
The opinion recognizes that access requests are subject to the express exceptions stated within CCPA, and specifically highlights that CCPA does not require businesses to reveal their trade secrets. However, the AG points out that there are limitations to these exceptions. For example, inferences are not necessarily trade secrets. According to the AG, “[w]hile the algorithm that a company uses to derive its inferences might be a protected trade secret, CCPA only requires a business to disclose individualized products of its secret algorithm, not the algorithm itself.” Also, a business must explain the basis for its denial of a request, and cannot rely on “[a] blanket assertion of ‘trade secret’ or ‘proprietary information’ or the like[.]”
- How does CPRA impact the opinion?
The AG states that the amended CPRA does not change the conclusions in the opinion.
- Any other takeaways?
To my knowledge, this is one of the first public substantive written opinions issued by the California AG about the CCPA (outside of the rulemaking process). Notably, the AG issued the opinion pursuant to its traditional authority to give opinions to public officials upon request, and not pursuant to the CCPA statutory language allowing businesses to seek opinions. Although I don’t know for certain, as of this writing, I suspect that the AG wanted to address this topic without opening the floor to public opinion.
Moreover, the opinion is notable because it aligns with the AG’s (and the CCPA’s) focus on targeted advertising. The opinion dedicates pages to explaining the history of CCPA and Cambridge Analytica, as well as the dangers of inferences, including with respect to transparency issues and discriminatory practices. Ultimately, the opinion boils down to the following quote on page 13: “In light of all these circumstances, inferences appear to be at the heart of the problems that the CCPA seeks to address.”
In sum, businesses that hold generated inferences about consumers should carefully review this opinion, and understand their obligations under the law.