California AG’s First Formal CCPA Opinion Directs Businesses to Disclose Internally-Generated Inferences and Expresses Skepticism Around Trade Secret Claims
In its first formal opinion interpreting the California Consumer Privacy Act (the “Opinion”), the California Attorney General (OAG) has expansively interpreted CCPA to mean that inferences created internally by a business, including those based on data that is not included in the definition of personal information, constitute “specific pieces” of personal information “collected by a business” which must be produced to consumers upon request. The Opinion, which was issued on March 10, 2022 in response to a request for clarification submitted by Assemblyman Kevin Kiley, also addressed arguments that such inferences could constitute trade secrets and signaled the OAG’s unwillingness to accept “blanket assertions” that inferences constitute trade secrets or proprietary information, requiring instead that businesses explain why an inference constitutes a trade secret with greater particularity. We highlight below some of the more instructive elements of the opinion that provide insight into potential future enforcement.
Inferences Are “Specific Pieces” of Personal Information Collected About Consumers
CCPA defines as a category of personal information “inferences drawn from any of the information identified in [CCPA section 1798.140(o)] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” The statute also provides that consumers may request that a business disclose to the consumer “the specific pieces of personal information [the business] has collected about that consumer.” Cal. Civ. Code sec. 1798.110(a)(5). In the Opinion, the OAG interprets CCPA to mean that inferences can constitute “specific pieces” of personal information that a business must provide to a consumer, even if the inferences were not “collected” by the business, but instead generated internally by the business. Opinion at 13. The OAG’s position in this regard expressly rejects Assemblyman Kiley’s argument to the contrary, that internally-generated inferences are not collected “from” a consumer and, therefore, should not be among the types of data that can be provided in response to a data subject request. Opinion at 13. While not highlighted by the OAG, the CCPA definition of “collects” notably states that it “includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.” (Emphasis added.) Therefore, collection of information “about” a consumer is taken in the CCPA to include inferences that were created by observing a consumer’s behavior.
Inferences for Profiling Are “Disclosable Inferences” Under CCPA
The Opinion clarifies that only inferences that are used to “create a profile” are “disclosable” in response to a data subject request. For example, if a business combines information obtained from a consumer with online postal information to obtain a zip code to facilitate a delivery, the Opinion concludes that this process might not give rise to a disclosable inference if the zip code is deleted and not used to identify or predict the characteristics of the consumer. Opinion at 12. On the other hand, when a business uses personal information to make an inference about the consumer’s propensities, then “the inference itself becomes a part of the consumer’s profile, and must be disclosed.” Opinion at 12. The key element of a disclosable inference is that the data be used to create a profile, which “rules out situations where a business is using inferences for reasons other than predicting, targeting, or affecting consumer behavior.” Opinion at 12.
Disclosable Inferences Include Those Based Upon Publicly Available Information
The Opinion also states that inferences constituting personal information may, in some cases, be drawn from information that itself is not personal information under CCPA. After a detailed statutory analysis of the text, the OAG concludes that inferences may be based on all information in section 1798.140(o), which includes “personal information” and information that does not constitute personal information, specifically “publicly available information.” Opinion at 11. Inferences based “in whole or part on publicly available information, such as government identification numbers, vital records, or tax rolls” are in scope, if used to create profiles about consumers. Opinion at 12. This approach is significant as it seemingly contradicts the CCPA language that inferences are “drawn from any of the information identified in [CCPA Section 1798.140(o)],” and CCPA section 1798.140(o) explicitly states that “personal information does not include publicly available information.”
The OAG’s Skepticism About Treating Inferences as Trade Secrets
The Opinion rejects Assemblyman Kiley’s suggestion that internally-generated inferences constitute de facto trade secrets or intellectual property that would not be subject to disclosure under CCPA. This approach is consistent with the comments provided by the OAG in the CCPA Final Statement of Reasons that was published alongside the final issuance of the initial CCPA Regulations in 2020. While an algorithm used to derive inferences might be a protected trade secret, “the CCPA only requires a business to disclose the individualized products of its secret algorithm.” Opinion at 14. Further, if a business believes disclosure of information constitutes a trade secret, it cannot do so with a “blanket assertion of ‘trade secret’,” but must do so “in a meaningful and understandable way” that “explains the nature of the information and the basis for the denial [of the disclosure request].” Opinion at 15. Unfortunately, the Opinion does not provide much clarity on how a business should do this in practice.
CCPA Section 1798.185(a)(3) provides the OAG authority to establish by regulations “any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights…with the intention that trade secrets should not be disclosed in response to a verifiable consumer request.” (Emphasis added.) Intellectual property concerns were consistently raised throughout the public comment period when the OAG was drafting the CCPA regulations, and specific regulations to address intellectual property were denied as part of the OAG’s response to the public comments. The Opinion appears to wave off business’s long-standing concerns about the lack of clarity in CCPA regulations around trade secrets, noting that the OAG “has not found it necessary to promulgate regulations specifically related to intellectual property.” Opinion at 14. If anything, the Opinion underscores the OAG’s skepticism about trade secret arguments and signals it will may scrutinize such claims. Additionally, the OAG appears to signal concerns that “reverse engineering” does not qualify as an “improper means” by which a trade secret would be obtained. Opinion at 14. The Opinion explains that under California’s Uniform Trade Secrets Act, the holder of the secret must prove both the existence of the trade secret and “somebody’s use of improper means to obtain it,” but that “’improper means’ does not include reverse engineering.” Opinion at 14.
Implications for CCPA and CPRA Enforcement
While the Opinion does not include a substantial discussion about the impact of the California Privacy Rights Act (CPRA) on the issues addressed, the Opinion demonstrates the OAG’s general disdain for business models that rely upon profiling, a subject that is featured prominently in CPRA’s amendments to CCPA that go into effect on January 1, 2023. The Opinion draws a straight line from what it characterizes as the “exploitive tendencies of collecting masses of information and using it to identify and affect unwitting consumers” tied to recent controversial profiling activities and to other “example[s] of mischief resulting from the creation and use of inferences by businesses,” including targeted advertising that “feel[s] intrusive or unsettling” to consumers and the use of “discriminatory automated decisions” that secretly prevent consumers from seeing “certain ads, offers, or listings.” Opinion at 13. It concludes that “in light of all of these circumstances, inferences appear to be at the heart of the problems the CCPA seeks to address.” Opinion at 13.
This Opinion, taken together with the CCPA Regulations’ Final Statement of Reasons demonstrates that the OAG refuses to meaningfully engage in the negative impact of the CCPA on trade secrets, despite the statutory exortion. Rather, the OAG has established the grounds for case-by-case assessment and assertion of legal rights that creates uncertainty for corporate proprietary information interests. It remains to be seen whether the coming CPRA regulation will do any better.