Mar 292022

California AG’s First Formal CCPA Opinion Directs Businesses to Disclose Internally-Generated Inferences and Expresses Skepticism Around Trade Secret Claims

Colleen Theresa Brown, Alan Charles Raul, Lauren Kitces and Sheri Porath Rockwell
, , , ,

In its first formal opinion interpreting the California Consumer Privacy Act (the “Opinion”), the California Attorney General (OAG) has expansively interpreted CCPA to mean that inferences created internally by a business, including those based on data that is not included in the definition of personal information, constitute “specific pieces” of personal information “collected by a business” which must be produced to consumers upon request.  The Opinion, which was issued on March 10, 2022 in response to a request for clarification submitted by Assemblyman Kevin Kiley, also addressed arguments that such inferences could constitute trade secrets and signaled the OAG’s unwillingness to accept “blanket assertions” that inferences constitute trade secrets or proprietary information, requiring instead that businesses explain why an inference constitutes a trade secret with greater particularity.  We highlight below some of the more instructive elements of the opinion that provide insight into potential future enforcement.

Inferences Are “Specific Pieces” of Personal Information Collected About Consumers

CCPA defines as a category of personal information “inferences drawn from any of the information identified in [CCPA section 1798.140(o)] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”  The statute also provides that consumers may request that a business disclose to the consumer “the specific pieces of personal information [the business] has collected about that consumer.” Cal. Civ. Code sec. 1798.110(a)(5).  In the Opinion, the OAG interprets CCPA to mean that inferences can constitute “specific pieces” of personal information that a business must provide to a consumer, even if the inferences were not “collected” by the business, but instead generated internally by the business.  Opinion at 13.  The OAG’s position in this regard expressly rejects Assemblyman Kiley’s argument to the contrary, that internally-generated inferences are not collected “from” a consumer and, therefore, should not be among the types of data that can be provided in response to a data subject request. Opinion at 13. While not highlighted by the OAG, the CCPA definition of “collects” notably states that it “includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.” (Emphasis added.) Therefore, collection of information “about” a consumer is taken in the CCPA to include inferences that were created by observing a consumer’s behavior.

Inferences for Profiling Are “Disclosable Inferences” Under CCPA

The Opinion clarifies that only inferences that are used to “create a profile” are “disclosable” in response to a data subject request.   For example, if a business combines information obtained from a consumer with online postal information to obtain a zip code to facilitate a delivery, the Opinion concludes that this process might not give rise to a disclosable inference if the zip code is deleted and not used to identify or predict the characteristics of the consumer.  Opinion at 12.  On the other hand, when a business uses personal information to make an inference about the consumer’s propensities, then “the inference itself becomes a part of the consumer’s profile, and must be disclosed.” Opinion at 12.  The key element of a disclosable inference is that the data be used to create a profile, which “rules out situations where a business is using inferences for reasons other than predicting, targeting, or affecting consumer behavior.” Opinion at 12.

Disclosable Inferences Include Those Based Upon Publicly Available Information

The Opinion also states that inferences constituting personal information may, in some cases, be drawn from information that itself is not personal information under CCPA.  After a detailed statutory analysis of the text, the OAG concludes that inferences may be based on all information in section 1798.140(o), which includes “personal information” and information that does not constitute personal information, specifically “publicly available information.”  Opinion at 11.  Inferences based “in whole or part on publicly available information, such as government identification numbers, vital records, or tax rolls” are in scope, if used to create profiles about consumers.  Opinion at 12. This approach is significant as it seemingly contradicts the CCPA language that inferences are “drawn from any of the information identified in [CCPA Section 1798.140(o)],” and CCPA section 1798.140(o) explicitly states that “personal information does not include publicly available information.”

The OAG’s Skepticism About Treating Inferences as Trade Secrets 

The Opinion rejects Assemblyman Kiley’s suggestion that internally-generated inferences constitute de facto trade secrets or intellectual property that would not be subject to disclosure under CCPA.  This approach is consistent with the comments provided by the OAG in the CCPA Final Statement of Reasons that was published alongside the final issuance of the initial CCPA Regulations in 2020.  While an algorithm used to derive inferences might be a protected trade secret, “the CCPA only requires a business to disclose the individualized products of its secret algorithm.”  Opinion at 14.  Further, if a business believes disclosure of information constitutes a trade secret, it cannot do so with a “blanket assertion of ‘trade secret’,” but must do so “in a meaningful and understandable way” that “explains the nature of the information and the basis for the denial [of the disclosure request].” Opinion at 15.  Unfortunately, the Opinion does not provide much clarity on how a business should do this in practice.

CCPA Section 1798.185(a)(3) provides the OAG authority to establish by regulations “any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights…with the intention that trade secrets should not be disclosed in response to a verifiable consumer request.”  (Emphasis added.)  Intellectual property concerns were consistently raised throughout the public comment period when the OAG was drafting the CCPA regulations, and specific regulations to address intellectual property were denied as part of the OAG’s response to the public comments. The Opinion appears to wave off business’s long-standing concerns about the lack of clarity in CCPA regulations around trade secrets, noting that the OAG “has not found it necessary to promulgate regulations specifically related to intellectual property.”  Opinion at 14. If anything, the Opinion underscores the OAG’s skepticism about trade secret arguments and signals it will may scrutinize such claims.  Additionally, the OAG appears to signal concerns that “reverse engineering” does not qualify as an “improper means” by which a trade secret would be obtained.  Opinion at 14.  The Opinion explains that under California’s Uniform Trade Secrets Act, the holder of the secret must prove both the existence of the trade secret and “somebody’s use of improper means to obtain it,” but that “’improper means’ does not include reverse engineering.”  Opinion at 14.

Implications for CCPA and CPRA Enforcement

While the Opinion does not include a substantial discussion about the impact of the California Privacy Rights Act (CPRA) on the issues addressed, the Opinion demonstrates the OAG’s general disdain for business models that rely upon profiling, a subject that is featured prominently in CPRA’s amendments to CCPA that go into effect on January 1, 2023.  The Opinion draws a straight line from what it characterizes as the “exploitive tendencies of collecting masses of information and using it to identify and affect unwitting consumers” tied to recent controversial profiling activities and to other “example[s] of mischief resulting from the creation and use of inferences by businesses,” including targeted advertising that “feel[s] intrusive or unsettling” to consumers and the use of “discriminatory automated decisions” that secretly prevent consumers from seeing “certain ads, offers, or listings.”  Opinion at 13.  It concludes that “in light of all of these circumstances, inferences appear to be at the heart of the problems the CCPA seeks to address.” Opinion at 13.

This Opinion, taken together with the CCPA Regulations’ Final Statement of Reasons demonstrates that the OAG refuses to meaningfully engage in the negative impact of the CCPA on trade secrets, despite the statutory exortion.  Rather, the OAG has established the grounds for case-by-case assessment and assertion of legal rights that creates uncertainty for corporate proprietary information interests.  It remains to be seen whether the coming CPRA regulation will  do any better.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Lauren Kitces

Washington, D.C.

lkitces@sidley.com

Sheri Porath Rockwell

Century City

sheri.rockwell@sidley.com

You might also like
A New Wave of Class Actions: The Genetic Information Privacy Act

Largely dormant for the last 25 years, Illinois’ Genetic Information Privacy Act (GIPA) has been sharing the limelight recently with its sibling, the Biometric Information Privacy Act. (BIPA). GIPA includes a number of restrictions related to the use and disclosure of genetic testing and genetic information, and it provides a private right of action and permits recovery of steep statutory damages. In 2023 alone, over 50 GIPA complaints were filed, and new suits continue to be filed in 2024. In this article, published on AML Law.com, Sidley lawyers Kathleen Carlson, Lawrence Fogel, and Colleen Brown explore some of GIPA’s emerging issues and unanswered questions.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.