The Californian Attorney General was asked to clarify whether a consumer’s “right to know” under the CCPA included internally generated inferences the business holds about the consumer. The response was that, yes, a consumer does that the right to that information.
A consumer has the right to know internally generated inferences about them regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source. The CCPA gives consumers the right to receive all information collected “about” them. When a business creates, buys, or collects inferences about a consumer those inferences constitute part of the consumer’s unique identity. They also become part of the information that the business has “collected about” the consumer.
Inferences also fall under personal information for the purposes of the CCPA when two conditions exist. Firstly, the inference is drawn from any information identified under section 1798.140(o), including:
- Personal identifiers
- Customer records
- Characteristics of protected classifications (e.g. age, gender, race, or religion)
- Commercial information (e.g., property records, purchase history)
- Biometric information
- Online activity information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment information
- Education information
Secondly, the personal information must be used to create a profile about the customer, for example, where a business is using inferences to predict, target or affect consumer behaviour.
A request to know must be responded to regardless of whether the business:
- Gathered the information from the consumer
- Found the information in public repositories
- Bought the information from a broker
- Inferred the information through some proprietary process of the business’ own invention
- Or any combination of the above
Disclosable v Non-Disclosable
There is still some information that is not disclosable under CCPA. A disclosable inference is personal information a business processes to make an inference about the consumer’s behaviour. An inference like this becomes a part of the consumer’s profile.
An example of a non-disclosable inference would be a business combining information obtained from the customer and combined with online postal information to obtain a nine-digit zip code to facilitate a delivery. This would end up being deleted and is not used to identify or predict the consumer’s characteristics.
Businesses are not required to disclose their trade secrets in response to consumers’ requests for information. For example, if a business has an algorithm that a company uses to derive its inferences, then the algorithm might be a protected trade secret. The CCPA only requires the business to disclose the individualized products of its secret algorithm, not the algorithm itself.
The Attorney General also advised that any business that withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law.
Managing data requests as a company can be difficult and confusing. Find out how Value Privacy’s experts can manage your data and privacy needs saving you time and money.