California AG Issues First CCPA Opinion: Consumers’ “Right to Know” Includes Businesses’ Internally Generated Inferences

22 Mar 2022
Client Alert

The California Office of the Attorney General (OAG) recently concluded that the California Consumer Privacy Act (CCPA) generally requires a covered business to disclose, upon request, its inferences about a consumer—whether generated internally or obtained from another source—unless the business can demonstrate that a statutory exception applies. In its first formal opinion (No. 20-303) under the CCPA, OAG has thus taken an expansive view of a consumer’s CCPA “right to know” the specific pieces of personal information that a business collects.

Takeaways

CCPA-covered businesses should carefully consider whether the information they process about California consumers includes inferences that meet OAG’s two-part test for disclosure (see discussion below), and whether any statutory exceptions to disclosure apply. Businesses that process inferences should also review their procedures for responding to consumers’ requests to know specific pieces of information to ensure continued compliance with the CCPA.

OAG clarifies that none of the CCPA amendments contained in the California Privacy Rights Act (CPRA)—the successful 2020 ballot initiative that will amend and expand the CCPA when it becomes operative on January 1, 2023 and enforceable on July 1, 2023—will impact the conclusions that OAG drew in its opinion. Provided the exemptions for employee and business contact information currently applicable under the CCPA are not extended beyond January 1, 2023, and unless a general exception applies, this means that covered businesses might also need to disclose inferences made in order to create a profile about their employees or business partners.

OAG’s Opinion

Before beginning its analysis, OAG outlines the evolution of the CCPA and underscores the significance of “inferences,” defined in the CCPA as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Citing academic studies, OAG remarks that seemingly innocuous data, when coupled with other data points, may reveal far more personal characteristics about a consumer. For example, common consumer-provided information (such as a date and place of birth), when coupled with information from publicly accessible databases, has been shown to accurately predict an individual’s Social Security number, and cell phone usage data (such as battery statistics) has been shown to accurately predict an individual’s creditworthiness.

Against this backdrop, OAG concludes that the CCPA was intentionally drafted to give a requesting consumer the right to receive inferences that a covered business made about him or her, regardless of the source of the inference. Specifically, OAG reasons that:

  • A plain reading of the CCPA supports the conclusion that a consumer’s right to know includes a covered business’s internally generated inferences about that consumer.

    OAG begins its analysis with the CCPA’s definition of “personal information,” which contains a non-exhaustive list of categories that constitute personal information under the Act. These categories include, among others, inferences drawn from any of the other categories “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” 

    Thus, inferences themselves become personal information when two conditions are met:

  1. The inference is drawn from information identified in the definition of “personal information.” Personal information includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information may consist of:
    1. Personal identifiers (e.g., names, addresses, account numbers, or identification numbers);
    2. Customer records;
    3. Characteristics of protected classifications (e.g., age, gender, race, or religion);
    4. Commercial information (e.g., property records or purchase history);
    5. Biometric information;
    6. Online activity information;
    7. Geolocation data;
    8. Audio, electronic, visual, thermal, olfactory, or similar information;
    9. Professional or employment information;
    10. Education information; and
    11. Inferences drawn from any of the above.

    OAG highlights that this list includes some categories of information typically obtained directly from consumers and others that are a matter of public record, and that the statute makes no distinction between them.[1] Thus, with respect to a consumer’s request to know, it does not matter whether the business obtained the information directly from the consumer, found it elsewhere, purchased it from a data broker, inferred it using a proprietary internal process, or a combination thereof. If the business holds personal information about a consumer, it must disclose it upon request.

  2. The business uses the personal information to create a profile about a consumer. This condition limits the information that a business is required to disclose. OAG notes that a business need not disclose inferences that it uses for reasons other than predicting, targeting, or affecting consumer behavior (e.g., a business is not required to disclose an inference made by combining information obtained from a consumer with online postal information to generate that consumer’s nine-digit Zip code and facilitate a delivery).

    However, if a business processes personal information to make an inference about a consumer’s propensities, it must disclose the inference to the consumer. This principle applies even if the business is not required to disclose the underlying personal information used to generate the inference (e.g., in the case of personal information obtained from public records).

  • Legislative history and intent also support this conclusion.

    OAG then suggests that the California Senate Judiciary Committee’s analysis of the CCPA, prior to its enactment, supports OAG’s conclusion regarding the extent of consumers’ right to know inferences. In its deliberations regarding the bill, the Committee focused in particular on the scandal surrounding Cambridge Analytica, the political consulting firm that acquired approximately 87 million individuals’ personal information and used it to send targeted messages in an attempt to influence the 2016 U.S. presidential election.

    Noting that this example is one of many, OAG concluded that inferences are “one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services,” and that they “appear to be at the heart of the problems that the CCPA seeks to address.”

OAG summarily rejected an argument, raised by the California Assembly member who requested the opinion, that the CCPA should not require businesses to disclose internally generated inferences to consumers because such inferences are not “collected from” the consumer within the meaning of the CCPA. OAG disagreed, reasoning that the CCPA gives consumers the right to receive all information collected about the consumer, not only information collected from the consumer.

Exceptions

  • Trade secrets. OAG clarifies that the CCPA does not require businesses to disclose trade secrets in response to a consumer’s request to know specific pieces of personal information. However, OAG also notes that it did not encounter any examples in which inferences themselves constituted trade secrets. While an algorithm that a company uses to derive its inferences may be a protected trade secret, the CCPA only requires the business to disclose individualized outputs of the algorithm, not the algorithm itself. Additionally, a business that denies a request in whole or in part because of a statutory exception must explain the nature of the information and the basis for the denial. A blanket assertion of “trade secret” or “proprietary information” would not suffice.
  • General exceptions. Notwithstanding OAG’s opinion, general exceptions to the CCPA also apply with respect to inferences. The CCPA does not restrict a business’s ability to, among other exceptions, comply with federal, state, or local laws; comply with a civil, criminal, or regulatory inquiry; cooperate with law enforcement agencies; exercise or defend legal claims; or collect, use, retain, sell, or disclose deidentified information.

[1] Note, however, that the CCPA’s definition of “personal information” specifically exempts “information that is lawfully made available from federal, state, or local government records.” Cal. Civ. Code § 1798.140(o)(2).

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.