California AG’s First CCPA Opinion Takes a Broad View of the Right to Access Inferences

1. First, inferences must be drawn from “information identified in” the definition of “personal information,” Civil Code section 1798.140(o).
The information may be obtained directly from consumers (such as address and income), found in public repositories, bought from a data broker, or inferred through an algorithm. The inference does not have to be made by the business itself. It may be generated internally or received from another source. The opinion shows little deference to the exemption for public records when it comes to inferences. The opinion asserts that “information in public repositories” is personal information but acknowledges (in a footnote) that information in public records is not. The opinion sweeps this tension aside by concluding that “once a business has made an inference about a consumer, the inference becomes personal information—one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer’s power of control.” The bottom line is that even if the underlying information is exempt from disclosure because it is publicly available information from government records, an inference based on the information must be disclosed to the consumer, as the inference itself is not available in government records.2. Second, the inference must be used to create a profile about a consumer, such as by identifying or predicting the consumer’s characteristics. To illustrate an inference that does not give rise to a profile, OAG gives a trivial example: inferences derived when a business combines information “obtained from a consumer with online postal information to obtain a nine-digit zip code.” It is unclear how this is an inference at all, as opposed to a look-up of existing information.
On the other hand, an inference that is used for predicting, targeting, or affecting consumer behavior must be disclosed in an access request. OAG anticipates and refutes two potential arguments that inferences would not have to be disclosed.- First, CCPA states that personal information must be disclosed that is collected “about” a consumer, not necessarily collected “from” a consumer. This means that businesses must broadly disclose to consumers inferences they make about the consumer, regardless of the source of the information. Although not addressed in the opinion, this differs from the right to delete, which only applies to information collected “from” a consumer.
- Second, OAG argues that while businesses are not required to disclose trade secrets, individual inferences are not trade secrets. OAG agrees that companies are not required to disclose the inputs or algorithms that form the inferences, but expects companies to produce inferences in response to access requests.
- OAG acknowledges that CCPA does not require businesses to disclose their trade secrets. The opinion finds that the “most relevant” exception in the CCPA to support this conclusion is that “the obligations imposed on businesses by this title shall not restrict a business’ ability to … comply with federal, state, or local laws.”
- Along the same lines, the opinion makes it clear that OAG recognizes key statutory exceptions, such as the exception allowing businesses to comply with applicable law or exercise or defend legal claims. OAG labels these exceptions as “carve-out” provisions “designed to relieve businesses from undue burdens and common legal binds.”
- For those interested in how OAG interprets CCPA, OAG commits to interpret the law by “examining the text, giving the language its usual meaning in order to understand the intent of legislators. The words of a statute must be construed in context and section relating to the same subject must be harmonized to the extent possible.”
- Finally, the opinion spends considerable time reviewing the history and purpose of CCPA, citing to the Cambridge Analytica data breaches, EU passage of GDPR, and legislative history addressing “exploitative tendencies of collecting masses of information and using it to identify and affect unwitting consumers.” This background provides insight into the perceived harms OAG seeks to safeguard through enforcement of CCPA.
