Your rights of access under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) include inferences derived from the your personal information, California Attorney General Rob Bonta said in a new opinion.

The Question:

Assemblymember Kevin Kiley asked whether a consumer’s right to receive the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences.

The Answer:

• The plain language of the statute, as well as the legislative history, persuaded the AG that the CCPA purposefully gives consumers a right to receive inferences, regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source (including from public information that would not need to be disclosed itself).
• At the same time, the CCPA does not require businesses to disclose their trade secrets in response to consumers’ requests for information. While the algorithm that a company uses to derive its inferences might be a protected trade secret, the CCPA only requires a business to disclose individualized products of its secret algorithm, not the algorithm itself.
• A business that withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law. This needs to be specific. A blanket assertion of "trade secret" or "proprietary information" or the like would not suffice.

The details:

• An inference is essentially a characteristic deduced about a consumer (such as “married,” “homeowner,” “online shopper,” or “likely voter”) that is based on other information a business has collected (such as online transactions, social network posts, or public records).
• Inferences appear to be at the heart of the problems that the CCPA seeks to address as they are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.
• CCPA gives consumers the right to receive all information collected “about” the consumer, not just information collected from the consumer.
• Some businesses create inferences using their own proprietary methods, and then sell or transfer the inferences to others for commercial purposes.
• Studies show that a person’s date and place of birth, in combination with public databases, can be used to predict their social security number; phone data can be used to predict friendships with 95 percent accuracy; data about mobile phone behavior (such as running out of battery) can be used to predict credit-worthiness; and Facebook “likes” can be used to predict a wide array of sensitive personal attributes such as age, gender, race, ethnicity, sexual orientation, political views and personality traits.
• For purposes of responding to a request to know, it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof. If the business holds personal information about a consumer, the business must disclose it to the consumer on request.
• Once a business has made an inference about a consumer, the inference becomes personal information — one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer’s power of control. Accordingly, inferences satisfy the first condition of the “personal information” inquiry regardless of whether they have been generated internally by the responding business or received from another source.
• When a business processes personal information to make an inference about the consumer’s propensities, then the inference itself becomes part of the consumer’s profile and must be disclosed.
• A business might draw an inference about a consumer based in whole or in part on publicly available information, such as government identification numbers, vital records or tax rolls. Under the CCPA, the inference must be disclosed to the consumer, even if the public information itself need not be disclosed in response to a request for personal information.
• When a business creates (or buys or otherwise collects) inferences about a consumer, those inferences constitute a part of the consumer’s unique identity and become part of the body of information that the business has “collected about” the consumer.
• While the algorithm that a company uses to derive its inferences might be a protected trade secret, the CCPA only requires a business to disclose individualized products of its secret algorithm, not the algorithm itself.
• The burden is on the trade secret holder to prove both the existence of a trade secret, and somebody’s use of improper means to obtain it. “Improper means” does not include reverse engineering.
• CCPA does not requires businesses to disclose trade secrets. The AG's office believes the most relevant language in the law is this: "The obligations imposed on businesses by this title shall not restrict a business’ ability to: Comply with federal, state, or local laws." According to the opinion, CPRA allows the AG to make “any exceptions necessary to comply with state or federal law, including those relating to trade secrets and intellectual property rights . . . with the intention that trade secrets should not be disclosed in response to a verifiable consumer request."
• However, a business that denies a request “in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA” must explain the nature of the information and the basis for its denial. A blanket assertion of “trade secret” or “proprietary information” or the like would not suffice. The general purpose of the regulations is that a business must respond to requests in a meaningful and understandable way.

[View source.]