CCPA Covered Businesses Must Disclose Most Inferences Drawn from Consumers’ Personal Information | Fisher Phillips

While it is clear that the California Consumer Privacy Act (CCPA) imposes certain disclosure requirements on companies with respect to specific personal data collected about consumers, companies often forget that they also have certain disclosure requirements with respect to information created by the company about consumers.

On March 10, 2022, the California Attorney General issued an opinion clarifying whether consumers have the right under the CCPA to be informed of “internally generated inferences” created by businesses from internal or external sources of information. In short, the California Attorney General held that consumers have the right to be informed of inferences made about them. While the Attorney General’s Opinion is a good reminder that “inferences” are specifically identified under the definition of “personal information,” the Attorney General’s Opinion also provides insight into what types of inferences must be disclosed and what types of information can be withheld.

What is an “internally generated inference”? Businesses seeking an answer to this question must first understand the main purpose of the CCPA.

Businesses covered by the CCPA must disclose collected consumer personal information

The primary purpose of the CCPA is to provide California residents the right to know what “personal information” companies collect and to have some level of control over what companies do with it. “Personal Information,” broadly defined by the CCPA, includes multiple items such as names, aliases, addresses, or social security numbers. Other examples include information about education, employment, banking, credit, biometric data, or consumer geolocation data. Interestingly, and probably one of the most relevant in relation to the Attorney General’s opinion, the CCPA also covers consumer interactions with websites, such as browsing history and search history. CCPA-covered businesses must disclose the information about a consumer that the business can see with its own eyes. But what about the assumptions drawn from this personal information?

An “internally generated inference” is personal data that the business assumes about a consumer

Pregnancy prediction is a notable example of an “internally generated inference”. In 2012, The New York Times reported that one company could and did accurately predict whether a consumer was pregnant based on a consumer’s shopping behavior. In other words, the consumer never told the company that she was pregnant. Instead, the company assigned consumers a “Pregnancy Prediction” score based on whether they bought or didn’t buy 25 products. Based on this score, the company could target the consumer with pregnancy-related ads and coupons. While a pregnancy conclusion is an extreme example, data analysis can accurately predict several other consumer characteristics, such as a consumer’s political party and voting behavior, whether a consumer wants to buy a home, or whether an employee is allegedly about to be fired. The Attorney General’s Opinion is a reminder that these types of conclusions must, in general, be disclosed to consumers.

Most conclusions must be disclosed, but not all

While companies should err on the side of disclosure, the Attorney General suggested that not all conclusions need to be disclosed. In particular, the Attorney General explained that inferences used “for reasons other than predicting, targeting or influencing consumer behavior” do not have to be disclosed. As an example, the Attorney General found that if a business uses multiple pieces of personal information to derive a consumer’s zip code to facilitate a transaction, and the business deletes the zip code after the transaction is complete, the business would not need to disclose that it has derived the zip code of the consumer. Keep in mind, however, that to derive the zip code the company likely collected various other personal information that would need to be disclosed.

Whether the conclusion was drawn from public or private information is irrelevant

Whether the company uses private information, public information, or a combination of both, the conclusions drawn from the information must be disclosed. Businesses must treat the conclusion as a separate category of “personal information.”

Companies are not required to disclose trade secrets

Some companies might claim that a conclusion made about a consumer falls within the definition of a trade secret. While the Attorney General did not comment on whether such an inference constitutes a trade secret, the Attorney General noted that the CCPA does not require companies to disclose the method used to reach the inference. Should a business decide to take the position that a conclusion about a consumer qualifies as a trade secret, it must be prepared to seek relief in a court of law by providing a detailed description of why the conclusion should be classified as such. The court would likely balance the interests of the individual consumer, or of consumers in general, with the interests of the business in protecting the information in question.

What’s next and what should companies do to prepare?

While amendments to the CCPA come into effect on January 1, 2023 via the California Privacy Rights Act (CPRA), the Attorney General pointed out that his opinion on “internally generated conclusions” will not change with the implementation of the CPRA. With this in mind, we recommend that businesses covered by the CCPA take the following steps: (1) conduct a complete and thorough data inventory, which includes cataloging inferences about employees, job applicants, and all other consumers, and (2) have an attorney review and update your company’s “Notice at Collection” made available to employees, job applicants and all other consumers.
