Privacy & Information Security Law Blog

On March 10, 2022, in its first formal written opinion interpreting the California Consumer Privacy Act’s (“CCPA’s”) compliance obligations, the California Attorney General (“AG”) confirmed that the CCPA grants a consumer the right to access inferences drawn from personal information collected about the consumer, even if such inferences are generated by the business (unless the business can demonstrate that a statutory exception to the CCPA applies). The opinion also makes clear that the CCPA does not require businesses to disclose trade secrets in response to access requests. The decision interprets the CCPA’s existing language, as opposed to creating new obligations with respect to access requests made pursuant to the CCPA.

The opinion makes a distinction between inferences used to “create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” versus inferences not used to create such a profile. Pursuant to the CCPA’s definition of “personal information,” only the former is considered an “inference” and subject to disclosure in response to an access request; inferences drawn for purposes not related to profiling are not subject to the CCPA’s requirements.

Notably, the decision held that even if the underlying information used to create the inference is exempt from disclosure (e.g., because the data is “publicly available”) the inference itself is a separate piece of personal information that must be disclosed to the consumer (unless it separately falls under an exemption to the CCPA).

As noted above, the opinion makes clear that the CCPA does not require businesses to disclose trade secrets. The opinion does, however, caution that a business must explain the basis of its denial of an access request with respect to trade secrets.  The opinion further notes that, under the California Uniform Trade Secrets Act, the burden is on the trade secret holder to prove the existence of a trade secret.

The opinion also makes clear that the upcoming effective date of the California Privacy Rights Act will not change the AG’s conclusions on this matter.

Read the opinion here.