Employee Benefits Compliance

California Consumer Privacy Act (CCPA) Covered Businesses Must Disclose Most Inferences Drawn from Consumers’ Personal Information

Originally published by Fisher Phillips (authors: Usama KahfAndrew Wellman) the Leavitt Group preferred partner for employment law. Some content by Leavitt Group.

While it is clear that the California Consumer Privacy Act (CCPA) imposes certain disclosure obligations on businesses regarding  personal information collected about consumers, businesses often forget that they also have certain disclosure obligations regarding information created by the business about consumers.

On March 10, 2022, the California Attorney General issued an opinion clarifying whether consumers, under the CCPA, have the right to know about “internally generated inferences” created by businesses from either internal or external information sources. In short, the California Attorney General opined that consumers do have the right to know about inferences made about them. While the Attorney General’s opinion is a good reminder that “inferences” are explicitly identified under the definition of “personal information,” the Attorney General’s opinion also provides insight on what types of inferences must be disclosed and what types of information can be withheld.

What are “internally generated inferences?” Businesses seeking the answer to this question must first understand the primary purpose of the CCPA.

CCPA Covered Businesses Must Disclose Collected Consumer Personal Information

The primary purpose of the CCPA is to provide California residents the right to know what “personal information” businesses collect and to have some level of control over what businesses do with it.

“Personal information,” broadly defined by the CCPA, includes:

  • Names / Aliases,
  • Addresses,
  • Social security numbers,
  • Information regarding consumers’ education,
  • Employment,
  • Banking,
  • Credit,
  • Biometric data, or,
  • Geolocation data.

Interestingly, and likely one of the most relevant in regard to the opinion issued by the Attorney General, the CCPA also covers consumers’ interactions with websites, such as browsing history and search history. CCPA covered businesses must disclose the information about a consumer that the business can see with its own eyes. But what about the assumptions drawn from that personal information?

An “Internally Generated Inference” is Personal Information that the Business Assumes About A Consumer

Pregnancy prediction is one notable example of an “internally generated inference.” In 2012, The New York Times reported that a company could, and did, accurately predict whether a consumer was pregnant by the consumer’s shopping patterns. In other words, the consumer never told the business that she was pregnant. Instead, the business assigned a “pregnancy prediction” score to consumers based on the purchase or non-purchase of 25 products. Based on that score, the company could target the consumer with pregnancy related advertisements and coupons. While a pregnancy inference is an extreme example, data analytics can accurately predict several other consumer characteristics, such as a consumer’s political party and voting behavior, whether a consumer is seeking to purchase a home, or purportedly whether an employee is about to resign. The Attorney General’s opinion is a reminder that these types of inferences generally must be disclosed to consumers.

Most Inferences Must be Disclosed, But Not All

While businesses should err on the side of disclosing, the Attorney General suggested that not all inferences must be disclosed. Specifically, the Attorney General stated that inferences being used “for reasons other than predicting, targeting, or affecting consumer behavior” need not be disclosed. As an example, the Attorney General noted that if a business uses several pieces of personal information to infer a consumer’s zip code for purposes of facilitating a transaction, and the business deletes the zip code after completion of the transaction, the business would not have to disclose that it inferred the consumer’s zip code. However, to infer the zip code, keep in mind that the business likely collected various pieces of other personal information that would have to be disclosed.

Whether the Inference Was Drawn from Public or Private Information is Irrelevant

Regardless of whether the business uses private information, public information, or a combination of both, the inference drawn from the information must be disclosed. Businesses must treat the inference as a separate category of “personal information.”

Businesses Are Not Required to Disclose Trade Secrets

Some businesses might contend that an inference drawn about a consumer falls within the definition of a trade secret. While the Attorney General did not opine on whether such an inference constitutes a trade secret, the Attorney General opined that the CCPA does not require businesses to disclose the method used to draw the inference. Should a business decide to take the position that an inference drawn about a consumer qualifies as a trade secret, businesses must be prepared to seek relief from a Court by providing a detailed description explaining why the inference qualifies as such. The Court would likely weigh the interests of the individual consumer/consumers in general with the interests of the business in protecting the information at issue.

What’s Next and What Should Businesses Do to Prepare?

While amendments to the CCPA will become operative on January 1, 2023 via the California Privacy Rights Act (CPRA), the Attorney General indicated that his opinion regarding “internally generated inferences” will not change with the implementation of the CPRA. In light of this, we recommend that CCPA covered businesses take the following steps: (1) conduct a full and thorough data inventory, which would include cataloging inferences made about employees, job applicants, and all other consumers, and (2) have an attorney review and update your businesses’ “Notice At Collection” that is provided to employees, job applicants, and all other consumers.

If you’re unsure whether your business collects personal information, including by your businesses’ use of “internally generated inferences,” contact your Leavitt Group representative who can connect you to Fisher Phillips for a special arrangement available to Leavitt Group clients. At Leavitt Group, we are your Trusted Advisors for all of your insurance and compliance needs. Let us help!