CA AG Issues Interpretation of CCPA Re: Data Collectors’ Internally Generated Personal Information

On March 10, 2022, the California Office of the Attorney General (“CA AG”) issued an opinion (20-303) that the California Consumer Privacy Act’s (“CCPA”) provision mandating that consumers be informed, upon request, regarding the specifics of the personal information collected and stored by an organization applies to “internally generated inferences” that the business holds from internal or external information sources.

According to the CA AG, the definition of “inference” under the CCPA is “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” The CA AG warns that in each of the examples it has examined, “seemingly innocuous data points, when combined with other data points across masses of data, may be exploited to deduce startlingly personal characteristics.” Such information as a person’s personal information like their date and place of birth, as well as their habitual phone practices or social media, may be used to make specific and sensitive consumer predictions and inferences.

Additionally, when a consumer requests disclosure of the consumer's personal information, the company must disclose all information retained, regardless of the source of information. As such, “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.”

The only way that a covered entity can avoid the disclosure requirements is if the entity can demonstrate that applicability of a statutory exception. The CA AG clarifies that the covered entity will not be required to disclose trade secrets in response to a consumer’s request for information.