The California AG recently issued an opinion interpreting the scope of information that should be provided to consumers in an access request. In responding to access requests, companies must provide a list of all personal information that it has about that consumer. The AG opinion clarifies that inferences a company draws from personal information should be included in such a response.
The CCPA defines inferences as the “derivation of information, data, assumption, or conclusions from facts, evidence, or another source of information or data.” For example, if a consumer indicates that they pay homeowner taxes, a company would likely conclude that the consumer is a homeowner. Or, if a consumer purchases an “I voted” shirt a company may conclude that the consumer is a likely voter. The AG provides a two-step test to help determine what information is an inference. First, is the information derived from personal information? If yes, and the company can use this information to create a profile about the consumer, or to predict a characteristic, then that information is an inference. Companies are not required to disclose the inputs or algorithms that form the inferences. Notably, the AG stated that even if the underlying information is exempt from disclosure (for example, the original data was not personal information since it was publicly available), the inference of this information will be subject to an access request.
Putting it Into Practice. Businesses subject to the CCPA (and the forthcoming CPRA) should revisit their individual rights request policies and procedures. Specifically, to verify that inferences are being included when responding to an access request.