720-891-1663

Return to list of client alerts

An Inference is PII – Even from Public Information

The California Consumer Privacy Act or CCPA gives consumers rights regarding their data. Among these rights are the right to get a copy of the data you, as a business, have collected about them.

The law says this includes “inferences drawn from any of the information” listed in the definition of personal information when these inferences are used to create a profile about a consumer – say that a person is pregnant and therefore they would be shown pregnancy related ads.

But when money is involved, the lawyers get creative. Specifically, is an inference that a company creates internally, as opposed to getting from another data source – does that count as “collected“. Also, what if those inferences are drawn from public records – say property ownership rolls. Since public information is excluded from what companies need to disclose to consumers, are inferences made internally from those public records disclosable?

The California AG has cleared up this question.

The opinion resolves this issue and states that in response to specific consumer requests, businesses must disclose any inferences that the business has drawn about the consumer based on information that the business has collected about the consumer—regardless of whether such information was collected directly from the consumer or from other sources and regardless of whether such sources were public or private entities. Moreover, the business cannot withhold such inferences by merely asserting that they constitute “trade secrets.”

https://www.dwt.com/blogs/privacy–security-law-blog/2022/03/california-ccpa-inferences-disclosures

If the inference is not drawn from personal information, then it doesn’t have to be disclosed. So what categories of information are considered personal? Here is the list:

  • Identifiers;
  • Customer records;
  • Characteristics of protected classification under California or federal law;
  • Commercial information (including personal property or other products or services purchased, obtained, or considered);
  • Biometric information;
  • Browsing history and other online electronic network activity;
  • Geolocation data;
  • Audio, electronic, visual, and similar information;
  • Professional or employment-related information;
  • Education information; or
  • Sensitive personal information (as of January 1, 2022, when the CPRA becomes effective)

So to clarify things. If an inference is drawn from personal information, the inference is considered personal information.

We are going to see a lot more of these interpretations in the next months and years, so keep track of them. Credit: Davis Wright Tremaine LLP

Copyright © 2024 CyberCecurity, All rights reserved. Privacy Policy