On March 10, 2022, California Attorney General Rob Bonta released an opinion about a business’s disclosure requirements for “inferred data” (also termed “internally generated inferences”) within the context of an individual’s right of access request (“Data Subject Access Request” or “DSAR”).
The California Consumer Privacy Act (CCPA) defines “inferred data” as “[i]nferences drawn from any [consumer personal] information to create a profile about a consumer reflecting the consumer’s preference, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”2
Initially, inferred data was not included as a data element in a DSAR because the language of CCPA only required a business to disclose personal information it collected from a consumer –– not inferred data that the business gleaned from the collection of that data.
The relevant CCPA DSAR clause states a consumer has a right to know “[t]he specific pieces of personal information [the business] has collected about that consumer (emphases added).”3 CCPA’s definition of “collects” as does not include inferred data elements.4 The language “it has collected” implied that businesses were only required to disclose personal data that it collected from a consumer. Therefore, the plain language of the statute was interpreted as not requiring businesses to disclose their internally generated inferred data in DSARs.
Then, the California Attorney General published his opinion on whether businesses subject to CCPA must include inferred data when a consumer submits a DSR. Citing legislative history, technological advancements, and the unsettling Facebook-Cambridge Analytica occurrence involving the 2016 presidential election, the resounding decision was yes –– with limited exceptions, including trade secret protection.5
This article focuses on the trade secret portion of the Attorney General’s opinion and advocates for the treatment of inferred data elements as protectible trade secrets.
Should Inferred Data Elements be Protected Trade Secrets?
The California Attorney General noted that while the algorithm a business uses to derive its inferences might be a protected trade secret, the CCPA only requires a business to disclose the product of its algorithm.
Under California’s adoption of the Uniform Trade Secret Act, inferred data elements should be considered trade secrets because (1) they are not readily ascertainable to competitors; (2) they confer a competitive advantage to a business because inferred data elements enhance a user’s experience and engagement with the business by curating applicable content to users, such as recommending new music based on previous listening history; and (3) their secrecy is maintained by a business from disclosure to outside sources. Importantly, the secrecy element is not forfeited when the holder discloses its trade secret to another when such customer data is protected by confidentiality provisions. Therefore, even though a business may share customer data with a third party, such customer data maintains its secrecy because it is subject to confidentiality protections in a data processing agreement.6
Trade secrets can be customer lists, processes, computer software or commercial methods. Neither reverse engineering nor independent derivation alone are considered misappropriation of a trade secret through improper means.6
Even if inferred data elements are not protected trade secrets, a business’s algorithm could be in jeopardy considering the broad scope of a DSAR disclosure. If a business is required to disclose specific data elements and inferred data elements, a data subject (albeit one with nefarious intentions) could reverse engineer a business’s algorithm to deduce inferred data elements from the specific data elements. A business could not successfully sue this malicious data subject because reverse engineering is not misappropriation by improper means. Admittedly, this scenario would be uncommon, but it is not inconceivable.
The California Attorney General recognized how a business’s trade secrets could be in jeopardy, but he did not opine on how a business would defend its trade secret. He wrote, “[i]t is beyond the scope of this opinion to address whether any particular kind or class of internally generated inference might be protected from disclosure because it constitutes a trade secret.”7 This is hardly persuasive. It is entirely within the scope of his opinion to address how a business can protect its trade secrets while disclosing inferred data in a DSAR, yet the Attorney General does not.
The Attorney General merely instructs a business what it cannot do when invoking a trade secret exemption to a DSAR. A business that withholds inferences on the basis that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets. Businesses are left to their own devices to determine how it will protect its trade secrets while complying with CCPA. It is likely that a business must seek relief from a court by providing a description of why an inference qualifies as a trade secret, and the court will likely balance the interests of the consumer with that of the business’s right to protect the information. This result is overly litigious and should not be encouraged.
Thus, a business is left with two options. First, fulfill the DSAR pursuant to the California Attorney General’s opinion, but risk exposure to its algorithm. Second, withhold inferences in a DSAR, and risk a non-compliance notice from the California Attorney General or risk legal fees while it seeks judicial relief.
However, other options could be available. First, the CCPA could mandate that inferred data be destroyed rather than disclosed. Theoretically, this would protect the business from trade secret disclosure, and the consumer would no longer be profiled by the business. Second, the CCPA could mandate for an individual to choose whether she wanted access to specific data elements or inferred data elements, but not both sets of data within one year. Theoretically, most individuals are likely more concerned with inferred data elements than specific data elements, so opting for such disclosure would promote a consumer’s privacy rights and mitigate reverse engineering concerns.
Although the inclusion of inferred data in a DSAR is a win for privacy proponents, businesses must be permitted to protect their trade secrets. The California Attorney General’s opinion hinders a business’s ability to protect its trade secrets. The CCPA explicitly exempts trade secret disclosures, and the Attorney General all but nullifies the trade secret exemption from a DSAR. Thus, California Attorney General Rob Bonta should publish a second opinion regarding additional measures a business can take to protect its trade secrets while disclosing inferred data to consumers upon their submission of a DSAR.
- Joseph Riley Sell is a J.D. and Privacy Law Certificate Candidate for the Class of 2022 at Santa Clara University School of Law.
- Cal. Civ. Code § 1798.140(v)(1)(K)
- Id. at § 1798.110(a)(1).
- Id. at § 1798.140(e).
- OAG Opinion No. 20-303.
- Uniform Trade Secrets Act; Cal. Civ. Code § 3426.1(d)(2)
- OAG Opinion No. 20-303 at 14.