California AG says “inferences” are personal information. Here’s why that matters

Things are getting personal in California.

In a move that could strengthen California’s privacy laws, assumptions or “inferences” a company makes about someone based on their digital footprint are considered “personal information,” according to an opinion issued by California Attorney General Rob Bonta earlier this month, meaning that internally generated inferences about a consumer must be disclosed to Californians if requested.

The opinion has clarified and strengthened the “right to know” aspect of the California Consumer Privacy Act (CCPA), signed into law in 2018 and put into effect on January 1, 2020, and is the first comprehensive privacy law at the state level in the country.

• California has since doubled down, with a ballot measure that passed in 2020, Proposition 24, or the Consumer Privacy Rights Act, which further strengthens the original law. It goes into effect in 2023.

Broadly speaking, the CCPA gives Californians the right to know what personal information is collected about them by businesses and how it’s used (advertising, it’s pretty much always advertising), giving them the opportunity to opt out of having it sold or shared. They can also request that it be deleted.

FWIW: The CCPA considers information that “could be reasonably linked, directly or indirectly, with a particular consumer or household” as personal. Crucially, data that is “deidentified” and “aggregate consumer information” is exempt.

Bonta’s opinion is written in response to a request made by California Assemblymember Kevin Kiley, who asked if a consumer’s right to know what info has been collected about them includes “internally generated inferences.”

According to Bonta’s interpretation of the law, the answer is yes. Under the CCPA, “inferences drawn from any of the information identified…to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are defined as personal information and therefore must be disclosed to consumers if they ask.

Uh, in English: If a company knows you’re a 40-year-old Santa Monica resident shopping for sandals online and that most people between the ages of 35 and 50 in California who buy sandals also buy sunscreen, it can assume you might be interested in sunscreen and target you with a relevant advertisement. That assumption would be considered personal information under the CCPA.

It gets chilling quickly if you consider people searching for anything related to a medical condition, as a company could assume a person has diabetes based on their browsing history, “regardless of whether that’s true or not, because you as a customer don’t have insights into their algorithm,” said Ana Milicevic, principal and co-founder of Sparrow Advisers. “It’s a chain of powerlessness from a consumer perspective that’s propagating.”

• The OAG cited research that found that with just “four points containing a timestamp and location taken from cell-phone data,” researchers could track 95% of people. Another study found that spending behavior could be predicted by tracking cell-phone use.

Still, this is a non-binding opinion, explained Usama Kahf, a partner and privacy attorney at Fisher Phillips. Anyone, either advertisers or data brokers, could challenge it, ultimately leaving it to the courts to decide.

That being said, the CCPA is pretty explicit, dictating that in addition to notifying consumers of data collection and its potential usage, consumers have the right to be notified of the categories of personal information companies are collecting when or before they even do so.

“Before you collect my data, you’ve got to tell me what you’re collecting, [and] where you’re going to use it,” he told Marketing Brew.

Sympathy for algorithmic destruction

Related, unrelated: Earlier this month, the Federal Trade Commission found that WW, formerly known as Weight Watchers, was illegally collecting data on kids under 13. As part of a settlement, the FTC ordered WW to delete any algorithms built using that data.

This kind of enforcement is known as algorithmic destruction, or disgorgement, the greatest album Metallica never made. Children are specifically protected under the Children’s Online Privacy Protection Act (COPPA), one of the only federal privacy laws that exist.

What the heck does this have to do with California? There are only so many ways to enforce privacy laws. Under the CCPA, the Attorney General’s office can seek civil penalties of $2,500 for each violation and $7,500 for each “intentional” violation. With the FTC showing an interest in “algorithmic destruction,” could states potentially take a similar approach? 

“That would be an overreach in terms of potential remedies, but it’s quite possible,” said Kahf, emphasizing that the main agency responsible for enforcement is still being built. “It’s a lot of shooting from the hip at this point.”