CA Opinion No. 20-303 2022-03-10

Under California's privacy law, can a consumer demand to know the inferences a business has made about them, like 'likely voter' or 'pregnant'?

Short answer: Yes. Under the California Consumer Privacy Act, internally generated inferences (like 'married,' 'homeowner,' or 'likely voter') a business has made about a consumer are personal information and must be disclosed on request, unless the business can prove they qualify as trade secrets.
Disclaimer: This is an official California Attorney General opinion. AG opinions are persuasive authority but not binding precedent. This summary is for informational purposes only and is not legal advice. Consult a licensed California attorney for advice on your specific situation.

Plain-English summary

The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 2020, lets California consumers ask covered businesses what information they hold about them. Assemblymember Kevin Kiley asked whether that "right to know" reaches the inferences a business derives, things like "likely voter," "pregnant," "homeowner," or "online shopper" that a business deduces from other data points to build a profile of the consumer.

Attorney General Rob Bonta said yes. The CCPA's definition of "personal information" in Civil Code section 1798.140(o)(1)(K) explicitly includes "[i]nferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes." That makes inferences themselves a category of personal information, regardless of whether the business generated them in-house, bought them from a data broker, or scraped them from public records. The right to know, in section 1798.110(a), reaches all personal information collected "about" the consumer, not just information collected from the consumer.

The opinion does carve out trade secrets. The CCPA's section 1798.145(a)(1) preserves businesses' ability to comply with state and federal laws, including the California Uniform Trade Secrets Act. The AG distinguished between the inference itself (the conclusion about a specific consumer, which is disclosable) and the algorithm or proprietary process that generated it (which may be a trade secret protected from disclosure). A business that withholds an inference on trade-secret grounds bears the burden to establish the trade secret with reasonable particularity, not just label its work product proprietary.

The 2020 voter-approved Consumer Privacy Rights Act (CPRA), now the operative version of the law, did not change this analysis.

What this means for you

Verify that the cited Civil Code sections have not been amended since 2022 (the CPRA changes that took effect in 2023 are highly relevant) before relying on a specific procedure.

If you are a California consumer

You can ask any covered business (one that has gross revenues over $25 million, processes the personal information of 50,000+ people, or derives 50% of revenue from selling personal information) for the specific pieces of personal information it has collected about you, and that includes the inferences it has drawn. The business has 45 to 90 days to respond, must provide as much as it can even if it cannot give you everything, and must explain its basis if it denies any part of the request. A blanket "trade secret" or "proprietary information" denial is not enough.

If you run a CCPA-covered business

Build your right-to-know response to include inferences. The audit you do for a request should sweep your customer profile system, your CRM tags, your behavioral segments, your model outputs, and any third-party-acquired enrichment data. You can withhold information that constitutes a trade secret, but you have the burden to establish that the specific inference (not just your overall scoring system) is itself a trade secret under Civil Code section 3426.1. A categorical refusal will not survive the AG's enforcement scrutiny or a private suit.

If you are a data broker or build inference models for sale

The opinion is not limited to internally generated inferences. The AG was explicit: "it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business's own invention, or any combination thereof." Customer-facing businesses that buy inference data from you may need to disclose those inferences to consumers, which has knock-on effects for your contracts, your downstream attribution, and the contractual flow of disclosure obligations.

If you are a privacy officer building or revising a CCPA disclosure workflow

Make the inference disclosure mechanically straightforward. The CCPA regulations expect responses to be easy to read and understandable, not raw database dumps. Build presentation templates that label inferences in plain language ("we have categorized you as: likely homeowner, household income $75K-$100K, parent of school-age children") and explain at the category level where the inference came from. Keep your trade-secret claims targeted: identify the specific element you are withholding and the specific reason it qualifies as a trade secret.

Common questions

Q: What is an "inference" under the CCPA?
A: Civil Code section 1798.140(m) defines "inference" as "the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data." In practice, it is a deduced characteristic ("likely voter," "homeowner," "in-market for a car," "interested in fitness") that a business derives from other data points the business has collected.

Q: Does the CCPA right to know cover inferences from public records?
A: The underlying public record itself may be excluded from the personal information definition, but the inference drawn from public information is still disclosable. The AG made the distinction explicit: even if the public information itself need not be disclosed, the inference must be.

Q: Can a business refuse to disclose its scoring algorithm?
A: Yes. The algorithm or process used to derive inferences is a separate question from the inferences themselves. If the algorithm is a protected trade secret under California's Uniform Trade Secrets Act, the CCPA does not require disclosure. The business must still produce the resulting individual-level inference about the consumer.

Q: What if the business sold the inference to a third party already?
A: The CCPA's separate "right to know what is sold or shared" (section 1798.115) covers transferred information, including inferences. The right to know what the business currently holds (section 1798.110) covers what is still in the business's possession.

Q: Did the 2020 Consumer Privacy Rights Act change this analysis?
A: No. The AG explicitly noted that the CPRA's amendments to the CCPA do not change the conclusion about inferences. The CPRA's main contributions were a separate rulemaking agency (the California Privacy Protection Agency), expanded protections for sensitive personal information, a right to correct inaccurate personal information, and additional restrictions on how long businesses can retain data.

Q: How long does a business have to respond to a right-to-know request?
A: 45 days under section 1798.130(a)(2), with a permissible extension to 90 days for good cause.

Background and statutory framework

The CCPA was the first comprehensive state consumer privacy law in the country. It traces its origins to the Cambridge Analytica scandal and a 2018 California ballot measure that the Legislature preempted by enacting the CCPA itself. The law took effect January 1, 2020, with Attorney General enforcement authority kicking in July 1, 2020. In November 2020, voters approved Proposition 24 (the Consumer Privacy Rights Act), which amended and built on the CCPA and took full effect January 1, 2023.

The CCPA's core consumer rights are:

  • Right to know: what personal information a business collects, how it uses it, and to whom it discloses it (sections 1798.100, 1798.110, 1798.115)
  • Right to delete: with statutory exceptions for operational and legal necessity (section 1798.105)
  • Right to opt out of sale: via a "Do Not Sell My Personal Information" mechanism (section 1798.120)
  • Right to non-discrimination: consumers who exercise CCPA rights cannot be charged different prices or given different service (section 1798.125)

"Personal information" is defined in section 1798.140(o) to include 11 enumerated categories: identifiers, customer records, characteristics of protected classifications, commercial information, biometric information, online activity, geolocation, audio/visual/thermal/olfactory information, professional/employment, education, and inferences drawn from any of the above. The definition expressly excludes "deidentified" information and "aggregate consumer information."

Section 1798.145 contains carve-outs that preserve the business's ability to comply with other laws, cooperate with law enforcement, exercise legal claims, and handle deidentified information. Subdivision (a)(1) is the trade-secret hook the AG used: it preserves compliance with state and federal laws, which includes California's Uniform Trade Secrets Act in Civil Code section 3426.1 et seq.

The AG also relied on the legislative history of the CCPA, which specifically referenced the Cambridge Analytica scandal and the use of derived inferences to target political advertising during the 2016 presidential election. The Senate Judiciary Committee's analysis of the CCPA bill cited those practices as evidence of why consumer control over inferences was central to the legislative design.

Citations and references

Statutes:
- California Civil Code section 1798.100 et seq. (CCPA)
- California Civil Code section 1798.140(o) (definition of "personal information")
- California Civil Code section 1798.140(m) (definition of "inference")
- California Civil Code section 1798.110 (right to know)
- California Civil Code section 1798.130 (response procedures and timing)
- California Civil Code section 1798.145(a)(1) (trade secret/legal compliance carve-out)
- California Civil Code section 1798.155 (enforcement)
- California Civil Code section 3426.1 (Uniform Trade Secrets Act)
- California Code of Regulations, title 11, sections 999.300 to 999.341 (CCPA regulations)
- California Government Code section 12519 (Attorney General opinion authority)
- HIPAA, 42 U.S.C. section 1320d
- Gramm-Leach-Bliley Act, 15 U.S.C. sections 6801-6809
- Children's Online Privacy Protection Act, 15 U.S.C. sections 6501-6506

Cases:
- In re: Facebook, Inc. Consumer Privacy User Profile Litigation, 402 F.Supp.3d 767 (N.D. Cal. 2019) (Cambridge Analytica context)
- Dyna-Med, Inc. v. Fair Employment & Housing Com., 43 Cal.3d 1379 (1987) (statutory interpretation)

Original opinion text

TO BE PUBLISHED IN THE OFFICIAL REPORTS
OFFICE OF THE ATTORNEY GENERAL
State of California

OPINION
of
ROB BONTA
Attorney General
SUSAN DUNCAN LEE
Deputy Attorney General


No. 20-303
March 10, 2022

THE HONORABLE KEVIN KILEY, ASSEMBLYMEMBER, has requested an opinion on a question of law arising under the California Consumer Privacy Act of 2018.

QUESTION PRESENTED AND CONCLUSION

Under the California Consumer Privacy Act, does a consumer's right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?

Yes, under the California Consumer Privacy Act, a consumer has the right to know internally generated inferences about that consumer, unless a business can demonstrate that a statutory exception to the Act applies.

BACKGROUND

The California Consumer Privacy Act of 2018 (Civil Code, sections 1798.100 et seq.) is the first law of its kind in the nation. It allows consumers in California the ability to find out what information a covered business is holding about them, and to opt out of certain transfers and sales of their personal information.

The question before us asks for clarification of one of the provisions in the CCPA, having to do with the consumer's right to request and receive specific pieces of information collected about them. Before we proceed with a detailed analysis of the question, however, we will take a moment to introduce the general contours of this statutory scheme.

How the CCPA Came To Be

Information privacy law has been developing for decades in the United States, along with the development of internet commerce. In 1998, the Federal Trade Commission published a report titled "Privacy Online: A Report to Congress," which noted that "[g]overnment studies in the United States and abroad recognize certain core principles of fair information practice, widely accepted as essential to ensuring fair collection, use, and sharing of personal information in a manner consistent with consumer privacy interests." Those core principles are: notice, choice, access, security, enforcement, and parental controls for children's information.

For the next 20 years, information privacy law developed largely on a sector-by-sector basis, with federal statutory schemes designed to regulate the information practices of entities holding large amounts of sensitive consumer information. Well-known examples of such programs include the Health Insurance Portability and Accountability Act, governing information practices of health care providers and insurers; the Gramm-Leach-Bliley Act, governing information practices of financial institutions; and the Children's Online Privacy Protection Act, governing the use of information collected from children under 13. Despite these statutory schemes, more than eight in ten adults in the United States feel they have little or no control over the information collected about them online, according to a 2019 poll by the Pew Research Center.

Starting in 2014, a British political consulting firm called Cambridge Analytica (now defunct) surreptitiously obtained personal information about roughly 87 million Facebook users. Cambridge Analytica then used the information to send targeted political messages during the 2016 presidential campaign. When Cambridge Analytica's conduct began receiving significant press coverage in 2018, there arose a public perception that the time had come to give consumers greater control over the privacy of their personal information. In this environment, and hard on the heels of the European Union's adoption of a privacy-protective general regulation, advocates in California proposed a comprehensive consumer-privacy ballot measure for the November 2018 ballot. After the proposal gathered momentum, as well as enough signatures to qualify for the ballot, the California Legislature stepped in, proposing legislative action to take the place of the citizens' initiative. The resulting bill became the CCPA. A series of amendments to the statute were adopted late in 2018.

Subsequently, in November 2020, voters approved the Consumer Privacy Rights Act of 2020, amending and building on the CCPA. The CPRA will become fully operative on January 1, 2023. None of the amendments to the CCPA introduced by the CPRA changes the conclusions presented in this opinion.

Relevant Provisions of the CCPA

The CCPA applies to businesses that collect information from consumers in California and that either: have gross revenues exceeding $25 million a year; buy, receive, or share for commercial purposes the information of 50,000 or more people a year; or derive 50 percent or more of their annual revenue from selling consumers' personal information. The CCPA defines "personal information" as including "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The definition exempts information that is "deidentified," as well as "aggregate consumer information," thus creating a powerful incentive for businesses to store information in forms that reduce the risk of exposing individual consumers' personal information.

The definition of "personal information" is broad, specifically including personal identifiers (such as name, date of birth, Social Security number), as well as information about education, employment, travel, health, credit, banking, Internet Protocol addresses, online transactions, online searches, biometric data, or geolocation data. Most relevant to our present purposes, the definition also includes "inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."

The CCPA endows California residents with new rights of control over the personal information that covered businesses hold about them. California consumers now have:

  • The right to know what personal information a business collects about them, and how the business uses and shares that information.
  • The right to delete the personal information that a business collects from them (with specified exceptions for operational and legal necessity).
  • The right to opt out of the sale of their personal information.
  • The right to non-discrimination, meaning that consumers who exercise their rights under the CCPA are entitled to receive the same service and price as consumers who do not.

Businesses have corresponding duties. First, a business must provide notice of what categories of personal information it will collect about the consumer and of the purposes for which that information will be used. This notice must be provided at or before the point at which the business collects information from the consumer. If the business sells personal information, then the notice at collection must include a "Do Not Sell My Personal Information" button that allows consumers to opt out of the sale of their personal information. A business's privacy policies must inform consumers of their rights to know, to delete, to opt out, and not to be discriminated against. Businesses must provide fresh notices to consumers when their information practices change.

Businesses have a duty to respond to verifiable consumer requests within 45 to 90 days. If a business is unable to comply completely with a request, it is still obliged to provide as much information as it can. For instance, if a business cannot provide specific pieces of information to the consumer, it must provide information about the categories of information it collects. If a business cannot provide either specific or category information to the consumer, it must refer the consumer to its privacy policy. Furthermore, if a business denies a consumer's request to know "in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA," the business must explain the basis for its denial.

There are a number of significant exceptions to the CCPA. First, the CCPA does not apply to government entities or nonprofit organizations, and excludes information that is freely available from government sources, such as vital statistics, real estate records, and professional licenses. The CCPA also contains a set of nuanced exceptions for certain categories of information, such as medical records, credit reporting, banking, and vehicle safety records, that apply when the information is governed by another privacy-protecting statute.

Section 1798.145 also incorporates carve-out provisions designed to relieve businesses from undue burdens and common legal binds:

(a) The obligations imposed on businesses by this title shall not restrict a business' ability to:

(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry . . .
(3) Cooperate with law enforcement agencies . . .
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell, or disclose information that is deidentified . . .
(6) Collect or sell a consumer's personal information if every aspect of that conduct takes place solely outside California. . . .

Some of these provisions are relevant to our analysis of the question, below.

Regulation, Enforcement, and the Future of the CCPA

The Legislature enacted the CCPA late in 2018 and the statute became operative January 1, 2020. The delayed operative date allowed time for the business community and privacy professionals to adjust to the new rules and for the administrative rulemaking process to run its course. The Legislature adopted a number of amendments to the Act before it became operative.

The CCPA directed the Attorney General to adopt regulations by July 1, 2020, as needed to address an extensive list of issues including refining definitions and establishing procedures for businesses to verify and comply with requests. Most relevant for present purposes is the provision authorizing the Attorney General to establish "any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights."

Throughout 2019 and well into 2020, the Department of Justice gathered and analyzed a mass of information and public comment in preparation for proposing final regulations. The Attorney General submitted proposed regulations and supporting materials to the Office of Administrative Law for its consideration in June 2020, and the regulations became operative on August 14, 2020. A set of amendments to the regulations went into effect March 15, 2021. The regulations do not specifically address the question presented here.

The Attorney General's power to enforce the CCPA took effect on July 1, 2020. The Attorney General has authority to seek injunctive relief and civil penalties, with enhanced penalties for intentional violations of the statute. Consumers have a limited private right of action under the statute for a data breach caused by a business's failure to use reasonable security measures, but not for any other violations of the statute.

The Consumer Privacy Rights Act of 2020, which was approved by voters as Proposition 24 in November 2020, amends and builds on the CCPA. The CPRA goes into effect on January 1, 2023, and enforcement is slated to begin July 1, 2023 under the newly formed California Privacy Protection Agency. The new agency will have rulemaking authority under the CPRA, as well as power to enforce the CPRA through administrative actions. The Attorney General will retain authority to enforce the statute through civil investigative and enforcement powers. The CPRA will adjust the threshold size for businesses covered by the statute, exempting more small businesses going forward. The new law will also expand consumer privacy rights in ways generally consistent with the European Union rules, including enhanced protection for sensitive personal information, and a right to request corrections to inaccurate personal information. The amendments to the CCPA introduced by the CPRA do not change the conclusions presented in this opinion.

ANALYSIS

Introduction

Assemblymember Kiley asks whether a consumer's right to receive the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences. For purposes of the CCPA, "inference" means "the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data." An inference is essentially a characteristic deduced about a consumer (such as "married," "homeowner," "online shopper," or "likely voter") that is based on other information a business has collected (such as online transactions, social network posts, or public records). Some businesses create inferences using their own proprietary methods, and then sell or transfer the inferences to others for commercial purposes. Examples drawn from academic papers in 2018 show that seemingly innocuous data points, when combined with other data points across masses of data, may be exploited to deduce startlingly personal characteristics. Studies show, among other things, that a person's date and place of birth, in combination with public databases, can be used to predict their social security number; phone data can be used to predict friendships with 95 percent accuracy; data about mobile phone behavior (such as running out of battery) can be used to predict credit-worthiness; and Facebook "likes" can be used to predict a wide array of sensitive personal attributes such as age, gender, race, ethnicity, sexual orientation, political views, and personality traits.

As discussed below, the plain language of the statute, as well as the legislative history, persuade us that the CCPA purposefully gives consumers a right to receive inferences, regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source. At the same time, the CCPA does not require businesses to disclose their trade secrets in response to consumers' requests for information.

The CCPA Generally Requires Businesses to Disclose Internally Generated Inferences to Consumers.

As always when we undertake to interpret a statute, we start by examining the text, giving the language its usual meaning in order to understand the intent of the legislators. The words of a statute must be construed in context and sections relating to the same subject must be harmonized to the extent possible. Here, the logical entry point to the text is the CCPA's definition of "personal information." Personal information, as noted briefly above, includes "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." But that is just the beginning of the definition. The section goes on from there to add both breadth and specificity, extending to eleven subparts. The language most relevant to our analysis directs that:

(o)(1) . . . Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

[. . .]

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

This text makes the initial stage of our analysis straightforward. "Inferences" are themselves "personal information" for purposes of the CCPA (and therefore disclosable) when two conditions exist. First, the inference is drawn "from any of the information identified in this subdivision." Second, the inference is used to "create a profile about a consumer," or in other words to predict a salient consumer characteristic.

As to the first condition, an inference must be drawn from "information identified in this subdivision," that is, subdivision (o) of Civil Code section 1798.140. Subdivision (o) identifies a vast array of information, including but not limited to: personal identifiers; customer records; characteristics of protected classifications; commercial information; biometric information; online activity information; geolocation data; "audio, electronic, visual, thermal, olfactory, or similar information"; professional or employment information; education information; and inferences drawn from any of the above.

We can see that this array includes not only information typically obtained directly from consumers (such as address and income), but also many kinds of information that are a matter of public record (such as information on property listings and tax rolls). Subdivision (o) draws no distinction between public and private sources. It follows that, for purposes of responding to a request to know, it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business's own invention, or any combination thereof. If the business holds personal information about a consumer, the business must disclose it to the consumer on request.

We emphasize that, once a business has made an inference about a consumer, the inference becomes personal information, one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer's power of control. Accordingly, inferences satisfy the first condition of the "personal information" inquiry regardless of whether they have been generated internally by the responding business or received from another source.

The second condition of a disclosable inference, that the personal information must be used to "create a profile about a consumer," narrows the set of inferences that must be disclosed. It rules out situations where a business is using inferences for reasons other than predicting, targeting, or affecting consumer behavior. For instance, a business might combine information obtained from a consumer with online postal information to obtain a nine-digit zip code to facilitate a delivery and completion of a particular transaction. But if the zip code is merely deleted and not used to identify or predict the characteristics of a consumer, in our view that would not give rise to a disclosable inference within the meaning of the statute. On the other hand, when a business processes personal information to make an inference about the consumer's propensities, then the inference itself becomes part of the consumer's profile, and must be disclosed.

A business might draw an inference about a consumer based in whole or in part on publicly available information, such as government identification numbers, vital records, or tax rolls. Under the CCPA, the inference must be disclosed to the consumer, even if the public information itself need not be disclosed in response to a request for personal information.

Our reading of the text is confirmed by evidence of legislative purpose. The Senate Judiciary Committee's analysis of the CCPA bill spotlights the Legislature's concern about the exploitive tendencies of collecting masses of information and using it to identify and affect unwitting consumers. The analysis specifically referred to the practices of Cambridge Analytica, in which a certain app, presented to Facebook users as a personality test, was used to gather masses of personal information. The information was then used to draw inferences about millions of individuals, including their political party and voting behavior, and those inferences were used to target political advertising for the purpose of influencing the outcome of the 2016 presidential election.

But Cambridge Analytica is far from the only example of mischief resulting from the creation and use of inferences by businesses. Inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services. In some cases, marketing tactics are so tailored that they feel intrusive or unsettling to consumers. In other cases, consumers may never know that they are being excluded from seeing certain ads, offers, or listings based on discriminatory automated decisions. In almost every case, the source as well as the substance of these inferences is invisible to consumers. In light of all these circumstances, inferences appear to be at the heart of the problems that the CCPA seeks to address.

The Requestor's letter suggests an argument that inferences need not be disclosed to consumers because inferences are information that has been generated internally by a business, not collected from the consumer within the meaning of Civil Code section 1798.110, subdivision (a). That subdivision states: "A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer . . . [t]he specific pieces of personal information it has collected about that consumer." We disagree with that argument.

Tellingly, the CCPA gives consumers the right to receive all information collected "about" the consumer, not just information collected from the consumer. When a business creates (or buys or otherwise collects) inferences about a consumer, those inferences constitute a part of the consumer's unique identity and become part of the body of information that the business has "collected about" the consumer. Thus, in light of the plain meaning of section 1798.140, subdivision (o), inferences must be disclosed to the consumer upon request.

The CCPA Does Not Require Businesses to Disclose their Trade Secrets

The opinion request also suggests that internally generated inferences may constitute a business's intellectual property. A similar concern came up repeatedly during the rulemaking process, with commenters suggesting that disclosure of internally generated inferences could reveal trade secrets. But the Attorney General was not presented with any concrete examples of situations where inferences are themselves trade secrets, or where the disclosure of inferences would expose a business's trade secrets. While the algorithm that a company uses to derive its inferences might be a protected trade secret, the CCPA only requires a business to disclose individualized products of its secret algorithm, not the algorithm itself.

It is beyond the scope of this opinion to address whether any particular kind or class of internally generated inference might be protected from disclosure because it constitutes a trade secret. Under California's Uniform Trade Secrets Act, a trade secret is essentially information that derives independent economic value from not being generally known to the public or others who can obtain economic value from its use or disclosure, and as to which the owner exerts reasonable efforts to maintain secrecy. In order to show the existence of a trade secret, an owner must identify the secret with "reasonable particularity." The Act permits a person to sue for injunctive relief and damages when their protected trade secrets are obtained by "improper means." Under the Act, the burden is on the trade secret holder to prove both the existence of a trade secret, and somebody's use of improper means to obtain it. "Improper means" does not include reverse engineering.

While we cannot answer fact-specific questions about whether particular inferences could be protected as trade secrets, we can answer the general legal question whether the CCPA requires businesses to disclose trade secrets: It does not. We believe the most relevant language is this: "The obligations imposed on businesses by this title shall not restrict a business' ability to: Comply with federal, state, or local laws." The CPRA amends the scope of the Attorney General's rulemaking slightly, to include "any exceptions necessary to comply with state or federal law, including those relating to trade secrets and intellectual property rights . . . with the intention that trade secrets should not be disclosed in response to a verifiable consumer request."

California law protects intellectual property, including trade secrets, as demonstrated by its adoption of the Uniform Trade Secrets Act. The text of both the CCPA and the CPRA contains language indicating an intent to protect intellectual property. When a trade secret exists, the CCPA will not require its disclosure to a consumer. However, a business that denies a request "in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA" must explain the nature of the information and the basis for its denial. A blanket assertion of "trade secret" or "proprietary information" or the like would not suffice; the general import of the regulations is that a business must respond to requests in a meaningful and understandable way.

In sum, we conclude that internally generated inferences that a business holds about a consumer are personal information within the meaning of the CCPA, and must be disclosed to the consumer on request. A business that withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law.