
Guidance on the Right to Know under the CCPA

Businesses ask and the Attorney General answers. California Attorney General Rob Bonta published an opinion on Thursday, March 10, 2022, to help businesses determine what materials to provide in response to a consumer's right to know request.

Specifically, the question asked was:

Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?

This question stems from the text of Section 1798.110(a)(5), which states:

(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

(5) The specific pieces of personal information it has collected about that consumer.

The conclusion that the Attorney General’s Office arrived at is that, yes, a consumer has the right to know even internally generated inferences about them, unless a business can demonstrate that a statutory exception to the Act applies.

This guidance from the Attorney General's Office is extremely important for businesses. The plain reading of the California Consumer Privacy Act (CCPA) is ambiguous. "Collected" personal information could be read to include internally generated inferences as requiring disclosure under the Right to Know.

Had the CCPA referred to personal information "assembled" rather than "collected", it would clearly include internally generated inferences, because creating inferences is itself an act of assembly. Assembly calls to mind a more creative process than collection. Collection calls to mind the gathering of discrete items. Assembly calls to mind both the gathering and the creation of items.

Because a reasonable person could interpret the language either way, the clarification from the Attorney General's Office is very useful. It ensures that businesses that wish to comply with the law now know that they have to include internally generated inferences in their Right to Know disclosures.

With the knowledge that inferences, whether internally or externally generated, constitute personal information that must be disclosed in a right to know request, some businesses may have to update their compliance efforts. Clarip's automated data mapping tool can help businesses find the data that they now know they must provide to consumers while fulfilling right to know requests. Clarip also provides automated data subject request fulfillment, including right to know requests. For other compliance problems, we can help too, with consent management, vendor management, Data Risk Intelligence, and website scanning, among others! Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.
