Since its passage almost three years ago, the California Consumer Privacy Act (“CCPA”) has offered California-based consumers certain rights over the personal information companies collect and process about them.
While responding to any request to exercise CCPA rights creates its own set of challenges, one right in particular – the right to request a copy of the personal information a business has stored about a consumer – can, at first glance, conflict with a company’s interest in protecting its proprietary information. A plain reading of the text defining the right could require a company to disclose its user-level metrics or the output of proprietary algorithms linked to a user’s record. The law’s broad definition of personal information – information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household – would not exclude these categories of proprietary information either. Finally, none of the law’s exemptions squarely address the protection of proprietary information.
Rationale for Protecting Proprietary Information from Disclosure
When responding to these requests, companies need a basis for protecting their proprietary information from disclosure.
Some companies have come to rely on one of the CCPA’s exemptions that permit a company to withhold personal information if disclosure would restrict its ability to comply with “federal, state, or local laws” or “exercise or defend legal claims.” Companies take the view that some data that the CCPA would otherwise define as “personal information” are trade secrets, and disclosure of that data would bar the company from relying on trade secret protections under federal, state or local laws, and prevent the company from exercising its legal claim that the proprietary information is in fact a trade secret.
Trade secrets are generally defined as information (i) the secrecy of which is protected by “reasonable measures” and (ii) that derives independent economic value from not being generally known or ascertainable by another person who can obtain economic value from its use or disclosure. Trade secrets cover a broad spectrum of information companies seek to protect. Unique metrics, outputs of proprietary algorithms and other similar user-level derived information are typical examples of trade secrets. The disclosure of this information would hinder a company’s ability to defend its trade secrets because the very disclosure destroys their secret nature. It would be impossible for a company to both preserve its trade secrets and disclose a copy of trade secret information that the CCPA deems personal in response to a CCPA request.
There is support for not disclosing trade secret information in response to a CCPA request. While, in its commentary accompanying its 2020 CCPA regulations, the California Attorney General’s office questioned whether personal information could be a trade secret or intellectual property, the California Privacy Rights Act resolved that uncertainty in favor of trade secret protection. Specifically, the CPRA directed the California Attorney General to adopt regulations to “establish any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights,” “with the intention that trade secrets should not be disclosed in response to a verifiable consumer request” by July 1, 2022.
In light of the CPRA’s approach to trade secret protections, it is unlikely that California regulators would pursue enforcement actions against companies that rely on the CPRA approach to protect proprietary information from disclosures in response to CCPA requests.
Practical Approach to Preparing Responses to Requests for Copies of Personal Information
Responses to CCPA Requests
To create a scalable process for preparing responses to CCPA rights requests that both comply with the law’s requirements and protect proprietary information, companies should begin by creating a catalog of all reasonably attainable personal information held about or associated with individuals who are eligible to submit requests to the company.
With that catalog in hand, the company can determine which data elements it would need to provide in response to an individual’s CCPA request, and which data elements the company could exclude because the data is a trade secret or otherwise is exempt from disclosure (e.g., information that relates to other individuals or certain categories of sensitive information, such as Social Security numbers).
Examples of personal information that the exemptions may protect from disclosure include:
- Materials that contain other individuals’ personal information;
- Internal company metrics;
- Proprietary algorithm outputs;
- Internal customer support notes;
- Customer feedback used to inform product or service development; and
- Sensitive personal information, such as financial account numbers, health insurance or medical identification numbers, account passwords, or any security questions and answers.
Responses to Requests from Across the Globe
Multinational companies are striving to create scalable and reliable procedures that both comply with governing data privacy laws and protect their valuable and propriety data. Increasingly, they are taking a holistic and risk-based approach to data privacy compliance that looks for common ground between intersecting data privacy regulations. When developing their approaches, these companies carefully weigh the business burden against their compliance obligations and risk of enforcement.
For example, the European General Data Protection Regulation also has an exception for information that companies need to produce in response to individuals’ access requests that is a protected trade secret. It limits an individual’s right to obtain a copy of personal data collected by a company if access to that personal data would adversely affect the rights and freedoms of others – such as privacy, trade secrets, or intellectual property rights. However, the scope of the exception differs from California’s exception. Specifically, European regulators have required companies to take the additional step of demonstrating how the disclosure to the individual in question would threaten their trade secrets. So while companies have a path to harmonizing privacy request response process across the globe to protect proprietary information, this harmonization is not without risk.