Since the California Consumer Privacy Act (CCPA) went live on January 1, 2020, businesses have been working to develop procedures for lawfully complying with requests from California consumers relating to their personal information. Such requests may provoke a vexing question for which there currently is no definitive answer in the CCPA: What is the business obligated to do if information that would be responsive to a consumer request includes legally protectible trade secret data either owned by the business or held subject to confidentiality restrictions imposed by third-party data sources?
Generally, the CCPA allows California consumers to request that a business disclose the specific pieces of personal information the business has collected. “Personal information” (PI) is broadly defined to include data elements such as IP address, device identifier, browsing history and other internet activity, geolocation data, and inferences drawn about the consumer’s psychological or behavioral attributes. The consumer also may request that the business delete any PI about the consumer that the business has collected.
If a business is able to verify the identity of the consumer making the CCPA request, it must comply with the request unless one of the enumerated exceptions applies. Unexcused failure to do so exposes the business to a civil action by the California Attorney General for injunctive relief and civil penalties of up to $7,500 for each violation. In addition, although the CCPA does not create a private right of action for privacy violations, enterprising attorneys have brought putative class action suits that bootstrap alleged CCPA violations into causes of action for negligence and unfair competition.
So, what happens if the personal information covered by the consumer request arguably includes trade secret data? Given the scope of consumer information routinely collected and retained by many businesses, the broad definition of PI in the Act, and the equally broad definition of a “trade secret” under both state and federal law, such overlaps may be inevitable.
Suppose, for example, a business collects information about a consumer’s purchase history and uses proprietary algorithms to generate inferences about the consumer’s preferences for certain products and services. When paired with geolocation data, these inferences could be used to push digital advertisements or promotions when the consumer comes within range of a product or service that is likely to be of interest. The accuracy and comprehensiveness of a business’s inferences drawn about its consumers could confer a significant competitive advantage over other businesses – and thus prove to be a valuable trade secret. In general, consumer profile inferences for a given individual would be considered responsive to a CCPA access request.
The federal Defense of Trade Secrets Act (DTSA) defines a trade secret as information (i) whose secrecy is protected by “reasonable measures” and (ii) that derives “independent economic value” from not being generally known or ascertainable by another person who can obtain economic value from its use or disclosure. The information can be tangible or intangible, stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing. Possession of the information must give the enterprise either an actual or a potential economic advantage over competitors who do not know it.
Examples of trade secrets are virtually limitless. From the digitally stored Google search algorithm, to the formula for Coca-Cola secured in a vault, to a simple customer list in the business owner’s locked file cabinet, trade secrets run the gamut. And the owner of the trade secret may enforce its exclusive rights in that information without need for registration or other formal governmental action. For so long as the information remains (1) valuable, and (2) not known to competitors, the owner’s exclusive rights in the information may be enforced (viz. Coca-Cola).
The essential attribute of any legally protectable trade secret is, of course, that the owner of the information must keep it secret. A third party who acquires trade secret information “through improper means,” or receives and exploits such information knowing that it has been acquired by improper means, is liable to both criminal and civil penalties. But the DTSA excludes from the definition of “improper means” any form of “lawful acquisition.” If, in a company’s response to a legitimate CCPA request, a consumer receives information that the disclosing company holds as a trade secret, that information would be “lawfully acquired” under the DTSA. (Note that a CCPA request made for the specific purpose of acquiring trade secret information for improper competitive use would not be considered “legitimate.”) Because the consumer receiving her own personal information ostensibly would not derive a financial benefit from the disclosure, the business’s disclosure of trade secret PI to the individual consumer in response to a CCPA request would not seem to destroy the trade secret status of the information so disclosed.
But that does not end the analysis. The consumer’s disclosure of that trade secret information to other parties could very well produce that result. The CCPA expressly contemplates that the consumer may share with others PI received in response to a disclosure request, requiring that if PI is provided electronically, it must be in a “readily useable format that allows the consumer to transmit this information to another entity without hindrance.” Importantly, downstream recipients of the PI presumably would not be liable for misappropriation – that is, their acquisition of the data would not violate the trade secret owner’s rights – since the consumer first obtained the PI lawfully and without improper intent, and then also lawfully disclosed the information to one or more third parties.
At first blush, it may seem unlikely that consumers would routinely or broadly share their own PI with others. But given the value of such information in today’s data-driven environment, it is not hard to imagine an ingenious enterprise soliciting such disclosures in order to assemble a database that would have economic value to a variety of willing buyers. However it may happen, the fact remains that a trade secret disclosed pursuant to a CCPA request may not remain a secret for long, and the owner of the secret may have no legal recourse against the downstream recipients. Therefore, it is imperative that businesses approach such disclosures thoughtfully.
Faced with this dilemma, what options are available to businesses that seek to protect their trade secrets while also complying with CCPA requirements?
Responding to Disclosure Requests That May Include Trade Secret PI
Although the CCPA does not provide a clear-cut safe harbor to address this dilemma, we see two potential arguments that would support a decision to withhold trade secret data when responding to a consumer request. Businesses that choose to withhold trade secret PI should inform the requestor and explain the basis for denying the request. The business must still disclose other requested pieces of PI not subject to the exception.
First, the CCPA sets forth a number of exceptions, including that CCPA obligations shall not restrict a business’s ability to exercise or defend legal claims. As discussed above, revealing trade secret data in response to a CCPA request could initiate a series of otherwise lawful subsequent disclosures that ultimately may forfeit any “trade secret” status. At that point, the disclosing company’s ability to “exercise or defend” any trade secret rights in the disclosed information would be lost.
Given that nothing on the face of the CCPA or the legislative history indicates that the “legal claims” referenced in this exception are limited to claims actively being litigated, a business could reasonably take the position that it is excluding PI that reveals trade secrets from its response because such disclosure may impair its ability to exercise or defend a trade secrets claim. Indeed, the CCPA provides a compliance safe harbor not only when the exercise of legal claims is rendered impossible, but also when such exercise is merely restricted. Accordingly, a business could argue that, even in the absence of an actual or anticipated onward disclosure that destroys “trade secret” status, the potential for loss of trade secret protection constitutes a restriction on the business’s ability to exercise a future claim for trade secrets misappropriation. Therefore, a business could withhold trade secret PI on the basis that disclosure would restrict its ability to exercise legal claims premised on the data’s trade secret status.
To prepare for potential regulatory enforcement inquiries or litigation surrounding this decision, a business should take a number of steps. First, businesses should clearly designate what is trade secret information on a uniform basis companywide. Second, to furnish a sound basis for potential misappropriation claims, businesses should include comprehensive secrecy obligations in employee handbooks, vendor and service agreements, and other documents governing the handling of trade secrets. Lastly, businesses should retain all records related to trade secrets for at least three years past the expiration of the underlying employment, vendor, or service relationship, to account for the three-year statute of limitations for a misappropriation claim under the DTSA.
Second, Section 196 provides that the CCPA is intended to supplement federal and state law, “but shall not apply if such application is preempted by, or in conflict with, federal law . . .” Analogous to the discussion in the preceding paragraph, a business could argue that the CCPA cannot be construed to require disclosure of trade secret information, because if so applied, the CCPA would conflict with requirements under the federal DTSA imposed on parties seeking to maintain and enforce trade secret rights.
An alternative to withholding the trade secret data entirely would be a blended approach. This may make sense where the data in question, while arguably protectible as a trade secret, is of limited commercial importance, and/or the nature of the data makes damaging downstream disclosure unlikely. An example would be a disclosure request that implicates a customer list containing the PI of many individuals. In this case, the protectible trade secret fundamentally consists of the database as a whole, not the PI of a single individual on the list. The responding business may elect to disclose the specific pieces of PI pertaining to that single individual, taking comfort in the proposition that disclosure in response to a CCPA request does not itself affect the PI’s trade secret status. Disclosure to a single consumer who does not obtain economic value from the PI does not detract from the business’s “reasonable measures to keep such information secret.”
This interpretation does not itself eliminate the risk of downstream disclosure by the consumer. And any attempt by the disclosing business to contractually restrict the consumer’s right to make such downstream disclosures would, at least for PI directly provided to the business by the consumer, be prohibited.
However, contractual restrictions on the consumer’s downstream disclosure for commercial purposes may be permitted if limited to trade secret PI that is inferred or derived by the business using proprietary know-how (for example, a consumer preference profile), or that is sourced from analytics vendors. This may be permissible given businesses’ broad discretion to place restrictions on downstream use of their intellectual property, including trade secrets. On the other hand, such restrictions may conflict with the privacy principle of transparency.
Responding to Deletion Requests That May Include Trade Secret PI
The CCPA affords more flexibility with respect to deletion requests, providing that a business or service provider is not required to delete PI that is necessary to: complete a transaction for which the data was collected or otherwise perform a contract with the consumer; enable solely internal uses reasonably aligned with the consumer’s expectations; or comply with a legal obligation. Any of these exclusions from a duty to delete could potentially apply where a business seeks to retain trade secret data notwithstanding a consumer’s deletion request.
The Way Forward
These issues may be clarified in the next round of implementing regulations from the California Attorney General, as Section 185 specifically requires the AG to adopt regulations relating to trade secrets and other intellectual property rights. But important questions may well remain.
To draw from an analogous legal regime, Recital 63.5 of the EU’s General Data Protection Regulation addresses this tension between access rights and trade secret rights by providing that access rights “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property . . . .” This guidance, while a useful principle, suggests a fact-intensive analysis based on the specific circumstances of each disclosure and whether that would “adversely affect” trade secret rights.
The AG may issue regulations to a similar effect. But on a parallel track, efforts are underway to mount a ballot initiative (the “California Privacy Rights Act of 2020” or CPRA) to replace the CCPA with a substantially revised statutory structure referred to as “CCPA 2.0.” The CCPA 2.0 would expressly exempt trade secrets from disclosure in response to an access request. While the CPRA has gathered enough signatures to appear on the November 2020 ballot, the proposed legislation as currently drafted would not go into effect until January 2023.
So, until the AG adopts clarifying regulations or we receive further guidance from the courts, businesses will have to navigate the competing considerations of CCPA compliance versus trade secret protection in light of the principles and strategies discussed above. This will require a careful balancing of the commercial importance of the trade secret data to the business, the anticipated risk that disclosure to a particular consumer may lead to damaging further dissemination, and the potential adverse consequences if the decision not to disclose the data is found to violate the CCPA.