A California resident has created an account on your company's online food delivery platform and placed several orders in the past month. Later she submits a data subject request to access her personal information under the California Privacy Rights Act.
Assuming that the CPRA is in force, which of the following data elements would your company NOT have to provide to the requester once her identity has been verified?
Under the California Privacy Rights Act (CPRA), a California resident has the right to access their personal information held by a company. Personal information includes data that identifies, relates to, describes, or can be linked, directly or indirectly, to a particular consumer. This would include the loyalty account number, email address, and time stamp for the creation of the account, as these are all directly tied to the individual's use of the service. However, inferences made about the individual for the company's internal purposes are typically considered proprietary business information and may not necessarily have to be disclosed under a data subject access request. These inferences can be used for analytics or business intelligence and may not be considered part of the personal information that the individual has a right to access.
Inferences, depending on how they are generated and used, may be considered proprietary or be part of the internal analytics and thus not subject to the same access rights as directly identifiable information.
Agree with Stevenciu
I believe it is C, as the time stamp itself is not personal information and there is no sense of the consumer getting his hand on.