The Varying Scope of the Trade Secret Exception
By William J. O’Reilly
Introduction
Each of the three state data privacy acts taking effect in 2023 carves out an exception for data that can be considered a “trade secret”.[1] At first blush any exception raises red flags, but this one may have a big enough impact to justify that trepidation. Many businesses could claim that collecting and making inferences about private data is their “trade”, making them exempt from a citizen seeking to exercise their rights. Further, Data Brokers—who should be the most limited by these laws—likely fit neatly into this exception. While the exact scope of the trade secret exception varies by state, past statutes and case law indicate the trade secret exception will fulfil privacy advocates’ fear. However, this can be an opportunity for judiciaries to change and protect citizen rights by interpreting such an exception narrowly, consistent with the respective legislature’s purpose. This narrow interpretation is necessary for the full protection of privacy rights.
Connecticut
The Connecticut Data Privacy Act (CTDPA) ‘trade secret’ exception largely applies to three rights of Connecticut residents. These rights are Connecticut residents’ right to confirm that a controller processes their information, their right to access their data, and their right to receive their data in a portable format.[2] Importantly, a denial of those rights is appealable to the Attorney General.[3] This exception does not apply to all privacy rights, and an appeal process empowers citizens. However, the impact that the exception has on the affected rights is sizeable.
In order to understand the scope, it is helpful to understand what a trade secret is. Connecticut defines a trade secret in a different statute and that definition is adopted by the Data Privacy Act.[4] This definition is typical of each definition used by the three states enacting privacy laws this year.[5]
“[‘Trade Secret’] means information, including . . . compilation, program, . . . process, . . . or customer list that: (1) Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”[6]
Effectively, a trade secret is any information that a business takes steps to keep secret because the value of that information increases when it is secret.
Connecticut expands on this definition in its case law, establishing that lists of donors and customers constitute a trade secret as long as they meet the other elements of the statute.[7] This definition easily could expand to include lists of personal information collected by a business. Another indicator that the Connecticut Supreme Court may lean toward a broader trade secret definition is that it has previously emphasized the importance of protecting trade secrets in contested cases.[8] A historical inclination to protect trade secrets combined with a clear statutory exception will limit judicial enforcement of those rights.
Without more judicial interpretation it is difficult to know how broad the trade secret exception will be for citizens of Connecticut seeking to exercise their rights under the CTDPA. While the trade secret exception is limited in scope to a few rights, it is likely to burden those rights significantly. Despite this sizable imposition, the Connecticut version of the exception may be the narrowest.
Colorado
The Colorado statute itself only makes an exception for trade secrets in the right to portability.[9] However, the Colorado Department of Law’s Consumer Protection Section is empowered by the Colorado Data Privacy Act to make rules for carrying out the act and those rules both expand and limit the exception.[10] The Consumer Protection section of those rules requires the right of access to be fulfilled despite the presence of a trade secret but allows such fulfillment to be “in a format or manner that would not reveal trade secrets, such as in a nonportable format.”[11] Regarding the right of portability, controllers must provide as much information as possible without revealing a trade secret.[12] When outlining the right a consumer has to be informed of decisions made based on profiling, Colorado regulations reiterate that this disclosure cannot force revelation of a trade secret.[13] Of less concern, the rules also do not require trade secrets to be revealed in requests for consent that identify profiling operations by controllers.[14]
While these limitations seem narrower than Connecticut’s exception, Colorado’s definition of a trade secret is slightly broader. Certain categories of personal data are included specifically as a possible trade secret in Colorado’s definition: “‘trade secret’ means . . . information, . . . listing of names, addresses, or telephone numbers . . . which is secret and of value.”[15] Caselaw expands this definition, so that trade secrets can be the combination of publicly known information if the combination is unique and gives competitive advantage,[16] which may include combinations of private information. This takes away the two largest weaknesses in the trade secret definition: the fact that personal information is just a piece of a list or that it is scraped public information and is not a secret.
Colorado’s regulations require companies to do their best to give citizens knowledge about their information—as long as it does not reveal a trade secret. It seems that a diligent searcher would struggle to find personal data that is not a trade secret. This nuanced approach sharply contrasts with Colorado’s neighbor to the west, Utah.
Utah
Utah’s statute has the broadest exception for trade secrets. It states simply, “[n]othing in this chapter requires a controller, processor, third party, or consumer to disclose a trade secret.”[17] There is no limitation to specific rights like Connecticut.[18] There is little or no language requiring a controller to meet the right as much as possible without revealing a trade secret like Colorado.[19] A company would merely have to show how a piece of information somehow involved a trade secret to deny any right guaranteed to Utah Citizens.[20] Because of that exception it is necessary to look to the definition of a trade secret and to caselaw to limit this exception and protect privacy.
Uniquely, Utah includes a definition of trade secret in their privacy act, instead of requiring reference to an outside statute.[21] Utah’s definition requires, like Connecticut, that information derives economic value from being secret, and that the information holder took effort to keep that information secret.[22]
Because Utah’s definition is specific to the statute there is a possibility of new judicial interpretation of the definition in this new context. Privacy advocates are hopeful that courts will interpret the trade secret statute to put the burden on the claimant of the trade secret, e.g., the controller or processor of personal data.[23] That burden would not be trivial because companies cannot just point to “broad areas of technology” when they claim a trade secret.[24] Unfortunately, the fact that any or all of the personal information is public will not weaken a trade secret claim.[25] Further, Utah has left unresolved the specific issue of whether personal information could count as a trade secret, although personal information is sufficiently likely to be a trade secret to survive a motion for summary judgment.[26] Since personal information is often scraped from public sources and there is a possibility that personal information is already considered a trade secret, burden shifting seems an inadequate counter to the potentially broad trade secret exception.
Conclusion
In each state trade secrets have broad protections, and so amount to a broad exception to privacy rights. This exception will cause the statutes to fail in their purpose of protecting privacy. On their face these laws seem to target Data Brokers and protect privacy; however, by creating an exception that Data Brokers fit squarely into, the laws undermine their own efficacy. A new judicial interpretation, however unlikely, is required to balance the privacy interests and the business interests so that these laws can actually fulfill their purpose.
[1] 2023 Conn. Acts 22-15 § 4(a)(1), (4) (Reg. Sess.); Colo. Rev. Stat. § 6-1-1306(1)(e) (2023); Utah Code Ann. § 13-61-304(5) (LexisNexis 2023).
[2] 2023 Conn. Acts 22-15 § 4(a)(1), (4), (c)(2), (d) (Reg. Sess.).
[3] Id.
[4] Id. at §1(30).
[5] See Colo. Rev. Stat. § 18-4-408 (2023), and Utah Code Ann. § 13-61-201 (LexisNexis 2023).
[6] Conn. Gen. Stat. § 35-51 (2023).
[7] Univ. of Conn. v. Freedom of Info. Comm’n, 36 A.3d 663, 669 (Conn. 2012).
[8] See Brown & Brown, Inc. v. Blumenthal, 1 A.3d 21, 31-32 (Conn. 2010).
[9] Colo. Rev. Stat. § 6-1-1306(1)(e) (2023).
[10] Colo. Rev. Stat. § 6-1-1313(1) (2023).
[11] 4 Colo. Code Regs. § 904-3-4.04(E).
[12] Id. at 4.07(B)(1).
[13] 4 Colo. Code Regs. § 904-3-9.03(B).
[14] Id. at 9.05(D).
[15] Colo. Rev. Stat. § 18-4-408 (2023) (“To be a trade secret the owner thereof must have taken measures to prevent the secret from becoming available to persons other than those selected by the owner to have access thereto for limited purposes”).
[16] Hawg Tools, LLC v. Newsco Int’l Energy Servs., 411 P.3d 1126, 1130 (quoting Electrology Lab., Inc. v. Kunze, 169 F. Supp. 3d 1119, 1153 (D. Colo. 2016)).
[17] Utah Code Ann. § 13-61-304(5) (LexisNexis 2023).
[18] See supra note 2.
[19] See supra note 11.
[20] Utah Code Ann. § 13-61-201(1) (LexisNexis 2023) requires controllers to comply subject to the other provisions, which provisions include the trade secrets exception. This is subject to interpretation. A controller will have to provide notice of identifying a trade secret either under Utah Code Ann. § 13-61-(2)(a)(ii) (LexisNexis 2023) or Utah Code Ann. § 13-61-201(3) (LexisNexis 2023) but there is no specification of what this notice may contain nor encouragement to respond to the request as best as they are able.
[21] This definition is virtually the same as the definition in Utah’s Trade Secrets Act. Utah Code Ann. § 13-24-2(4) (LexisNexis 2023).
[22] “‘Trade secret’ means information, including a . . . process, that: (a) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from the information’s disclosure or use; and (b) is the subject of efforts . . . to maintain the information’s secrecy.” Utah Code Ann. § 13-61-101(36) (LexisNexis 2023).
[23] “The plaintiff bears the burden of proving the existence of a trade secret, and ‘there is no presumption in his or her favor.’” USA Power, LLC v. PacifiCorp, 372 P.3d 629, 648 (Utah 2016) (quoting CDC Restoration & Constr., LC v. Tradesmen Contractors, LLC, 274 P.3d 317 (Utah Ct. App. 2012)).
[24] USA Power, LLC, 2016 UT 20, ¶ 49, 372 P.3d 629, 649 (Sup.Ct.).
[25] Id. at 651.
[26] Legacy Res., Inc. v. Liberty Pioneer Energy Source, Inc., 322 P.3d 683, 685 (Utah 2013) (finding the possibility that Liberty misappropriated a trade secret when it used the information of Legacy’s investors outside the bounds within which Legacy gave Liberty that information).