The California Privacy Protection Agency (CPPA) has issued a Final Statement of Reasons for amended California Consumer Privacy (CCPA) regulations.

Key Points:

The amendments were “necessary” (used 135 times), just “clarify” what is already there (used 89 times); many changes are “non substantial” (used 34 times), “consistent with” the provisions of the law (used 29 times) or are there to “provide guidance” to businesses (used 16 times).

Like the financial impact statement, the FSOR’s main takeaway is that the obligations in the amendments are just clarifications or what is already there and do not create anything new (so you should already be compliant).

Importantly, what does this mean for how the CPPA will approach CPRA enforcement?

Additional points:

  • The relevant “consumer(s)” for the reasonable expectations analysis is the consumer(s) whose personal information is collected or processed.
  • A notice/disclosure is not sufficient and cannot cure an incompatible purpose. That can only be cured with a true opt-in consent.
  • Whether the source of personal information is the consumer themselves or another person affects whether the consumer reasonably expects the purpose of the collection or processing.
  • Disclosures to consumers about the purpose of collection or processing can assist with shaping reasonable consumer expectations. In the example, the specificity, explicitness, and clarity of the disclosures in the pop-up notice (i.e., that the phone number collected would be used to verify the consumer’s identity when they log in) and the prominence of the disclosure (i.e., via a pop-up notice prior to collection) affect the consumer’s reasonable expectations about the purpose of collection or processing (i.e., limited to identity verification, and not for marketing purposes (Note: DPC Meta Cases, anyone?).
  • If the “other disclosed purpose” is one of those “business purpose(s),” it may be more likely to satisfy the compatibility requirement, though it ultimately would be a context and fact-specific determination.
  • Certain amendments/examples work to harmonize the application of the CCPA with other privacy frameworks (specifically mentioning: Colorado CPA Rules, ICO Guide on Purpose Limitation).
  • Insufficient guidance would weaken consumers’ control over their personal information and the goals of CCPA to limit businesses’ collection, use, retention and sharing of consumers’ personal information to only what is necessary. CCPA also intends for consumers to benefit from businesses’ use of personal information, which excessive data collection and processing undermines.
  • Implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.
  • Specific mention on supporting GPC for your opt-out signal compliance, with a reference to the Sephora decision.
  • The requirement to apply the request to opt-out of sale/sharing to pseudonymous profiles associated with that browser or device also appreciates how businesses may currently use probabilistic identifiers to identify a particular consumer or device linked to a consumer or family.
  • The language “pursuant to the written contract with the business” ties the service provider’s and contractor’s obligations to the contract they have with the business and acknowledges that service providers and contractors may not be obtaining personal information directly from the business.
  • Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to requests to limit.
  • With respect to the personal information a service provider or contractor collects pursuant to its written contract with the business, the contract must prohibit a service provider or contractor from combining or updating personal information that it collects pursuant to its written contract with the business with personal information that it received from another source “or collected from its own interaction with the consumer,” unless expressly permitted by the CCPA or these regulations.
  • The consumer should receive the same privacy protections, regardless of whether their personal information is processed by the business or a service provider or contractor.