• Products
    • Products

      • Governance Suite Use Spirion’s suite to enhance data security posture management
      • Sensitive Data Platform Scan, classify, remediate using SaaS solution
      • Sensitive Data Finder Automate Subject Rights Request processing
      • Sensitive Data Watcher Actively monitor and understand your data
      • Sensitive Data Manager Scan, classify, remediate using on-premise solution
    • Learn more

      • Data Risk Assessment Audit how your organization protects its sensitive data before a data breach occurs
      • Incident Response Data Risk Assessment Incident response assessment for swift and accurate data breach mitigation
      • Interrogated Platforms More data sources than anyone including both unstructured and structured data
      • Integrated Solutions Explore connections with IRM/DRM, SIEM, DLP, NGFW, CASB, and other security apps
      • Spirion Marketplace Integrate with security tools and explore resources to boost data protection
    • Sensitive Data Governance Framework

      Our framework outlines key stages of readiness to safeguard sensitive data and maintain compliance.
      Review Framework
  • Solutions
    • Industry Solutions

      • eCommerce
      • Finance
      • Healthcare
      • Higher Education
      • Manufacturing
      • Telecommunications
    • Security & Privacy Use Cases

      • DISCOVER: Sensitive data-at-rest is data-at-risk
      • CLASSIFY: Unify data governance efforts with context-rich classification
      • UNDERSTAND: Prioritize your data protection efforts with a DRA
      • CONTROL: Reduce the risk and cost of a data breach
      • COMPLY: Accelerate PCI-DSS compliance
      • COMPLY: Safeguard PII data to pass GLBA audits
    • Compliance

      • Overview
      • GDPR
      • CCPA
      • CMMC
      • CPRA
      • GLBA
      • HIPAA
      • The New York SHIELD Act
      • PCI DSS
      • Other
    • Cloud, servers, endpoints - wherever sensitive data lives, Spirion protects it.

      Everywhere is our territory.
  • Resources
    • Insights

      • Blog
      • Case Studies, White Papers, & Research
      • Podcast
    • Core Expertise

      • How to take a data-centric approach to security
      • What are cyber insurance requirements?
      • What is data lifecycle management?
      • What is data loss prevention?
      • What is a data risk assessment?
      • What is endpoint security?
      • What is a sensitive data governance framework?
    • Core Capabilities

      • Data Discovery Software Tools: Capabilities and Benefits
      • What is sensitive data discovery?
      • What is semantic data discovery?
      • What is data classification?
      • What is data remediation?
    • Cloud, servers, endpoints - wherever sensitive data lives, Spirion protects it.

      Everywhere is our territory.
  • Partners
  • Support
    • Support

    • Customer Success
    • Professional Services
    • Technical Support
    • Service Level Addendum (SLA)
    • Customer Support Policy
  • Company
    • Company

    • About Us
    • Careers
    • Leadership
    • News
    • Our History
  • Search
  • Customer Portal
  • Contact
 Watch demo now
Watch demo now
  • Products
    • Governance Suite
    • Sensitive Data Platform
    • Sensitive Data Finder
    • Sensitive Data Manager
    • Sensitive Data Watcher
    • Learn more
      • Sensitive Data Governance Framework
      • Spirion Data Risk Assessment
      • Platforms Interrogated
      • Integrated Solutions
      • Spirion Marketplace
  • Solutions
    • Industry Solutions
      • eCommerce
      • Finance
      • Healthcare
      • Higher Education
      • Manufacturing
      • Telecommunications
    • Security Use Cases
      • DISCOVER: Sensitive data-at-rest is data-at-risk
      • CLASSIFY: Unify data governance efforts with context-rich classification
      • UNDERSTAND: Prioritize your data protection efforts with a DRA
      • CONTROL: Reduce the risk and cost of a data breach
      • COMPLY: Accelerate PCI-DSS compliance
      • COMPLY: Safeguard PII data to pass GLBA audits
    • Compliance
      • Overview
      • GDPR
      • CCPA
      • CMMC
      • CPRA
      • GLBA
      • HIPPA
      • The New York SHIELD Act
      • PCI DSS
      • Other
  • Resources
    • Insights
      • Blog
      • Case Studies, White Papers, & Research
      • Podcast
      • Upcoming Events
    • Core Expertise
      • How to take a data-centric approach to security
      • What are cyber insurance requirements?
      • What is data lifecycle management
      • What is data loss prevention?
      • What is a data risk assessment?
      • What is endpoint security?
      • What is a sensitive data governance framework?
    • Core Capabilities
      • Data Discovery Software Tools: Capabilities and Benefits
      • What is sensitive data discovery?
      • What is semantic data discovery?
      • What is data classification?
      • What is data remediation?
  • Partners
  • Support
    • Customer Success
    • Professional Services
    • Technical Support
    • Service Level Addendum (SLA)
    • Customer Support Policy
  • Company
    • About Us
    • Become a Partner
    • Careers
    • Newsroom
    • Our approach
    • Privacy at Spirion
    • Our History
  • Customer Portal
  • Contact
Watch demo now
  • CCPA Summary and Key Issues

  • Consent
  • Enforcement
  • Financial Incentives
  • Jurisdictional Thresholds
  • Information Security
  • Marketing and Advertising
  • Notices to Consumers
  • Personal Information
  • Privacy Policy
  • Requests for Disclosure of Personal Information
  • Requests for Deletion
  • Service Providers
  • Sales of Minors’ Information
  • Sales to Third Parties
  • Verification of Requestors
Download View CCPA Act

Marketing and Advertising

The Statute

In contrast to Article 21(2) and (3) of the GDPR, there is no per se right to opt-out of advertising or marketing under the CCPA. However, the right to opt-out of sales of personal information under §§1798.120(a) and (b) and under §1798.115(d) effectively creates such a right. California consumers will likely face challenges with entirely opting out of the use of their personal data in the context of marketing and advertising. This is so owing to the web of relationships among companies that process personal information connected to Internet marketing and advertising – in many, if not most cases, a business will not necessarily know all of those companies.

Also in contrast to the GDPR and other EU law 1, browser cookies do not require any special considerations by businesses; they, along with web “beacons,” advertising identifiers, and other technology related to advertising or marketing are all a species of “unique identifier” or “unique personal identifier,” defined by §1798.140(x) as a

means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

The closest analog in the GDPR to such identifiers is located in Recital 30, which states that

[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. [emphasis added]

The Regulations

The CCPA Regulations also do not offer any additional consideration for cookies or other unique identifiers. It does cite unique identifiers in its definition of a “household,” stating that “’[h]ousehold’ means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” 2 [emphasis added]


1. EU Directive 2009/136/EC, the EU “cookie law,” extensively regulates the use of cookies.
2. The CCPA Regulations §999.301(k).

Ready to get started?

Schedule a personalized demo with one of our data security experts to see Spirion data protection solutions in action.

Watch demo now
Discover, protect and comply.

Protect sensitive information with a solution that is customizable to your organizational needs. When your job is to protect sensitive data, you need the flexibility to choose solutions that support your security and privacy initiatives.

Governance Suite →

Industry Solutions

Not knowing where sensitive client financial data resides and failing to take the right security precautions can be a costly mistake for your organization. Find out how Data privacy is treated in your sector.

Read more →

  • Products
    • Sensitive Data Platform
    • Sensitive Data Finder
    • Sensitive Data Watcher
  • Solutions
    • What is sensitive data discovery?
    • What is data loss prevention?
    • What is data classification?
    • Security Use Cases
  • Compliance
    • News
    • Services
  • Need Help?
    • Customer Portal
    • 646-863-8301​​​​​​​​​​​​​​​​​​​​​
    • 3030 North Rocky Point Drive West,
      Suite 470
      Tampa, FL 33607
LATEST BLOG POSTS
  • Ransomware Prevention Checklist: 7 Steps to Secure Your Data
  • Why accurate data discovery is essential to comprehensive data protection
  • Mastering Data Breach Evaluation with Spirion’s Incident Response

© 2023 Spirion, LLC. All Rights Reserved

  • Legal
  • Privacy
  • Sitemap