The Statute
In contrast to Article 21(2) and (3) of the GDPR, there is no per se right to opt-out of advertising or marketing under the CCPA. However, the right to opt-out of sales of personal information under §§1798.120(a) and (b) and under §1798.115(d) effectively creates such a right. California consumers will likely face challenges with entirely opting out of the use of their personal data in the context of marketing and advertising. This is so owing to the web of relationships among companies that process personal information connected to Internet marketing and advertising – in many, if not most cases, a business will not necessarily know all of those companies.
Also in contrast to the GDPR and other EU law 1, browser cookies do not require any special considerations by businesses; they, along with web “beacons,” advertising identifiers, and other technology related to advertising or marketing are all a species of “unique identifier” or “unique personal identifier,” defined by §1798.140(x) as a
means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
The closest analog in the GDPR to such identifiers is located in Recital 30, which states that
[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. [emphasis added]
The Regulations
The CCPA Regulations also do not offer any additional consideration for cookies or other unique identifiers. It does cite unique identifiers in its definition of a “household,” stating that “’[h]ousehold’ means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” 2 [emphasis added]
1. EU Directive 2009/136/EC, the EU “cookie law,” extensively regulates the use of cookies.
2. The CCPA Regulations §999.301(k).
