Search Engine Land


Facebook CCPA compliance challenges: Limited Data Use

What you need to know about how Facebook's handling of California user data might affect your business.

Simon Poulton on July 2, 2020 at 12:28 pm

Clarification July 8: Compliance exemptions exist for companies with less than $25 million in annual revenue. This is an important note, and the author of this article has provided an update to reflect exemptions and actions brands should take depending on their exception status (see below). For more see this article on our sister site, MarTech Today: Think CCPA doesn’t apply to you? You should probably think again

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and businesses have been working to make sure they are in compliance before the window for litigation opens on July 1. This isn’t new news: at this point, we’ve been talking about this for over 2 years. And lo! Here we are, two years later, and confusion around compliance requirements abounds.

Part of the challenge with CCPA compliance is the lack of clarity around what is required from different types of businesses—especially when data-sharing relationships exist, like the ones between every advertiser and Facebook.

This week, Facebook announced a new feature called Limited Data Use (LDU). As of July 1, LDU has been automatically enabled for all Facebook business accounts, limiting the way user data can be stored and processed in the Facebook ecosystem for all users Facebook identifies as residents of the state of California. The feature automatically detects if a user resides in California, and applies limited data use rules (more on those later). But that feature will only stay on until July 31—then Facebook requires businesses to update their pixel to include an LDU parameter.

If you do not take action by July 31, your business will take on sole responsibility for compliance (and all associated risks with non-compliance).

It seems every article that even mentions CCPA requires the author to announce multiple times that they are not a lawyer, and this is not legal advice. This is true of this article as well. I’m not a lawyer (sorry, Mum & Dad!) so please consult legal counsel with regards to compliance measures for your specific organization.

Many businesses might not be aware that they need to update their Facebook pixel to avoid potential liability under CCPA because other advertising platforms (such as Google Ads) have offered centralized opt-out buttons or other solutions. At this time, the LDU parameter is not included within the Facebook pixel by default, and you need to refer to a specific developer documentation page to review the scope of requirements. 

Here’s everything we know right now:

How does Facebook’s Limited Data Use tool ensure CCPA compliance?

Facebook LDU enables advertisers on the platform to specify which users’ data should be subject to CCPA data management regulations. The company has outlined the specific ways user data will be limited in their list of state-specific terms, which includes language indicating advertisers are solely liable for compliance with CCPA. 

The feature requires a simple modification to the existing Facebook PageView pixel so that Facebook can automatically detect whether or not a user is in California. Specifically, developers will need to include a string within the Facebook pixel for ‘dataProcessingOptions’ that will allow your business to specify its degree of CCPA compliance. 

The string allows an advertiser to control whether it identifies a user as being in California itself or would prefer that Facebook handle the auto-identification. Of course, the ambiguity here comes from the fact that CCPA is an “opt-out” focused law, rather than “opt-in” like GDPR. So when should you enable LDU? At all times? Only when a user identifies they don’t want to be tracked? That has been left up to the individual advertisers to decide—and to assume the associated risk. 

Reminder: If no action is taken before August 1, your brand will not be in compliance.

[Image: Implementation options for Facebook Limited Data Use under CCPA. Example image showing the various implementation methods.]

How will Facebook CCPA compliance affect my business’s digital marketing?

Not all of the consequences of CCPA compliance on Facebook are clear at this time, but we do know that Facebook will be limiting how the platform uses personal information (PII) to unify user identities. As a result, we expect to see customer behavior tracking and audience targeting get more challenging for digital marketers.

We also believe the changes will lead to performance declines on the platform, because they will impact the efficacy of advanced customer matching, offline conversion tracking, and retargeting for residents of California. 

But the major immediate effect is on retargeting. When enabled, Facebook LDU will mean your business cannot include users in a behavioral (website pixel-based) retargeting campaign. To make it clear: if 100% of your users are California residents, you will have 0 users in your audience pool when you have LDU enabled. Since Facebook has automatically enabled this between July 1 – 31, 2020, this is already happening right now. 

How should my business implement Facebook LDU?

It’s important to emphasize one thing we briefly touched on above before answering this question: CCPA compliance is focused on empowering users to opt-out of tracking (as opposed to GDPR, which requires users to opt-in to tracking). That means if a user visits your website, you can serve them with a cookie consent banner that gives them the option to opt-out. Under CCPA, if the user chooses to opt-out, your business needs to stop tracking them.

While very few users choose to opt-in to tracking, the numbers are much better when it comes to opting out. That means there are a couple of courses of action open to you when it comes to Facebook CCPA compliance, depending on your tolerance for risk.

Facebook has been vague in communications around CCPA compliance, which means you (and your business) are solely responsible for assessing the risk. We’ve identified three possible paths to take, ranked from lowest risk to highest, with pros and cons for each:

[Image: Should your business limit data use on Facebook for CCPA compliance?]

Risk Averse: This is the baseline because it carries no risk for the business. Your business does not need to set up an explicit opportunity to opt-out of tracking; instead, you enable the LDU string on every instance of the PageView tag firing if a user has been identified as a California resident. 

  • Pros: Zero risk, 100% of California residents will be covered.
  • Cons: All California residents will be excluded from remarketing campaigns (as well as other data targeting functions) so you will likely see a large performance hit. 

Risk Tolerant: This middle course of action is slightly riskier, especially since we’re still learning how the CCPA is being interpreted. Your business needs to offer users the choice to opt-out of tracking using a cookie compliance solution like CookieBot or OneTrust. You would then only enable LDU for the users who opt out, which will also disable the Facebook pixel from firing. This is a strange situation to be in because disabling the pixel from firing would function in the same way as enabling LDU.

  • Pros: Low risk, and likely that most California users will not opt-out, which means you can track behavior and retarget ads as usual.
  • Cons: Potentially complicated to configure, and unclear how LDU would be utilized given an opt-out would limit the pixel from firing in totality (which could have the same net impact as the risk averse course of action).

High Risk: Do nothing and see what happens. If you are contemplating not enabling LDU on the Facebook pixel and not offering an opt-out to site visitors, we highly recommend speaking with your legal team regarding the risks, potential liability, and penalties associated with CCPA non-compliance.

  • Pros: All users who are California residents can be included in remarketing lists and tracking.
  • Cons: Very high risk with strong possibility of penalization. 

It’s worth noting that if you choose any implementation outside of the Risk Averse recommendation, you run the risk of processing data that belongs to a user that has opted out in another browser or previous session if the cookie has been purged.
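The Risk Averse and Risk Tolerant paths above, sketched as pixel logic. This is an added example, not code from the article or from Facebook: the policy names, the visitor object, the `blockOnOptOut` switch and the pixel ID placeholder are hypothetical, and the `dataProcessingOptions` argument values (0, 0 for Facebook geolocation; 1, 1000 for USA/California; an empty list for no LDU) come from Facebook's pixel developer documentation rather than from this page.

```javascript
// Added example. Policy names, the visitor object and PIXEL_ID are hypothetical.
const PIXEL_ID = '<YOUR_PIXEL_ID>'; // placeholder, not a real pixel ID

// Argument shapes for fbq('dataProcessingOptions', ...), per Facebook's pixel docs.
const LDU_GEOLOCATE = [['LDU'], 0, 0];     // Facebook detects California itself
const LDU_CALIFORNIA = [['LDU'], 1, 1000]; // advertiser declares USA (1), California (1000)
const LDU_OFF = [[]];                      // empty list: no limited data use

// Decide what the pixel may do for one visitor.
// policy: 'risk-averse' (LDU on every PageView) or 'opt-out' (LDU only after opt-out).
// visitor: { optedOut: boolean, region: 'CA' | other string | undefined }
// Returns { load: false } to block the pixel, or { load: true, args: [...] }.
function lduDecision(policy, visitor, { blockOnOptOut = false } = {}) {
  // Declare California ourselves only when we know it; otherwise let Facebook geolocate.
  const ldu = visitor.region === 'CA' ? LDU_CALIFORNIA : LDU_GEOLOCATE;
  if (policy === 'risk-averse') return { load: true, args: ldu };
  if (policy === 'opt-out') {
    // CCPA is opt-out: without a recorded opt-out, no LDU flag is sent.
    if (visitor.optedOut !== true) return { load: true, args: LDU_OFF };
    return blockOnOptOut ? { load: false } : { load: true, args: ldu };
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Apply a decision. dataProcessingOptions is queued before init so the
// setting already applies to the first PageView. Returns true if the pixel fired.
function firePixel(fbq, decision) {
  if (!decision.load) return false;
  fbq('dataProcessingOptions', ...decision.args);
  fbq('init', PIXEL_ID);
  fbq('track', 'PageView');
  return true;
}

// Constructed demo: a recording stub stands in for the real fbq().
function demo() {
  const calls = [];
  const stub = (...args) => calls.push(args);
  firePixel(stub, lduDecision('opt-out', { optedOut: true, region: 'CA' }));
  return calls;
}
console.log(JSON.stringify(demo()));
```

The decision is only as durable as the stored opt-out: if the consent cookie is purged, `optedOut` reads as absent and the opt-out policy sends no LDU flag.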

There is no perfect solution right now; all of these approaches present their own challenges. I live and breathe this stuff and still find myself asking questions like: 

  • What impact will applying LDU universally to everyone in California have on suppression lists?
  • How can we persist a user’s decision to limit tracking when we have limited time to store that option within a persistent cookie between sessions? 

Here’s some further food for thought from tech lawyer Steve Blickensderfer (this is also not legal advice):

If companies do not keep the "Limited Data Use" feature turned "on" after the transition period (approx. 30-60 days), then that could result in the accidental "selling" of personal data under the #CCPA. Food for thought. 🤔 /fin

— Steve Blickensderfer (@sblicken) June 24, 2020

Do I have to do anything if my business is not in California?

CCPA applies to businesses targeting residents of California, regardless of where the business is located. If your business is marketing to California residents on Facebook, you must be in compliance or open your business to liability and possible penalties.

The full impact of the limitations, of course, depends on how heavily a business’s market is skewed toward California residents. But it’s worth noting that we believe that similar limitations are likely to be passed nationwide in the near future, and more stringent regulations already apply to the EU under GDPR.

In closing, it’s become more and more apparent that the current practice of simultaneously seeking consumer privacy protections through both technical (ITP, ETP) and legislative means has made compliance a struggle. Basically, this process makes it impossible for a business to know whether or not they’re in violation of a law without first accessing all of a user’s data to ensure they’re not using it incorrectly. The future of effective privacy protection may in fact be more radical than anything we’re seeing right now: a world where there’s no “privacy” at all, in which all of our data is freely available to businesses but we expressly dictate how they can use it.

Until then, you need to take action by July 31, 2020. We’ll continue to provide updates around CCPA compliance as we learn more about the limitations and how the law is being interpreted in the courts.

————————————————–

More on CCPA

Following is an update to reflect exemptions and actions brands should take depending on their exception status. 

Which businesses must comply with the CCPA? 

There are a number of exceptions to CCPA compliance requirements, mainly focused on small businesses, to limit the burden associated with compliance. Dickinson-Wright provides a thorough overview on their site (last updated June 2018). Of note, companies are required to comply with the CCPA if they meet any one of these three criteria (per the CCPA Code):

  • Have $25 million or more in annual revenue; or
  • Possess the personal data of more than 50,000 “consumers, households, or devices”; or
  • Earn more than half of their annual revenue selling consumers’ personal data.

Thinking about this the other way around, if your business does not meet any of the criteria outlined above, then you may be exempt from CCPA compliance. If you believe your business is exempt, we recommend that you speak with your legal counsel to confirm this as it will drastically change the actions you will need to take. 

What Actions Should Brands Take?

The first question you need to answer is, “Does CCPA apply to my company?” Determine if your company is required to be compliant with CCPA guidelines. Note, the personal data of 50,000 “consumers, households, or devices” can be considered highly ambiguous, so you’ll want to think about all of the ways you currently store user data. 

Exempt

If your business is not required to be compliant with CCPA, then you will not be subject to the functions enforced by Limited Data Use. Once you have confirmed that this is the case, you can Enable Full Use of Customer Data within Facebook. (By toggling on “Enable Full Use of Consumer Data”, you will be manually overriding the automatic feature put in place by Facebook.)

If you are exempt, or compliant, you can disable Limited Data Use prior to July 31st by “Enabling” this setting within the Facebook UI.

Non-Exempt

If your business is required to comply with CCPA requirements, then we recommend taking the following actions:

  1. Legal Review: Speak with your legal team about your organization’s broader approach to CCPA compliance. This will include things like your Privacy Policy, or “Do Not Sell My Information” form requirements. 
  2. Technical Compliance: In order to give users in California the ability to opt-out of sharing/selling their personal data, we recommend implementing a web compliance tool. Web compliance tools allow you to give users options regarding tracking and data processing. There are many solutions available, but we recommend the following three options: 
    1. CookieBot: https://www.cookiebot.com/en/
    2. OneTrust: https://www.onetrust.com/ 
    3. Clym: https://www.clym.io/ 
  3. Limited Data Use Flag: Review which actions a user may take that would change the way you may share their data with Facebook. Specifically, are they opting-out of tracking? If so, you will either need to block tracking completely, or you will need to apply a “Limited Data Use” flag to the pixel. 
    1. CCPA is an opt-out law: This means that by default a user is opted into sharing their data, so the default state should not be to have an LDU flag unless your legal team believes otherwise
    2. Blocking all tracking: If you allow a user to block all tracking, this should work in the same way as applying a Limited Data Use flag in your pixel. 
    3. It’s not just the pixel: All of the ways you pass data back to Facebook need to be accounted for (which a good web compliance tool will be able to handle for you) – the technical specs for other forms of data passback can be reviewed here.
  4. Enable Full Use of Customer Data within Facebook: Once you are compliant with CCPA guidelines and have decided if & when you want to update your pixel to include the LDU flag, you can Enable Full Use of Customer Data within Facebook. 

Opinions expressed in this article are those of the guest author and not necessarily Search Engine Land. Staff authors are listed here.



About The Author

Simon Poulton
Simon has had a passion for finding creative ways to measure real-world challenges from an early age. Combining an affinity for psychology, statistics, and digital marketing, he is currently the VP of Digital Intelligence at Wpromote. Simon regularly speaks at industry events, including SMX West, SMX East, Cleveland Research Group's eCommerce Catalyst for Change, and SMX Advanced on a variety of topics related to data-driven digital marketing.
