Facebook CCPA compliance challenges: Limited Data Use
What you need to know about how Facebook's handling of California user data might affect your business.
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and businesses have been working to make sure they are in compliance before the window for litigation opens on July 1. This isn’t new news: at this point, we’ve been talking about this for over 2 years. And lo! Here we are, two years later, and confusion around compliance requirements abounds.
Part of the challenge with CCPA compliance is the lack of clarity around what is required from different types of businesses—especially when data-sharing relationships exist, like the ones between every advertiser and Facebook.
This week, Facebook announced a new feature called Limited Data Use (LDU). As of July 1, LDU has been automatically enabled for all Facebook business accounts, limiting the way user data can be stored and processed in the Facebook ecosystem for all users Facebook identifies as residents of the state of California. The feature automatically detects if a user resides in California, and applies limited data use rules (more on those later). But that feature will only stay on until July 31—then Facebook requires businesses to update their pixel to include an LDU parameter.
If you do not take action by July 31, your business will take on sole responsibility for compliance (and all associated risks with non-compliance).
It seems every article that even mentions CCPA requires the author to announce multiple times that they are not a lawyer, and this is not legal advice. This is true of this article as well. I’m not a lawyer (sorry, Mum & Dad!) so please consult legal counsel with regards to compliance measures for your specific organization.
Many businesses might not be aware that they need to update their Facebook pixel to avoid potential liability under CCPA because other advertising platforms (such as Google Ads) have offered centralized opt-out buttons or other solutions. At this time, the LDU parameter is not included within the Facebook pixel by default, and you need to refer to a specific developer documentation page to review the scope of requirements.
Here’s everything we know right now:
How does Facebook’s Limited Data Use tool ensure CCPA compliance?
Facebook LDU enables advertisers on the platform to specify which users’ data should be subject to CCPA data management regulations. The company has outlined the specific ways user data will be limited in their list of state-specific terms, which includes language indicating advertisers are solely liable for compliance with CCPA.
The feature requires a simple modification to the existing Facebook PageView pixel so that Facebook can automatically detect whether or not a user is in California. Specifically, developers will need to include a string within the Facebook pixel for ‘dataProcessingOptions’ that will allow your business to specify its degree of CCPA compliance.
The string will allow for an advertiser to control if it is identifying a user in California or if would prefer for Facebook to handle the auto-identification. Of course, the ambiguity here comes from the fact that CCPA is an “opt-out” focused law, rather than “opt-in” like GDPR. So when should you enable LDU? At all times? Only when a user identifies they don’t want to be tracked? That has been left up to the individual advertisers to decide—and to assume the associated risk.
Reminder: If no action is taken before August 1, your brand will not be in compliance.
How will Facebook CCPA compliance affect my business’s digital marketing?
Not all of the consequences of CCPA compliance on Facebook are clear at this time, but we do know that Facebook will be limiting how the platform uses personal information (PII) to unify user identities. As a result, we expect to see customer behavior tracking and audience targeting get more challenging for digital marketers.
We also believe the changes will lead to performance declines on the platform, because they will impact the efficacy of advanced customer matching, offline conversion tracking, and retargeting for residents of California.
But the major immediate effect is on retargeting. When enabled, Facebook LDU will mean your business cannot include users in a behavioral (website pixel-based) retargeting campaign. To make it clear: if 100% of your users are California residents, you will have 0 users in your audience pool when you have LDU enabled. Since Facebook has automatically enabled this between July 1 – 31, 2020, this is already happening right now.
How should my business implement Facebook LDU?
It’s important to emphasize one thing we briefly touched on above before answering this question: CCPA compliance is focused on empowering users to opt-out of tracking (as opposed to GDPR, which requires users to opt-in to tracking). That means if a user visits your website, you can serve them with a cookie consent banner that gives them the option to opt-out. Under CCPA, if the user chooses to opt-out, your business needs to stop tracking them.
While very few users choose to opt-in to tracking, the numbers are much better when it comes to opting out. That means there are a couple of courses of action open to you when it comes to Facebook CCPA compliance, depending on your tolerance for risk.
Facebook has been vague in communications around CCPA compliance, which means you (and your business) are solely responsible for assessing the risk. We’ve identified three possible paths to take, ranged from lowest risk to highest, with pros and cons for each:
Risk Averse: This is the baseline because it carries no risk for the business. Your business does not need to set up an explicit opportunity to opt-out of tracking, instead enabling the LDU string on all instances of the PageVIew tag firing if a user has been identified as a California resident.
- Pros: Zero risk, 100% of California residents will be covered.
- Cons: All California residents will be excluded from remarketing campaigns (as well as other data targeting functions) so you will likely see a large performance hit.
Risk Tolerant: This middle course of action is slightly riskier, especially since we’re still learning how the CCPA is being interpreted. Your business needs to offer users the choice to opt-out of tracking using a cookie compliance solution like CookieBot or OneTrust. You would then only enable LDU for the users who opt out, which will also disable the Facebook pixel from firing. This is a strange situation to be in because disabling the pixel from firing would function in the same way as enabling LDU.
- Pros: Low risk, and likely that most California users will not opt-out, which means you can track behavior and retarget ads as usual.
- Cons: Potentially complicated to configure, and unclear how LDU would be utilized given an opt-out would limit the pixel from firing in totality (which could have the same net impact as the risk averse course of action).
High Risk: Do nothing and see what happens. If you are contemplating not enabling LDU on the Facebook pixel and not offering an opt-out to site visitors, we highly recommend speaking with your legal team regarding the risks, potential liability, and penalties associated with CCPA non-compliance.
- Pros: All users who are California residents can be included in remarketing lists and tracking.
- Cons: Very high risk with strong possibility of penalization.
It’s worth noting that if you choose any implementation outside of the Risk Averse recommendation, you run the risk of processing data that belongs to a user that has opted out in another browser or previous session if the cookie has been purged.
There is no perfect solution right now; all of these approaches present their own challenges. I live and breathe this stuff and still find myself asking questions like:
- What impact will a universal LDU application for everyone in California approach have on suppression lists?
- How can we persist a user’s decision to limit tracking when we have limited time to store that option within a persistent cookie between sessions?
Here’s some further food for thought from tech lawyer Steve Blickensderfer (this is also not legal advice):
Do I have to do anything if my business is not in California?
CCPA applies to businesses targeting residents of California, regardless of where the business is located. If your business is marketing to California residents on Facebook, you must be in compliance or open your business to liability and possible penalties.
The full impact of the limitations, of course, depends on how heavily a business’s market is skewed toward California residents. But it’s worth noting that we believe that similar limitations are likely to be passed nationwide in the near future, and more stringent regulations already apply to the EU under GDPR.
In closing, it’s become more and more apparent that the current practice of simultaneously seeking consumer privacy protections through both technical (ITP, ETP) and legislative means has made compliance a struggle. Basically, this process makes it impossible for a business to know whether or not they’re in violation of a law without first accessing all of a user’s data to ensure they’re not using it incorrectly. The future of effective privacy protection may in fact be more radical than anything we’re seeing right now: a world where there’s no “privacy” at all, in which all of our data is freely available to businesses but we expressly dictate how they can use it.
Until then, you need to take action by July 31, 2020. We’ll continue to provide updates around CCPA compliance as we learn more about the limitations and how the law is being interpreted in the courts.