Monday, 23 Dec 2024

Facebook CCPA compliance challenges: Limited Data Use

What you need to know about how Facebook’s handling of California user data might affect your business.

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and businesses have been working to make sure they are in compliance before the window for litigation opens on July 1. This isn’t new news: at this point, we’ve been talking about this for over 2 years. And lo! Here we are, two years later, and confusion around compliance requirements abounds.

Part of the challenge with CCPA compliance is the lack of clarity around what is required from different types of businesses—especially when data-sharing relationships exist, like the ones between every advertiser and Facebook.

This week, Facebook announced a new feature called Limited Data Use (LDU). As of July 1, LDU has been automatically enabled for all Facebook business accounts, limiting the way user data can be stored and processed in the Facebook ecosystem for all users Facebook identifies as residents of the state of California. The feature automatically detects if a user resides in California, and applies limited data use rules (more on those later). But that feature will only stay on until July 31—then Facebook requires businesses to update their pixel to include an LDU parameter.

If you do not take action by July 31, your business will take on sole responsibility for compliance (and all associated risks with non-compliance).

It seems every article that even mentions CCPA requires the author to announce multiple times that they are not a lawyer, and this is not legal advice. This is true of this article as well. I’m not a lawyer (sorry, Mum & Dad!) so please consult legal counsel with regards to compliance measures for your specific organization.

Many businesses might not be aware that they need to update their Facebook pixel to avoid potential liability under CCPA because other advertising platforms (such as Google Ads) have offered centralized opt-out buttons or other solutions. At this time, the LDU parameter is not included within the Facebook pixel by default, and you need to refer to a specific developer documentation page to review the scope of requirements.

Here’s everything we know right now:

How does Facebook’s Limited Data Use tool ensure CCPA compliance?

Facebook LDU enables advertisers on the platform to specify which users’ data should be subject to CCPA data management regulations. The company has outlined the specific ways user data will be limited in their list of state-specific terms, which includes language indicating advertisers are solely liable for compliance with CCPA.

The feature requires a simple modification to the existing Facebook PageView pixel so that Facebook can automatically detect whether or not a user is in California. Specifically, developers will need to include a string within the Facebook pixel for ‘dataProcessingOptions’ that will allow your business to specify its degree of CCPA compliance.

The string lets an advertiser control whether it identifies a user as being in California itself or whether it would prefer Facebook to handle the auto-identification. Of course, the ambiguity here comes from the fact that CCPA is an “opt-out” focused law, rather than “opt-in” like GDPR. So when should you enable LDU? At all times? Only when a user identifies they don’t want to be tracked? That has been left up to the individual advertisers to decide—and to assume the associated risk.

Reminder: If no action is taken before August 1, your brand will not be in compliance.

[Image: implementation options for Facebook Limited Data Use (CCPA). Example image showing the various implementation methods.]

How will Facebook CCPA compliance affect my business’s digital marketing?

Not all of the consequences of CCPA compliance on Facebook are clear at this time, but we do know that Facebook will be limiting how the platform uses personally identifiable information (PII) to unify user identities. As a result, we expect to see customer behavior tracking and audience targeting get more challenging for digital marketers.

We also believe the changes will lead to performance declines on the platform, because they will impact the efficacy of advanced customer matching, offline conversion tracking, and retargeting for residents of California.

But the major immediate effect is on retargeting. When enabled, Facebook LDU will mean your business cannot include users in a behavioral (website pixel-based) retargeting campaign. To make it clear: if 100% of your users are California residents, you will have 0 users in your audience pool when you have LDU enabled. Since Facebook has automatically enabled this between July 1 – 31, 2020, this is already happening right now.

How should my business implement Facebook LDU?

It’s important to emphasize one thing we briefly touched on above before answering this question: CCPA compliance is focused on empowering users to opt-out of tracking (as opposed to GDPR, which requires users to opt-in to tracking). That means if a user visits your website, you can serve them with a cookie consent banner that gives them the option to opt-out. Under CCPA, if the user chooses to opt-out, your business needs to stop tracking them.

While very few users choose to opt-in to tracking, the numbers are much better when it comes to opting out. That means there are a couple of courses of action open to you when it comes to Facebook CCPA compliance, depending on your tolerance for risk.

Facebook has been vague in communications around CCPA compliance, which means you (and your business) are solely responsible for assessing the risk. We’ve identified three possible paths to take, ranging from lowest risk to highest, with pros and cons for each:

[Image: should your business limit data use on Facebook for CCPA compliance?]

Risk Averse: This is the baseline because it carries no risk for the business. Your business does not need to set up an explicit opportunity to opt-out of tracking; instead, it enables the LDU string on every instance of the PageView tag firing when a user has been identified as a California resident.

  • Pros: Zero risk, 100% of California residents will be covered.
  • Cons: All California residents will be excluded from remarketing campaigns (as well as other data targeting functions) so you will likely see a large performance hit.

Risk Tolerant: This middle course of action is slightly riskier, especially since we’re still learning how the CCPA is being interpreted. Your business needs to offer users the choice to opt-out of tracking using a cookie compliance solution like CookieBot or OneTrust. You would then only enable LDU for the users who opt out, which will also disable the Facebook pixel from firing. This is a strange situation to be in because disabling the pixel from firing would function in the same way as enabling LDU.

  • Pros: Low risk, and likely that most California users will not opt-out, which means you can track behavior and retarget ads as usual.
  • Cons: Potentially complicated to configure, and unclear how LDU would be utilized given an opt-out would limit the pixel from firing in totality (which could have the same net impact as the risk averse course of action).

High Risk: Do nothing and see what happens. If you are contemplating not enabling LDU on the Facebook pixel and not offering an opt-out to site visitors, we highly recommend speaking with your legal team regarding the risks, potential liability, and penalties associated with CCPA non-compliance.

  • Pros: All users who are California residents can be included in remarketing lists and tracking.
  • Cons: Very high risk with strong possibility of penalization.

It’s worth noting that if you choose any implementation outside of the Risk Averse recommendation, you run the risk of processing data that belongs to a user that has opted out in another browser or previous session if the cookie has been purged.

There is no perfect solution right now; all of these approaches present their own challenges. I live and breathe this stuff and still find myself asking questions like:

  • What impact will a universal-LDU approach (applying LDU to everyone in California) have on suppression lists?
  • How can we persist a user’s decision to limit tracking when we have limited time to store that option within a persistent cookie between sessions?

Here’s some further food for thought from tech lawyer Steve Blickensderfer (this is also not legal advice):

Do I have to do anything if my business is not in California?

CCPA applies to businesses targeting residents of California, regardless of where the business is located. If your business is marketing to California residents on Facebook, you must be in compliance or open your business to liability and possible penalties.

The full impact of the limitations, of course, depends on how heavily a business’s market is skewed toward California residents. But it’s worth noting that we believe that similar limitations are likely to be passed nationwide in the near future, and more stringent regulations already apply to the EU under GDPR.

In closing, it’s become more and more apparent that the current practice of simultaneously seeking consumer privacy protections through both technical (ITP, ETP) and legislative means has made compliance a struggle. Basically, this process makes it impossible for a business to know whether or not they’re in violation of a law without first accessing all of a user’s data to ensure they’re not using it incorrectly. The future of effective privacy protection may in fact be more radical than anything we’re seeing right now: a world where there’s no “privacy” at all, in which all of our data is freely available to businesses but we expressly dictate how they can use it.

Until then, you need to take action by July 31, 2020. We’ll continue to provide updates around CCPA compliance as we learn more about the limitations and how the law is being interpreted in the courts.

————————————————–

More on CCPA

Following is an update to reflect exemptions and actions brands should take depending on their exception status.

Which businesses must comply with the CCPA? 

There are a number of exceptions to CCPA compliance requirements, mainly focused on small businesses to limit the burden associated with compliance. Dickinson-Wright provides a thorough overview on their site (last updated June 2018). Of note, companies fall under the CCPA if they meet any one of these three criteria (per the CCPA Code):

  • Have $25 million or more in annual revenue; or
  • Possess the personal data of more than 50,000 “consumers, households, or devices”; or
  • Earn more than half of its annual revenue selling consumers’ personal data.

Thinking about this the other way around, if your business does not meet any of the criteria outlined above, then you may be exempt from CCPA compliance. If you believe your business is exempt, we recommend that you speak with your legal counsel to confirm this as it will drastically change the actions you will need to take.

What Actions Should Brands Take?

The first question you need to answer is, “Does CCPA apply to my company?” Determine if your company is required to be compliant with CCPA guidelines. Note, the personal data of 50,000 “consumers, households, or devices” can be considered highly ambiguous, so you’ll want to think about all of the ways you currently store user data.

Exempt

If your business is not required to be compliant with CCPA, then you will not be subject to the functions enforced by Limited Data Use. Once you have confirmed that this is the case, you can Enable Full Use of Customer Data within Facebook. (By toggling on “Enable Full Use of Consumer Data”, you will be manually overriding the automatic feature put in place by Facebook.)

If you are exempt, or compliant, you can disable Limited Data Use prior to July 31st by “Enabling” this setting within the Facebook UI.

Non-Exempt

If your business is required to comply with CCPA requirements, then we recommend taking the following actions:

  1. Legal Review: Speak with your legal team about your organization’s broader approach to CCPA compliance. This will include things like your Privacy Policy, or “Do Not Sell My Information” form requirements.
  2. Technical Compliance: In order to give users in California the ability to opt-out of sharing/selling their personal data, we recommend implementing a web compliance tool. Web compliance tools allow you to give users options regarding tracking and data processing. There are many solutions available, but we recommend the following three options:
    1. CookieBot: https://www.cookiebot.com/en/
    2. OneTrust: https://www.onetrust.com/
    3. Clym: https://www.clym.io/
  3. Limited Data Use Flag: Review which actions a user may take that would change the way you may share their data with Facebook. Specifically, are they opting-out of tracking? If so, you will either need to block tracking completely, or you will need to apply a “Limited Data Use” flag to the pixel.
    1. CCPA is an opt-out law: This means that by default a user is opted into sharing their data, so the default state should not be to have an LDU flag unless your legal team believes otherwise.
    2. Blocking all tracking: If you allow a user to block all tracking, this should work in the same way as applying a Limited Data Use flag in your pixel.
    3. It’s not just the pixel: All of the ways you pass data back to Facebook need to be accounted for (which a good web compliance tool will be able to handle for you) – the technical specs for other forms of data passback can be reviewed here.
  4. Enable Full Use of Customer Data within Facebook: Once you are compliant with CCPA guidelines and have decided if & when you want to update your pixel to include the LDU flag, you can Enable Full Use of Customer Data within Facebook.
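As an added example (not code from the original post or from Facebook), the snippet below models the ‘dataProcessingOptions’ call described earlier, the three implementation paths (Risk Averse, Risk Tolerant, exempt), and step 3 above: it maps a consent decision onto the arguments Facebook’s developer docs specify for fbq('dataProcessingOptions', …) and queues them ahead of init, then checks an existing queue for that ordering. The `consent` object shape, the path names and the pixel queue stand-in are assumptions made here so the code runs offline.

```javascript
// Added example, not code from the original post. Offline stand-in for the pixel's
// pre-load queue: the real base snippet defines window.fbq and pushes each call's
// arguments onto fbq.queue until fbevents.js loads, so the calls can be inspected here.
function makePixelQueue() {
  const queue = [];
  const fbq = (...args) => { queue.push(args); };
  fbq.queue = queue;
  return fbq;
}

// Argument lists for fbq('dataProcessingOptions', ...) per Facebook's developer docs:
//   ['LDU'], 1, 1000  apply LDU and explicitly flag the visitor as in California (country 1, state 1000)
//   ['LDU'], 0, 0     apply LDU and let Facebook geolocate the visitor
//   []                no LDU: full use of data
const DPO = {
  californiaExplicit: [['LDU'], 1, 1000],
  geolocate: [['LDU'], 0, 0],
  none: [[]],
};

// Map the post's implementation paths onto those arguments. `consent` is an assumed
// shape from your consent tool: { optedOut: boolean, inCalifornia: boolean|null }
// (null = unknown, so we defer to Facebook's own geolocation).
function dataProcessingOptionsFor(path, consent) {
  const ldu = consent.inCalifornia === true ? DPO.californiaExplicit : DPO.geolocate;
  switch (path) {
    case 'risk-averse':   return ldu;                               // LDU for every Californian, no opt-out UI
    case 'risk-tolerant': return consent.optedOut ? ldu : DPO.none; // LDU only after an opt-out
    case 'exempt':        return DPO.none;                          // counsel confirmed CCPA does not apply
    default: throw new Error(`unknown path: ${path}`);
  }
}

// Queue the calls in the order Facebook requires: dataProcessingOptions before init,
// then PageView. Blocking the pixel entirely for opted-out visitors (the post's other
// option) would simply mean never calling this function for them.
function bootstrapPixel(fbq, pixelId, path, consent) {
  fbq('dataProcessingOptions', ...dataProcessingOptionsFor(path, consent));
  fbq('init', pixelId);
  fbq('track', 'PageView');
}

// QA check for an already-deployed page: which flag reached the queue before init?
// Returns 'ldu', 'full', or 'missing' (no dataProcessingOptions call before init at all).
function lduStateBeforeInit(queue) {
  const initAt = queue.findIndex((c) => c[0] === 'init');
  const dpo = queue.slice(0, initAt === -1 ? queue.length : initAt)
    .filter((c) => c[0] === 'dataProcessingOptions').pop();
  if (!dpo) return 'missing';
  return Array.isArray(dpo[1]) && dpo[1].includes('LDU') ? 'ldu' : 'full';
}
```

In a browser you would call bootstrapPixel with window.fbq after the base snippet has defined it and after your consent tool has resolved the visitor's choice.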