The information available in this article is for informational purposes only and not for the purpose of providing legal advice.

Palisades MediaGroup does not provide legal advice, please consult your legal counsel accordingly.

The California Consumer Privacy Act (CCPA) provides California consumers with new rights and more control over the personal information and data that businesses collect about them. Included in this act is the right for consumers to opt-out of the sale of their personal information. This provision impacts the foundation of the digital media process, especially when data-sharing relationships exist, like the ones between an advertiser and Facebook.

The law went into effect on January 1, 2020, and marketers, media entities, and social networks have been working to ensure compliance in time for the window for litigation which opened on July 1. For reference, CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have $25 million or more in gross annual revenue.
  • Possess the personal data of more than 50,000 “consumers, households, or devices”.
  • Earn more than half of its annual revenue selling consumers’ personal data.

Facebook Response

To support CCPA compliance efforts, Facebook initiated “Limited Data Use” (LDU) by default on all business accounts from July 1st-July 31st. The LDU setting automatically detects if a user resides in California, and restricts the way user data can be stored, processed, and used within the Facebook ecosystem. Data sources impacted by this setting include the following:

  • Facebook Pixel
  • Offline Conversions
  • App Events API
  • App Events via Facebook SDK
  • Audience Network Ad Request and Bidding via Audience Network SDK
  • Conversions API (formerly known as Server-Side API)

Any campaigns which use these data streams for direct targeting or passive optimizations will likely notice degradation in KPIs. Examples include retargeting lists, awareness campaigns utilizing algorithmic optimization, and Facebook Custom Audiences from customer lists.

During the default window, advertisers are encouraged to re-confirm CCPA compliance and make necessary updates to pixeling to ensure continued compliance for opt-out consumers. On or before August 1st, your brand will need to decide if continued opt-in is legally necessary or if your CCPA preparation and compliance allows you to opt-out.

Included in the roll-out of LDU are updated Facebook terms which include a new provision for State Specific Terms , establishing a legal framework that puts the burden of CCPA compliance and liability on advertisers and establishes Facebook as a Service Provider. By opting out of LDU the advertiser agrees to be solely liable for compliance with the California Consumer Privacy Act.

Compliance Steps

There are a few courses of action when it comes to Facebook CCPA compliance, depending on your tolerance for risk. We have outlined three potential options and their implications, ranging from the lowest risk to highest.

  • Low Risk: Enable LDU for all California users in perpetuity
    • Implication - All California residents will be excluded from remarketing campaigns and other data targeting functions. This will greatly impact performance and available targeting options within Facebook advertising campaigns.
  • Moderate Risk: Selectively enable LDU or block data-tracking for consumers
    who have opted out of tracking.
    • Implication - Requires Facebook pixel configuration by advertiser to
      ensure it does not track opt-out consumers. The process could be
      potentially complicated to configure but ensures full data use for all
      non-opt-out consumers.
  • High risk: Allow the default LDU setting to lapse after 7/31 and use Facebook
    data in campaigns.
    • Implication - Very high risk as opt-out consumers will be tracked/targeted
      with significant liability.

With any of these options, legal counsel should be consulted to determine the appropriate next steps and impact on business liability. In addition, counsel should provide opinion on the added State Specific Terms and their impact on the chosen path forward with Facebook Advertising.

Technical Compliance

To be in compliance with LDU and CCPA, advertisers need to provide a mechanism to signal Facebook of users who have opted-out from tracking with the Facebook pixel. The signal is sent through an array called Data Processing Options, and it can optionally include a consumer's country and state. If the advertiser doesn’t set the parameters to US and California, Facebook will determine if a person is in California and apply the chosen LDU setting.

In order to give California consumers the ability to opt-out of sharing/selling their personal data, and if you have not already, you may consider implementing a web compliance tool to be in compliance with Facebook requirements in Limited Data Use. Web compliance tools allow you to give users options regarding tracking and data processing. There are many solutions available, below are a few examples:

It’s important to note that LDU is not just the Facebook pixel: All of the ways you pass data back to Facebook need to be accounted for – the technical specs for other forms of data passback can be reviewed here.

For further consideration, please review Facebook’s Limited Data Use Developer tools and Facebook product specific information if you decide to use LDU.

Potential Path to Data Use

Depending on the chosen compliance path, data-use can still be possible within the Facebook Advertising platform, but the liability under CCPA necessitates a detailed review of data practices before re-enabling. If all proper process is in place and vetted by your legal team to enable consumers to opt-out of tracking, and this signal and be sent to Facebook through the process noted in Facebook’s technical specs, an advertiser can selectively opt-out of LDU and enable advanced targeting, measurement, and media optimizations for Facebook Ads. In all cases, Advertisers will need to agree to the new Facebook State Specific Terms to continue to deliver campaigns.

POV for Brands

Facebook has been vague in communications around CCPA compliance, which means your legal team will be responsible for assessing the risk and support from their team may be limited. Now that the full window for litigation is open and Facebook has shifted data liability from their platform to the advertiser this is all the more important. While the law specifically relates to selling data, this created questions in the market as selling encompasses any exchange of personal information “for monetary or other valuable consideration.”

The phrase other valuable consideration leaves room for interpretation especially given Facebook’s shift to a service provider and value gained for media delivery. It is believed that no money needs to change hands for data to be sold, but what that could mean remains to be understood. Full review by the advertiser’s legal counsel will be crucial to determine next steps in your utilization of Facebook ads in your media campaign. We are here to support our clients in further discussions with legal counsel and provide background on the implications of LDU within Facebook advertising campaigns.