Small Advertisers and Facebook's CCPA Function: What You Need to Know
Facebook, a company that once claimed it did not sell personal information, surprised many in late June by introducing CCPA controls: a “Limited Data Use” (LDU) capability on several Facebook features.
Facebook turned on the LDU feature during the month of July, after which LDU will be turned off automatically until a business enables it. Below I discuss the effects of LDU and how your business might react to comply with the CCPA if it uses Facebook campaigns, pixels, or other features.
First, Are You Subject to the CCPA?
If your business is not subject to the CCPA and probably won’t be for a while, then crack a beverage and watch this all unfold. If you (i) have less than $25 million in annual revenue, (ii) don’t collect the personal information of more than 50,000 individuals, households, or devices (some of which are in California), or (iii) don’t sell personal information to obtain a majority of your revenue, you do not need to utilize Facebook’s CCPA controls because you’re not subject to the CCPA (*cough* not legal advice *cough*). You might still use LDU if, for example, you committed to not selling consumer information on your website or privacy policy.
The rest of this post assumes you are subject to the CCPA; if you’re not sure, email me at codevilla@skandslegal.com.
What LDU Does
Essentially, enabling LDU means that if Facebook receives an “opt-out” flag from a California consumer, Facebook will not sell that consumer’s information. This plays out in different ways depending on whether you use Facebook’s pixel, Server-Side API, App Events API, or Offline Conversions.
It is unclear exactly which Facebook processes LDU disables, and I suspect Facebook is being deliberately obtuse on this point to protect its business. However, the practical effect of LDU has been a negative impact on campaign performance, effectiveness, retargeting, and measurement. We know LDU specifically impacts Facebook’s ability to customer match and behaviorally target consumers. If your business is subject to the CCPA and leans heavily on these features to advertise in California, consider alternate advertising methods.
LDU’s effects make intuitive sense: Facebook needs to monetize or exchange consumer information with other companies to fully measure a consumer’s behavior on its platform and others. LDU effectively removes a consumer from the complex advertising measurement ecosystem, so Facebook can tell you less about that consumer.
Should You Enable LDU? Then What?
If your brand or e-commerce business advertises on Facebook and you’re subject to the CCPA, at minimum you must design a way for California consumers to send an LDU flag to Facebook communicating the consumer’s decision to opt out of sale of their personal information. This might take the form of a “Do Not Sell My Personal Information” button on your home page or app, but technical implementation will be more complex depending on what Facebook features you use. Your technical implementation will also be more complex if you choose to present the opt-out feature only to California consumers, though Facebook has indicated it might help with that distinction. See more about technical implementation here.
Importantly, your business’ opt-out mechanism should apply to all sales of personal information, not just to Facebook advertising. For example, if you use Google for advertising, you may wish to enable Restricted Data Processing depending on how much you share with Google. Just which activities in the advertising ecosystem constitute “sales” for CCPA purposes is unclear, however, and requires counsel to parse through.
To get a better picture of your CCPA responsibilities, map your data; determine every service provider you utilize while running your business and what information you share with them, then analyze each relationship to determine whether you’re selling information or whether that entity is a service provider. If you’re not sure what third parties do with the information you share, read your contract and/or call a lawyer. Even if you are not selling information, those third parties might be selling the information you share with them, so the CCPA still requires you to notify California consumers and give them a chance to opt out of that sale.
Additionally, if you only use Facebook pixel and you’re subject to the CCPA, implement a cookie banner enabling California consumers to opt out of cookies and pixels that are not essential for site functioning. This is different from a “Do Not Sell My Personal Information” button, and mercifully easier to implement.
Finally, call a privacy lawyer and talk about proper disclosure of all the above and other steps necessary to comply with the CCPA. You can reach me at codevilla@skandslegal.com.