Facebook CCPA compliance in California

Credit: Terms Feed

If you're running Facebook ads in California you need to know new policies that are going to affect if your ads are running or not.

The California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) began on January 1, 2020, and as a result, many online platforms are making changes to how data is collected from residents of California.

July 1, 2020 was the deadline for businesses to become compliant with the new policy changes before the California Attorney General started enforcing this new law.

Regardless of where your business is located, if you run ads in California, you are affected.

Here are the cliff notes version of the CCPA:

• Any business who collects a consumer data & personal information is required to disclose the categories and purposes of the personal info collected. Also a business can't collect added categories of personal information outside of what was disclosed.
• The customers / consumers / the public can opt-out of their data being sold to third parties.
• Consumers have the right to request companies to delete any personal info about the consumer that the company collected (with some exceptions).

Note: This applies to all businesses with revenue over $25 million, those that have information from over 50,000 users, and/or businesses who earn more than half their revenue from selling this user data.

How CCPA Affects Facebook Advertisers 

Remember the Cambridge Analytica scandal? In 2019 Facebook settled with the FTC for $5 billion due to data privacy breaches.

Additionally Facebook released a document showing data of 6 million Californians may have been shared, costing Facebook something like $17 billion minimum in fines.

CCPA is like the GDPR update made in Europe in 2018 with one big difference: unlike GDPR where users can “opt-in” to have their data collected, CCPA gives users the option to  “opt-out” of having their data collected (and sold) and places that responsibility on companies and advertisers to decide.

How does Facebook’s Limited Data Use tool ensure CCPA compliance?

Facebook LDU enables advertisers on the platform to specify which users’ data should be subject to CCPA data management regulations. The company has outlined the specific ways user data will be limited in their list of state-specific terms, which includes language indicating advertisers are solely liable for compliance with CCPA. 

The feature requires a simple modification to the existing Facebook PageView pixel so that Facebook can automatically detect whether or not a user is in California. Specifically, developers will need to include a string within the Facebook pixel for ‘dataProcessingOptions’ that will allow your business to specify its degree of CCPA compliance. 

The string will allow for an advertiser to control if it is identifying a user in California or if would prefer for Facebook to handle the auto-identification. Of course, the ambiguity here comes from the fact that CCPA is an “opt-out” focused law, rather than “opt-in” like GDPR. So when should you enable LDU? At all times? Only when a user identifies they don’t want to be tracked? That has been left up to the individual advertisers to decide—and to assume the associated risk. 

Limited Data Use Feature

Starting July 1st Facebook rolled out the Limited Data Use (LDU) policy. This limits the way Facebook user data is stored and processed for all California residents.

Well, now the LDU is now auto-enabled for every Facebook business account and all personal information shared through the following Facebook features:

• Facebook Pixel
• Server-Side API
• App Events API
• Offline Conversions

Facebook’s Limited Data Use feature protects Facebook advertisers from violating consumer privacy laws outlined in CCPA. Advertisers have until October 20, 2020 to update the Facebook Pixel to be compliant with CCPA. Action is required to extend the transition period. If no action is taken, the LDU will end on August 1, 2020.

LDU Facebook Events in Ads Manager

The LDU is applied to every Facebook event by default. Data collection for these events is limited to California residents and won't be captured and used in products that used all of customer data in the past.

This is the pop up warning in Ads Manager you may see:



If your company doesn’t meet the CCPA requirements or you don’t run Facebook ads to California residents, you can choose to enable full data use to make sure that all Facebook events (flagged or unflagged) will collect the full amount of data collected.

Before taking any action – first determine if your business is even affected by CCPA. If not, you may just disable the LDU setting in Facebook so that your company can continue to collect data from the California residents you run ads to.

Search Engine Land, made this helpful graphic to breakdown the ins and outs:

What Actions Should Brands Take?

The first question you need to answer is, “Does CCPA apply to my company?” Determine if your company is required to be compliant with CCPA guidelines. Note, the personal data of 50,000 “consumers, households, or devices” can be considered highly ambiguous, so you’ll want to think about all of the ways you currently store user data. 

Exempt

If your business is not required to be compliant with CCPA, then you will not be subject to the functions enforced by Limited Data Use. Once you have confirmed that this is the case, you can Enable Full Use of Customer Data within Facebook. (By toggling on “Enable Full Use of Consumer Data”, you will be manually overriding the automatic feature put in place by Facebook)

Non-Exempt

If your business is required to comply with CCPA requirements, then we recommend taking the following actions:

1. Legal Review: Speak with your legal team about your organization’s broader approach to CCPA compliance. This will include things like your Privacy Policy, or “Do Not Sell My Information” form requirements. 
2. Technical Compliance: In order to give users in California the ability to opt-out of sharing/selling their personal data, we recommend implementing a web compliance tool. Web compliance tools allow you to give users options regarding tracking and data processing. There are many solutions available, but we recommend the following three options: 
   1. CookieBot: https://www.cookiebot.com/en/
   2. OneTrust: https://www.onetrust.com/ 
   3. Clym: https://www.clym.io/ 
3. Limited Data Use Flag: Review which actions a user may take that would change the way you may share their data with Facebook. Specifically, are they opting-out of tracking? If so, you will either need to block tracking completely, or you will need to apply a “Limited Data Use” flag to the pixel. 
   1. CCPA is an opt-out law: This means that by default a user is opted into sharing their data, so the default state should not be to have an LDU flag unless your legal team believes otherwise
   2. Blocking all tracking: If you allow a user to block all tracking, this should work in the same way as applying a Limited Data Use flag in your pixel. 
   3. It’s not just the pixel: All of the ways you pass data back to Facebook need to be accounted for (which a good web compliance tool will be able to handle for you) – the technical specs for other forms of data passback can be reviewed here.
4. Enable Full Use of Customer Data within Facebook: Once you are compliant with CCPA guidelines and have decided if & when you want to update your pixel to include the LDU flag, you can Enable Full Use of Customer Data within Facebook. 

Ensure Facebook Pixel is LDU Complaint

For businesses who have a Facebook Pixel deployed via Google Tag Manager and have a dedicated Analytics/Development team member, you'll have to change the Facebook pixel's PageView event. (Hardcoded Facebook pixels can be updated the same way by a web developer.)

Changes to other Facebook pixel events in addition to the pageview event code may be needed but that depends on the amount of risk you want to take.

These modifications to the ‘dataProcessingOptions’ will allow Facebook to determine whether or not the user is a California resident and the degree of CCPA compliance your business has opted for.

Facebook wrote up some documentation on how their pixel should be updated to detail the dataProcessingOptions method before you call fbq(‘init’).

To disabled the Limited Data Use Mode use:

fbq(‘dataProcessingOptions’, []);

fbq(‘init’, ‘{pixel_id}’);

fbq(‘track’, ‘PageView’);

To enable LDU mode using geolocation, use:

fbq(‘dataProcessingOptions’, [‘LDU’], 0, 0);

To enable LDU for users and specify user geography:

fbq(‘dataProcessingOptions’, [‘LDU’], 1, 1000);

How Facebook Advertisers Feel The Impact of LDU

Retargeting campaigns will probably be the most affected by the LDU.

With LDU automatically enabled across all accounts on July 1, Californians are no longer included in pixel-based retargeting campaigns. If you already have retargeting campaigns set up that run in California these may be affected.

For example, if you're running ads to an audience on the west coast, and 75% of that audience is in California the LDU will take away your ability to see the other 25% of your audience and you can't use their data for retargeting ad campaigns.

Looking forward, there also may be a blow back onto conversion attribution window settings for Facebook users in California as well, and the issue of how this same info will be tabulated in Google Analytics.

Maybe Dean Kamen can invent a solution that protects user privacy but also doesn't stifle businesses who need ads run on Facebook to keep their doors open?

What do you think of the new LDU policy? If you need a Facebook ad policy expert, feel free to schedule a call here.

New Solution to Facebook Ad Policy Violations

After years of working at Facebook, I understand exactly what ad copy in your funnel is triggering the automations and how to get compliant.

Get solid answers directly from the source instead guessing, googling, and playing roulette. Schedule a call with me and I can easily tell you proven reasons why the automations flag you and how to become compliant.

You'll be swapping out walking in a minefield of ad flags, to have a sure path to having your Facebook ad accounts protected from being disabled.

My clients have included the social media marketing agencies of Tony Robbins, Harv Eker, and Dean Graziosi. I'm featured on the Queen of Facebook Mari Smith's Marketing Essentials Course.

Save energy and money - how much is it costing you to not know why Facebook is shutting you down? Talk today. 



If you want to skip the line before this offer ends, immediately secure an expert-level Facebook consulting call from someone at Facebook. Book a call with me now!

If you're ok with waiting a bit longer, and entering the waitlist to see if you're eligible - Schedule a call or contact me via email.