Desiree Blank headshot Posted by Desiree Blank November 02, 2020

Understanding CCPA Compliance with Facebook: Limited Data Use

Have you seen a drop in your Facebook conversion numbers recently? The new Limited Data Use (LDU) feature for Facebook could be the reason. The LDU feature is Facebook’s solution for complying with the California Consumer Protection Act (CCPA) that went into effect on January 1, 2020 with enforcement happening since July 1. The Limited Data Use feature and CCPA compliance on Facebook can all be a bit confusing, so we’re sharing a quick overview of the feature and its implications, your options for CCPA compliance, and how to reduce the impact to your digital marketing efforts. 

About CCPA 

The CCPA is a privacy law providing California citizens with certain rights over their personal data. There are 5 major components to the CCPA. They give California residents the right to: 

  1. Know what personal information is being collected on them 
  2. Know whether their personal information is being shared and with whom 
  3. Opt out of the sale of their personal information 
  4. Access the personal information you’ve collected
  5. Receive equality in service and price, even if they’ve exercised their privacy rights

These rights apply to all California citizens, so any company doing business in California may be required by law to comply. Your business must comply if it meets any of the following criteria: 

  • Makes more than $25 million in annual gross revenue 
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year 
  • Earns 50% or more of its annual revenue from the selling of consumers’ personal data 

Related eBook: How to make your website compliant with the CCPA

About the Limited Data Use feature

In July/August, Facebook introduced their Limited Data Use (LDU) feature to address CCPA compliance. The feature works by adding parameters that allow advertisers to specify which users’ data should be subject to CCPA data management regulations. 

When a California resident exercises their “do not sell” rights on your website, there needs to be a way for Facebook to flag and exclude that person’s data. You can configure LDU based on:

  1. How users are identified as California residents, and
  2. When their data use should be limited.

How should I implement it? 

There are a few different ways to implement LDU with varying impacts on your digital marketing. Your main options are listed below: 

  • Enable LDU for all California users. When the LDU feature is fully enabled, Facebook will identify users that come from California and exclude the entire group from marketing campaigns. It’s a very conservative approach, essentially treating all your California traffic as if they’ve opted out. Most businesses only see a minor number of opt-out requests, so this can have a huge negative impact on your marketing goals. 
  • Only enable LDU for users who have opted out. With this option, you’re responsible for accurately identifying who has opted out of data sharing and including the LDU parameter to your Data Processing Options array. You’ll need a way to consistently identify the users that have exercised their data rights on your “do not sell my information” link, otherwise you risk reducing your potential audience. There are different steps in the developer documentation depending on which Facebook product you’re using. 
  • Use a Consent Management Platform (easiest). If you use a Consent Management Platform like Crownpeak, our platform will identify visitors who are from California automatically and provide them the option to opt out of data sharing. When the visitor opts out, the Facebook pixel is immediately blocked, and their data doesn’t get passed onto Facebook. This option allows you to continue to remarket to the remaining California residents, reducing the impact on your marketing initiatives.

The right option for your organization depends on the level of risk tolerance and available implementation bandwidth. CCPA compliance has never been easy, but it’s important to take the necessary steps to protect your organization. 

Request a demo to see how our Universal Consent Platform and dedicated Customer Success team can help your business get compliant fast with global privacy laws.