Facebook’s Limited Data Use feature protects Facebook advertisers from violating consumer privacy laws outlined in CCPA. Advertisers have until October 20, 2020 to update the Facebook Pixel to be compliant with CCPA. Action is required to extend the transition period. If no action is taken, the LDU will end on August 1, 2020.
At this point, you might be thinking one of the following:
- I already know about CCPA, how does it affect Facebook Advertising?
- I already know about CCPA and its effect on Facebook Advertising, what can I do about it?
- What is this CCPA you speak of? Continue reading below.
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and as a result, many digital platforms are making changes to how data is collected from users in California. Businesses had until July 1, 2020 to become compliant before the California Attorney General started enforcing the new law.
Note: This affects businesses advertising in California regardless of where the business itself is located.
CCPA is not dissimilar to the GDPR update made in Europe in 2018; however, unlike GDPR where users can “opt-in” to have their data collected, CCPA allows users to “opt-out” of having their data collected (and sold) and places the responsibility on businesses and advertisers to decide.
There’s a lot that goes into the CCPA, but at its core:
- A business that collects a consumer’s personal information will be required to disclose the categories and purposes of personal information that is collected, and are not allowed to collect additional categories of personal information outside of what has been disclosed.
- Consumers can opt-out of their data being sold to third parties.
- Consumers have the right to request that a business delete any personal information about the consumer that the business has collected (with some exceptions).
- It applies to all businesses with revenue over $25 million, those that have information from over 50,000 users, and/or businesses who earn more than half their revenue from selling this user data.
You might have heard that in 2019 Facebook settled with the FTC for $5 billion due to data privacy breaches, including the Cambridge Analytica scandal. And in another instance, Facebook released a document showing that PII of 6 million Californians may have been improperly shared, likely costing them $17 billion minimum in fines (one breached record can cost between $2,500 – $7,500).
As of July 1, Facebook announced a feature called Limited Data Use (LDU), which limits the way user data is stored and processed for all California residents. LDU is now automatically enabled for all Facebook business accounts and all personal information shared through the following Facebook products during a transition period from July 1 through July 31:
- Facebook Pixel
- Server-Side API
- App Events API
- Offline Conversions
- LDU will be applied to all Facebook events by default unless otherwise flagged. Data collection for these events will be limited for California residents and therefore will not be captured and used in features that used full customer data in the past.
- If your business doesn’t meet the CCPA requirements or you don’t advertise to California residents, you can choose to enable full data use to ensure that all Facebook events (flagged or unflagged) will collect the full amount of data collected.
Disclaimer: We are not lawyers and cannot provide legal advice. This is our interpretation of information made available by Facebook. Seer is not providing advice on whether or not to enable/disable this function and to what degree but to provide readers with the facts and instruction on HOW to be compliant if they so choose.
- Facebook for Business: Helping Businesses Comply with the California Consumer Privacy Act
- Help Center: Limiting how data is used for users in California
- Developer documentation: Data Processing Options for Users in California
For now, we know this update will have the largest impact on retargeting campaigns for Facebook advertisers (as well as any efforts that rely on retargeting audiences).
With LDU automatically enabled across all accounts on July 1, California residents are no longer being included in pixel-based retargeting campaigns. This could have a huge effect on your performance if you rely on California audiences.
To be clear here, if your Facebook audience is made up of 50% California residents, the enabled LDU will make it so that you aren’t able to see that half of your audience on Facebook and won’t be able to use that data for retargeting purposes.
Beyond these immediate advertising concerns, there is speculation of other repercussions as result of these new settings, including conversion attribution issues from users in California on Facebook and how that data will register in Google Analytics. We are in the process of digging more into this both internally at Seer and with our Facebook partners, and will provide an update to this post once confirmed.
Before getting started – determine if your company is affected by CCPA. If not, you may want to disable the LDU setting in Facebook so that you can continue to collect data from California.
If you are not ready to make the update, you can extend the LDU to October 20, 2020.
This update would need to be made via the Events Manager. Once you’ve navigated to the Events Manager, go to the Data Sources tab, select your pixel, then select Settings and use the Transition Period Settings section.
Note that if you don’t update this to extend the transition period, the LDU will go away on August 1, 2020 and you will be collecting California data and therefore, not compliant with CCPA.
By August 1 (or October 20), Businesses and Advertisers must decide whether they want to continue to enable LDU at all times, or only at select times like when a user specifically selects to not be tracked.
Simon Poulton from WPromote, writing at Search Engine Land, made this helpful graphic to breakdown the ins and outs:
Image source: Search Engine Land
If your Facebook Pixel is deployed through Google Tag Manager and you have a dedicated Analytics/Development resource, modifications for the Facebook PageView pixel are needed. (Hardcoded Facebook pixels can also be updated the same way by a web developer.)
Modifications can also be made to other facebook events in addition to the pageview pixel but that is dependent on the advertiser and the level of risk they’d like to assume.
These modifications to the ‘dataProcessingOptions’ will allow Facebook to determine whether or not the user is a California resident and the degree of CCPA compliance your organization has decided on.
According to documentation by Facebook, the pixel should be updated to specify the dataProcessingOptions method before you call fbq(‘init’).
To explicitly disable Limited Data Use (LDU) mode, use:
To enable LDU mode using geolocation, use:
fbq(‘dataProcessingOptions’, [‘LDU’], 0, 0);
Note: This is recommended for MOST companies who do NOT have a cookie consent platform. This method puts the responsibility of filtering out California traffic on Facebook.
To enable LDU for users and specify user geography:
fbq(‘dataProcessingOptions’, [‘LDU’], 1, 1000);
Note: This is recommended if your company has a cookie consent platform. This puts the responsibility of filtering out California traffic on that platform. A value of “1000” should only be sent for California-based users, indicating that they are subject to CCPA and should be filtered out (reference).
Since publishing this post, we’ve got more than a few questions about updating the Facebook Base Pixel to be CCPA compliant both internally and externally.
Here’s what we know so far:
- If the website is already CCPA compliant and allows users to opt out, does the Facebook Base Pixel still need to be updated?
- If you find that the site is in compliance (via a third party tool) and you don’t want Facebook to control the flow of data from CA residents, you can remove the LDU from the pixels.
- Does the Facebook pixel need to be updated for advertisers outside of the US?
- Just because California isn’t your primary target audience, users do travel and can be mistakenly advertised to. As to err on the side of caution, we’d recommend updating the site/pixel to be CCPA compliant.
- If my company is a nonprofit, I don’t have to do anything, right?
- Wrong-ish. For the month of July, LDU was enabled across the board to all advertisers, whether or not you are affected by CCPA. In this case you are not affected by CCPA but aren’t collecting valuable California data. You want to go into the Facebook Events Manager and disable the LDU to collect data once again. That being said, once August 1 comes around the LDU will be disable and require no action from you.
- We are seeing some very low impressions and conversions reported from California YTD. Was this data potentially retroactively removed?
- CCPA was effective on January 2, 2020. As a result, we’ve seen less volume from California in general but data is not being retroactively removed.
- How does this affect retargeting audiences?
- If the user agrees to be target to, then there won’t be an issue getting them into your targeting audience.
- Otherwise, you may want to consider Dynamic Ads for Broad Audience or breaking out California from the current ad set.
Managing this on your own? Not sure how to get started?
Reach out to Seer to start talking about an engagement to get you on the path to compliance. If you are a Seer client, we’ll update this for you before deadline once we’ve determined the level of compliance you’d like to apply.