Facebook wants to help your business comply with the California Consumer Privacy Act (CCPA) by introducing a new feature, Limited Data Use. When enabled, this feature limits how California user data is processed by Facebook to comply with this law.
Limited Data Use transition period
Facebook notes they have already been limiting the use of California user data since CCPA went into effect at the start of 2020. Beginning July 1, 2020, they will automatically apply the new Limited Data Use feature to all California user data by default. The Limited Data Use feature appears to provide more complete compliance with CCPA.
Facebook warns, “When Limited Data Use is enabled, businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited.” This will only apply to ads that target California users where Limited Data Use is in effect.
Overriding Limited Data Use in Facebook Pixel Events Manager settings
For July 1-31, 2020, you can select an option in your Facebook events manager to enable full use of data relative to Limited Data Use (i.e., no CCPA treatment of data) for California users. This setting is not enabled by default. Only engage this option if CCPA does not apply to your business. However, if you enable Limited Data Use in your Facebook pixel initialization code, it will override this events manager setting.
Data processing options deadline
Starting August 1, 2020, Facebook will *only* apply the Limited Data Use feature if it is explicitly engaged via code-level data processing options in your Facebook Pixel, Server-Side API, Offline Conversions API, Manual Upload UI, App Events API, Graph API, Mobile SDKs and Audience Network SDK. If your digital property only sends signals to Facebook via a pixel, that’s all you will need to address.
Don’t forget to address instances where you send signals to Facebook with an image tag. And, if you use a third party service like Zapier to send signals to Facebook, be sure to adjust settings relative to this matter.
Content management systems, and e-commerce platforms like Shopify, often offer integrated Facebook pixel solutions. If they do not consider this issue, and CCPA applies to your business, you may need to disengage their integrated solution and manage your Facebook pixel via a tag management solution like Google Tag Manager so you can engage the data processing options in your Facebook pixel initialization.
If you already engage a service like OneTrust to manage your GDPR compliance solution, it will support CCPA compliance as well. But, it only addresses whether or not the Facebook pixel will fire in general. It will not address the data processing options in your Facebook pixel initialization. That’s still on you.
Our recommendations
If CCPA does NOT apply to your business
- Immediately enable full use of customer data in your Facebook pixel Events Manager settings. This will prevent you from seeing an impact to campaign performance and effectiveness, and limitations on retargeting and measurement capabilities, for ads targeting California users.
- Before August 1, 2020, add the data processing option to your Facebook pixel initialization code to explicitly NOT enable Limited Data Use mode. Do the same for all utilized Facebook Business Tools.
- Make your CCPA posture & related data treatment clear in your digital property privacy policy.
If CCPA DOES apply to your business
- Make sure you do NOT enable full use of customer data in your Facebook pixel Events Manager settings.
- Before August 1, 2020, add a data processing option to your Facebook pixel initialization code explicitly enabling Limited Data Use mode. Do the same for all utilized Facebook Business Tools. See NOTE (1) below.
- Make your CCPA posture & related data treatment clear in your digital property privacy policy.
NOTE (1) (added 07/08/2020): CCPA is an opt-out law, meaning a consumer must opt out before the business needs to enable Limited Data Use mode when the Facebook pixel is initialized. The most risk-averse posture is to simply enable Limited Data Use mode every time the Facebook pixel fires (this mode will *not* impact data treatment for non-California users). However, if you give California users the option to explicitly opt out, you can alternatively enable Limited Data Use mode only if they opt out.
More on data processing options
As noted, Limited Data Use is only effective for people in California. This is determined by setting country & state parameters to US and California with signals sent to Facebook. If those parameters are not set, Facebook will use the public facing IP address associated with the user’s device to determine their location. For the Facebook server-side API, if you do not send country & state parameters, you’ll need to record & send the user’s IP Address or Facebook will not be able to determine the user’s location (i.e., the Limited Data Use feature can’t do its job).
Facebook will apply Limited Data Use by default for App Events sent via the Facebook SDK (versions below 7.1.0 for iOS and Android and versions below 7.21.0 for Unity) until a date to be determined.
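As an added example (not code from this article or from Facebook), the JavaScript below applies one opt-out decision from NOTE (1) to the three signal paths discussed above: the pixel initialization, an image tag, and a server-side event. The helper names and the sample IDs are hypothetical; `dataProcessingOptions`, `LDU`, `dpo`/`dpoco`/`dpost`, the `data_processing_options*` fields, and the codes 0/0 (geolocate) and 1/1000 (US/California) are Facebook's documented values.

```javascript
// Added example. Helper names are hypothetical; option keys and codes are Facebook's.
const GEOLOCATE = { country: 0, state: 0 };      // 0/0: Facebook locates the user by IP
const CALIFORNIA = { country: 1, state: 1000 };  // Facebook's codes for US / California

// mode: 'always' (most risk-averse), 'on-opt-out', or 'never' (CCPA does not apply).
function processingOptions(mode, userOptedOut, region = GEOLOCATE) {
  const enable = mode === 'always' || (mode === 'on-opt-out' && userOptedOut === true);
  return enable ? { options: ['LDU'], ...region } : { options: [] };
}

// Browser pixel: the option must be queued before 'init', or the first events
// leave without it. An empty array explicitly disables Limited Data Use.
function initPixel(fbq, pixelId, dpo) {
  if (dpo.options.length > 0) {
    fbq('dataProcessingOptions', dpo.options, dpo.country, dpo.state);
  } else {
    fbq('dataProcessingOptions', []);
  }
  fbq('init', pixelId);
  fbq('track', 'PageView');
}

// Image-tag signal: the same choice, carried as query parameters.
function imageTagUrl(pixelId, eventName, dpo) {
  const q = new URLSearchParams({ id: pixelId, ev: eventName });
  if (dpo.options.length > 0) {
    q.set('dpo', dpo.options.join(','));
    q.set('dpoco', String(dpo.country));
    q.set('dpost', String(dpo.state));
  }
  return 'https://www.facebook.com/tr?' + q.toString();
}

// Server-side event: with 0/0, Facebook can only geolocate from the IP you forward.
function serverEvent(event, dpo) {
  const out = { ...event, data_processing_options: dpo.options };
  if (dpo.options.length === 0) return out;
  const ip = event.user_data && event.user_data.client_ip_address;
  if (dpo.country === 0 && !ip) {
    throw new Error('LDU without country/state requires user_data.client_ip_address');
  }
  out.data_processing_options_country = dpo.country;
  out.data_processing_options_state = dpo.state;
  return out;
}
```

In a browser, pass the real `fbq` function to `initPixel`; the server-side check fails loudly in exactly the case described above, where neither location parameters nor an IP address reach Facebook.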
Does CCPA apply to my business?
CCPA applies to any business on the planet that:
- Pursues a profit,
- Operates in California,
- Determines the “purposes and means” of the processing of consumers’ personal information (e.g. it decides why, and controls how), and
- Meets one or more of the following:
  - It has an annual gross revenue of more than $25 million;
  - It annually buys, sells, receives or shares personal information from at least 50,000 devices, consumers or households;
  - It makes at least 50 percent of its annual revenue by selling consumers’ personal information.
Parent companies and subsidiaries with the same brand must also comply even if they do not separately exceed the applicable thresholds.
How courts will interpret this law is yet to be seen. For example, does the $25 million limit for annual gross revenue apply to California revenue alone, or to global revenue?
There are other questions that will only be answered by court interpretations. Rest assured, just like with ADA compliance, there are teams of lawyers ready to file CCPA lawsuits, so courts will likely answer these questions sooner rather than later.
Important distinctions in CCPA
Personal information does not include de-identified or aggregate consumer information:
“Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
A business is not selling personal information, if:
The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(i) The business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.