After being announced in 2018, the California Consumer Privacy Act (CCPA) has been rolled out and is creating headaches for advertisers who are still trying to figure out what 'compliance' actually means.
The California Consumer Privacy Act (CCPA) is a data privacy law that regulates how businesses all over the world are allowed to handle the personally identifiable information (PII) of Californian residents.
It covers companies doing business in California or with California residents. It is somewhat similar to GDPR; however, while GDPR is “opt in” for information sharing, CCPA is “opt out.”
Some of the basic rules are as follows:
Companies qualify to be CCPA compliant if they meet any one of these three criteria:
Q&A With Gallantway:
🤔 Q: Do I have to do anything if my business isn't in California but I'm running Facebook ads in California?
🦉 Gallantway: If you are targeting residents of California, we would recommend you read more about how CCPA works.
😊 Q: Got it. What about if we're not targeting users of California?
🦉 Gallantway: You will need to make your own decision on this. We would suggest reading more about this as it is likely to affect you and your customers in the future.
Facebook has just announced a new feature called Limited Data Use (LDU). LDU enables advertisers on the platform to specify which users’ data should be subject to CCPA data management regulations.
💡 As of July 1st, LDU has been automatically enabled for all Facebook business accounts, limiting the way user data can be stored and processed in the Facebook ecosystem for all users that Facebook identifies as residents of the state of California.
The feature automatically detects if a user resides in California and applies limited data use rules. This feature will only stay active until July 31st. After that, Facebook requires businesses to update their pixel to include an LDU parameter.
Note: If you do not take action by July 31, your business will take on sole responsibility for compliance.
CCPA compliance is focused on empowering users to opt out of tracking (as opposed to GDPR, which requires users to opt in to tracking).
That means if a user visits your website, you can serve them with a cookie consent banner that gives them the option to opt out. Under CCPA, if the user chooses to opt out, your business needs to stop tracking them.
While very few users choose to opt in to tracking, the numbers are much better when it comes to opting out. That means there are a couple of courses of action open to you when it comes to Facebook CCPA compliance, depending on your company's tolerance for risk.
🟩 Risk Averse:
This is the baseline because it carries zero risk.
Your business does not need to set up an explicit opportunity to opt out of tracking. Instead, you can enable the LDU string on all instances of the PageView tag.
🟧 Risk Tolerant:
This middle course of action is slightly riskier. Your business needs to offer users the choice to opt out of tracking using a cookie compliance solution like CookieBot or OneTrust.
You would then only enable LDU for the users who opt out, which will also disable the Facebook pixel from firing.
🟥 High Risk:
Make no changes. This carries the highest level of risk.
If you are contemplating not enabling LDU on the Facebook pixel and not offering an opt-out to site visitors, we suggest speaking with your legal team regarding the risks.
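The risk-averse and risk-tolerant options above differ only in when the LDU flag is set on the pixel. The following is an added example, not Facebook's or Gallantway's code, showing that decision and the order of the pixel calls. The pixel ID is a placeholder, the strategy names are hypothetical, and the opt-out value is assumed to come from your consent tool, which may additionally block the pixel script for opted-out visitors.

```javascript
const PIXEL_ID = 'YOUR_PIXEL_ID'; // placeholder, replace with your own pixel ID

// Hypothetical names for the two options described above.
const STRATEGIES = ['always-ldu', 'ldu-on-opt-out'];

// Decide whether this page view must carry the LDU flag.
// optedOut comes from the consent tool; anything other than an explicit
// `false` (missing cookie, parse error) is treated as an opt-out.
function needsLdu(strategy, optedOut) {
  if (!STRATEGIES.includes(strategy)) {
    throw new Error('unknown strategy: ' + strategy);
  }
  return strategy === 'always-ldu' || optedOut !== false;
}

// Issue the pixel calls in Facebook's documented order:
// dataProcessingOptions is queued before init and before any event.
function configurePixel(fbq, strategy, optedOut) {
  if (needsLdu(strategy, optedOut)) {
    // 0, 0 = let Facebook geolocate the visitor instead of asserting a region
    fbq('dataProcessingOptions', ['LDU'], 0, 0);
  } else {
    // Explicitly state that LDU is not requested for this visitor
    fbq('dataProcessingOptions', []);
  }
  fbq('init', PIXEL_ID);
  fbq('track', 'PageView');
}

// Offline helper: runs configurePixel against a recording stub in place of
// the real fbq function and returns the calls it would have made.
function recordCalls(strategy, optedOut) {
  const calls = [];
  configurePixel((...args) => calls.push(args), strategy, optedOut);
  return calls;
}

// Constructed demo: risk-tolerant setup, visitor has opted out.
console.log(recordCalls('ldu-on-opt-out', true));
```

On a live page, pass the real `fbq` function from the pixel base code to `configurePixel` in place of the recording stub.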