The California Consumer Privacy Act (CCPA): What it Means for Advertisers

July 13, 2020

What is Happening?


After being announced in 2018, the California Consumer Privacy Act (CCPA) has been rolled out and is creating headaches for advertisers who are still trying to figure out what 'compliance' actually means.

The California Consumer Privacy Act (CCPA) is a data privacy law that regulates how businesses all over the world are allowed to handle the personally identifiable information (PII) of Californian residents.

It covers companies doing business in California or with California residents. It is somewhat similar to GDPR; however, while GDPR is “opt in” for information sharing, CCPA is “opt out.”

Some of the basic rules are as follows:

  • 📒 Businesses must be transparent about what data they collect, the purpose for it, and any third parties it is being shared with
  • 🛑 A business must delete the data if it’s requested by the user
  • 👩‍👩‍👧‍👦 Consumers can opt-out of their data being sold
  • 👮‍♂️ CA authorities can fine businesses for violations
  • 💵 Businesses can offer financial incentives for being allowed to collect data

Does My Company Need to Comply?

Companies are required to comply with CCPA if they meet any one of these three criteria:

  1. Have $25 million or more in annual revenue
  2. Possess the personal data of more than 50,000 “consumers, households, or devices”
  3. Earn more than half of their annual revenue selling consumers’ personal data

Q&A With Gallantway:

🤔 Q: Do I have to do anything if my business isn't in California but I'm running Facebook ads in California?
🦉 Gallantway: If you are targeting residents of California, we would recommend you read more about how CCPA works.
😊 Q: Got it. What about if we're not targeting users of California?
🦉 Gallantway: You will need to make your own decision on this. We would suggest reading more about this as it is likely to affect you and your customers in the future.


What Does This Have to do With Facebook Ads?


Facebook has just announced a new feature called Limited Data Use (LDU). LDU enables advertisers on the platform to specify which users’ data should be subject to CCPA data management regulations.

💡 As of July 1st, LDU has been automatically enabled for all Facebook business accounts, limiting the way user data can be stored and processed in the Facebook ecosystem for all users that Facebook identifies as residents of the state of California.

The feature automatically detects if a user resides in California and applies limited data use rules. This feature will only stay active until July 31st. After that, Facebook requires businesses to update their pixel to include an LDU parameter.

Note: If you do not take action by July 31, your business will take on sole responsibility for compliance.

OK. How Should I Implement Facebook LDU?


CCPA compliance is focused on empowering users to opt-out of tracking (as opposed to GDPR, which requires users to opt-in to tracking).

That means if a user visits your website, you can serve them with a cookie consent banner that gives them the option to opt-out. Under CCPA, if the user chooses to opt-out, your business needs to stop tracking them.

While very few users choose to opt-in to tracking, the numbers are much better when it comes to opting out. That means there are a couple of courses of action open to you when it comes to Facebook CCPA compliance, depending on your company's tolerance for risk.


🟩 Risk Averse:
This is the baseline because it carries zero risk.

Your business does not need to set up an explicit opportunity to opt-out of tracking. Instead, you can enable the LDU string on all instances of the PageView tag.

  • Pros: Zero risk, 100% of California residents will be covered.
  • Cons: All California residents will be excluded from remarketing campaigns (as well as other data targeting functions).


🟧 Risk Tolerant:
This middle course of action is slightly riskier. Your business needs to offer users the choice to opt-out of tracking using a cookie compliance solution like CookieBot or OneTrust.

You would then only enable LDU for the users who opt-out, which will also disable the Facebook pixel from firing.

  • Pros: Low risk, and it is likely that most California users will not opt-out, which means you can track behaviour and retarget ads as usual.
  • Cons: Potentially complicated to configure, and unclear how LDU would be utilised given an opt-out would limit the pixel from firing.


🟥 High Risk:
Make no changes. This carries the highest level of risk.

If you are contemplating not enabling LDU on the Facebook pixel and not offering an opt-out to site visitors, we suggest speaking with your legal team regarding the risks.

  • Pros: All users who are California residents can be included in remarketing lists and tracking.
  • Cons: Possibility of penalisation.


Want Even More Information?