How to manage privacy requirements for CCPA and Facebook Limited Data Use
Privacy is a new field that may be impacting your ecommerce business in ways you haven’t realized, especially on Facebook. In this blog post, Dean Shapero, the CEO of Loginhood, explains privacy’s impact on marketing performance and how you can fix it.
- There is a new privacy law called the California Consumer Privacy Act (CCPA).
- If over half of your sales come from targeted advertising like Facebook lookalikes or site retargeting, CCPA applies to your business.
- Facebook’s response to CCPA is known as Limited Data Use (LDU) and requires all businesses advertising on Facebook to comply.
- Facebook is requiring technical changes to let them know if someone has opted-out of targeted advertising.
- If a business doesn’t tell Facebook if a user is opted-in or opted-out, Facebook is automatically assuming California users have opted-out to reduce their liability. This leads to many users becoming ‘invisible’ to your campaigns.
- Facebook’s algorithm is favoring campaigns that inform them of someone’s LDU status, regardless of their location.
- Loginhood manages all privacy requirements and informs Facebook of someone’s opt-out status.
Why Am I Seeing Volatile Performance on Facebook?
There’s been much discussion of erratic customer acquisition costs on Facebook, but much less information on the tech giant’s new privacy restriction, known as Limited Data Use, which is causing much of this chaos. Facebook’s Limited Data Use is a restriction that limits the data that can be used in targeting tactics, such as lookalike audiences, unless proper privacy procedures are put on a business’s website.
How exactly does Limited Data Use work? Before we get into this feature, it's important to understand the new privacy regulation that has come into effect this year that has caused Facebook’s change.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is the first major data privacy law in the United States. This regulation became official on January 1st, 2020, but it contained a six-month greivancy period, so it did not become enforceable until July 1st, 2020.
As any new law, CCPA has led to a lot of confusion on what’s required and to what businesses CCPA applies. Let’s start with the most important question: does CCPA apply to your business? Here are the thresholds that trigger CCPA compliance:
- Over 50% of your revenue comes from data targeting: Yes! This can include Facebook targeted campaigns. This means if over half of your revenue comes from Facebook marketing tactics like lookalike audiences and site retargeting, CCPA applies to your business
- Your website receives over 50,000 site visitors from California a month
- Your business makes over $25m in annual revenue
What is required for CCPA compliance?
Now that we’ve established whether CCPA applies to your business, what does CCPA even require? Here’s what you need to include on your site:
- Right of Notice: site visitors must be given a ‘cookie banner’ or some similar tool that shows them what vendors are collecting data on your website. If you’ve ever actually clicked into a cookie banner, you’ll notice vendors like Facebook, Google Analytics and others listed. This serves CCPA’s Right of Notice clause.
- Right of Access: site visitors must also be able to request access to the data collected about them. This would include things like in what platforms you’re storing their email address.
- Right of Deletion: site visitors can also request deletion of this data.
- Right of ‘Do Not Sell’: site visitors can ‘opt-out’ of targeted advertisements. ‘Sale’, as its defined by CCPA, doesn’t actually mean selling someone’s data. It means using someone’s data in ‘an exchange of value’, which applies to using data for targeted advertising campaigns.
What is Facebook Limited Data Use?
TL;DR: Facebook says it can’t be compliant, so now you have to be.
In response to CCPA, Facebook has implemented their own privacy restriction called Limited Data Use. This passes compliance responsibility to anyone advertising on their platform. To continue targeting tactics like lookalike audiences and site retargeting, Facebook is requiring businesses to put in CCPA compliance requirements on their website and an additional parameter in their Facebook pixel called ‘data processing options’. The data processing option parameter informs Facebook of the following:
- Whether a user is located in California (so if CCPA applies to them)
- Whether California users have remained opted-in so Facebook can continue using their data for advertising (the default under CCPA), or if the user has opted-out and their pixel ID should be removed from targeting tactics.
What is required for Limited Data Use?
First and foremost, a business should implement the CCPA requirements listed above. Implement a privacy tool like a cookie banner where a site visitors can opt-out of data targeting. When a user visits your site, your privacy tool should pass their location into the data processing parameter to inform Facebook whether CCPA applies to each specific site visitor.
CCPA’s default status is that all users are opted-into data tracking. This means that the data processing option parameter remains empty by default.
Facebook’s Limited Data Use parameter indicating that the site visitors is in California and is opted-in for targeted advertising:
When a user goes into your privacy to select ‘Do Not Sell My Data’, this opts them out of data tracking and targeting campaigns. At this point, the data processing parameter should update to show ‘LDU’, which informs Facebook that the user has asked to be removed from targeted advertising.
Facebook’s Limited Data Use parameter indicating that the site visitors is in California and has opted-out:
How do I implement these requirements?
Next, select the marketing platforms your business uses, like Facebook, and the technologies you use to collect data, like Google Analytics.
After choosing your technology partners, implement your Facebook pixel ID. This lets Loginhood communicate a user’s opt-out status for Facebook Limited Data Use. You can also customize the privacy manager with any of your site’s branding to create a native site experience.
Finally, click ‘enable’ on the Shopify app and your privacy manager will be in place! This immediately starts communicating with Facebook to inform LDU status, enabling the continuation of compliant, data targeted campaigns.
For questions, reach out to firstname.lastname@example.org.