It’s been a long time since Facebook was on the receiving end of good press – heavy is the head that wears the social media crown. A quick win, in my view, would be to openly and proactively assist its many advertisers trying to comply with the California Consumer Privacy Act (CCPA).
The CCPA is the first major data privacy regulation in the US and a GDPR-lite for residents of California. But it’s quickly become a de facto standard for the entire United States, and many of tech’s leading lights have gone ahead and rolled out CCPA-level privacy protection for consumers all over the country.
So how does this relate to Facebook? The rollout of its Limited Data Use (LDU) feature for Facebook Business is a stopgap measure to prevent the accidental transfer of personal information to Facebook for advertising that may be deemed a “data sale”. In other words, it’s a measure for CCPA compliance – temporarily (read on to see why).
Per Facebook’s own messaging, Limited Data Use is a feature that
“…businesses can use to limit how we use the data they send to Facebook… When a business applies this feature, it will direct Facebook to process information about people in California as the business’s Service Provider. That means we will limit how this information is processed as specified in our State-Specific Terms.”
Here’s a summary of how you use LDU, and some pros/cons that every business should be aware of to avoid any privacy pitfalls.
Disclaimer: I’m not a lawyer and this does not constitute legal advice, rather the advice of a software engineer that has spent the last few years thinking only about data privacy regulations and code.
The LDU feature is auto-applied for the month of July only. After that businesses assume legal responsibility for implementing this feature, and it’s worth noting that’s not entirely straightforward. Developers will need to include a string appended to the Facebook pixel for ‘dataProcessingOptions’ that will allow your business to specify its degree of CCPA compliance.
What this means is that you’re on the hook for deciding how to implement this and the degree of risk you accept for your CCPA compliance. Close review of third-party data processing practices is a key process for any business to undertake – something I noted last week in Harvard Business Review.
At a technical level, it’s pretty straightforward to implement LDU…
To enable LDU using geolocation:
fbq('dataProcessingOptions', ['LDU'], 0, 0);
To enable LDU for users and specify included geographic regions:
fbq('dataProcessingOptions', ['LDU'], 0, 1000);
To NOT enable LDU mode, use:
fbq('dataProcessingOptions', []);
fbq('init', '{pixel_id}');
fbq('track', 'PageView');
The technical implementation is the good news. The bad news is you’ve got to take responsibility for how you implement this, and the risk rests with your business for the decisions you make. So let’s quickly look at the ways in which you could/should implement this and their pros and cons…
In the first approach, you would have no explicit opt-out mechanism and instead enable LDU for all California users.
Pros: Total compliance and zero risks.
Cons: You’re by default electing to remove all California residents from your remarketing even if they have not opted out.
In the second approach, you would enable LDU only when a user explicitly opts out of tracking.
Pros: Low(ish) risk and enables you to use some California users’ data.
Cons: Requires a consent management solution that ties directly to how pixels are controlled on your site on a per user basis.
In the third approach, you do nothing at all.
Pros: Don’t be silly.
Cons: Read Pros, above.
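The first two approaches above, sketched as an added example (not code from Facebook or from the original post): one function picks the dataProcessingOptions arguments per visitor, and the pixel calls are queued with the options call first. The strategy names, the `consent` record with its `doNotSell` field, the placeholder pixel id and the recording stub are all hypothetical, and treating an unreadable consent record as an opt-out is an assumption of this sketch.

```javascript
// Added example. `consent` is a hypothetical record from your own consent
// manager (not a Facebook API): { doNotSell: true } means the user opted out.
const LDU_GEOLOCATE = [['LDU'], 0, 0]; // form shown above: enable LDU using geolocation
const NO_LDU = [[]];                   // form shown above: LDU not enabled

// Return the arguments that follow 'dataProcessingOptions' for this visitor.
function dataProcessingArgs(strategy, consent) {
  switch (strategy) {
    case 'always': // first approach: LDU for everyone, no opt-out mechanism
      return LDU_GEOLOCATE;
    case 'opt-out-only': { // second approach: LDU only after an explicit opt-out
      // Assumption: a missing or malformed consent record is handled as an opt-out.
      const readable = consent && typeof consent.doNotSell === 'boolean';
      return !readable || consent.doNotSell ? LDU_GEOLOCATE : NO_LDU;
    }
    default:
      throw new Error('unknown strategy: ' + strategy);
  }
}

// Queue the pixel calls with the options call ahead of init and track,
// the same order as the three-call snippet in the post.
function initPixel(fbq, pixelId, strategy, consent) {
  fbq('dataProcessingOptions', ...dataProcessingArgs(strategy, consent));
  fbq('init', pixelId);
  fbq('track', 'PageView');
}

// Constructed demo: a recording stub stands in for the real fbq function.
function recordCalls(strategy, consent) {
  const calls = [];
  initPixel((...args) => calls.push(args), 'PIXEL_ID_PLACEHOLDER', strategy, consent);
  return calls;
}

console.log(recordCalls('opt-out-only', { doNotSell: true })[0]);
console.log(recordCalls('opt-out-only', { doNotSell: false })[0]);
console.log(recordCalls('opt-out-only', undefined)[0]);
```

On a real page the consent record has to be read before the pixel is initialised, which is the per-user coupling between consent management and pixel control that the second approach requires.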
From a personal perspective, I believe passionately in respectful technology systems that naturally do the right thing for their users, and in that respect it’s positive to see Facebook’s LDU implementation. However, given Facebook’s comparatively infinite resources and engineering might, it’s disappointing to see that they’ve passed the buck on sophisticated data processing decisions to their business customers, leaving them to evaluate the risk and manage their privacy compliance.
Don’t fall into the trap of assuming that Facebook’s scale/sophistication means they’ve got this resolved for you – quite the opposite, Facebook is making your use of their ad platforms your problem from a risk perspective. Ensure you evaluate what data you’re collecting and how you manage user controls for this, whether it’s Facebook or any other ad platform.
And of course, if you want to solve this with as little friction as possible, contact our privacy specialists to set up a demo of Ethyca.