It’s been a long time since Facebook was on the receiving end of good press – heavy is the head that wears the social media crown. A quick win, in my view, would be to openly and proactively assist its many advertisers trying to comply with the California Consumer Privacy Act (CCPA).
The CCPA is the first major data privacy regulation in the US and a GDPR-lite for residents of California. But it’s quickly become a de facto standard for the entire United States, and many of tech’s leading lights have gone ahead and rolled out CCPA-level privacy protection for consumers all over the country.
So how does this relate to Facebook? The rollout of its Limited Data Use (LDU) feature for Facebook Business is a stopgap measure to prevent the accidental transfer of personal information to Facebook for advertising that may be deemed a “data sale”. In other words, it’s a measure for CCPA compliance – temporarily (read on to see why).
Per Facebook’s own messaging, Limited Data Use is a feature that
“…businesses can use to limit how we use the data they send to Facebook… When a business applies this feature, it will direct Facebook to process information about people in California as the business’s Service Provider. That means we will limit how this information is processed as specified in our State-Specific Terms.”
Here’s a summary of how you use LDU, and some pros/cons that every business should be aware of to avoid any privacy pitfalls.
Disclaimer: I’m not a lawyer and this does not constitute legal advice, rather the advice of a software engineer that has spent the last few years thinking only about data privacy regulations and code.
The LDU feature is auto-applied for the month of July only. After that businesses assume legal responsibility for implementing this feature, and it’s worth noting that’s not entirely straightforward. Developers will need to include a string appended to the Facebook pixel for ‘dataProcessingOptions’ that will allow your business to specify its degree of CCPA compliance.
What this means is that you’re on the hook for deciding how to implement this and the degree of risk you accept for your CCPA compliance. Close review of third-party data processing practices is a key process for any business to undertake – something I noted last week in Harvard Business Review.
At a technical level, it’s pretty straightforward to implement LDU…
To enable LDU using geolocation:
fbq('dataProcessingOptions', ['LDU'], 0, 0);
To enable LDU for users and specify included geographic regions:
fbq('dataProcessingOptions', ['LDU'], 0, 1000);
To NOT enable LDU mode, use:
fbq('dataProcessingOptions', []); fbq('init', '{pixel_id}'); fbq('track', 'PageView');
The technical implementation is the good news. The bad news is you’ve got to take responsibility for how you implement this, and the risk rests with your business for the decisions you make. So let’s quickly look at the ways in which you could/should implement this and their pros and cons…
In this approach, you would have no explicit opt-out mechanism and instead enable LDU for all California users.
Pros: Total compliance and zero risks.
Cons: You’re by default electing to remove all California residents from your remarketing even if they have not opted out.
In this approach, you would enable LDU only when a user explicitly opts out of tracking.
Pros: Low(ish) risk and enables you to use some California users’ data.
Cons: Requires a consent management solution that ties directly to how pixels are controlled on your site on a per user basis.
In this approach, you do nothing at all.
Pros: Don’t be silly.
Cons: Read Pros, above.
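The first two approaches differ only in when the LDU flag is sent, so one gate in front of the pixel can serve both. The sketch below is an added example, not code from Facebook or from this post's author; the cookie name `ccpa_opt_out`, the function names, and the pixel ID placeholder are assumptions, and it uses only the `fbq` calls shown above.

```javascript
// Added example: all names here (OPT_OUT_COOKIE, pixelCalls, applyPixel) are hypothetical.
const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed first-party cookie written by your consent tool

// Parse a document.cookie-style string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue; // skip malformed fragments
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// policy 'always':     send LDU on every page view (first approach, geolocation form).
// policy 'on_opt_out': send LDU only for visitors who opted out (second approach).
function pixelCalls(policy, cookieString, pixelId) {
  if (policy !== 'always' && policy !== 'on_opt_out') {
    throw new Error('unknown policy: ' + policy); // fail closed on a typo in config
  }
  const limit = policy === 'always' || hasOptedOut(cookieString);
  const dpo = limit
    ? ['dataProcessingOptions', ['LDU'], 0, 0]
    : ['dataProcessingOptions', []];
  // dataProcessingOptions comes before init, matching the order in the snippet above.
  return [dpo, ['init', pixelId], ['track', 'PageView']];
}

// Replay the decided calls against whatever fbq function is passed in.
function applyPixel(fbq, policy, cookieString, pixelId) {
  const calls = pixelCalls(policy, cookieString, pixelId);
  for (const args of calls) fbq(...args);
  return calls;
}

// Constructed demo: a recording stub stands in for the real fbq.
const recorded = [];
applyPixel((...a) => recorded.push(a), 'on_opt_out',
  'sid=abc; ccpa_opt_out=1', 'PIXEL_ID_PLACEHOLDER');
console.log(JSON.stringify(recorded));
```

In a page, pass the real `fbq` and `document.cookie`; the recording stub also makes the decision easy to unit-test before a release.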
From a personal perspective, I believe passionately in respectful technology systems that naturally do the right thing for their users, and in that respect it’s positive to see Facebook’s LDU implementation. However, Facebook’s comparably infinite resources and engineering might make it disappointing to see that they’ve passed the buck on sophisticated data processing decisions to their business customers to evaluate the risk and manage their privacy compliance.
Don’t fall into the trap of assuming that Facebook’s scale/sophistication means they’ve got this resolved for you – quite the opposite, Facebook is making your use of their ad platforms your problem from a risk perspective. Ensure you evaluate what data you’re collecting and how you manage user controls for this, whether it’s Facebook or any other ad platform.
And of course, if you want to solve this with as little friction as possible, contact our privacy specialists to set up a demo of Ethyca.