13 July 2020
Facebook has introduced a new mechanism called "Limited Data Use" (LDU). LDU affects Facebook's "Business Tools," including the Facebook Pixel, which businesses use for "retargeting" ads at Facebook users (and others) across the web.
LDU is a somewhat last-minute attempt to help businesses comply with the California Consumer Privacy Act (CCPA). We're going to talk you through what LDU is, why it is necessary, and how to implement it.
You might not believe you're covered by the CCPA. But the fact that Facebook has introduced LDU implies that purely by virtue of using Facebook Business Tools your business may need to comply with this important law.
Before we get into how to implement LDU for your own Facebook marketing products, let's consider an overview of what LDU is all about.
Limited Data Use (LDU) is a new mechanism for businesses using Facebook Business Tools.
By using Facebook Business Tools, you and Facebook gather personal information about Facebook users (and non-users). Facebook uses this information to personalize advertising for these individuals across the web.
Facebook will apply LDU to users that have opted out of the sale of their personal information under the CCPA. Once LDU is applied to a user, Facebook will alter the way in which it processes their personal information.
Facebook has introduced LDU in an effort to help its business clients, and itself, comply with the CCPA, specifically the CCPA's "right to opt out."
The use of third-party cookies and tracking pixels is increasingly being interpreted as a "sale" of personal information under the CCPA.
On this basis, California consumers must be able to opt out of the sale of the personal information that is collected by these technologies.
Facebook may have introduced LDU out of concern that if it fails to provide a way for businesses to let users opt out of its retargeting programs, it could put its customers and itself in violation of the CCPA.
With LDU, Facebook has provided a means of identifying which of the users who interact with your Facebook marketing campaign are located in California.
Once you have offered California users a way to opt out of the sale of their personal information, you can communicate your California users' opt-out statuses to Facebook. LDU will then stop the "sale" of these users' personal information.
In its State-Specific Terms, Facebook states that it will act "as a Service Providerwith respect to Personal Information shared about people in California" when LDU is applied.
It's not exactly clear what Facebook means by this, but we can make certain inferences through understanding the CCPA.
Facebook implies that by changing how it processes the personal information of opted-out California users, and by "acting as a Service Provider," it will discharge certain CCPA duties not to "buy" or "sell" their personal information to or from you as a marketer.
Instead, it will be processing their personal information for "business purposes."
Facebook also states that it will "be prohibited from retaining, using, or disclosing" the personal information of opted-out users for any reasons other than the relevant "business purposes."
We'll be explaining this in more detail later in this article, but you can also read more in our articles: CCPA: What Constitutes "Sharing for Business Purposes?" and CCPA: What Constitutes a "Sale" of Personal Information?
Businesses can use LDU in respect of the following Facebook products:
All of these products are covered by the Facebook Business Tools Terms, but the State-Specific Terms governing LDU will take precedence where applicable.
In its guidance on LDU, Facebook says:
"Businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited."
It is possible that a significant proportion of users will opt out of Facebook retargeting. This will, most likely, reduce the effectiveness of your Facebook marketing campaigns, as Facebook will no longer target these users with ads.
But considering the alternatives, failing to act would be incredibly risky.
It still isn't totally clear whether using third-party cookies and tracking pixels, such as those used by Facebook and its marketers, constitutes "selling" personal information under the CCPA.
In its State-Specific Terms, which govern the use of LDU, Facebook gives its official line on this question:
"You and Facebook agree that the existence of these State-Specific Terms does not constitute an admission that sharing of Personal Information constitutes a Sale."
However, Facebook has introduced this mechanism for a reason.
There is increasing evidence that using third-party marketing and analytics technologies does fit the definition of a "sale."
Cookies, IP addresses, and online identifiers are recognized as personal information under the CCPA.
"Selling" is defined very broadly, and can include any communication of personal information for "valuable consideration." This doesn't only mean money. It could include the benefits your business receives from Facebook's marketing services (e.g. increased sales).
Section 999.315 of the CCPA Proposed Regulations (available here) suggests the following as an appropriate means of facilitating "the right to opt out:"
"[...] user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information"
It is possible that Facebook developed the LDU mechanism as a response to this part of the Proposed Regulations, which would imply that Facebook does understand its marketing operations to fall under the scope of the CCPA.
The fact that activities such as Facebook marketing may constitute a "sale" of personal information under the CCPA has highly significant implications.
This is because of the second of the CCPA's three thresholds, threshold "B," which states that the CCPA applies to any business operating for-profit in California if:
"It, alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more [California] consumers, households, or devices."
If Facebook marketing does indeed constitute "selling" personal information, this would bring thousands of businesses under the scope of the CCPA.
If a business operates a marketing campaign in it which shares personal information with Facebook, Google, or another marketing provider, and that campaign affects more than 50,000 California residents per year, this would bring the business under the scope of the CCPA.
This could apply to many small businesses that have nothing close to the gross annual revenues of $25 million required under threshold "A."
Facebook's LDU process is a highly significant step towards CCPA compliance on Facebook's part. Whether or not it is a legally valid solution remains to be seen.
This matters for you, as a business using Facebook's marketing products, because liability under the CCPA does not fall (solely) on Facebook, but on you, as the business that "determines the purposes and means of the processing of personal information."
Because, as part of your Facebook marketing campaign, you decide why and how personal information is processed, you are responsible for ensuring that your service providers (including Facebook) process that personal information in a legally-compliant way.
Through its State-Specific Terms, Facebook appears to have created a valid "service provider contract" that would allow you to engage the company as a service provider.
Facebook will stop any commercial receipt or disclosure of personal information when LDU is applied to a user.
Therefore, it appears that Facebook's LDU solution could be a means by which businesses can work towards CCPA compliance when combined with a cookie consent solution. We'll discuss implementing a cookie consent solution below.
Facebook provides guidance for developers regarding how to implement LDU across its various platforms.
We're going to give an overview of how to implement an opt-out mechanism that will allow you to communicate your California users' choices to Facebook.
Facebook also sets out three core obligations for businesses under its State-Specific Terms:
Let's walk through how you can meet each of these obligations.
Facebook has introduced a deadline by which businesses must implement LDU, and a transition period to allow businesses some additional time in which to make the necessary changes.
Here's the list of products and the associated transition periods, from Facebook:
One way to work towards fulfilling your CCPA obligations is to implement a cookie consent solution and configure it to offer all users with an IP address originating in California a cookie opt-out.
This will allow you to enable LDU for all California users who opt out.
This isn't likely to be a high proportion of users, and you will be able to continue using Facebook's business tools on non-California users.
The CCPA's "opt-out" means you can assume every California resident using your website or app is happy for you to share their personal information with Facebook so you can target them with personalized advertising, provided you have given them the choice to opt out.
If you use a retargeting tool such as the Facebook Pixel on a website, you can use a "cookie banner" as one of the ways in which to do this. The Facebook Pixel is not, strictly, a "cookie" but is a similar type of tracking technology.
Here's an example of an opt-out cookie banner from Activision:
Activision's cookie banner invites the user to decline cookies if they wish to opt out of personalization.
This banner could actually serve as an "opt-in" banner that would also be compliant under the EU General Data Protection Regulation (GDPR), except for the fact that the Activision site sets cookies regardless of whether the user clicks "Accept."
The following cookie banner, from Twitter, would not qualify as an opt-out under the CCPA:
Twitter informs users that accepting cookies is a precondition of using its services. There is a danger in this approach in violating the CCPA's "right to non-discrimination," which prohibits businesses from offering a reduced service to consumers who exercise their CCPA rights.
There is no suggestion here that Twitter violates the CCPA. This example is for illustrative purposes only.
Once you know which of your California users has opted out of cookies, you can:
See Facebook's own guidance for further information, including how to implement LDU on mobile-based business tools and APIs.
A cookie banner is one way of offering consumers the choice to opt out. There is another compulsory means of meeting your "opt-out" obligations under the CCPA.
The CCPA also requires every covered business to provide a link reading "Do Not Sell My Personal Information" or "Do Not Sell My Info" on its home page and/or app.
This link must lead to a page where users can easily exercise the right to opt out of the sale of their personal information, whether via cookies or other means.
Here's an example from T-Mobile:
Clicking the link leads to the following page, where users can opt out of the sale of their personal information:
The methods above will help you provide one of the CCPA's four types of consumer notices: "notice of the right to opt out."
The CCPA, and Facebook's State-Specific Terms, also require you to provide the following three types of consumer notice:
The CCPA imposes a range of other obligations, from only engaging service providers under a contract to maintaining reasonable security procedures and practices to safeguard consumers' personal information.
For more information about the broader range of requirements under the CCPA, see our article CCPA Compliance Requirements.
Facebook's LDU mechanism represents a way for businesses to offer California consumers a choice about whether they are subject to Facebook's retargeting technologies.
To take this important step towards CCPA compliance, ensure that you:
Provide all other relevant CCPA notices, including:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.