Facebook has a mechanism called "Limited Data Use" (LDU). LDU affects Facebook's "Business Tools," including the Facebook Pixel, which businesses use for "retargeting" ads at Facebook users (and others) across the web.

LDU is an attempt to help businesses comply with the California Consumer Privacy Act (CCPA) and its CPRA amendments.

You might not believe you're covered by the CCPA (CPRA). But the fact that Facebook has introduced LDU implies that purely by virtue of using Facebook Business Tools your business may need to comply with this important law.

In this article, we're going to walk you through what LDU is, why it is necessary, and how to implement it.

Overview of LDU

Before we get into how to implement LDU for your own Facebook marketing products, let's consider an overview of what LDU is all about.

What is Facebook Limited Data Use (LDU)?

Limited Data Use (LDU) is a mechanism for businesses using Facebook Business Tools.

By using Facebook Business Tools, you and Facebook gather personal information about Facebook users (and non-users). Facebook uses this information to personalize advertising for these individuals across the web.

Facebook will apply LDU to users that have opted out of the sale of their personal information under the CCPA (CPRA). Once LDU is applied to a user, Facebook will alter the way in which it processes their personal information.

Why Has Facebook Introduced LDU?

Facebook has introduced LDU in an effort to help its business clients, and itself, comply with the CCPA (CPRA), specifically the "right to opt out."

The use of third-party cookies and tracking pixels is increasingly being interpreted as a "sale" of personal information under the CCPA (CPRA).

On this basis, California consumers must be able to opt out of the sale of the personal information that is collected by these technologies.

Facebook may have introduced LDU out of concern that if it fails to provide a way for businesses to let users opt out of its retargeting programs, it could put its customers and itself in violation of the CCPA (CPRA).

How Could LDU Help With CCPA (CPRA) Compliance?

With LDU, Facebook has provided a means of identifying which of the users who interact with your Facebook marketing campaign are located in California.

Once you have offered California users a way to opt out of the sale of their personal information, you can communicate your California users' opt-out statuses to Facebook. LDU will then stop the "sale" of these users' personal information.

How Does Facebook Change its Practices for Opted-Out Users?

In its State-Specific Terms, Facebook states that it will act "as a Service Provider with respect to Personal Information shared about people in California" when LDU is applied.

It's not exactly clear what Facebook means by this, but we can make certain inferences through understanding the CCPA (CPRA).

Facebook implies that by changing how it processes the personal information of opted-out California users, and by "acting as a Service Provider," it will discharge certain CCPA (CPRA) duties not to "buy" or "sell" their personal information to or from you as a marketer.

Instead, it will be processing their personal information for "business purposes."

Facebook also states that it will "be prohibited from retaining, using, or disclosing" the personal information of opted-out users for any reasons other than the relevant "business purposes."

We'll be explaining this in more detail later in this article, but you can also read more in our articles: CCPA: What Constitutes "Sharing for Business Purposes?" and CCPA: What Constitutes a "Sale" of Personal Information?

Which Facebook Marketing Products are Covered by LDU?

Businesses can use LDU in respect of the following Facebook products:

  • App Events API
  • App Events via Facebook SDK
  • Audience Network Ad Request and Bidding via Audience Network SDK
  • Facebook Pixel
  • Offline Conversions
  • Server-Side API

All of these products are covered by the Facebook Business Tools Terms, but the State-Specific Terms governing LDU will take precedence where applicable.

Will This Make Facebook Marketing Less Effective?

In its guidance on LDU, Facebook says:

"Businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited."

It is possible that a significant proportion of users will opt out of Facebook retargeting. This will, most likely, reduce the effectiveness of your Facebook marketing campaigns, as Facebook will no longer target these users with ads.

But considering the alternatives, failing to act would be incredibly risky.

For more information about the consequences of violating the CCPA (CPRA), see our articles: CCPA Penalties: What We Know So Far, and The CCPA's Private Right of Action.

Is Facebook Retargeting Really "Selling" Personal Information?

It still isn't totally clear whether using third-party cookies and tracking pixels, such as those used by Facebook and its marketers, constitutes "selling" personal information under the CCPA (CPRA).

In its State-Specific Terms, which govern the use of LDU, Facebook gives its official line on this question:

"You and Facebook agree that the existence of these State-Specific Terms does not constitute an admission that sharing of Personal Information constitutes a Sale."

However, Facebook has introduced this mechanism for a reason.

There is increasing evidence that using third-party marketing and analytics technologies does fit the definition of a "sale."

Cookies, IP addresses, and online identifiers are recognized as personal information under the CCPA (CPRA).

"Selling" is defined very broadly, and can include any communication of personal information for "valuable consideration." This doesn't only mean money. It could include the benefits your business receives from Facebook's marketing services (e.g. increased sales).

Section 999.315 of the CCPA Proposed Regulations suggests the following as an appropriate means of facilitating "the right to opt out":

"[...] user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information"

It is possible that Facebook developed the LDU mechanism as a response to this part of the Proposed Regulations, which would imply that Facebook does understand its marketing operations to fall under the scope of the CCPA (CPRA).

Does This Mean I Might be Covered by the CCPA (CPRA)?

The fact that activities such as Facebook marketing may constitute a "sale" of personal information under the CCPA (CPRA) has highly significant implications.

This is because of the second of the CCPA/CPRA's three thresholds, threshold "B," which states that the CCPA (CPRA) applies to any business operating for-profit in California if:

"It, alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 100,000 or more [California] consumers, households, or devices."

If Facebook marketing does indeed constitute "selling" personal information, this would bring thousands of businesses under the scope of the CCPA (CPRA).

If a business operates a marketing campaign in which it shares personal information with Facebook, Google, or another marketing provider, and that campaign affects more than 100,000 California residents per year, this would bring the business under the scope of the CCPA (CPRA).

This could apply to many small businesses that have nothing close to the gross annual revenues of $25 million required under threshold "A."

Is LDU a CCPA/CPRA-Compliant Opt-Out Solution?

Facebook's LDU process is a highly significant step towards CCPA (CPRA) compliance on Facebook's part. Whether or not it is a legally valid solution remains to be seen.

This matters for you, as a business using Facebook's marketing products, because liability under the CCPA (CPRA) does not fall (solely) on Facebook, but on you, as the business that "determines the purposes and means of the processing of personal information."

Because, as part of your Facebook marketing campaign, you decide why and how personal information is processed, you are responsible for ensuring that your service providers (including Facebook) process that personal information in a legally-compliant way.

Through its State-Specific Terms, Facebook appears to have created a valid "service provider contract" that would allow you to engage the company as a service provider.

Facebook will stop any commercial receipt or disclosure of personal information when LDU is applied to a user.

Therefore, it appears that Facebook's LDU solution could be a means by which businesses can work towards CCPA (CPRA) compliance when combined with a cookie consent solution. We'll discuss implementing a cookie consent solution below.

How to Implement Facebook LDU

Facebook provides guidance for developers regarding how to implement LDU across its various platforms.

We're going to give an overview of how to implement an opt-out mechanism that will allow you to communicate your California users' choices to Facebook.

Facebook also sets out three core obligations for businesses under its State-Specific Terms:

  1. Provide appropriate CCPA/CPRA-compliant notices to California consumers
  2. Do not share with Facebook any personal information of any California consumer who has opted out, except where LDU is enabled for that consumer
  3. "Be solely liable" for your CCPA (CPRA) compliance

Let's walk through how you can meet each of these obligations.

One way to work towards fulfilling your CCPA obligations is to implement a cookie consent solution and configure it to offer all users with an IP address originating in California a cookie opt-out.

This will allow you to enable LDU for all California users who opt out.

This isn't likely to be a high proportion of users, and you will be able to continue using Facebook's business tools on non-California users.

If you use a retargeting tool such as the Facebook Pixel on a website, you can use a "cookie banner" as one of the ways in which to allow users to opt out. The Facebook Pixel is not, strictly, a "cookie" but is a similar type of tracking technology.

Here's an example of an opt-out cookie banner from Activision:

Activision Cookie Consent banner

Activision's cookie banner invites the user to decline cookies if they wish to opt out of personalization.

This banner could actually serve as an "opt-in" banner that would also be compliant under the EU General Data Protection Regulation (GDPR), except for the fact that the Activision site sets cookies regardless of whether the user clicks "Accept."

The following cookie banner, from Twitter, would not qualify as an opt-out under the CCPA (CPRA):

Twitter Cookie Consent banner

Twitter informs users that accepting cookies is a precondition of using its services. This approach risks violating the CCPA/CPRA's "right to non-discrimination," which prohibits businesses from offering a reduced service to consumers who exercise their CCPA (CPRA) rights.

There is no suggestion here that Twitter violates the CCPA (CPRA). This example is for illustrative purposes only.

Once you know which of your California users have opted out of cookies, you can:

  • Stop the Facebook Pixel tag from firing for opted-out users (along with any other cookies), and/or
  • Communicate the identity of the opted-out users to Facebook so it can apply LDU (remember that you will need to take appropriate action in respect of any other cookies operating on your site)

See Facebook's own guidance for further information, including how to implement LDU on mobile-based business tools and APIs.
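
The two options above can be expressed as one decision made per page view. The following is an added example, not code from Facebook or from the original article: it uses the Pixel's dataProcessingOptions command, while the cookie name ccpa_optout, the pixel ID placeholder and the function names are assumptions. It goes slightly beyond the text by also handling visitors whose location could not be determined.

```javascript
// Added example: per-visitor Pixel command planning for LDU.
// OPT_OUT_COOKIE and PIXEL_ID_PLACEHOLDER are hypothetical names/values.
const OPT_OUT_COOKIE = 'ccpa_optout';
const PIXEL_ID_PLACEHOLDER = 'YOUR_PIXEL_ID';
const US = 1;            // Pixel country code for the United States
const CALIFORNIA = 1000; // Pixel state code for California

// Read the opt-out flag from a document.cookie-style string.
function hasOptedOut(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === OPT_OUT_COOKIE) return value === '1';
  }
  return false;
}

// Return the ordered fbq() argument lists for one page view.
// region: 'CA', 'other', or 'unknown' (geolocation failed).
// strategy: 'block' (tag never fires) or 'ldu' (fire with LDU applied).
function planPixelCommands({ pixelId, region, optedOut, strategy }) {
  const fire = [['init', pixelId], ['track', 'PageView']];
  if (!optedOut) {
    // No opt-out recorded: state explicitly that LDU is not requested.
    return [['dataProcessingOptions', []], ...fire];
  }
  if (strategy === 'block') return [];
  // Known California visitor: name the state. Otherwise pass 0, 0 so
  // Facebook geolocates the visitor itself and the opt-out is not lost.
  const geo = region === 'CA' ? [US, CALIFORNIA] : [0, 0];
  // dataProcessingOptions must be queued before init.
  return [['dataProcessingOptions', ['LDU'], ...geo], ...fire];
}

// Replay a plan against fbq (window.fbq in the browser).
function applyPlan(fbq, plan) {
  for (const args of plan) fbq(...args);
  return plan.length;
}

// Constructed sample: a California visitor who declined via the banner.
const sampleCookie = 'theme=dark; ccpa_optout=1';
const samplePlan = planPixelCommands({
  pixelId: PIXEL_ID_PLACEHOLDER, region: 'CA',
  optedOut: hasOptedOut(sampleCookie), strategy: 'ldu',
});
console.log(JSON.stringify(samplePlan));
```

In a page, call applyPlan(window.fbq, plan) after the standard Pixel base snippet has defined fbq, and remove the init and track calls from that snippet so the plan is the only place they are issued.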

Provide a "Do Not Sell My Information" Page

A cookie banner is one way of offering consumers the choice to opt out. There is another compulsory means of meeting your "opt-out" obligations under the CCPA (CPRA).

The CCPA (CPRA) also requires every covered business to provide a link reading "Do Not Sell My Personal Information" or "Do Not Sell My Info" on its home page and/or app.

This link must lead to a page where users can easily exercise the right to opt out of the sale of their personal information, whether via cookies or other means.

Here's an example from T-Mobile:

T-Mobile website footer with Do Not Sell page link highlighted

Clicking the link leads to the following page, where users can opt out of the sale of their personal information:

T-Mobile Do Not Sell page with On and Off toggle highlighted

Provide Other CCPA (CPRA) Notices

The methods above will help you provide one of the CCPA/CPRA's consumer notices: "notice of the right to opt out."

The CCPA (CPRA), and Facebook's State-Specific Terms, also require you to provide the following consumer notices:

  • Privacy Policy: A comprehensive account of how you have collected, used, disclosed, and sold consumers' personal information, updated every 12 months. Your Privacy Policy must also contain information about the CCPA's consumer rights.
  • Notice at collection: When you collect personal information from California consumers, you must provide notice of the types of personal information you are collecting, why, and how long you will be retaining it for. In the context of Facebook marketing, you could link to your notice at collection within your cookie banner.
  • Notice of financial incentives: The CCPA (CPRA) requires businesses offering "financial incentive schemes" for the provision of personal information to disclose certain facts about their schemes, including how they estimate the value of that personal information.

Fulfill Other CCPA (CPRA) Obligations

The CCPA (CPRA) imposes a range of other obligations, from only engaging service providers under a contract to maintaining reasonable security procedures and practices to safeguard consumers' personal information.

For more information about the broader range of requirements under the CCPA (CPRA), see our article CCPA/CPRA Compliance Requirements.

Summary of Facebook's LDU Process

Facebook's LDU mechanism represents a way for businesses to offer California consumers a choice about whether they are subject to Facebook's retargeting technologies.

To take this important step towards CCPA (CPRA) compliance, ensure that you:

  • Implement a cookie consent banner that allows users the choice to opt out of the sale of their personal information
  • Communicate users' preferences to Facebook so that it can apply LDU
  • Provide all other relevant CCPA (CPRA) notices, including:

    • "Do Not Sell My Personal Information" page
    • Privacy Policy
    • Notice at collection
    • Notice of financial incentives (if applicable)
  • Comply with all other obligations under the CCPA (CPRA)
