The California Consumer Privacy Act (CCPA) went into effect earlier this month on July 1, 2020 and grants California residents the right to control how businesses collect and process their personal data. With the law now officially in effect, we are starting to see more tech giants finally respond to these new regulations.
Most notably, Facebook has now dictated how they will handle any personal data being used on their platform. Unsurprisingly, Facebook has decided that advertisers on the platform must handle this themselves and remove Facebook from any liability.
Facebook’s new feature in response to CCPA is called Limited Data Use (LDU). LDU has actually been automatically enabled for all Facebook business accounts since July 1st. This limits how user data is stored and processed in the Facebook ecosystem for all consumers that Facebook identifies as California residents or in California.
Facebook will stop automatically doing this on October 20th. At that point, businesses need to include a new LDU parameter to handle this process themselves to verify their CCPA compliance status, or they will be automatically opted out from all CA data.
This can lead to significant complications since many small businesses who advertise on Facebook don’t have compliance practices in place yet. Without these compliance practices, your conversions from Facebook advertising are in jeopardy. So how can your business properly comply? We’ve outlined some of the steps below:
- Provide site visitors with notice of what data is being collected and how it is being used
If you have noticed significantly more cookie notice banners across the Internet, this is the underlying cause. Most businesses are utilizing some means of user data collection on their websites, so consumers must be informed of these practices. FYI: having a FB pixel on your site counts as data collection.
It’s important to note that there is no ordinance on how these banners must appear. At Loginhood, we believe in turning these necessary popups into better user experiences for consumers and boosting their relationship with the business as a result.
- Enable access to a ‘Do Not Sell My Data’ button
This is one of the fundamental pillars of CCPA and the clause that is generally the most discussed. Consumers must be given a way to inform the business that they do not want their data used for any action that could be considered a sale. ‘Sale’ is a very vague term in the context of CCPA, with it being defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means… for monetary or other valuable consideration.”
In many privacy experts’ opinions, this could include things like displaying targeted advertising on your site or even using site retargeting to drive a sale of your products.
- Enable a mechanism for consumers to request access and deletion of their data.
Another key element of CCPA is the right for consumers to know what data has been collected on them and the ability to request deletion of this data. Typically, businesses are handling this with a form input where a consumer can submit these requests. Consistent with every other aspect of CCPA, there isn’t much specific guidance on how a business should format and provide this information to consumers, which allows some flexibility in the potential presentation.
- Update the Facebook pixel on your website
This is where the Limited Data Use functionality comes in. Facebook has a new parameter that allows a business to inform Facebook when a consumer has opted out of the sale of their data. This would remove them from any retargeting campaigns and other data usage mechanics.
- Switch on Facebook’s Compliance Acceptance
Facebook introduced a new switch under “Events Manager Settings”, which requires businesses to take responsibility for the above-mentioned data policy. Through triggering this switch, the brand states that “the company is not subject to CCPA regulation” or “you comply with the law and process your data until Facebook receives it” or “you have completed the restricted Data Use implementations for all data sources.” Do not flip that switch until your company can ensure you’ve completed these steps and your site visitors have these options in place to only collect privacy-compliant data.
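The pixel update step above, sketched as an added example (not Facebook's or Loginhood's code): the site's "Do Not Sell" choice decides whether the Limited Data Use flag is queued, and the flag is always queued before `init` so it covers the first event. The cookie name `do_not_sell`, the helper names, and the pixel ID are hypothetical placeholders; the `dataProcessingOptions` call with `['LDU']`, country `1` (United States) and state `1000` (California) follows Facebook's pixel documentation.

```javascript
// Added example. Cookie name, helper names and pixel ID are hypothetical.

// True when the visitor has used the site's "Do Not Sell My Data" control,
// recorded here in a first-party cookie named do_not_sell with value "1".
function hasOptedOut(cookieHeader) {
  return String(cookieHeader || "")
    .split(";")
    .map((pair) => pair.trim().split("="))
    .some(([name, value]) => name === "do_not_sell" && value === "1");
}

// Builds the ordered list of fbq() calls for one page load.
// The data processing options must precede 'init'; if they come later,
// the initial PageView is sent without the Limited Data Use flag.
function buildPixelCalls(pixelId, optedOut) {
  const calls = [];
  if (optedOut) {
    // LDU on; country 1 = United States, state 1000 = California.
    calls.push(["dataProcessingOptions", ["LDU"], 1, 1000]);
  } else {
    // Empty list states explicitly that LDU is off for this visitor.
    calls.push(["dataProcessingOptions", []]);
  }
  calls.push(["init", pixelId]);
  calls.push(["track", "PageView"]);
  return calls;
}

// Replays the calls against the real fbq (or a stub when testing).
function applyPixelCalls(fbq, calls) {
  calls.forEach((args) => fbq(...args));
}

// Browser wiring: runs only where the pixel base code has defined fbq.
if (typeof window !== "undefined" && typeof window.fbq === "function") {
  const optedOut = hasOptedOut(document.cookie);
  applyPixelCalls(window.fbq, buildPixelCalls("PIXEL_ID_PLACEHOLDER", optedOut));
}
```

Place this in the page after the pixel base snippet has defined `fbq` but in place of the stock `init` and `PageView` lines, so nothing is sent before the flag is set.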
As a reminder, businesses fall under the mandate of CCPA if they have annual gross revenues of $25 million or more, buy or sell more than 50,000 individuals’ data, or make more than half of their annual revenues from selling customer data. Except, as we’ve explored above, these terms are extremely vague. For example, some experts believe running Facebook retargeting campaigns on more than 50,000 California residents would require the business to have CCPA compliance in place.
What is the easiest way to complete these steps to handle compliance and Facebook’s LDU? Use Loginhood’s Consent Management Platform, where we take care of this process and provide you with a dashboard to manage it all.