Home | Blog | Facebook CCPA: What Advertisers Need to Know
Share this article
As ifeCommerce marketing in 2020 (and things in general, for that matter) wasn’t chaotic enough, social media advertisers are having a massive wrench thrown in their works.
At least we can say that this has been a consistent year.
Back in 2018,the California Consumer Privacy Act (CCPA) was approved by the state’s governor. However, the law was only rolled out recently, and it has left many advertisers feeling frustrated and befuddled.
The act, which deals with the rights consumers have in regards to their personal data being collected online, hasFacebook advertising teams scrambling to deal with the fact that data and targeting for California audiences has virtually vanished before their very eyes. Naturally, this is having a profound impact on campaign performance.
Making matters worse is the complete lack of clarity of what it actually means to be CCPA-compliant and what different types of companies that engage in data sharing must do to adhere to the new rules.
As a bit of an obligatory disclaimer, it is important to stress that we here at Visiture are not lawyers and are not providing any sort of legal advice or guidance in this piece. Instead, we would like to take this opportunity to break down the implications of Facebook’s new CCPA feature for advertisers, discuss how it is impacting existing campaigns and help establish a roadmap forward in terms of performance.
That said, let’s begin by discussing exactly what the California Consumer Privacy Act is and what it does.
What Is the CCPA All About?
The California Consumer Privacy Act, a statewide law, holds implications for brands across the world. In an effort to protect California citizens’ online privacy, the CCPA aims to increase the transparency companies exhibit about the data they are collecting from users and how that information is being used.
Through the implementation of the CCPA, California residents now have a legal right to:
Know what personal information is being collected by corporations
Knowledge if their data is being sold
Insights into who is purchasing their data
Access to personal data that has been collected on them individually
The capacity to opt-out of their data being sold
The ability to force businesses to delete the data that has been collected on them
Not to be discriminated against for exercising these new privacy rights
Extra data collection protections for minors
This is a pretty substantial list that has sweeping implications for both consumers and marketers.
However, to really understand how this law is poised to impact businesses and advertisers, it is necessary to probe deeper into how “personal information” is defined.
What Is ‘Personal Information’ Under the CCPA?
While “personal information” might sound like an ambiguous and imprecise term, the fact of the matter is that it was designed to be as broad and nebulous as it sounds.
“‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
As the legislative piece also notes, based on this definition, personal information includes, but is not limited to:
“Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers… Characteristics of protected classifications under California or federal law… records of personal property… Biometric information… Geolocation data.”
While most of this is rather understandable, the part that really impacts online marketers and advertisers is the bit that follows:
“Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement…. Products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.”
This definition and all that falls under it has significant ramifications forFacebook retargeting ads and other campaigns, as will be discussed in detail momentarily.
What the CCPA Means for Businesses
Given that the CCPA is a law thatfocuses squarely on the consumer, businesses around the world will need to conform to the newly minted rights of those in California. Therefore, when a business interacts with a California resident in any capacity, that company must ensure that it is CCPA-compliant.
This also means that, outside of excluding California altogether (which has a population of roughly 40 million people and the highest GDP in the nation), any advertisers that target California residents must also ensure that their campaign plays within the CCPA framework.
Organizational Responsibilities Under CCPA
In a nutshell, businesses and marketers are not legally allowed to harvest the previously defined data from California residents without their explicit consent.
Because of how the law is structured, it is a company’s responsibility to ensure that compliance is met. While most of the details on how to do this are left up to individual organizations, there are a handful of specific practices that must be implemented in order to conform to CCPA standards.
The things that companies are responsible for implementing include:
Processes for acquiring data sharing consent from parents or guardians for minors under the age of 13 as well as affirmative consent for minors ages 13 through 16
A “Do No Sell My Personal Information” link on the brand’s homepage which sends users to an opt-out page
Methodologies for submitting data access requests
Policies that limit requesting opt-in consent to a 12-month window after the initial opt-out
While many are surely rubbing their foreheads with stress at this point, it is crucial to understand that failure to comply with this law could cause even larger headaches.
For each intentional violation, businesses can be slapped with fines as high as $7,500. Meanwhile, for unintentional violations, fines can still reach up to $2,500. Moreover, these amounts stack, so as a business collects significant volumes of data, the penalties can quickly multiply. That said, businesses do have the option to fix the violation within 30 days of being notified of the infraction. If the situation is remedied within the allotted time frame, the penalties may be waived.
Now, with all this laid out, it is essential to note that all businesses are not subject to the CCPA’s dictates.
Types of Businesses Affected By CCPA
Technically speaking, not every business that engages California residents is at the mercy of CCPA guidelines.
For CCPA rules to apply to an organization, it must meet at least one of the following criteria:
An annual gross revenue of $25 million or more
The business purchases, receives or sells the personal information of 50,000 or more individuals or households
The company earns more than half of its annual revenue from the sale of personal information of consumers
This means that smaller businesses are provided a bit of leeway with the CCPA as they have limited resources to allocate to compliance efforts. However, it is essential to remember that only one of the aforementioned points must be true for a company to be subjected to CCPA guidelines.
With a proper understanding of the law, relevant definitions and the types of organizations impacted, let’s explore how this new decree is impacting Facebook and those who advertise on the platform.
How the CCPA Impacts Facebook and Instagram Advertising
Now that the CCPA has gone into effect (and the six-month grace period long since over), Facebook is aiming to help businesses successfully manage their CCPA responsibilities by including a new feature that will limit data usage for California residents.
“To support businesses with their compliance efforts, we’re introducing a new feature businesses can use to limit how we use the data they send to Facebook, called Limited Data Use. When a business applies this feature, it will direct Facebook to process information about people in California as the business’s Service Provider. That means we will limit how this information is processed as specified in our State-Specific Terms.”
What this means is that businesses on Facebook are provided with the option of either informing Facebook when an individual in California opts out of data usage, or they can allow the social network to determine a user’s location and omit Californians from data sharing.
As the post goes on to state:
“When Limited Data Use is enabled, businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited.”
In effect, this complicates things for social media platforms in significant ways as now they must set parameters for users in different regions. In addition to the CCPA, Facebook and other tech giants have already been working on segmenting specific populations off under GDPR, whichserves a similar purpose for European users.
In the initial post introducing the Limited Data Use (LDU) feature, Facebook proclaimed that the transitionary period for implementing this new tool would end on July 31.
Seeing as this time has come and gone, it is necessary for advertisers to have applied an “LDU flag” to their Facebook pixel as a means of addressing specific events that relate to California residents.
Those who have implemented the LDU flag will be capable of toggling the enablement of user data.
With the broader impact of how social media platforms have been impacted by the CCPA, let’s drill down to see how exactly this new regulation is influencing the campaigns of social media advertisers.
How CCPA Is Affecting Facebook Advertisers
Those who advertise their business or products on Facebook are likely aware of the negative ramifications brought on by the new Limited Data Use feature.
Given that the company automatically enabled LDU on all accounts as of the first of July, those in California are no longer included in pixel-based targeting campaigns.
For brands that have a sizable audience residing in California, the result of this implementation has likely been significant. For instance, if 40 percent of a company’s customers live in California, the LDU feature has made it so that the brand is unable to see nearly half of its audience, thus negatively impacting campaigns in general and retargeting efforts in specific.
To exemplify the consequences of the CCPA and LDU feature, let’s go ahead and take a look at one of Visiture’s clients.
Limited Data Use Impact: Client Example
Again, as the Facebook announcement of the Limited Data Use feature notes, “when Limited Data Use is enabled, businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited.”
With a little more than a month passing, we decided to look back and analyze what impact these changes had on California compared to the rest of the country.
The charts below showcase Facebook advertising data from one of our clients, comparing June 2020 to July 2020 for California, compared with the rest of the country.
Additionally, it is important to note that this account leverages the campaign budget optimization feature that Facebook offers, which guides the algorithm to spend where the most significant return will be generated based on the client’s optimization goals. For this particular seller, the goal is to drive purchases.
Taking a look at overall account performance in which California is juxtaposed to the rest of the country, the impact is striking as spending in the state dropped by a whopping 77 percent, month-over-month, despite the fact that California was one of the account’s top-performing locations and the overall account spend was boosted by 79 percent.
As a result, California’s percentage of overall spend decreased from 16 percent in June to a mere two percent in July.
Moreover, the revenue generated from California bottomed out, dropping by a staggering 96 percent.
Looking at the account overall, it is clear that every metric that could have been negatively impacted was.
Looking deeper into the account performance and analyzing the client’s prospecting performance, similar trends were revealed.
Here, retailers can see a stark 74 percent decrease in spend levels month-over-month for California, compared to a 79 percent increase in overall prospecting outside of California.
Considering thatROAS levels were above averagefor California prospecting, it is not unreasonable to assume much larger spend levels in California. However, it seems that the opposite was true.
The way in which the account’s prospecting performance was affected appears to be a direct result of the lack of data sharing between website purchases and the Facebook pixel since the new LDU feature was enabled.
Another item to note is that it is currently unclear how the LDU feature is impacting the effectiveness of prospecting targeting that utilizes either interest-based or Lookalike Audiences. If there is a lack of personal data available for the Facebook algorithm, then it would be fair to question how accurate the targeting within these audiences will continue to be over time.
Moving on to retargeting efforts for the account, a similar scenario comes to pass, as remarketing was also dramatically affected.
While California plays a less substantial role in the overall remarketing aspect of the account compared to how the state performs in prospecting, it is still worth noting that revenues decreased by 89 percent for remarketing efforts within the state.
It seems that Facebook’s warning label for the LDU feature was spot on, given that all campaigns were negatively impacted in meaningful ways for California. Meanwhile, outside of the site, performance across most data points continued to trend upward.
However, it is extremely troubling that, through the budget optimization feature, Facebook is reallocating much of the ad dollars that would have been spent in California to other states. In effect, this has reduced ROAS by significant margins. When looking at the account on a state-by-state basis, this is true across the board, save a few exceptions.
Additionally, it seems that there was no meaningful increase in frequency, despite reports reflecting the campaign reaching more consumers. This is a concerning trend and, when multiplied across all targeted states, this becomes a severe issue.
Based on all of this data, it seems that Facebook is not allowing advertisers to leverage specific targeting features until compliance is established and the LDU feature is removed.
“California residents have the right to opt out of disclosures of Personal Information to third parties for valuable consideration (which may be considered “sales” under California law even if no money is exchanged). We currently do not “sell” your information as we understand this term. However, Peloton respects and understands that you may still want to minimize sharing of your information with third parties for marketing purposes. If you are a California resident and you would like to minimize sharing of your information with third parties for marketing purposes, please fill out this form.”
Assuming that advertisers are not selling customer information, this seems like a straightforward avenue for a customer to request it be deleted.
But, before diving too far into theories and speculation, let’s go ahead and explore the next steps that merchants can take to navigate the new CCPA and LDU paradigm.
Next Steps for Facebook Advertisers
Before doing anything at all, it is first necessary to determine if the company is even affected by the CCPA. Again, in order to be subjected to this framework, a business must meet one of the following requirements.
Generate $25 million or more in annual revenue
Earn more than half of its annual revenue selling consumers’ personal data
Possess the personal data of more than 50,000 “consumers, households, or devices”
If the company does not meet any of these criteria, feel free to disable the LDU feature on Facebook in order to continue collecting data from California residents. However, it is wise to consult with legal counsel beforehand to ensure that it is indeed safe.
That said, if the business does fall within the CCPA’s jurisdiction, then proceed to the following steps.
Advertisers can make the update via the Events Manager. Once there, navigate to the Data Sources tab, select the pixel and then click Settings and use the Transition Period Settings section.
However, do be aware that those who have not extended their transition period will have seen the LDU feature disappear as of the first of August, and are therefore collecting California user data and are not compliant with CCPA.
Step 2: Choose the Right Course for the Company
By the first of August (or October 20, if extended the transition period), advertisers must determine if they wish to continue to enable the LDU feature at all times or only at select times (such as when a user specifies that they do not want to be tracked).
Within this framework, there are three different alternatives that advertisers have at their disposal, all carrying different risk levels:
Enable LDU for All California Users
Going this route poses no risk to businesses as this effectively eliminates California residents from remarketing lists and other types of targeting that rely on such data.
Moreover, businesses that opt for this method do not need to set up any opt-out opportunities for data tracking as the LDU feature will ensure that all citizens of California are identified and excluded.
However, on the downside of this approach, advertisers are likely to see a significant hit to their performance, per the exclusion. This is what was largely exemplified earlier in this piece.
Enable LDU for Opt-Outs Only
Through this course of action, advertisers are exposing themselves to a moderate level of risk. This is especially true as the interpretation of the CCPA is still not 100 percent clear.
Under this approach, businesses will need to offer users the opportunity to opt-out of data tracking. This can be achieved through the use of cookie compliance solutions such asCookieBot orOneTrust.
With this in place, advertisers would only need to implement the LDU feature for those who have chosen to opt-out, thereby disabling the Facebook pixel from firing.
However, if choosing this avenue, advertisers should be aware that it could be complicated to configure, and it is currently uncertain as to how the LDU would be utilized since an opt-out would limit the pixel from firing in totality. Therefore, it is wise tohire a certified developer who can assist in the process and potentially provide insights and further guidance.
This is an extremely risky approach. Here, advertisers will basically do nothing at all and see what comes as a result.
Any advertiser or company that chooses this approach is advised to speak with their legal team to assess the potential risks, liabilities and penalties that could result from CCPA non-compliance.
While doing nothing will allow advertisers to continue collecting the data of California users and including them in their remarketing campaigns, there is a great chance that any gains made through this route will be wiped out in fines and fees–if not worse.
Moreover, advertisers should be aware that opting for any other implementation option besides enabling LDU across the board is at risk of potentially processing data from a California resident who opted-out in a different browser or earlier session where the cookie has since been deleted.
The fact of the matter is that there is no perfect solution and many things are still ambiguous regarding the CCPA. Therefore, each of these scenarios comes with their own unique set of challenges.
It is up to business owners to determine the level of risk that they are comfortable taking and proceeding accordingly.
Step 3: Update the Facebook Pixel
If sellers have deployed their Facebook pixel throughGoogle Tag Manager, then it is necessary to make modifications for the Facebook PageView pixel. If the pixel is hardcoded, a web developer will be capable of handling the process.
Moreover, alterations to other Facebook events may need to be made as well, depending on the business and the level of risk that leaders have elected to assume.
Modifications to the newly minted “dataProcessingOptions” will enable Facebook to establish if a user is a California resident or not, as well as the level of CCPA compliance that a brand has chosen to implement.
This new setting allows advertisers to instruct Facebook as to when the LDU feature should be enabled or disabled, and the preferred method for determining a user’s location through the pixel.
Common Questions Unaddressed Thus Far
As an eCommerce marketing and advertising agency, Visiture has been in the thick of it regarding the Limited Data Use feature and acting as a guide to our clients who advertise on Facebook.
Naturally, there have been a number of questions that have come up time and again, both from clients and internal team members. In an effort to help sellers better navigate the CCPA/LDU waters, some of the most commonly asked questions include:
If the Website Is CCPA-Compliant and Enables Users to Opt-Out, Does the Facebook Pixel Still Need to Be Updated?
If a merchant’s site is CCPA-compliant, and the seller does not wish Facebook to control the flow of data from Californians, it is okay to remove the LDU feature from pixels.
Does the Facebook Pixel Need to Be Updated for International Advertisers?
While Californians may not be a company’s primary audience, people do travel around and can end up accidentally being targeted for data collection.
Therefore, it is best to hedge one’s bets and update the pixel to be CCPA-compliant.
How Does All of This Affect Retargeting Campaigns?
If a California consumer agrees to be targeted and have their data harvested, then including them in retargeting campaigns is not an issue.
However, those who opt-out from data collection will not be able to be targeted with such campaigns.
Therefore, retailers may want to considerDynamic Facebook Ads for Broad Audiences segmenting off California from the ad set.
There is still a considerable amount of confusion and ambiguity surrounding the precise application, reach and implications of the CCPA. Moreover, there are likely scores of businesses that do not yet realize that the law applies to their organization.
Similar to when Europe’s GDPR went into effect, and U.S.-based businesses were not ready for the measures or ramifications, not running ads in California seems to be the safest mode of operation at this time. However, as the rules around compliance begin to become more transparent, this will gradually become normal, and advertisers will effectively adjust to the new standards.
In the meantime, it is best for retailers to review this information and decide which course of action is best for them, as well as update their website and Facebook pixel accordingly.
A Georgia Southern University graduate, Brittany joined Visiture in 2015 and manages Visiture's extensive internal marketing endeavors. Interests include: true crime podcasts, *watching sports, and her two pups, Lulu the Pug and Laurence the Greyhound.
Receive a Free eCommerce Marketing Audit Today!
How to Use Analytical Data to Create Better eCommerce Customer Personas
October 22, 2020
11 Email Personalization Techniques to Increase Impact
October 20, 2020
11 Actionable Strategies to Increase eCommerce Sales