To help its business customers with CCPA compliance efforts, Facebook has implemented the “Limited Data Use” feature which restricts how Facebook uses personal information of California individuals that it collects or otherwise processes on behalf of its business customers via certain Facebook products.
Requirements under the law, uncertainty under the guidance and recent California attorney general actions: Under the CCPA, California consumers have the right to opt out of the “sale” of their personal information. The CCPA defines “sale” very broadly as “…making available personal information…for monetary or other valuable consideration.”
Despite several rounds of AG guidance, it is still unclear whether a website’s use of the Facebook pixel constitutes a “sale” of data for purposes of the CCPA.
Recent California AG inquiries began July 1, 2020, and have put more pressure on companies to add a “Do Not Sell My Personal Information” link to their website.
Service provider exception and Facebook Limited Data Use features: While there is a large degree of uncertainty as to what constitutes a “sale” under the CCPA, the act contains several exceptions to “selling,” including where personal information is made available to a “service provider” (e.g., Facebook) pursuant to a written contract that restricts the service provider’s use of the personal information to only what is necessary to provide the services on behalf of the business.
- Facebook’s approach. To fit within this service provider exception, Facebook is providing (i) updated terms restricting Facebook’s use of personal information that is subject to the CCPA collected via certain Facebook products, and (ii) a technical mechanism to restrict Facebook’s use of this information to only what is necessary to provide the services on behalf of its business customers.
- CCPA compliance option for companies. As a result, if the website implements the Limited Data Use feature, it will qualify for one of the statutory exceptions to “selling” under the CCPA and can say with certainty it is not “selling” any personal information through its use of the Facebook pixel.
- Google’s approach. Google has added a similar “Restricted Data Processing” mechanism for its products that involve a potential “sale” of personal information under the CCPA. More information on Google’s approach for different products like Google Ads and Google Analytics can be found here.
Given the timing of when this feature was announced, the following key dates are important to note:
- Enforcement date. CCPA enforcement began July 1, 2020, as noted above, with focus in this area.
- Limited Data Use by default until July 31, 2020—action required if you want to deliver targeted ads to Facebook users in California in July. Facebook has enabled Limited Data Use as the default setting until July 31, 2020, to give its business customers time to decide on their approach and implement necessary code changes to utilize Limited Data Use for the long term, if desired. Under Limited Data Use, targeted ads can only be delivered to California Facebook users if the Limited Data Use setting is turned off (as discussed below).
- Limited Data Use choice on and after August 1, 2020—action required to continue Limited Data Use. On August 1, 2020, Limited Data Use will be disabled by default, and companies will need to make a specific election and implement any associated code changes to continue Limited Data Use on their systems to opt out individuals or entire databases from any “sales” under the CCPA.
Options for Companies
Companies not subject to the CCPA: Companies not subject to CCPA because they do not have data on 50,000 or more California residents or $25 million in annual revenue may choose not to utilize Limited Data Use.
Companies that filter events before they are sent to Facebook: Rather than using Facebook’s Limited Data Use functionality wholesale, some companies that are subject to the CCPA and “sell” information may choose to filter events before sending them to Facebook, such as through their own “Do Not Sell” mechanism.
For Facebook business customers that do not wish to utilize Limited Data Use have two options:
- Turn off the feature effective immediately. Some companies may elect to disable Limited Data Use immediately to limit impact to their Facebook campaigns. See instructions on how to disable Limited Data Use immediately here.
- Do nothing. Because disabling Limited Data Use before July 31 requires engineering updates, some companies may choose to do nothing and simply “wait out” the July grace period. On August 1, 2020, Limited Data Use will automatically disable.
For Facebook business customers that do wish to utilize Limited Data Use:
- Make required code changes before August 1, 2020. Companies should implement the code changes required for Facebook products they are currently using. Code changes for each Facebook product can be found here.
Questions? Please contact Jim Koenig, Alexandra Vesalga, Brent Tuttle, Kenia Rincon, Jim Gregoire, Tyler Newby or any member of our global privacy and cybersecurity practice for more information.