At the beginning of July, Facebook quietly implemented a Limited Data Use (LDU) mode for their advertising products (including the PageView pixel). Under this mode—which is enabled by default for the month of July—a business customer can determine whether Facebook is restricted in how it processes user personal information when a user visits its page. Of note, if LDU mode is turned on and Facebook determines that a user is located in California (either because the business affirmatively represents this as true or Facebook’s geolocation tools believe the user to be in the state), Facebook will act like a “service provider” under the California Consumer Privacy Act (CCPA) and only use the data collected for limited purposes. That being said, Facebook provides severely restricted functionality to its business customers when LDU mode is enabled.
If you are a business advertising on Facebook, beginning on August 1, you will need to make a decision whether the platform will have access to your California customers' personal information. If you do nothing, Facebook will turn off LDU mode and your customers' information will be accessible to them without restriction, which may constitute a "sale" under the CCPA and subject you to fines from the California Attorney General. On the other hand, if you enable LDU mode, you will still need to decide whether to manually report your customers' geolocation information to Facebook or rely on Facebook's own geolocation tools (which may be defective with respect to California residents when they use VPNs, proxies, or just travel outside the Golden State). In order for LDU mode to operate properly, if your users exercise their CCPA right to opt-out of the sale of their personal information, you will need to provide your users with: 1) a website where a cookie (a small piece of data stored on their device) can be set in the browser, and 2) instructions that they will need to set this cookie on each of their devices. There is also the technical issue of how to set the LDU cookie when a user submits a global CCPA opt-out request.
Unfortunately, there is very little time for Facebook’s business customers to respond. In its disclosure regarding LDU mode, Facebook said that LDU mode will be deactivated by default starting today (July 31), meaning it will only remain available to business customers who actively implement it. In short, Facebook has told its business customers that they must affirmatively opt-in to the LDU functionality or they will end up selling their customers’ personal information to Facebook by default starting on August 1. Facebook is alone in this per-transaction approach—other social media companies and advertisers (like Google) have addressed CCPA compliance by providing business customers with back-end controls, which allow them to either restrict the platform’s ability to use data for other purposes across their entire customer base (i.e. operating as a “service provider” under the CCPA) or allowing them to activate the opt-out functionality on a per-user basis in order to support their CCPA compliance programs.
It remains to be seen whether Facebook will alter course, but if they choose not to, they likely have the resources to battle the California Attorney General on this issue for years to come, while their business customers rack up CCPA fines in the interim (again, the fine is assessed against the seller of the data (the business customer) not the purchaser (Facebook)). Bottom line: if you advertise with Facebook, it is recommended that you consult an attorney that specializes in privacy law and has the technical expertise to help you and your website developer with the coding necessary to implement the privacy controls you choose. Of course, the privacy and cybersecurity specialists at Michelman & Robinson are available to help toward that end.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.