IDC Names Securiti a Worldwide Leader in Data Privacy


Learn why every Facebook advertiser is at risk of CCPA non-compliance, and how should they respond

By Omer Imran Malik
Published October 30, 2020 / Updated November 22, 2023

Listen to the content


July 1 - July 31 (With option to extend until Oct 20)

  • What happened: Facebook turns ON a feature to limit processing California residents data by default
  • What was the impact: Ensured all Facebook customers (advertisers and publishers) are compliant with CCPA, but limited their ability to re-target California residents
  • What are the consequences: Organizations are CCPA compliant, but their marketing performance suffers since there is no re-targeting for any California residents
  • Optimal solution: Organizations should identify California residents and ask/honor their consent before sharing their personal information with Facebook for further processing

After Oct 20

  • What happened: Facebook turns OFF the feature that limits processing of California residents personal data
  • What was the impact: Advertisers and publishers potentially at risk of processing all customers data (including California residents) without consent
  • What are the consequences: If no action is taken, organizations are not compliant with CCPA and potentially at risk of fines
  • Optimal solution: Organizations should identify California residents and ask/honor their consent before sharing their personal information with Facebook for further processing

Earlier in the year, Facebook had launched a feature called Limited Data Use (LDU) to help their customers, advertisers & publishers, comply with California Consumer Privacy Act (CCPA) compliance. You can learn all about LDU here.

In a nutshell, Facebook used LDU to limit or block processing California residents personal data to allow businesses time to comply with CCPA.

Under CCPA, which started enforcement July 1st, 2020 when consumers exercise the ‘Do Not Sell’ request, the companies are legally required to honor their consent and stop selling or processing consumer’s existing and collected personal data.

For-profit businesses that met one of the following criterion were required to comply with CCPA:

  • Greater than $25m in gross annual revenue
  • Obtains or shares personal information of at least 50,000 California residents, households, and/or devices per year
  • At least 50% of their annual revenue is generated from selling California residents’ personal information

To help its customers comply with CCPA, Facebook automatically enabled LDU for all Facebook business accounts and personal information shared through the following Facebook products.

  • Facebook Pixel
  • Server-Side API
  • App Events API
  • Offline Conversions

With this feature ON businesses were compliant with CCPA. Facebook would auto-identify all California residents and ensure their data isn’t being processed. Businesses had the option to turn it off if they weren’t serving California residents.

After October 20, 2020 Facebook turned this feature OFF by default, putting the onus on the business to identify California residents, and inform Facebook not to process their data, if they chose to opt-out.

Businesses can still use LDU, but if they use it broadly it would limit their ability to retarget users impacting marketing performance. Arguably, since CCPA does not require publishers to obtain opt-in consent of users but based on an opt-out consent regime, businesses can enable the LDU flag for only Californian residents who opt-out of sharing their personal information.

With this balanced approach, advertisers can reach a larger segment of the California residents population without being non-compliant with CCPA.

How can we help? offers Cookie consent and Universal consent products that can be deployed within days to help businesses comply with CCPA. We help you track where visitors on your website come from, and for California residents manage user consent by asking and collecting opt-out requests on your websites. These opt-out notices are used to notify Facebook that user data shouldn’t be processed. Advertisers and publishers can create an audit trail to demonstrate compliance. In this way, advertisers and publishers can ensure they are always compliant with CCPA.

Get started within minutes by using our free trial or contact us to learn more.

Omer Imran Malik

Authored by Omer Imran Malik

Omer Imran Malik (CIPP/US, CIPM) is a data privacy and technology lawyer with significant experience in advising governments, technology companies, NGOs and legislative think-thanks on data privacy and technology related legal issues and is an expert in modeling legal models for legal technology. He has been a prominent contributor to numerous esteemed publications, including Dawn News, IAPP and has spoken at the World Ethical Data Forum as well.

His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of data privacy, technology and AI related legal developments.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend