Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

Learn why every Facebook advertiser is at risk of CCPA non-compliance, and how should they respond

Published October 30, 2020
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

Table of contents

Summary

July 1 - July 31 (With option to extend until Oct 20)

  • What happened: Facebook turns ON a feature to limit processing California residents data by default
  • What was the impact: Ensured all Facebook customers (advertisers and publishers) are compliant with CCPA, but limited their ability to re-target California residents
  • What are the consequences: Organizations are CCPA compliant, but their marketing performance suffers since there is no re-targeting for any California residents
  • Optimal solution: Organizations should identify California residents and ask/honor their consent before sharing their personal information with Facebook for further processing

After Oct 20

  • What happened: Facebook turns OFF the feature that limits processing of California residents personal data
  • What was the impact: Advertisers and publishers potentially at risk of processing all customers data (including California residents) without consent
  • What are the consequences: If no action is taken, organizations are not compliant with CCPA and potentially at risk of fines
  • Optimal solution: Organizations should identify California residents and ask/honor their consent before sharing their personal information with Facebook for further processing
swiss-privacy

Earlier in the year, Facebook had launched a feature called Limited Data Use (LDU) to help their customers, advertisers & publishers, comply with California Consumer Privacy Act (CCPA) compliance. You can learn all about LDU here.

In a nutshell, Facebook used LDU to limit or block processing California residents personal data to allow businesses time to comply with CCPA.

Under CCPA, which started enforcement July 1st, 2020 when consumers exercise the ‘Do Not Sell’ request, the companies are legally required to honor their consent and stop selling or processing consumer’s existing and collected personal data.

For-profit businesses that met one of the following criterion were required to comply with CCPA:

  • Greater than $25m in gross annual revenue
  • Obtains or shares personal information of at least 50,000 California residents, households, and/or devices per year
  • At least 50% of their annual revenue is generated from selling California residents’ personal information

To help its customers comply with CCPA, Facebook automatically enabled LDU for all Facebook business accounts and personal information shared through the following Facebook products.

  • Facebook Pixel
  • Server-Side API
  • App Events API
  • Offline Conversions

With this feature ON businesses were compliant with CCPA. Facebook would auto-identify all California residents and ensure their data isn’t being processed. Businesses had the option to turn it off if they weren’t serving California residents.

After October 20, 2020 Facebook turned this feature OFF by default, putting the onus on the business to identify California residents, and inform Facebook not to process their data, if they chose to opt-out.

Businesses can still use LDU, but if they use it broadly it would limit their ability to retarget users impacting marketing performance. Arguably, since CCPA does not require publishers to obtain opt-in consent of users but based on an opt-out consent regime, businesses can enable the LDU flag for only Californian residents who opt-out of sharing their personal information.

With this balanced approach, advertisers can reach a larger segment of the California residents population without being non-compliant with CCPA.

How can we help?

securiti.ai offers Cookie consent and Universal consent products that can be deployed within days to help businesses comply with CCPA. We help you track where visitors on your website come from, and for California residents manage user consent by asking and collecting opt-out requests on your websites. These opt-out notices are used to notify Facebook that user data shouldn’t be processed. Advertisers and publishers can create an audit trail to demonstrate compliance. In this way, advertisers and publishers can ensure they are always compliant with CCPA.

Get started within minutes by using our free trial or contact us to learn more.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
View More
Getting Ready for the EU AI Act: What You Should Know For Effective Compliance
Securiti's whitepaper provides a detailed overview of the three-phased approach to AI Act compliance, making it essential reading for businesses operating with AI.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
View More
Unlock Amazon Q’s Full Potential with Secure, Governed Data
Learn how robust DSPM can help secure Amazon Q data access, automate sensitive data tagging, eliminate ROT data, and maximize AI productivity safely.
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders View More
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Singapore’s PDPA and consent requirements. Stay compliant and protect your business.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New