
Everything You Need To Know About CCPA Compliance

Advertisers Scramble To Comply With America's First Big Data Privacy Law

Thanks for subscribing to The Cache - a weekly summary of the most important stories, trends, & commentary in eCommerce marketing, curated by Rob Bettis.


If you are not familiar with the California Consumer Privacy Act (CCPA), that is about to change.

Last week, we discussed how advertising on Facebook in the state of California had gone haywire because of some new data protection standards Facebook had put in place. Those standards were a response to the CCPA, which went into effect on January 1 of this year, with a compliance deadline of July 1.

From my perspective, CCPA has flown under the radar thus far with advertisers - perhaps falling behind the endless stream of more important news. Regardless, CCPA compliance remains an important task for any brand, but especially if you have a national footprint.

To get a legal perspective on CCPA, I asked data privacy attorney & friend of Cache, Thomas Codevilla, to share his wisdom on the matter. Quoting his post:

Coming from a company that once claimed it did not sell personal information, Facebook’s introduction of CCPA controls in late June surprised many by introducing a “Limited Data Use” (LDU) capability on several Facebook features.

Facebook turned on the LDU feature during the month of July, after which LDU will be turned off automatically until a business enables it. Below I write on the effects of LDU and how your business might react to comply with the CCPA if it utilizes Facebook campaigns, pixels, or other features.

First, Are You Subject to the CCPA?

If your business is not subject to the CCPA and probably won’t be for a while, then crack a beverage and watch this all unfold. If you (i) have less than $25 million in annual revenue, (ii) don’t collect the personal information of more than 50,000 individuals, households, or devices (some of which are in California), or (iii) don’t sell personal information to obtain a majority of your revenue, you do not need to utilize Facebook’s CCPA controls because you’re not subject to the CCPA (cough not legal advice cough). You might still use LDU if, for example, you committed to not selling consumer information on your website or privacy policy.

The rest of this post assumes you are subject to the CCPA; if you’re not sure, email me at codevilla@skandslegal.com.

What LDU Does

Essentially, enabling LDU means that if Facebook receives an “opt-out” flag from a California consumer, Facebook will not sell that consumer’s information. This plays out in different ways depending on whether you use Facebook’s pixel, Server-Side API, App Events API, or Offline Conversions.

It is unclear exactly what Facebook processes LDU disables, and I suspect Facebook is being deliberately obtuse on this point to protect its business. However, the practical effect of LDU has been a negative impact on campaign performance, effectiveness, retargeting, and measurement. We know LDU specifically impacts Facebook’s ability to customer match and behaviorally target consumers. If your business is subject to the CCPA and leans heavily on these features to advertise in California, consider alternate advertising methods.

LDU’s effects make intuitive sense: Facebook needs to monetize or exchange consumer information with other companies to fully measure a consumer’s behavior on its platform and others. LDU effectively removes a consumer from the complex advertising measurement ecosystem, so Facebook can tell you less information on that consumer.

Should You Enable LDU? Then What?

If your brand or e-commerce business advertises on Facebook and you’re subject to the CCPA, at minimum you must design a way for California consumers to send an LDU flag to Facebook communicating the consumer’s decision to opt out of sale of their personal information. This might take the form of a “Do Not Sell My Personal Information” button on your home page or app, but technical implementation will be more complex depending on what Facebook features you use. Your technical implementation will also be more complex if you choose to present the opt-out feature only to California consumers, though Facebook has indicated it might help with that distinction. See more about technical implementation here.

Importantly, your business’ opt-out mechanism should apply to all sales of personal information, not just to Facebook advertising. For example, if you use Google for advertising, you may wish to enable Restricted Data Processing depending on how much you share with Google. Just which activities in the advertising ecosystem constitute “sales” for CCPA purposes is unclear, however, and requires counsel to parse through.

To get a better picture of your CCPA responsibilities, map your data; determine every service provider you utilize while running your business and what information you share with them, then analyze each relationship to determine whether you’re selling information or whether that entity is a service provider. If you’re not sure what third parties do with the information you share, read your contract and/or call a lawyer. Even if you are not selling information, those third parties might be selling the information you share with them, so the CCPA still requires you to notify California consumers and give them a chance to opt out of that sale.

Additionally, if you only use Facebook pixel and you’re subject to the CCPA, implement a cookie banner enabling California consumers to opt-out of cookies and pixels that are not essential for site functioning. This is different than a “Do Not Sell My Personal Information” button, and mercifully easier to implement.

Finally, call a privacy lawyer and talk about proper disclosure of all the above and other steps necessary to comply with the CCPA. You can reach me at codevilla@skandslegal.com.

You can see how anyone on the web who leverages a Facebook Pixel or Google Analytics can easily fall short of compliance with this legislation and not even know it.

As Thomas said, this is not legal advice. Your situation is likely unique and you need advice that fits. I would encourage you to reach out to Thomas or your own data privacy attorney for guidance. However, I wanted to unpack three common responses to CCPA, which may be helpful as you seek compliance.

Three Common Responses

Exclude California Residents

When Facebook’s LDU dropped in early July, the response for many advertisers was to exclude California from their advertising. That, at least for the moment, returned ad performance to pre-LDU levels. However, for many retailers, that falls short of compliance. Because of the very nature of the internet, brands do not have control over where their visitors come from. If you are collecting data - from Analytics or a FB Pixel or any other number of advertising tools - of more than 50,000 users each year and any portion of those are Californians, you need to be in compliance. So, to clarify last week’s issue of this newsletter, excluding California from your ad targeting would likely fall short of compliance. This is especially true if you are remarketing to your visitors.

Cookie Banner

If you operate in GDPR compliance, you may already have tools in place to allow users to opt-in to cookie tracking. If so, it may be easy to add California residents to the list of folks who receive a cookie banner on your site.

Most brands, however, will be seeking a minimal response to CCPA, so that they maintain as much of their current advertising strategy as possible. Unless your brand associates itself with data privacy and receives value from being above and beyond minimum standards, you would not want to sacrifice the use of advertising tools and techniques unless necessary.

In the cookie banner example, displaying this banner and requesting permission from all users would severely reduce your remarketing audiences. Instead, I would recommend you only request permission from folks in the UK (GDPR) and California (CCPA).

Code Updates

Perhaps a more effective, but more technically challenging, response is to update the individual tools you utilize to collect this data. Remember, to be CCPA compliant, you need to allow users the ability to opt-out of data collection. So, if the tool provides a feature for users to opt-out, you can enable that feature, and (in theory), the tool will manage the opt-out flow.

Let’s look at three of the most common.

Google Analytics

In this help article, Analytics provides brands steps to accept CCPA-compliant adjustments for how user data is collected on your site. That is an easy one.

Here is the same info, detailed for Google Tag Manager.

Google Ads

If you utilize Google Ads tracking instead of (or in addition to) Google Analytics, you likely need to also update that code. From another Google support post:

Google Ads offers you two options to enable restricted data processing:

A new restricted_data_processing parameter which can be set in your global site tag, to enable restricted data processing for particular users on your site.

A checkbox in the Google Ads interface where you configure your Google Ads remarketing tag to enable restricted data processing for all users located in California.

Facebook Pixels

At the time of this writing, Facebook does not offer a convenient ‘check a box’ solution. Instead, you will need to modify your code to include a new parameter. Once enabled, if a user has chosen to opt-out of tracking, their browser/profile can alert your tracking pixel upon their visit, so the pixel does not include them in the collection.

Per this Search Engine Land post, the parameter is dataProcessingOptions.

At this time, the LDU parameter is not included within the Facebook pixel by default, and you need to refer to a specific developer documentation page to review the scope of requirements.

To explicitly not enable Limited Data Use (LDU) mode, use:
fbq('dataProcessingOptions', []);
fbq('init', '{pixel_id}');
fbq('track', 'PageView');

To enable LDU mode using geolocation:
fbq('dataProcessingOptions', ['LDU'], 0, 0);

To enable LDU for users and specific user geography:
fbq('dataProcessingOptions', ['LDU'], 1, 1000);

For many brands running modern CMS’s - platforms like Shopify and WooCommerce - the UI for installing pixels provides an easy copy & paste implementation.

Unfortunately, very few (if any) of these platforms have been updated to allow for CCPA compliance. I have personally checked Shopify, WooCommerce (the official Facebook For WooCommerce plugin), and Squarespace. So, if your site was set up that way, you will need to find alternative solutions for your pixel implementation.

(To be fair to the platforms, Facebook didn’t provide guidance on their solution to CCPA until earlier this month. So hopefully platform-level support is forthcoming.)
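For sites that have to hand-install their tags, here is one way to wire a visitor's opt-out choice to both the Facebook dataProcessingOptions call and the Google Ads restricted_data_processing parameter described above. This is an added example, not code from this newsletter, Facebook, or Google; the cookie name ccpa_optout, the knownCalifornia flag, and the function names are hypothetical, and the pixel and conversion IDs are placeholders.

```javascript
// Added example. OPT_OUT_COOKIE is a hypothetical first-party cookie that your
// "Do Not Sell My Personal Information" control sets to "1"; IDs are placeholders.
const OPT_OUT_COOKIE = 'ccpa_optout';
const PIXEL_ID = '{pixel_id}';
const ADS_ID = 'AW-CONVERSION_ID';

// Parse a document.cookie-style string. A null-prototype object avoids
// surprises from cookie names such as "__proto__"; bad percent-encoding stays raw.
function parseCookies(cookieString) {
  const cookies = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch (err) {
      cookies[name] = raw;
    }
  }
  return cookies;
}

function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Build the ordered tag calls for one visitor. knownCalifornia is true only
// when your own logic has already placed the visitor in California; otherwise
// the 0, 0 form leaves geolocation to Facebook.
function buildTagCalls(cookieString, knownCalifornia) {
  const optedOut = hasOptedOut(cookieString);
  let options;
  if (!optedOut) {
    options = ['dataProcessingOptions', []];                 // explicitly no LDU
  } else if (knownCalifornia) {
    options = ['dataProcessingOptions', ['LDU'], 1, 1000];   // specific geography
  } else {
    options = ['dataProcessingOptions', ['LDU'], 0, 0];      // geolocation
  }
  return {
    // dataProcessingOptions goes first, before init, as in the snippet above.
    fbq: [options, ['init', PIXEL_ID], ['track', 'PageView']],
    gtag: [['config', ADS_ID, optedOut ? { restricted_data_processing: true } : {}]],
  };
}

// Replay the calls against whichever tag functions the page has loaded.
function applyTagCalls(calls, win) {
  if (typeof win.fbq === 'function') calls.fbq.forEach((args) => win.fbq(...args));
  if (typeof win.gtag === 'function') calls.gtag.forEach((args) => win.gtag(...args));
}

// In a browser, run once after the base tag snippets have defined fbq and gtag.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyTagCalls(buildTagCalls(document.cookie, false), window);
}
```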

In summary, brands should be CCPA compliant, like yesterday (as of July 1, to be correct). If you, like many, are just now learning about the CCPA, you have some work to do. Hopefully, this info gets you started along that path. But as I said before, I would encourage any brand to heed Thomas’ advice about mapping your data.  Then seek the counsel of a qualified data privacy attorney (like Thomas), to work through the details of your situation.


🗣 Social

Previously, the comments shown below a photo have been chosen algorithmically. Now brands have control over which comment is shown, providing additional protection for brand image.

This is a finally, right?  Regardless, it is nice to see.

TikTok Self-Serve Ads Available Globally & $100 Million in Ad Credits

After a couple years of waiting patiently, TikTok has announced they are rolling out their self-serve advertising platform globally.

The platform will give advertisers access to tools for creative, targeting, and flexible budgeting.

TikTok's fastest growing user base is 25-44 year olds with high disposable income, representing the group media buyers used to rely on Facebook for most.

Speaking of...

A great thread to guide those new to TikTok advertising.

Instagram swaps out its ‘Activity’ tab for ‘Shop’ in new global test | TechCrunch

Instagram today is starting a small global test of the Instagram Shop tab, first announced this May, which allows Instagram users to shop from top brands and creators via a new tab in the app’s navigation bar with just one tap. Here, users will be able to filter products by categories, as they can today via the existing Shop experience within Instagram Explore.

Though the company in May had also announced plans for a newly designed Instagram Shop with a different layout than what’s available today through Explore, those changes aren’t being tested at present. Instead, this new global test will direct users to the same “Shop” experience that U.S. users have been able to reach by tapping the “Shop” button in Explore.

📈 Reporting & Revenue

Exclusive: Apple is working on QR Code payments for Apple Pay, iOS 14 code reveals - 9to5Mac

References found in the iOS 14 code reveal that Apple is working on a new method for letting users make payments with Apple Pay by scanning a QR Code or traditional barcode with the iPhone camera.

We’ve managed to access this feature hidden in iOS 14 beta 2, and although it still doesn’t work, we can clearly see an image showing how it will work. Users will point the iPhone camera at a QR Code or traditional barcode to pay bills and other things with a card registered with Apple Pay.

The opposite would also work, with users holding the iPhone in front of a scanner with a QR Code generated by the Wallet app. We can also say that there will be some kind of interaction with third-party apps, as this code was found in a public system API.

Apple hasn’t discussed this feature at WWDC 2020, and it’s not finished yet, so we don’t know when Apple will make it available to users. It’s important to note that this was not present in the first iOS 14 developer beta released last month, so it’s definitely something Apple is still working on.

As a germaphobe, touching the keypads at registers sucks. Touching them during a pandemic is even worse. I’m hopeful that one good thing that might come from the COVID-19 season is significant advancements in touchless payments. This story has me hopeful. I’m also hopeful for the health of frontline workers and those providing curbside services.

🛍 Marketplace

Walmart+, an Amazon Prime competitor, launches in July - Vox

Walmart plans to launch a new subscription service later this month called Walmart+ that will cost $98 a year. It will include perks like same-day delivery of groceries and general merchandise, discounts on fuel at Walmart gas stations, and early access to product deals, multiple sources told Recode.

Walmart originally planned to unveil Walmart+ in late March or April, Recode reported in February, but the retailer pushed back the launch date after the Covid-19 pandemic began sweeping across the US in March. It’s unclear whether the program will launch nationally, or first on a regional level, later this month.

Amazon Marketplace Is No Longer Anonymous - Marketplace Pulse

Amazon will begin displaying the business name and address of sellers in the U.S. marketplace starting September 1st, putting the U.S. marketplace in line with the European, Japan, and Mexico marketplaces, where this information was always available because of local laws.

Removed sellers’ anonymity benefits consumers by allowing them to directly seek legal action with the seller, in case, for example, the product they purchased caused harm. Other businesses, most often brands, benefit from knowing the seller’s true identity for managing approved retailers and directly pursuing counterfeits.

The Pandemic Is Rewriting the Rules of Retail

This new emphasis on innovation and service needs to extend to the digital customer experience as well. Most retailers with roots in brick-and-mortar simply try to replicate their in-store experience online, but such efforts are fruitless and misguided. Beyond the transaction basics discussed earlier, customers don’t expect a virtual experience to be like an in-person one — nor do they want it to be.

Investing in some of the unique capabilities of digital — including real-time inventory management, predictive analytics, AI-powered search, and personalization and co-creation functions — can create completely new and different shopping experiences. Take, for example, social commerce, which not only enables companies to sell through social media channels but also incorporates social interactions; peer support, reviews, and recommendations; multimedia content; personalization; gamification; and more. A retailer can use these new capabilities to create a social, interactive, immersive experience wherever customers are — that’s something no physical outlet can provide.

To get inspiration and insights for designing an online shopping experience from the ground up, retailers might want to examine the evolution of other brick-and-mortar industries and institutions. When Covid-19 forced churches to shut down their weekly services, most simply transferred their church services online using digital conferencing solutions like Zoom. But Cincinnati-based Crossroads Church seized the opportunity to re-imagine its pastors’ weekly sermons. Now they film pastors delivering messages at different locations to help reinforce that week’s message (for example, talking about the importance of a strong foundation at the site of a historic church). Similarly, retailers can take advantage of the greater flexibility and new contexts that digital affords by, for example, depicting a single clothing item on multiple models to show what it looks like on different body shapes and sizes or using videos to demonstrate how real customers actually use a tool.

They can also take inspiration from how digital enables immediacy and interactivity for online education platforms such as edX and Coursera. Students studying software programming can upload their coding projects and get them automatically graded, so they receive instant feedback; psychology students can use an app that goes with their class to track their habits and better notice patterns in their own behavior. What might this look like in the retail context? Possibilities include AI-enabled answers to customers’ questions in real-time, instant video chat with a personal stylist, and apps that track usage of current products to make recommendations for new ones. Ideas like these arise when retailers think beyond adapting the in-person experience online.

DTC brands struggled with profitability prior to COVID-19. Now what? | Retail Dive

The cost to acquire customers online has gotten prohibitively high, and as a result, many direct-to-consumer brands have shoveled millions of dollars into their marketing quarter after quarter.

Chewy spent $106 million on advertising in the first quarter, or 7% of total revenue, from $102 million in the year-ago period; Casper spent $38 million, or 33% of total revenue, from $30 million a year ago; and Wayfair spent $276 million, or 12% of direct retail net revenue, from $244 million a year prior.

"Obviously in recent months it's come down a fair amount, in terms of customer acquisition costs because media costs have come down," Basham said. "Consumers have been seeking out these types of companies to purchase things online." However, he added that he doesn't think advertising will remain at the current levels for long, especially after the pandemic subsides. "I think that we'll see customer acquisition costs go back towards levels they were at pre-COVID."

Re: Casper - 33% of total revenue. 👀

Today’s class of eCommerce powerhouses all seem to follow the same formula. Find a high-margin product category, build a higher-margin product through superior branding, and throw all of that margin towards advertising the hell out of it.

🛠 Tips & Tools

Connected Sheets is generally available | Google Cloud Blog

Today, we‘re announcing the general availability of Connected Sheets, which provides the power and scale of a BigQuery data warehouse in the familiar context of Sheets. Connected Sheets enables people to analyze billions of rows and petabytes of data in Sheets—without requiring specialized knowledge of computer languages like SQL. A live connection between BigQuery and Sheets means your data stays fresh and protected by Google’s security architecture, unlike with desktop spreadsheet applications. People across your organization can apply familiar Sheets tools like pivot tables, charts, and formulas to big data, quickly deriving insights and reducing their dependence on specialized analysts.

👋 Holla!

Questions, comments, inquiries? I’d love to hear from you! Email newsletter@robbettis.com.