Meta Privacy Compliance Update: Changes to Facebook LDU
In July 2020, Facebook launched a novel tracking flag called “Limited Data Use”, or LDU. LDU was used to flag that any data associated with a specific user should be processed according to regional privacy laws.
LDU was built to address data processing compliance requirements in the state of California, specifically for users that were subject to CPPA compliance. But the LDU flag was actually designed to reach a bit farther, allowing for:
- Auto-detection: Facebook automatically determined a user’s state-level residence and processed data according to state-regulations
- Manual detection: The LDU flag values would be set within the browser if a brand wanted to override default detection (if a user is logged in and their residential state is explicitly known, for example).
Many brands implemented the flag as part of their Meta pixel, while others chose to use a consent management pop-up that would allow users within a given location the ability to opt out of tracking and data sharing.
With new legislation set to come into play in Virginia on January 1, 2023, many marketers are wondering whether they need to do something with LDU or make changes to stay in compliance in that state.
Can you use LDU in Virginia as part of your privacy compliance solution?
Although the LDU flag was initially designed to provide interoperability across various regional privacy laws, Meta has since released a statement noting that the LDU scope will not be expanding beyond the state of California.
It’s likely Meta has limited the expansion of LDU due to the prevalence of consent management solutions utilized across the majority of US websites today.
There have been rumors within the digital marketing space that they may make an update for Virginia in response to VCDPA privacy legislation, but at the moment the only thing Meta has updated is their terms, which now include Virginia-specific definitions and obligations for processors.
If you are already using a consent management solution, it is unlikely you would also need to integrate the LDU flag since the user will already have the option to consent. It should be noted that no data will be sent to Meta for any users that opt out.
Is Meta updating or expanding LDU in light of new privacy legislation?
First of all, let’s remind everyone that your business needs to be CCPA compliant if you’re doing any marketing in California, even if your business isn’t located in the state.
Any business that is targeting residents of California with ads must be in compliance with CCPA or face potentially serious repercussions.
California’s laws are changing; CPRA, an amendment to the original CCPA privacy legislation, will likely go into enforcement in April, according to the state’s privacy agency, so stay tuned for additional updates as the regulations and requirements are finalized in the coming months.
As far as LDU is concerned, Meta released a statement indicating it plans to update their state-specific terms on January 1st, 2023 to incorporate new definitions and other requirements for upcoming privacy laws in both California and Virginia. They specifically note certain state-specific changes:
- For California: a new definition of “Share,” restrictions for the transferring of Personal Information, and other updated service provider obligations
- For Virginia: Virginia-specific definitions and obligations for processors
They also shared that “the Limited Data Use feature, where available, can continue to be leveraged to help support compliance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Right Act (CPRA). As always, you should consult with your legal counsel regarding the use of Meta products, including Limited Data Use, and compliance with all applicable laws.”
What do you need to do to ensure compliance if you can’t rely on LDU?
LDU is only offered in California right now as Meta continues to evaluate which additional states to add in 2023. Despite Virginia’s inclusion in the list of state-specific changes, Meta doesn’t currently offer LDU in Virginia.
Any compliance solutions should be run through your legal department to ensure they meet the legal standard.
Start preparing your business for changes in California and Virginia by following these three guidelines:
- Get up to speed with CPRA and VCDPA. Focus on understanding the requirements for compliance and speak with your legal team with regard to your current data processing and sharing processes.
- Review your consent management solution. We’re big fans of OneTrust (for larger enterprise organizations) and CookieBot (for smaller orgs with limited compliance needs).
- Understand where consumer data enters and exits your marketing ecosystem. There may be a broad range of ways your organization currently moves data, including cookies sending data back to Facebook or Google, the actual sale of user emails, and PII purge points for inactive users.
We’re headed for a privacy-first future regardless of where Meta decides to implement LDU. That’s why it’s important to keep up with the various data restrictions and regulations so you can avoid any issues or fines that may hinder your quest for performance and business growth.
Responses