Updates on CCPA for Paid Media Advertisers

As a refresher, the CCPA (California Consumer Privacy Act) requires businesses to give California residents the right to opt-out of the “sale” of their personal information, with the opt-out offered via a prominent “Do Not Sell My Personal Information” link on the business’ website. Under California law, “sale” is broadly defined and may include the use of cookies for targeted advertising through a third party.

CCPA currently applies to businesses that:

  • Have a gross annual revenue of over $25 million, or
  • Businesses that involve buying/receiving/selling the personal information of more than 50,000 CA residents, or 
  • That derive 50%+ of their annual revenue from selling the personal information of CA residents.

CCPA officially became California law on January 1, 2020 and enforcement started on July 1, 2020, after a six-month grace period. 

Despite this law being in place for months now, you may still be wondering how best to ensure compliance. Completely understandable! It’s a rather muddy situation and unfortunately, still changing. As of September 2020, here’s what we know and can imagine you’re asking about now. [Note: Please do not take this as legal advice!]

What do I do for my advertising campaigns on Google, Facebook, and Amazon?

For advertising campaigns on Google

Google released “Restricted Data Processing” (RDP) in November 2019 to allow advertisers to restrict how data is processed through Google Ads, App Campaigns, and Google Analytics.

  • For Google Ads, we recommend our clients enable RDP by adding the RDP parameter in Google’s existing global site tag to limit use of personal data on a per-user basis (or on all California residents if you’re still working on your website’s compliance requirements).
  • Once RDP is enabled, Google will NOT add specified users to remarketing lists or add users to similar audience remarketing seed lists. However, conversion tracking and measurement will not be affected.
  • Both customer match and store sales (direct upload) already operate using restricted data processing. It’s very important to update your customer lists on a regular basis to remove those users who opt-out.
  • Once RDP is implemented, the impact of your performance will be dependent on the scale of opt-out users and your campaign types. Expect lower volume on campaigns utilizing retargeting and lookalike, which includes Smart campaigns and Discovery campaigns.

For advertising campaigns on Facebook

Facebook also released “Limited Data Use” in June 2020. In addition, Facebook automatically enabled LDU for all Facebook business accounts to limit the use of data for all California residents for the month of July. 

  • If you haven’t updated your Facebook pixel to include LDU, you could extend the transition period through Oct 20, 2020 by going to Facebook’s Ads Manager -> Event Manager -> Setting. Extending this transition period means Facebook will automatically remove all California residents’ data from your campaign until your pixel is updated. We recommend you update your pixel ASAP within this transition period or you’ll be solely responsible for CCPA compliance once the transition period is over.
  • A major performance impact was seen by many advertisers in July 2020 when Facebook automatically enabled LDU as Facebook limited use of California residents data for optimization, retargeting, and lookalike audiences. We recommend implementing LDU on a per-user basis to help minimize performance impact. 

For advertising campaigns on Amazon

Amazon already has strict guidelines in place that govern data use. In Amazon’s ad policy, Amazon states that advertisers must “Obtain your visitors’ consent and/or satisfy such other applicable legal requirements for the use of pixels by third parties, including Amazon and its Affiliates.” In addition, Amazon also states that “The agency will contractually require that advertisers comply with these requirements. The agency will be fully responsible for advertisers’ non-compliance with these requirements.”

  • To be fully compliant with advertising on Amazon, it’s required to obtain your visitors’ consent on use of their information for any marketing purposes.

What about other publishers or tech companies in the media ecosystem?

Interactive Advertising Bureau (IAB) developed the IAB CCPA Compliance Framework for Publishers and Technology Companies as an attempt to standardize compliance across the ad tech industry. The framework includes three main components:

  1. “Websites/publishers must disclose California consumers’ privacy rights at the point of data collection, and that websites/publishers must implement a “Do Not Sell My Personal Information” link on their sites/apps.
  2. An agreed-upon way for publishers to communicate to ad tech companies that a California consumer has opted out of third-party data sales.
  3. An agreed-upon way for tech companies to operate after a Californian resident has opted out of third-party data sales.” (Cookiebot)

We encourage you to reach out to your publishers or media partners to inquire about whether they’re following the IAB framework; or what they’re doing to ensure CCPA compliance. 

What can I do to make up for the performance impact from limiting CA users’ data?

For advertisers who rely heavily on California website visitors and are or are planning to use RDP and/or LDU (especially if you’re using RDP/LDU to remove all CA cookies), you may want to look into your geo reports pre- vs post- RDP/LDU implementation to assess the impact to better establish the baseline of your performance going forward. 

Given the nature of CCPA – which provides users the option to opt-out, we think the immediate impact would be low if you are removing opt-out users based on a per person basis; as the users who prefer to opt-out tend to be those who are no longer interested in your products/services. 

However, if you’re seeing a drastic decline with your CA retargeting pool or would like to retarget CA audience through other means, a good workaround is to utilize those “platform engagers” instead. We recommend setting up an engagement objective campaign targeting CA first, then retarget those who have engaged with your Facebook page, posts, lead gen forms or videos. Similarly, a video remarketing campaign could be used to test those audiences who have watched your content.

Are there any long-term strategies I can apply as more states adopt CCPA-equivalent privacy laws?

As of September 2020, Nevada, Utah, and Maine also have passed similar privacy laws, federal privacy laws are in discussion and Apple announced its privacy policy change on IDFA. The industry is slowly moving away from tracking every digital footprint we have towards the opt-in model similar to GDPR. Instead of managing all the privacy nuances by states or devices in your campaigns, we think it’s a good time to take a step back and rethink your audience strategies to focus on quality of the audiences instead of quantity. For example, 

  1. Segment your existing audience lists further and manage them with different goals. (e.g., visitors with 1-2 pageviews vs. visitors with 3+ page views, customers with different LTVs)
  2. Provide more value to encourage signups or social following (e.g., First-time 10% off signup, free webinar registration, instagram contest)
  3. Start a Facebook group to grow a community of like-minded people with email opt-in as one of the requirements to join

Lastly, don’t forget to review your existing audience lists and make sure the same compliance standards are applied across all states. Plus, it’s always a good time to clean up the audience lists that are no longer relevant or useful!

About the author: Lillian Barclay is a Paid Media consultant at Apiary Digital®. She has 12 years of experience and has supported brands, including Resolution Media and ID Media.