Privacy regulations are a new challenge marketers need to overcome, as platforms like Facebook are increasingly implementing their own requirements. And the results of non-compliance are dramatically impacting conversions. At Invisit, a software for e-commerce marketers to manage the privacy requirements across all marketing channels, we audit hundreds of websites daily. And over 70% of e-commerce websites suffer from privacy issues that are directly impacting their marketing performance.

Facebook Limited Data Use is the newest of these platform requirements. This privacy restriction passes the compliance burden from Facebook onto the advertisers using the platform. Specifically, Facebook requires advertisers to send ‘Limited Data Use’ signals, which provide information on whether each site visitor has chosen to remain opted-in to targeted advertising campaigns (the default option per CCPA) or if they have exercised their right to opt-out.

As a privacy management company built on e-commerce, we’ve seen a wide range of Limited Data Use implementation issues with substantial performance impacted as a result. On average, 13% of conversions are lost from privacy mismanagement, with California often seeing the most dramatic impact. And in some instances, this amount can be far higher when certain Limited Data Use signals are implemented incorrectly.

Let's walk through some of the most common issues.

No Facebook Limited Data Use implemented

The most common problem most e-commerce companies are facing is taking no action in response to Facebook’s Limited Data Use. Since this restriction is so new and Facebook has been very brief in their explanation, it's understandable that so few websites have implemented the Limited Data Use signals yet.

In our experience with Limited Data Use so far, clients see nation-wide improvements after implementing the Limited Data Use signals. This suggests that Facebook’s algorithm favors campaigns where it has full compliance information since it reduces Facebook’s own liability. By taking no action, marketers are losing out on performance uplift.

Limited Data Use firing on ALL site visitors

This is another common issue and has even more substantial performance impact. Many businesses have misinterpreted Limited Data Use and CCPA’s opt-out requirements. Under both of these mandates, site visitors are opted-in by default. They must go through the manual process of opting-out of targeted advertising.

When the ‘LDU’ signal loads in the ‘dpo’ parameter, this is telling Facebook to opt users out of targeted advertising. Many companies are doing this by default, which means they are telling Facebook to remove every site visitor from targeted campaigns.

The correct experience should be to fire an empty array in the ‘dpo’ parameter and update it with the ‘LDU’ field only when a user has opted-out (correct implementations later in this doc).

Limited Data Use working, but an opt-out mechanism is not in place (CCPA violation)

Getting closer to the correct workflow, here is an example of sites that have the Limited Data Use signals implemented correctly. However, their site visitors have no way of opting-out. While their Facebook performance is likely unaffected, this opens them up for significant liability.

CCPA carries a potential fine of $2,500 for each violation and $7,500 for each intentional violation. By implementing Facebook’s privacy signals but neglecting to provide an actual opt-out mechanism, it could be argued that this is an intentional violation of CCPA.

Everything working correctly!

And finally, we have a handful of sites that have Facebook Limited Data Use and CCPA implemented correctly. It's a rarity, so kudos to the sites that have this in place. The ‘dpo’ parameter is passing an empty array, meaning the user is still opted-in, and their site features a mechanism to opt-out of targeted advertising.

By Dean Shapero

Dean is the founder and CEO of Invisit, a software for e-commerce companies to automate privacy requirements in all of their marketing channels to protect their performance. Prior to Invisit, he led a martech software company called RADS from concept to exit. He then started Hearst Magazine's data monetization division, building it to a $15mm ARR business.