Show Menu
TOPICS×

Adobe Advertising Cloud Support for the General Data Protection Regulation

For Adobe Advertising Cloud Search, Adobe Advertising Cloud Creative, Adobe Advertising Cloud DSP, and Adobe Media Optimizer DCO
The contents of this document are not legal advice and are not meant to substitute for legal advice. Consult with your legal counsel for advice concerning the General Data Protection Regulation.
The General Data Protection Regulation (GDPR), a law in effect May 25, 2018, gives all individuals (data subjects) within the borders of the European Union (EU) control of their personal data and simplifies the regulatory environment for international business. This law applies to all businesses (data controllers) that offer goods or services to, monitor the behavior of, or collect personal data from individuals within the borders of the EU at the time their personal data is processed, regardless of the data controller's business location.
Adobe Experience Cloud acts as a data processor for any personal data it receives and stores on behalf of its customers. As a data controller, you determine the personal data that Adobe Experience Cloud processes and stores on your behalf.
This document describes how Advertising Cloud Search, Advertising Cloud Creative, Advertising Cloud DSP (Demand Side Platform), and Media Optimizer DCO support your data subjects' GDPR data access and deletion rights using the Adobe Experience Platform Privacy Service API and Privacy Service UI.
For more information about what GDPR means for your business, see GDPR and Your Business .

Supported Data Request Types for Advertising Cloud

Adobe Experience Platform provides the ability for businesses to complete the following tasks:
  • Access a data subject's cookie-level data or device ID-level data (for ads in mobile apps) within Search, Creative, DSP, or DCO.
  • Delete cookie-level data stored within Search, Creative, DSP, or DCO for data subjects using a browser; or delete ID-level data stored within DSP for data subjects using apps on mobile devices.
  • Check the status of one or all existing requests.

Required Setup to Send Requests for Advertising Cloud

To make requests to access and delete data for Advertising Cloud, you'll need to:
  1. Deploy a JavaScript library to retrieve and remove your data subject cookies. The same library, AdobePrivacy.js, is used for all Adobe Experience Cloud solutions.
    Requests to some Adobe Experience Cloud solutions don't require the JavaScript library, but requests to Advertising Cloud require it.
    You should deploy the library on the web page from which your data subject s can submit access and delete requests, such as your company's privacy portal. The library helps you retrieve Adobe cookies (namespace ID: gsurferID) so that you can submit these identities as part of access and delete requests via the Adobe Experience Platform Privacy Service API.
    When the data subject asks to delete personal data, the library also deletes the data subject's cookie from the data subject's browser.
    Deleting personal data is different than Opt-Out, which stops the targeting of an end user with audience segments. However, when a data subject asks to delete personal data from Creative, DSP, or DCO, the library also sends a request to Advertising Cloud to opt out the data subject from segment targeting. For advertisers with Search, we recommend that you provide the data subjects a link to https://www.adobe.com/privacy/opt-out.html , which explains how to opt out of audience segment targeting.
  2. Identify your IMS Org ID and make sure it is linked to your Advertising Cloud accounts.
    An IMS Org ID is a 24-character alphanumeric string appended with @AdobeOrg. Most Adobe Experience Cloud customers have been assigned an IMS Org ID. If your marketing team or internal Adobe system administrator doesn't know your organization's IMS Org ID, or isn't sure if it's been provisioned, contact Adobe Customer Care at gdprsupport@adobe.com . You'll need the IMS Org ID to submit requests to the Privacy API.
    Contact your company’s Advertising Cloud representative to confirm that all of your organization's Advertising Cloud accounts — including DSP accounts or advertisers, Search accounts, and Creative or DCO accounts — are linked to your IMS Org ID.
  3. Use either the Adobe Experience Platform Privacy Service API (for automated requests) or the Privacy Service UI (for ad-hoc requests) to submit access and delete requests to Advertising Cloud on behalf of the data subjects, and to check the status of existing requests.
    For advertisers who have a mobile app to interact with data subjects and launch campaigns with the DSP, you'll need to download the Privacy-ready Mobile SDKs for Experience Cloud. The Mobile SDKs allow data controllers to set opt-out status flags, retrieve the data subject's device ID (namespace ID: deviceID), and submit requests to the Privacy Service API. Your mobile app will require an SDK Version 4.15.0 or greater.
    When you submit a data subject's access request, the Privacy Service API returns a data subject's information based on the specified cookie or device ID, which you then must return to the data subject.
    When you submit a data subject's delete request, the cookie ID or device ID and all cost, click, and revenue data associated with the cookie are deleted from the server.
    If your company has multiple Adobe Experience Cloud Identity Management Service Organization IDs (IMS Org IDs), then you must send separate API requests for each. You can, however make one API request to multiple Advertising Cloud sub-solutions (Search, Creative, DSP, and DCO), with one account per sub-solution.
All of these steps are necessary for Advertising Cloud. For more information about these and other related tasks you need to perform using the Adobe Experience Platform Privacy Service, and where to find the items you'll need, see www.adobe.io/apis/cloudplatform/gdpr.html .

Required Field Values in Advertising Cloud JSON Requests

"company context":
  • "namespace": imsOrgID
  • "value": < your IMS Org ID value >
"users":
  • "key": < usually the name of the data subject >
  • "action": either access or delete
  • "user IDs":
    • "namespace": 411 (which indicates the adcloud cookie space)
    • "value": < the actual data subject’s cookie ID value as retrieved from AdobePrivacy.js >
  • "include": adCloud (which is the Adobe product that applies to the request)
  • "regulation": gdpr (which is the privacy regulation that applies to the request)

Example of Request Submitted by Data Subject Using an Advertising Cloud User ID Retrieved from AdobePrivacy.js

{
"companyContexts":[
      {
         "namespace":"imsOrgID",
         "value":"5AB13068374019BC@AdobeOrg"
      }
   ],
   "users": [
{
 "key": "John Doe",
 "action":["access"],
  "userIDs":[
      {
         "namespace":"411",
         "value":"Wqersioejr-wdg",
         "type":"namespaceId",
         "deletedClientSide":false
      }
   ]
}
],
"include":[
      "adCloud"
   ],
    "regulation":"gdpr"
}
}

Data Fields That Are Returned for Access Requests

The following is an example of an access response for Advertising Cloud.
{
    "jobId":"12345AD43E",
    "action":"access",
    "product":"adCloud",
    "status":"complete",
    "results":{
        "userIDs":[
            {
                "namespace":"411",
                "userID":" Wqersioejr-wdg "
            }
        ],
        "receiptData":{
            "impressionCount":"100",
            "clickCount":5,
            "geo":[
                "United States of America",
                "San Francisco CA"
            ],
            "profile":[
                {
                    "pixelid":"111",
                    "ut1":"abc",
                    "ut2":"def",
                    "ut3":"ghi",
                    "ut4":"jkl",
                    "ut5":"mno"
                },
                {
                    "pixelid":"123",
                    "ut1":"abc",
                    "ut2":"def",
                    "ut3":"ghi",
                    "ut4":"jkl",
                    "ut5":"mno"
                }
            ],
            "matchingSegments":[
                {
                    "segmentName":"AP4 - Art/Culture - In-Market",
                    "segmentID":"kV1mPa2aqPNWKSNtf325",
                    "serviceProvider":"Adobe"
                },
                {
                    "segmentName":"EMEA - UK - Health Food Buyers",
                    "segmentID":"eP2oJ2UPsfsDVDhvlGewx",
                    "serviceProvider":"BlueKai"
                }
            ]
        }
    }
}