Show Menu
TOPICS×

Frequently asked questions

Question Answer
How does Adobe Analytics support access and delete requests for end users (Data Subjects) validated by customers (Data Controllers)?
When GDPR takes effect, Adobe Analytics will support processing verified requests submitted by Data Controllers to the Experience Cloud GDPR API to enable a more automated process. Adobe’s GDPR API is designed to help process individual rights requests (e.g., access and delete requests) for our customers’ data stored across Adobe Experience Cloud solutions. It is flexible and scales according to the number of data access and delete requests your company receives from data subjects. Also, the GDPR API allows the customer to check the status on how the data access and delete requests are being fulfilled.
For more details see GDPR API documentation .
Who is responsible for receiving, accepting, and fulfilling GDPR requests from end users?
The Data Controller (i.e. The Adobe Customer) has the sole responsibility for providing data subjects with personal data in response to an individual rights request under GDPR. The Data Controller also has the sole responsibility for receiving requests and accepting the request - validating the data subject’s identity and then fulfilling the request, part of which may involve contacting Adobe with data subjects’ IDs that may be associated with data stored in Adobe Analytics. As the Data Processor, Adobe must provide reasonable assistance to the controller to process verified requests within an acceptable amount of time.
How will Adobe Customers (Data Controllers) find out which GDPR requests map to which IDs in Adobe Analytics for GDPR processing?
The data controllers will determine how to resolve identity for requests from the data subjects. Consider deploying Adobe's GDPR ID Retrieval Tag . Your development teams will save time by using our GDPR ID retrieval tag to capture user IDs (cookie IDs), and then using our GDPR API to send those user IDs to the relevant solutions in the Adobe Experience Cloud for GDPR request processing.
The GDPR API can support a broad range of customer IDs across multiple Adobe solutions. If a data subject submits a request along with an identifier (custom variable - prop or eVar), then Adobe Analytics will scan then entire retained history of the data collected for the given identifier. For more details about how to configure custom IDs stored in Analytics props or eVars, please refer to the Analytics documentation on [Namespaces](/help/admin/c-data-governance/gdpr-namespaces.md).
How can Adobe Analytics Data Governance assist with processing GDPR requests?
Data Governance is a new tool within Adobe Analytics that provides data controllers the ability to apply data controls and classifications across their Analytics data. This new tool empowers Adobe customers to customize the processing of their GDPR data access and data delete requests. In the Data Governance console, admins can define the desired settings that should be applied to various data columns that reside in Adobe Analytics. Once those labels are defined, Adobe will honor and process any downstream access or delete requests according to the customers’ desired label settings. It is the responsibility of the data controller to review and council with their legal representatives regarding these label settings. Adobe Analytics encourages clients to set up data labeling correctly in advance of GDPR effective date, which is May 25th, 2018 to allow customize completion of request utilizing GDPR API.
The Data Governance tool contains the following data labels:
  • Identity Data Labels : used to classify data that can identify an individual either directly or in combination with other data. (None, I1, I2)
  • Sensitive Data Labels : used to classify data as data that may be defined as sensitive under applicable law. (None, S1, S2) Note that currently the use of Sensitive Data in Adobe Analytics is generally prohibited except for precise geo-location data properly obtained under applicable law, which may be considered Sensitive Data in some jurisdictions.
  • GDPR Data Labels : used to define the fields that may contain personal identifiers for use in GDPR requests or that should be removed as part of a GDPR delete request. These labels may overlap the Identity and Sensitive Data labels, in some cases.
For more information on Data Governance labels, see GDPR Labels for Analytics Variables .
Where do I get started on getting GDPR ready with Adobe Analytics?
For a step-by-step walkthrough to get ready for GDPR, see Adobe Analytics GDPR Workflow .
How should data controllers think about consent when it comes to user engagement?
GDPR is a good opportunity to re-consider your consent management strategy and practices, including determining when consent is needed and thinking about the value proposition for the user. Consider the value proposition for consumer privacy, which can help drive conversion and loyalty.
The consent management space (e.g., tools, standards, best practices) is rapidly evolving, and is an area to watch. To minimize impact on user engagement, controllers should work with vendors in this space and with their counsel, and follow emerging EU laws and guidance on consent and cookies. Thinking about “experiential privacy” by using an on-brand, contextually relevant experience that sets out the value proposition of your data collection activities is a good strategy.
How should data controllers think about data retention when it comes to GDPR?
GDPR generally provides that personal data generally should not be retained for longer than necessary to achieve the purpose for which it was collected.
As Adobe detailed in its customer communication in February, we will apply a 25-month data retention plan to most customers unless other arrangements have been made (subject to customer notification and authorization). Customers will be required to set their data retention policy before Adobe can process GDPR request.
Adobe Analytics requires customers to set their data retention to process their GDPR requests. Each report suite’s current data retention policy is displayed in the new Data Governance Admin UI. Customers should contact their Adobe representative if they need to adjust their data retention policies. Please, refer to Adobe Analytics Data Retention FAQS .
Can a customer reduce or extend the Default Data Retention Period?
Customers can request that their data be deleted sooner than 25 months by calling customer care. Customers can extend data retention beyond 25 months by purchasing an extension.
Extensions are available in increments of 1 (one) additional year, up to a maximum of 8 (eight) additional years (10 years total). These extensions may require updated contract terms and additional fees.
What privacy considerations should a Data Controller account for when personal data is exported from Adobe Analytics?
If a customer uses Adobe Analytics Data Feeds to export data from Analytics into their enterprise data warehouse or into other systems outside of Adobe, it is the responsibility of the Customer (the Data Controller) to ensure that delete requests are applied to the data. This also applies to on-premise implementations of Adobe Data Workbench (Insight), where an ongoing Adobe Analytics data feed is populating the Data Workbench data. Adobe may provide tools to assist in finding and deleting the records from certain types of data feeds, including those used for Data Workbench, but it is still the Customer’s (Data Controller) responsibility to ensure that the data is deleted consistent with their own, internal data retention and deletion policies.
Please also consider cases where employees may have downloaded Adobe Analytics reports that contain personal data. These reports may need to be updated or deleted if a GDPR or other privacy-related delete request is received involving an ID that may be present in the report. Customers should work with your company’s legal counsel to determine retention periods, and privacy and security requirements that should be applied to these types of documents.
Some data we were not supposed to collect was accidentally sent into Adobe Analytics. Can we use the GDPR API to cleanup this data?
The GDPR API has been provided to help you fulfill GDPR requests, which are time sensitive. Using this API for other purposes is not supported by Adobe and may impact Adobe’s ability to provide timely turn-around of high priority, user-initiated GDPR requests for other Adobe customers. We ask that you do not use the GDPR API for other purposes such as clearing out data that was accidentally submitted across large groups of visitors.
You should also be aware that any visitor who has a hit deleted (updated or anonymized) as a result of a GDPR deletion request will have their state information reset. The next time the visitor returns to your website, they will be a new visitor. All eVar attribution will start again, as will information such as visit numbers, referrers, first page visited, etc. This side effect is undesirable for situations where you want to clear out data fields, and highlights one reason why the GDPR API is inappropriate for this use.
Please contact your Account Manager (CSM) to coordinate with our Engineering Architect consulting team to further review & provide level of effort to remove any PII or data issues.
Our legal team has determined that values we have been collecting in a variable for years, no longer comply with our updated privacy policy. Can we use the GDPR API to clear out all values from this variable?
The GDPR API has been provided to help you fulfill GDPR requests, which are time sensitive. Using this API for other purposes is not supported by Adobe and may impact Adobe’s ability to provide timely turn-around of high priority, user-initiated GDPR requests for other Adobe customers. We ask that you do not use the GDPR API for other purposes such as clearing out data that was accidentally submitted across large groups of visitors.
You should also be aware that any visitor who has a hit deleted (updated or anonymized) as a result of a GDPR deletion request will have their state information reset. The next time the visitor returns to your website, they will be a new visitor. All eVar attribution will start again, as will information such as visit numbers, referrers, first page visited, etc. This side effect is undesirable for situations where you want to clear out data fields, and highlights one reason why the GDPR API is inappropriate for this use.
Please contact your Account Manager (CSM) to coordinate with our Engineering Architect consulting team to further review & provide level of effort to remove any PII or data issues.
Additional GDPR Resources: