Adobe Experience Platform Privacy Service overview
In order to deliver better customer experiences, you need to collect and store your customers' personal data. When using this data, it is important to understand and respect your customers' privacy. New legal and organizational regulations are giving users the right to access or delete their personal data from your data stores upon request.
Adobe Experience Platform Privacy Service was developed in response to a fundamental shift in how businesses are required to manage the personal data of their customers. The central purpose of Privacy Service is to automate compliance with data privacy regulations which, when violated, can result in major fines and disrupt data operations for your business.
Privacy Service provides a RESTful API and user interface to help you manage customer data requests. With Privacy Service, you can submit requests to access and delete personal customer data from Adobe Experience Cloud applications, facilitating automated compliance with legal and organizational privacy regulations.
Getting started with Privacy Service
In order to make use of Privacy Service, several key decisions need to be made in terms of your organization's privacy requirements, the kinds of identity data you collect from your customers, and the best way to interface your CRM system with the service.
These decisions can be summarized through the following questions:
- What information am I gathering from my customers?
  - To make the best use of Privacy Service, you must have a detailed understanding of the types of data you collect from your customers, and which of it is subject to privacy regulations. See the section on determining privacy requirements for more information.
- Have I correctly labeled my data?
  - Data must be properly labeled in order for the service to determine which fields to access or delete during privacy jobs. See the section on labelling data for more information.
- Do I know which IDs to send to Privacy Service?
- How am I tracking my privacy jobs?
  - Once you have made privacy requests, there are several options for tracking their status and results. See the section on monitoring privacy jobs for more information.
The sections below provide general guidance on these important prerequisite steps, and also provide links to further Privacy Service documentation for more details.
Determine your organization's privacy requirements
Depending on the nature of your business and the jurisdictions it operates under, your data operations may be subject to legal privacy regulations. These regulations often give your customers the right to request access to the data you collect from them, and the right to request the deletion of that stored data. These customer requests for their personal data are referred to as "privacy requests" throughout the documentation.
The following table outlines the legal privacy regulations that Privacy Service manages requests for, including links to documentation for more information:
The California Consumer Privacy Act (CCPA) enhances privacy rights and consumer protection for residents of California, United States. The CCPA provides new data privacy rights to California residents, including the right to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and the right to opt out of having their data sold to third parties.
GDPR (European Union)
The General Data Protection Regulation (GDPR) introduced several new data privacy rights for members of the European Union, including the Right to Access and the Right to be Forgotten. This means that any EU citizen whose personal data has been collected by your business can request to access or delete their data at any time.
The Lei Geral de Proteção de Dados (LGPD) aims to regulate the treatment of personal data of all individuals or natural persons in Brazil. The LGPD gives Brazilian citizens the rights to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and the right to opt out of having their data sold to third parties.
The Personal Data Protection Act of Thailand (PDPA) was introduced to safeguard Thai data owners from the illegal collection, use, or disclosure of their personal data. Inspired by the European Union's GDPR, the regulation grants Thai citizens the right to request access to, or the deletion of, their stored personal data.
If your data operations fall under the purview of any of the above regulations, review their documentation for important information such as the specific privacy rights they afford your customers, and compliance windows for honoring privacy requests. This information should be taken into account when determining how to integrate Privacy Service into your CRM system, and how customers should interact with your website in order to make privacy requests.
In addition to legal regulations, any organizational or industry standards applicable to your organization should also be considered when making these decisions.
Label data for privacy requests
Depending on the Experience Cloud applications that you are using, you must label the specific data fields that should be accessed or deleted in response to privacy requests. The process for labelling data varies between applications. To learn how to label data for each supported Adobe application, see the document on Experience Cloud applications.
Determine the types of identity data to send to Privacy Service
In order for Privacy Service to process a privacy request from a customer, at least one unique identity value for that customer must be provided in the request itself. A unique identity value is any piece of information that can be used to identify an individual person and their stored personal data within your Experience Cloud data stores. Privacy Service uses this identity information to locate and process the customer's personal data according to the nature of the request (access, delete, or opt-out).
Depending on the Experience Cloud applications your CRM system utilizes, the type and number of identity values you must provide for each customer will vary. Some applications utilize their own internal customer ID values (such as Adobe Target IDs), while other solutions rely on global identifiers from Adobe Experience Cloud Identity Service (ECID) which track customer activity across all Experience Cloud applications. In addition, generic personal information like an email address or phone number can also serve as valid identity data.
The document on identity data for privacy requests provides more detailed information on the types of identity information that are accepted for Privacy Service. The document also provides guidance on how to leverage Adobe technologies to effectively retrieve the appropriate identity information from your customers as they interact with your website, and send that data to Privacy Service in API requests.
Start making privacy requests
Once you have determined your business' privacy needs, and decided which identity values to send to Privacy Service, you can start making privacy requests. Privacy Service allows you to send privacy requests through either the API or the UI.
The sections below provide links to documentation that cover how to make generic privacy requests in the API or UI. However, depending on the Experience Cloud applications you are using, the fields you must send in the request payload may be different from the examples shown in these guides.
As you follow along with the API or UI guides, please refer to the document on Privacy Service and Experience Cloud applications for further documentation on how to format privacy requests for your particular Experience Cloud application(s).
Using the API
The Privacy Service API provides several endpoints for creating and managing privacy jobs using RESTful API calls, allowing you to programmatically approach privacy regulation compliance for your Experience Cloud applications. For detailed steps on how to use the API, see the Privacy Service API developer guide.
Using the UI
The Privacy Service UI currently only supports access and delete requests. All opt-out requests must be made through the API instead.
The Privacy Service UI allows you to create and monitor privacy jobs using a graphical interface. The UI includes a Status Report widget that provides a visual representation of the status of all active requests, and allows you to create new requests by using the built-in Request Builder or by uploading JSON files. For more information on using the UI, see the Privacy Service user guide.
Monitor privacy jobs
Once you have created privacy jobs, you have several options for monitoring their status and results:
Privacy Service UI
The Privacy Service UI provides a monitoring dashboard that allows you to view a visual representation of the status of all active requests. See the Privacy Service user guide for more information.
Privacy Service API
You can programmatically monitor the status of Privacy jobs by using the lookup endpoints provided by the Privacy Service API. See the Privacy Service developer guide for detailed steps on how to use the API.
Privacy Events leverage Adobe I/O Events sent to a configured webhook in order to facilitate efficient job request automation. They reduce or eliminate the need to poll the Privacy Service API in order to check if a job is complete or if a certain milestone within a workflow has been reached. See the tutorial on subscribing to Privacy Events for more information.
This document provided a high-level overview of Privacy Service and the major steps required to start using the service's capabilities. Please refer to the documentation linked to throughout the overview for more in-depth information about the various aspects of working with Privacy Service.