Data Privacy Requests
Overview
This document provides an overview of managing individual data privacy and opt-out requests that you can send to Audience Manager through the Privacy Service UI and the Privacy Service API.
These tools allow you to send consumer data privacy requests made under GDPR and CCPA.
Before reading this article, we recommend going through the GDPR Glossary and CCPA Glossary, to better understand the terminology used here.
You can submit individual requests to access and delete consumer data from Audience Manager, in two ways:
- Through the Privacy Service UI. See the documentation here.
- Through the Privacy Service API. See the documentation here and the API reference here.
When sending individual data privacy requests, you can submit any Audience Manager identifiers (IDs), as described in the Audience Manager Identifiers section, along with their respective namespace IDs (data source IDs).
The Privacy Service supports two types of requests: data access and data deletion requests.
Data Access Requests
You can send individual data access requests through the Privacy Service UI (documentation here or by calling the Privacy Service API (documentation here and API reference here.
The Privacy Service UI allows you to create new job requests either by using the Request Builder or by uploading a JSON file.
To see what a valid JSON file looks like, you can download a sample JSON.
We understand your commitment to honoring your data privacy requests within the time period set by the legislation.
Data Deletion Requests
You can send data deletion requests through the Privacy Service UI (documentation here or by calling the Privacy Service API (documentation here and API reference here.
The Privacy Service UI allows you to create new job requests either by using the Request Builder or by uploading a JSON file.
To see what a valid JSON file looks like, you can download a sample JSON.
Adobe understands your commitment to honoring your data privacy customer requests within 30 days. For that reason, Adobe is committed to processing your data deletion request as soon as possible.
In response to your consumer data deletion requests, Audience Manager deletes traits and segments associated with the Audience Manager identifier included in the request. Additionally, the respective Audience Manager identifiers for the individual opted out of further data collection by Audience Manager and the respective ID mappings will be removed.
When you send declared IDs, such as cross device CRM IDs or cookie IDs, in data privacy requests, Audience Manager will perform the necessary deletion on all the linked devices (up to 100 devices per declared ID).
Audience Manager will attempt to notify activation partners about deletion requests by sending them unsegment information for Data Subjects requesting deletion of certain data. However, some activation partners:
- Cannot support unsegment (or remove segment) requests from Audience Manager and/or
- Are not able to receive updates from Audience Manager with a frequency of less than 30 days. In those cases, Audience Manager customers are not able to send delete requests to activation partners in an automated way through Audience Manager.
In those cases, you are not able to send delete requests to activation partners in an automated way through Audience Manager.
Refer to our device-based destinations list documentation to see which Audience Manager activation partners support unsegment.
Opt-out Requests
Audience Manager supports industry-wide standards with regard to opt-out management. Read on for complete information on the types of opt-out supported by Audience Manager.
While data access and deletion requests are handled through the Privacy Service, opt-out requests are currently supported through the DCS API. Read on to learn what the opt-out API calls should look like.
Global Opt-out Requests
The global opt-out represents an opt-out across Audience Manager and other Adobe Experience Cloud solutions for all brands. The table below lists the methods used for global opt-out:
Your users can opt-out from data collection by all Audience Manager brands by making a call to the DCS API below and include the Audience Manager User ID:
curl -i "https://www.demdex.net/demoptout.jpg" --cookie "demdex=12345678901234567890123456789012345678;dextp=12;DST=12"
As a result, we will set demdex=NOTARGET
and dextp=NOTARGET
cookies for the submitted Audience Manager User ID.
See the opt-out and privacy settings for:
Your end users can also opt out of global data collection by visiting the websites of our industry standards partners.
Following the opt-out requests described above:
- Audience Manager will cease all data collection, segmentation or activation, as long as the user does not clear their browser cookies.
- Historical data is removed from the user profile after 120 days.
Partner Level Opt-out with Declared ID calls
The partner-level opt-out allows you to opt-out your users from data collection by specific Audience Manager partners. You can send partner-level opt-out requests for cross-device IDs, including CRM IDs and hashed email addresses.
Following a partner-level opt-out with a declared ID call:
- The CRM ID is opted out of data collection;
- The last device ID (Audience Manager Unique User ID) linked to the CRM ID is opted out of data collection.
- Audience Manager will cease all data collection, segmentation or activation going forward for the CRM ID and the last device ID linked to the CRM ID;
- Audience Manager unsegments the opted-out CRM ID and last device ID from all segments;
- Destination partners receive the unsegment request for the CRM ID and last device ID. Unsegmentation works for both real-time and batch destinations.
- No historical data is deleted.
When Audience Manager receives a partner-level opt-out request, the JSON returned by the DCS contains the error code 171, with the message “Encountered opt out tag”, instead of the Audience Manager user ID.
You can make a declared ID opt-out request with the d_cid
and d_cid_ic
key-value pairs. The legacy parameters like d_dpid
and d_dpuuid
still work, but are considered deprecated. See CID Replaces DPID and DPUUID. In the examples, italics indicates a variable placeholder.
Opt-out With CID and CID_IC
For a description and syntax, see URL Variables and Syntax for Declared IDs.
https://yourcompany.demdex.net/demoptout.jpg?d_cid=123%01987...
https://yourcompany.demdex.net/demoptout?d_cid_ic=456%01321...
d_cid
and d_cid_ic
key-value pairs.https://yourcompany.demdex.net/demoptout?d_cid=123%01987&d_cid_ic=456%01321...
Partner Level Opt-Out with Device ID calls
The partner-level opt-out allows you to opt-out your users from data collection by specific Audience Manager partners. You can opt-out from data collection on a given device ID for a brand by making the following calls to the DCS API:
uuid
).https://yourcompany.demdex.net/demoptout.jpg?d_uuid=123
mid
)https://yourcompany.demdex.net/demoptout.jpg?d_mid=123&d_orgid=IMSoRGid
Read more about uuid
, mid
and imsOrgId
in the Index of IDs in Audience Manager.
Following a partner-level opt-out with a device ID call:
- The device ID is opted out of data collection.
- Audience Manager will cease all data collection, segmentation or activation, for the partner, going forward for the device ID.
- Audience Manager unsegments the device ID from all segments;
- Destination partners receive the unsegment request for the device ID. Unsegmentation works for both real-time and batch destinations.
- No historical data is deleted.
Audience Manager Partners With Unsegmentation Capabilities
In order to help you automate your consumer data privacy requests, Audience Manager will attempt to notify activation partners about deletion requests from Data Subjects by sending them unsegment (or remove segment) information.
However, some of our activation partners:
- Cannot support unsegment requests from Audience Manager and/or
- Are not able to receive updates from Audience Manager more frequently than once in 30 days.
In those cases, you are not able to send delete requests to activation partners in an automated way through Audience Manager.
Consult the list of device-based destinations to see which Audience Manager activation partners support unsegment.
Data Correction Requests
Given that Audience Manager is not the source of the data, there is a limited role for data correction in Audience Manager. The correction could mean that the consumer has requested to either be disqualified from an incorrect trait/segment or qualified to the desired trait/segment.
Audience Manager customers can choose to capture the relevant signals/traits/segments against user profiles and send this information through offline data ingestion to Audience Manager. Please note that the user will continue to get qualified to the original trait and segments if they repeat their behavior.