Privacy and data protection regulations
Information about the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other international privacy requirements. Learn how these regulations impact your organization and Adobe Target.
Privacy and General Data Protection Regulation (GDPR) overview
On May 25, 2018, the European Union’s GDPR went into effect. For more information about what this regulation means for you, see GDPR and Your Business.
When Adobe is providing software and services to an enterprise, Adobe is acting as a Data Processor for any personal data it processes and stores as part of providing these services. As a Data Processor, Adobe processes personal data in accordance with your company’s permission and instructions (for example, as set out in your agreement with Adobe).
As the Data Controller, you determine the personal data that Adobe processes and stores on your behalf. If you use Adobe Experience Cloud solutions, Adobe might host personal data for you, depending on the solutions you use and the information you choose to send to your Adobe Experience Cloud account. For a detailed list of examples, see Adobe Experience Cloud Privacy.
Adobe Experience Cloud provides GDPR-ready APIs for Data Controllers that allow them to complete the following tasks:
- Access Data Subject information stored within Target
- Delete Data Subject information stored within Target
For more information, see:
California Consumer Privacy Act (CCPA) overview
The California Consumer Privacy Act (CCPA) provides California consumers with new rights regarding their personal information and imposes data protection responsibilities on certain entities that conduct business in California. The CCPA went into effect January 1, 2020.
At a high level, the law affords Californians several key rights, including rights to:
- Request information (data access)
- Opt out of the sale of personal information (a broadly defined right to opt out of sharing of information with third parties)
- Have personal information deleted
- Be informed that personal information is being disclosed or sold
If you were busy getting ready for Europe’s privacy law (GDPR) last year, some of these rights might be familiar and much of the work you have done can be repurposed.
Adobe Target and Adobe Experience Platform opt-in
Target provides opt-in functionality support via tags in Adobe Experience Platform to help support your consent management strategy. Opt-in functionality lets customers control how and when the Target tag is fired. There is also an option via Adobe Experience Platform to pre-approve the Target tag. To enable the ability to use Opt-In in the Target at.js library, you should use targetGlobalSettings and add the optinEnabled=true setting. In Adobe Experience Platform, select “enable” from the GDPR Opt-In drop-down list in the extension installation view. See Implement Target using Adobe Experience Platform for more details.
The following code snippet shows you how to enable the optinEnabled=true setting:
window.targetGlobalSettings = {
optinEnabled: true
};
Using Adobe Experience Platform to manage opt-in is the recommended approach. Further granular control exists in Adobe Experience Platform to hide selected elements of your page before Target firing that are helpful to use as part of your consent strategy.
There are three scenarios to consider when using Opt-In:
- The Target tag is pre-approved via Adobe Experience Platform (or the data subject previously approved Target): The Target tag is not held for consent and functions as expected.
- The Target tag is NOT pre-approved and bodyHidingEnabled is FALSE: The Target tag fires only after consent is collected from the customer. Before consent is collected, default content only is available. After consent is received, Target is called and personalized content is available to the data subject (visitor). Because only default content is available before consent, it is important to use an appropriate strategy, such as a splash page that covers any portion of the page or content that might be personalized. This process ensures that the experience remains consistent for the data subject (visitor).
- The Target tag is NOT pre-approved and bodyHidingEnabled is TRUE: The Target tag fires only after consent is collected from the customer. Before consent is collected, default content only is available. However, because bodyHidingEnabled is set to true, bodyHiddenStyle dictates what content on the page is hidden until the Target tag is fired (or the data subject declines opt-in, in which case default content is displayed). By default, bodyHiddenStyle is set to body { opacity:0;}, which hides the HTML body tag. Adobe’s recommended page configuration, shown below, hides the entire body of the page other than the consent manager dialog by putting the content of the page in one container and the consent manager dialog in a separate container. This setup configures Target so that it hides the page content container only. See the Privacy Service overview.
The recommended page setup for scenario 3 is:
<html>
  <head>
    <!-- visitor, at.js -->
  </head>
  <body>
    <div id="consentManagerDialog">
      <!-- consent manager html dialog goes here -->
    </div>
    <div id="pageContent">
      <!-- page content goes here -->
    </div>
  </body>
</html>
Assuming the bodyHiddenStyle of:
#pageContent { opacity:0;}
Privacy and data protection regulations FAQ
Frequently Asked Questions about the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other international privacy requirements specific to Target.
What is the Adobe policy for these regulations?
Adobe either already meets or is implementing its obligations as a Data Processor. Adobe has a strong foundation of certified security and privacy controls by design and made product enhancements before the May 2018 deadline. Enterprise customers have the responsibility to implement these enhancements and update any necessary policies and procedures.
Must my company, the Data Controller, submit a GDPR or CCPA request to each Adobe Experience Cloud solution that it uses?
No, Adobe provides a central way to help Data Controllers meet their GDPR and CCPA requirements. Data Controllers do not need to go directly to each solution.
All GDPR and CCPA requests across Experience Cloud solutions, including Target, are through a central Adobe API, currently called the GDPR API. The API then completes the request across the Data Controller’s Experience Cloud solution suite.
What information does Adobe enable customers to delete in response to a data subject/user request?
The information related to an individual visitor within Target is contained within the Target Visitor Profile. Target lets customers delete all data associated with an ID in their Visitor Profile. For examples of the profile data Target stores, see Visitor Profile.
Aggregated or anonymized data (for example, reporting data) that does not identify a particular individual, or data that is unrelated to a specific individual (for example, content data), is outside the scope of a user-deletion request.
Target Visitor Profiles that have been inactive for 90 days are deleted by default, without any action required.
What IDs are supported to help customers complete a GDPR or CCPA access and deletion request for Target?
Target supports the following ID types to locate a customer profile:
How does Target handle consent management?
GDPR and CCPA do not change when you must get consent, but how you get it. Each customer’s consent strategy depends on its data collection and use practices and its privacy policy. Consent management isn’t supported by and shouldn’t be achieved via Target for GDPR and CCPA.
Adobe does not currently offer a Consent Management Solution, but there are various tools developing in the market to address some of the new requirements. For more information on privacy tools in general, including consent managers, see the 2017 Privacy Tech Vendor Report on the International Association of Privacy Professionals (IAPP) website.
Target does provide opt-in functionality support via Adobe Experience Platform to support your consent management strategy. Opt-in functionality lets customers control how and when the Target tag is fired. There is also an option via Adobe Experience Platform to pre-approve the Target tag. Using Adobe Experience Platform to manage opt-in is the recommended approach. Further granular control exists in Adobe Experience Platform to hide select elements of your page before the Target firing that might be helpful to use as part of your consent strategy.
For more information on GDPR, CCPA, and Adobe Experience Platform, see The Adobe Privacy JavaScript Library and GDPR. Also, see the Adobe Target and Adobe Experience Platform opt-in section above.
Does AdobePrivacy.js submit information to the GDPR API?
AdobePrivacy.js does not submit this information to the API. The customer must do that. This library provides only the IDs that are stored in the browser for that specific visitor.
What does removeIdentities remove?
removeIdentities only removes those identities from the browser, and that only depends on whether the Adobe solution has implemented it.
For example, Target deletes the cookies storing its IDs, but Adobe Audience Manager (AAM) does not delete the demdex ID that is stored in a third-party cookie.
What information must be included in a Target GDPR or CCPA request?
In addition to the requirements from Central Privacy Service, a valid GDPR or CCPA message for Target contains:
{
"jobId":"12345AD43E",
...
"products":["Target",...],
"companyContexts":[
{
"namespace":"imsOrgID",
"value":"123456789@AdobeOrg"
},
...
],
"userContexts":[
{
"namespace":"ECID",
"namespaceId":4,
"type":"standard",
"value":"53792210477379708453829363835595041181"
}
And/OR:
{
"namespace":"TNTID",
"namespaceId":9,
"type":"standard",
"value":"1234567890"
}
And/OR:
{
"namespace":"THIRDPARTYID",
"type":"target",
"value":"thirdPartyIdName"
},
...
]
}
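A pre-flight check for the Target-specific parts of the message above, run before a request is submitted. This is an added example, not Adobe code: the function name, the result shape, and case-insensitive namespace matching are assumptions, and the sample request is constructed.

```javascript
// Added example (not Adobe code): checkTargetRequest and TARGET_NAMESPACES are
// hypothetical names; the namespace table mirrors the sample message above.
const TARGET_NAMESPACES = new Map([
  ["ECID", { namespaceId: 4, type: "standard" }],
  ["TNTID", { namespaceId: 9, type: "standard" }],
  ["THIRDPARTYID", { type: "target" }],
]);

function checkTargetRequest(msg) {
  // skipped = identifiers Target cannot use to locate a profile
  const errors = [], skipped = [], usable = [];
  if (!Array.isArray(msg.products) || !msg.products.includes("Target")) {
    errors.push('products does not include "Target"');
  }
  const org = (msg.companyContexts || []).find((c) => c.namespace === "imsOrgID");
  if (!org || !/^[^@\s]+@AdobeOrg$/.test(String(org.value))) {
    errors.push("companyContexts lacks an imsOrgID of the form <id>@AdobeOrg");
  }
  (msg.userContexts || []).forEach((ctx, i) => {
    // Assumption: namespace names are matched case-insensitively.
    const name = String(ctx.namespace).toUpperCase();
    const spec = TARGET_NAMESPACES.get(name);
    if (!spec) return skipped.push(`userContexts[${i}] ${ctx.namespace}`);
    if (ctx.type !== spec.type) {
      return errors.push(`userContexts[${i}] ${name}: type must be "${spec.type}"`);
    }
    if ("namespaceId" in spec && ctx.namespaceId !== spec.namespaceId) {
      return errors.push(`userContexts[${i}] ${name}: namespaceId must be ${spec.namespaceId}`);
    }
    if (typeof ctx.value !== "string" || ctx.value.trim() === "") {
      return errors.push(`userContexts[${i}] ${name}: value is empty`);
    }
    usable.push(name);
  });
  if (usable.length === 0) errors.push("no identifier Target can match to a profile");
  return { ok: errors.length === 0, errors, skipped, usable };
}

// Constructed sample: one usable ECID, one non-Target namespace, one bad TNTID.
const sampleRequest = {
  products: ["Target"],
  companyContexts: [{ namespace: "imsOrgID", value: "123456789@AdobeOrg" }],
  userContexts: [
    { namespace: "ECID", namespaceId: 4, type: "standard", value: "53792210477379708453829363835595041181" },
    { namespace: "email", type: "standard", value: "user@example.com" },
    { namespace: "TNTID", namespaceId: 7, type: "standard", value: "1234567890" },
  ],
};
console.log(checkTargetRequest(sampleRequest));
```

Entries in skipped are not errors for a multi-product request; they only show which identifiers Target will not use.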
What types of responses can I expect from Target via the GDPR API?
Some companies have multiple IMS IDs. Submit the IMS ID where Target is provisioned.
This result also returns if you attempt to submit a namespace ID type that is not supported by Target (see above for supported IDs).
Error while uploading to Azure for access request.
What response does Target send to the GDPR API for an access request?
Responses to access data requests contain a summary of the Target profile for the visitor in question. This return is sent to the Experience Cloud GDPR API, which in turn sends Data Controllers a response.
A sample Target access API response could look like this:
{
"jobId":"12345AD43E",
...
"products":["Target",...],
"companyContexts":[
{
"namespace":"imsOrgID",
"value":"123456789@AdobeOrg"
},
...
],
"userContexts":[
{
"namespace":"ECID",
"namespaceId":4,
"type":"standard",
"value":"53792210477379708453829363835595041181"
}
And/OR:
{
"namespace":"tntId",
"namespaceId":9,
"type":"standard",
"value":"1234567890"
}
And/OR:
{
"namespace":"thirdPartyId",
"type":"target",
"value":"thirdPartyIdName"
},
...
]
}
When multiple values are provided to identify profiles, each valid identifier has one profile file. One or more profile files are sent to the central GDPR Azure Blob through the GDPR Central API, in the format of Target Profile JSON response.
A sample Target Profile JSON could look like the following example:
{"profileAttributes": {
"Sample_Parameter":{"value":"Gold Loyalty Status","modifiedAt":"2018-04-11T21:44:14.000-04:00"},
"user.ReturnTimeOfDay":{"value":"44.0","modifiedAt":"2018-04-11T21:44:14.000-04:00"},
"firstSessionStart":{"value":"1523497450602","modifiedAt":"2018-04-11T21:44:10.000-04:00"},
"user.sessionCountScript":{"value":"1","modifiedAt":"2018-04-11T21:44:14.000-04:00"}
}
}
The following table contains descriptions of the illustrative profile JSON fields:
Does Target support IP obfuscation?
Target supports IP obfuscation if you choose to use it as part of your GDPR or CCPA implementation strategy. For more information, see Privacy.
Should I do something to prevent my data from being shared or sold to third parties?
Target does not allow customers to share or sell data directly from Target to third parties, so there is no opt-out of sale for Target.