PII Data from AEP to Target

Question

I am in the process of connecting Adobe Target with AEP. When I select the audience, AEP asks me to select the profile attribute as well. My doubt is if I select First Name, Email, Adress XDM fields and these fields are PII fields, will the data be stored in Target somewhere or visible to Target users. Is it safe to map these attributes.

I am asking this double with respect to security of PII data. Because, if I have to personalize the webpage, I would require PII data, but I am not sure if sending this data from AEP to Adobe target along with audience is safe ?

Gokul_Agiwal · Accepted Answer

Hi ​@sdsYes — if you send PII fields (First Name, Email, Address, etc.) from AEP to Adobe Target, Target will store them, ( as per the profile lifetime) and they will be visible to Target users who have access to profile attributes.As its strongly recommends NOT sending PII to Adobe Target unless absolutely required — and in most cases, you should avoid it.Here is the quick read -https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-14022Further you can check your data governance policy and make sure follow the right compliance under GDPR and CCPA.Please check once your use case and see if you can use alternatives like instead of sending raw PII data, send non PII Personalization attributes.AEP enables personalized targeting using the behavioral and identity data managed within the platform.Thanks,

santoshkr · Answer

Hi ​@sdsWhen you share AEP Segments and Attributes with Adobe Target, there are two separate layers of security to consider:1. Data Storage (Server-to-Server)When you map XDM fields like 'First Name' or 'Email' to Adobe Target, that data is stored in theTarget Unified Profile.Is it stored?Yes, but it is tied to the Edge profile and is not 'visible' to Adobe Target users in the UI as a list. Target users can only see thenameof the attribute (e.g.,profile.firstName), not the actual values of your customers.Security:Adobe Target is PCI and SOC2 compliant. However, if your company has a strict policy against storing PII outside of your primary CDP (AEP), you should avoid mapping 'Email' or 'Full Address' unless absolutely necessary for personalization.2. Data Exposure (The 'Client-Side' Risk)This is the most important part: If you use a mapped PII attribute to personalize a webpage (e.g., 'Hello, {profile.firstName}'), that datawill be visible in the browser’s network response.The Risk:Anyone who knows how to open the 'Inspect' tool in a browser can see the Target trace or the network call containing that PII.Best Practice:Never send highly sensitive PII (like SSN, passwords, or full credit card numbers) to Target. Only send 'Experience-based' PII like First Name or Loyalty Tier.3. The Workaround: Hashed IDsIf you are worried about security but still need to target specific users:Instead of sending a rawEmail, send aHashed Email (SHA256). This allows you to match users across systems without ever exposing the actual PII in the browser.Summary:It is 'safe' from a platform security standpoint, but from aPrivacy/Compliancestandpoint, you should only map the minimum amount of data required to create the experience. If you don't need 'Email' to change a banner, don't map it!Thanks,Santosh Kumar

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded