Hi,
I am using Adobe Analytics and I have questions about compliancy with GDPR guidelines.
We now need users to consent before we can track any of their activity on our websites with AA. For that reason we currently prevent the entire library to fire if the user opts out for Adobe or makes no choice.
We are losing most bouncers I guess + all optout visitors. Reporting wise, it is a nightmare and that is why I’m investigating to see if we can fulfill exemption criteria for audience measurement tools described by the CNIL.
My problem is I don’t understand what technical solution Adobe offers for that.
I saw a webinar from Adobe French teams on the matter and they said that there are 3 of id/infos we need to anonymize :
But it is still unclear to me what they suggest on a technical perspective, especially for client ID (which I assumed is visitor id?).
My understanding is that prior and explicit consent must be obtained before any activation of cookies, apart from whitelisted & necessary cookies. I don’t think Adobe falls into that category, so I don’t see why I would be allowed to drop visitor id cookies (s_fid and s_vi). But I don't think data collect can work without them.
The solution presented during the webinar seemed to suggest maintaining collect of these ID, but restrict access to it. My understanding is that to be exempted from consent for AA we should not be dropping these visitor cookies at all if a user refuses AA tracking, and not simply anonymize visitor IDs while collecting them.
Am I getting it right ?
Am I bound to do block AA library for optout / no choice users or do I have other options ?
Thanks
Solved! Go to Solution.
Topics help categorize Community content and increase your ability to discover relevant content.
Views
Replies
Total Likes
I don't know what that presentation from the Adobe French team was, but I think Client ID refers to a user ID that you obtain from a customer database, hence the "CRM ID" name too. So that is different from Adobe's visitor ID.
It can be argued that Adobe's visitor IDs can be tied back to an individual. In that case, it might be required to obtain consent before you can track your users to AA.
I don't know what that presentation from the Adobe French team was, but I think Client ID refers to a user ID that you obtain from a customer database, hence the "CRM ID" name too. So that is different from Adobe's visitor ID.
It can be argued that Adobe's visitor IDs can be tied back to an individual. In that case, it might be required to obtain consent before you can track your users to AA.
I don't think I can post an image but here is the video : https://www.youtube.com/watch?v=ZXZCWjXnWOg
At 12:39 they present a diagram for AA with target consent exemption. Translation would be something like :
1) Visitors
2) Landing on website, AA is active and collects limited data (following CNIL guidelines, said orally)
3) Users is asked for consent
4) a) User refuses or does nothing : AA continues to collect only limited data
4) b) User accepts : AA collects data as usual.
Based on what they said I'm not 100% sure they would refer to CRM ID and not mention visitor ID.
As said above I’m currently not launching AA when a user refuses /does nothing because I don’t see how limited data collection can be achieve while complying with CNIL guidelines. But I would be very interested to know how I could do that since they display this option.
Views
Replies
Total Likes
I wonder what they mean by "limited data".
Nonetheless, if you use any of Adobe's built-in methods of visitor identification, e.g. Experience Cloud ID Service, then I think you'll need to ask for consent first, because Adobe's method uses a mathematical method that ensures the same user at the same website gets the same ID all of the time. It could be that, under the "limited data", you set your own visitor ID that doesn't persist across visits.
Whatever it is, please don't take my word as the final recommendation. Seek legal advice.
Views
Replies
Total Likes
Views
Replies
Total Likes
I guess you could bypass ECID and define vid(visitor ID) with the below considerations:
#1 Bypassing ECID visitor identification has no dependency on other Adobe products
#2 you may come up own vid as fall back option upon detecting that user didn't opt-in; tricky as you could end up on 2 strategies.
#3 the vid persists but NOT beyond the session; thus implications on your UV metric
#4 your local regulatory accepts session ID for 3rd party data collection although implemented as FPC/same domain(1st party), and would be used ONLY for sessionization and nothing else
# At last, review #2 & #3 once again
Also do note the below, but maybe worth a tradeoff rather capturing nothing
- As one clears their cache within a session
- Opens a different browser; unique visitor is counted per browser.
- incognito browsing session
Views
Replies
Total Likes
Views
Replies
Total Likes
From what I know, consent is needed before analytics tracking can be implemented (i.e. First-Party analytics). This means that in your privacy policy, make sure to work with your legal team to have a good and clear statement around the CRM ID tracking and tie-up thing you are doing. I suggest that you work with your legal team to determine what's the best thing to do to comply. When it comes to data privacy, technologists usually just get guidance from the legal experts on what is best to do
Pls. also check if you guys are allowed to collect IP addresses. I believe those should be obfuscated in some territories
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies