Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn More

View all

Sign in to view all badges

Adobe library, visitor ID (s_fid and s_vi cookies) and GDPR

Avatar

Avatar
Level 1
MFADLP
Level 1

Likes

0 likes

Total Posts

3 posts

Correct Reply

0 solutions
View profile

Avatar
Level 1
MFADLP
Level 1

Likes

0 likes

Total Posts

3 posts

Correct Reply

0 solutions
View profile
MFADLP
Level 1

29-04-2021

Hi,

 

I am using Adobe Analytics and I have questions about compliancy with GDPR guidelines.

We now need users to consent before we can track any of their activity on our websites with AA. For that reason we currently prevent the entire library to fire if the user opts out for Adobe or makes no choice.

We are losing most bouncers I guess + all optout visitors. Reporting wise, it is a nightmare and that is why I’m investigating to see if we can fulfill exemption criteria for audience measurement tools described by the CNIL.

My problem is I don’t understand what technical solution Adobe offers for that.

 

I saw a webinar from Adobe French teams on the matter and they said that there are 3 of id/infos we need to anonymize :

  1. Client ID (also referred to as CRM ID I believe)
  2. Purchase ID
  3. IP address

But it is still unclear to me what they suggest on a technical perspective, especially for client ID (which I assumed is visitor id?).

 

My understanding is that prior and explicit consent must be obtained before any activation of cookies, apart from whitelisted & necessary cookies. I don’t think Adobe falls into that category, so I don’t see why I would be allowed to drop visitor id cookies (s_fid and s_vi). But I don't think data collect can work without them.

The solution presented during the webinar seemed to suggest maintaining collect of these ID, but restrict access to it. My understanding is that to be exempted from consent for AA we should not be dropping these visitor cookies at all if a user refuses AA tracking, and not simply anonymize visitor IDs while collecting them.

 

Am I getting it right ?

Am I bound to do block AA library for optout / no choice users or do I have other options ?

 

Thanks

Adobe Analytics GDPR Visitor ID
View Entire Topic

Avatar

Avatar
Springboard
MVP
yuhuisg
MVP

Likes

146 likes

Total Posts

476 posts

Correct Reply

90 solutions
Top badges earned
Springboard
Bedrock
Validate 1
Establish
Contributor
View profile

Avatar
Springboard
MVP
yuhuisg
MVP

Likes

146 likes

Total Posts

476 posts

Correct Reply

90 solutions
Top badges earned
Springboard
Bedrock
Validate 1
Establish
Contributor
View profile
yuhuisg
MVP

29-04-2021

I don't know what that presentation from the Adobe French team was, but I think Client ID refers to a user ID that you obtain from a customer database, hence the "CRM ID" name too. So that is different from Adobe's visitor ID.

It can be argued that Adobe's visitor IDs can be tied back to an individual. In that case, it might be required to obtain consent before you can track your users to AA.

MFADLP

I don't think I can post an image but here is the video : https://www.youtube.com/watch?v=ZXZCWjXnWOg

At 12:39 they present a diagram for AA with target consent exemption. Translation would be something like :

1) Visitors

2) Landing on website, AA is active and collects limited data (following CNIL guidelines, said orally)

3) Users is asked for consent

4) a) User refuses or does nothing : AA continues to collect only limited data

4) b) User accepts : AA collects data as usual.

 

Based on what they said I'm not 100% sure they would refer to CRM ID and not mention visitor ID.

As said above I’m currently not launching AA when a user refuses /does nothing because I don’t see how limited data collection can be achieve while complying with CNIL guidelines. But I would be very interested to know how I could do that since they display this option.

yuhuisg

I wonder what they mean by "limited data".

Nonetheless, if you use any of Adobe's built-in methods of visitor identification, e.g. Experience Cloud ID Service, then I think you'll need to ask for consent first, because Adobe's method uses a mathematical method that ensures the same user at the same website gets the same ID all of the time. It could be that, under the "limited data", you set your own visitor ID that doesn't persist across visits.

Whatever it is, please don't take my word as the final recommendation. Seek legal advice.

MFADLP
Sure, I’m already blocking AA without consent anyway 🙂 I’ve tried to manually override the visitor ID to see if I could input a default value for instance, but AA rewrites it most of the time unless there is a specific length and format (I did not find a way in AA interface to manage visitor id myself). I wonder too what they meant by that. I’ve also seen in the same webinar that AA submitted to the CNIL program to be sort of “approved”, hopefully it will become clearer after that…
yuhuisg
If you want to use your own visitor ID, you'll need to set the s.visitorId variable. See https://experienceleague.adobe.com/docs/analytics/components/metrics/unique-visitors.html?lang=en#ho..., which describes the various ways to identify a user, one of which is using this "visitorId" variable. Setting that should cause AA to use that as the visitor ID, even if ECID is present.