Expand my Community achievements bar.

SOLVED

Adobe library, visitor ID (s_fid and s_vi cookies) and GDPR

Avatar

Level 1

Hi,

 

I am using Adobe Analytics and I have questions about compliancy with GDPR guidelines.

We now need users to consent before we can track any of their activity on our websites with AA. For that reason we currently prevent the entire library to fire if the user opts out for Adobe or makes no choice.

We are losing most bouncers I guess + all optout visitors. Reporting wise, it is a nightmare and that is why I’m investigating to see if we can fulfill exemption criteria for audience measurement tools described by the CNIL.

My problem is I don’t understand what technical solution Adobe offers for that.

 

I saw a webinar from Adobe French teams on the matter and they said that there are 3 of id/infos we need to anonymize :

  1. Client ID (also referred to as CRM ID I believe)
  2. Purchase ID
  3. IP address

But it is still unclear to me what they suggest on a technical perspective, especially for client ID (which I assumed is visitor id?).

 

My understanding is that prior and explicit consent must be obtained before any activation of cookies, apart from whitelisted & necessary cookies. I don’t think Adobe falls into that category, so I don’t see why I would be allowed to drop visitor id cookies (s_fid and s_vi). But I don't think data collect can work without them.

The solution presented during the webinar seemed to suggest maintaining collect of these ID, but restrict access to it. My understanding is that to be exempted from consent for AA we should not be dropping these visitor cookies at all if a user refuses AA tracking, and not simply anonymize visitor IDs while collecting them.

 

Am I getting it right ?

Am I bound to do block AA library for optout / no choice users or do I have other options ?

 

Thanks

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

I don't know what that presentation from the Adobe French team was, but I think Client ID refers to a user ID that you obtain from a customer database, hence the "CRM ID" name too. So that is different from Adobe's visitor ID.

It can be argued that Adobe's visitor IDs can be tied back to an individual. In that case, it might be required to obtain consent before you can track your users to AA.

View solution in original post

8 Replies

Avatar

Correct answer by
Community Advisor

I don't know what that presentation from the Adobe French team was, but I think Client ID refers to a user ID that you obtain from a customer database, hence the "CRM ID" name too. So that is different from Adobe's visitor ID.

It can be argued that Adobe's visitor IDs can be tied back to an individual. In that case, it might be required to obtain consent before you can track your users to AA.

Avatar

Level 1

I don't think I can post an image but here is the video : https://www.youtube.com/watch?v=ZXZCWjXnWOg

At 12:39 they present a diagram for AA with target consent exemption. Translation would be something like :

1) Visitors

2) Landing on website, AA is active and collects limited data (following CNIL guidelines, said orally)

3) Users is asked for consent

4) a) User refuses or does nothing : AA continues to collect only limited data

4) b) User accepts : AA collects data as usual.

 

Based on what they said I'm not 100% sure they would refer to CRM ID and not mention visitor ID.

As said above I’m currently not launching AA when a user refuses /does nothing because I don’t see how limited data collection can be achieve while complying with CNIL guidelines. But I would be very interested to know how I could do that since they display this option.

Avatar

Community Advisor

I wonder what they mean by "limited data".

Nonetheless, if you use any of Adobe's built-in methods of visitor identification, e.g. Experience Cloud ID Service, then I think you'll need to ask for consent first, because Adobe's method uses a mathematical method that ensures the same user at the same website gets the same ID all of the time. It could be that, under the "limited data", you set your own visitor ID that doesn't persist across visits.

Whatever it is, please don't take my word as the final recommendation. Seek legal advice.

Avatar

Level 1
Sure, I’m already blocking AA without consent anyway I’ve tried to manually override the visitor ID to see if I could input a default value for instance, but AA rewrites it most of the time unless there is a specific length and format (I did not find a way in AA interface to manage visitor id myself). I wonder too what they meant by that. I’ve also seen in the same webinar that AA submitted to the CNIL program to be sort of “approved”, hopefully it will become clearer after that…

Avatar

Level 3

I guess you could bypass ECID and define vid(visitor ID) with the below considerations:

 

#1 Bypassing ECID visitor identification has no dependency on other Adobe products 

#2 you may come up own vid as fall back option upon detecting that user didn't opt-in; tricky as you could end up on 2 strategies.

#3 the vid persists but NOT beyond the session; thus implications on your UV metric

#4 your local regulatory accepts session ID for 3rd party data collection although implemented as FPC/same domain(1st party), and would be used ONLY for sessionization and nothing else

# At last, review #2 & #3 once again

 

Also do note the below, but maybe worth a tradeoff rather capturing nothing

- As one clears their cache within a session

- Opens a different browser; unique visitor is counted per browser.

- incognito browsing session

Avatar

Community Advisor
If you want to use your own visitor ID, you'll need to set the s.visitorId variable. See https://experienceleague.adobe.com/docs/analytics/components/metrics/unique-visitors.html?lang=en#ho..., which describes the various ways to identify a user, one of which is using this "visitorId" variable. Setting that should cause AA to use that as the visitor ID, even if ECID is present.

Avatar

Level 4

From what I know, consent is needed before analytics tracking can be implemented (i.e. First-Party analytics). This means that in your privacy policy, make sure to work with your legal team to have a good and clear statement around the CRM ID tracking and tie-up thing you are doing. I suggest that you work with your legal team to determine what's the best thing to do to comply. When it comes to data privacy, technologists usually just get guidance from the legal experts on what is best to do

Pls. also check if you guys are allowed to collect IP addresses. I believe those should be obfuscated in some territories 

Avatar

Level 10
Do any of the answers below answer your initial question? If so, can you select one of them as the correct answer? If none of the answers already provided answer your question, can you provide additional information to better help the community solve your question?