We’ve had a lot of “data doomsdays” in the past handful of years, haven’t we?
That probably sounds a bit dramatic. But we mean that, for businesses, it’s always been a stressful hustle to modify all existing data-grounded solutions to ensure they’re following the latest data laws.
Moreover, each new change inevitably results in the loss of some valuable data as we push to give users more control over how their data is used. Necessary changes, no doubt, but no less stressful for your data teams regardless.
As data laws evolve, Adobe Analytics has remained a step-ahead solution. Even before the implementation of GDPR in 2018, and into the future as we watch third-party cookies disintegrate, Adobe Analytics provides comprehensive features to help businesses adapt.
GDPR has been one of the biggest challenges for companies to adapt to. But Adobe Analytics gives you the tools you need to collect data in a GDPR-compliant way and to protect it.
Is Adobe Analytics GDPR Compliant, and How?
There’s no avoiding it—we need data. It helps us understand who our customers are, and how to reach them in the most relevant ways. It leads us to understand the efficacy of our tests and keeps us from repeating testing failures.
But, with GDPR in mind, we’re sure you’re constantly aware of how sensitive data collection can be, especially in certain verticals. That might be why you’ve chosen (or plan to choose) Adobe’s solution. Adobe Analytics and GDPR certainly aren’t strangers to each other.
Now, how Adobe Analytics works to comply with GDPR is the real question we’re here to add context to. Let’s take a look.
Safer data collection with 1st party cookies
For a long time, brands have relied on third-party cookies to collect information about relevant user behaviors across the web. But, for many reasons, specifically those around privacy concerns, most browsers now block third-party cookies—and it’s soon to be all browsers, once Google jumps on the bandwagon this year.
If you’re not familiar with what sets 3rd party cookies apart from 1st party cookies, here’s a quick recap:
- Third-party cookies are placed by a website other than the site a web searcher is currently on (i.e. your website). These cookies then stay attached to a user’s browser and track data on how that user behaves across the web. The Facebook pixel for instance uses 3rd party cookies in some circumstances to track cross-site user journeys.
- First-party cookies are placed on a website and managed by that site’s owner, i.e. you. They attach to a user’s browser but only collect information about user behavior and some identifying data on your website, not off it.
Collecting ample data without 3rd party cookies can be tough, especially if your company needs to comply with GDPR. Third-party cookies generally don’t give users the control to opt in or out of them. But Adobe Analytics provides robust solutions to prep you for both 3rd party cookie collapse and GDPR readiness using a mixture of client-side and server-side tracking.
In Adobe Analytics, client-side tracking uses first-party cookies placed on your website to collect data on how users interact with your site. This includes data like pages viewed, eCommerce actions completed, or the device they’re browsing on.
Server-side tracking, on the other hand, is capable of tracking many of the same data points as client-side, but it also enables cross-domain tracking, and can securely collect more durable identifiers like device ID, or IP address. This type of tracking also uses first-party Adobe Analytics cookies (GDPR-friendly cookie types) to accomplish data collection.
While Adobe Analytics uses a combination of client-side and server-side tracking to build a fuller picture of user behavior, server-side tracking specifically is a key solution for GDPR readiness and compliance.
It enables you to define what data is collected and processed with consent. It also helps prevent data breaches by passing data directly from your server to Adobe Analytics, limiting the amount of exposure and opportunities for theft.
Customizable data retention and storage
One of many factors GDPR-compliant businesses have to consider with any analytics platform is how long you store your data.
Under GDPR, businesses may retain data only as long as necessary. This window may vary from business to business and it’s something you’ve likely already decided on with your stakeholders. But this means that in most cases, the default data retention window for many analytics platforms may be longer than the retention window you’re legally allowed to maintain.
With Adobe Analytics, the “default” data retention policy is 25 months; however, data retention windows are established when you sign your contract and may differ from the default depending on the terms you agreed to with your Adobe account team.
Moreover, data retention remains highly customizable after you’ve established your contract. You’ll need to contact your Adobe account team if you want to change the retention policy, but specifically shortening your retention window doesn’t incur any additional cost.
When data reaches the end of your retention window, it will be deleted by Adobe, helping you minimize the data collected and stored to adhere to GDPR.
Customer consent management
Acquiring user consent to collect data is one thing. Making sure your analytics platform properly interprets consent opt-in and opt-out before it processes any data is another.
Businesses trying to adhere to GDPR never want to see data processed in an analytics platform if consent wasn’t explicitly given for that, and Adobe’s tailored consent management solutions help ensure that consent is always considered first.
Adobe Analytics GDPR consent features allow you to implement opt-out links, which empower users to protect their data from processing. It does this by applying opt-out cookies to a user’s browser once they decline data processing, and these cookies instruct Adobe Analytics to omit any data from the browser associated with this opt-out cookie.
However, Adobe recommends instead implementing the opt-in service through Tags in Adobe Experience Platform, because these links provide more comprehensive opt-in options.
Adobe Analytics then uses dimensions to set rules for data collection that consider user opt-ins and opt-outs. Setting your dimension to filter data according to whether users have opted in or out of data collection prevents unconsented data from being forwarded to Adobe Analytics.
Adobe Analytics also enables you to review the most common reasons why people opted out, and filters can be separately set for different kinds of opt-outs (e.g. opting out of server-side collection, data sharing, or data selling).
However, we still want to highlight that Adobe’s opt-in and opt-out features aren’t a substitute for a Consent Management Platform, since they only work to collect consent around Adobe cookies.
You’ll still need a Consent Management Platform (CMP) in place, which can then be integrated with your opt-in links if you set those up for your Adobe products. If you don’t already have a CMP, consider OneTrust, Sourcepoint, or the like.
Adobe Analytics and GDPR Best Practices
Now that we’re aware of the biggest features that enable businesses to ensure Adobe Analytics GDPR compliance, let’s shine a light on some of the best practices you should be considering when reviewing your current analytics setup with GDPR in mind.
- Identity resolution: Ensure that you have an identity resolution strategy in place and be able to define how that strategy works. Identity resolution will ultimately help minimize the number of data points you collect around a single user profile and provide increased transparency about the data collected on a single user.
- Change reviews: Changes to your Adobe Analytics instance over time provide plenty of opportunities for regression in GDPR compliance. You’ll need to implement a schedule on which you regularly re-review your instance for GDPR adherence.
- Tag management: Regularly monitoring tag lifecycles with a robust tag management platform, such as Tags in Adobe Experience Platform, further helps you minimize data sources, and helps prevent issues like duplicate data that can cause GDPR non-compliance risks. Tag management systems also help you keep a running record of your active tags in one place, whereas hard-coded tags can be more difficult to track and provide documentation on.
- IP obfuscation and deletion: To protect your users’ sensitive data (such as IP addresses) from potential breaches, it’s recommended that you keep in touch with your Adobe account rep regarding the partial obfuscation or deletion of this data after you’ve processed it.
- Data labeling: Make the most of data labeling features to organize and categorize your data, which ensures that you know where all data lives, and control what data you retain. Being unaware that certain processed data exists within your analytics instance isn’t an excuse as far as GDPR compliance is concerned, so it’s vital you use the tools at your disposal to keep tabs on absolutely everything.
- Collecting, sharing, and security: You may have a general idea of what data you collect, what you share and with whom, and how you keep data safe. But when it comes down to it, it’s best to document all of this so that you can explain and substantiate your data processing activity whenever needed. Transparency and visibility are key.
Adobe Analytics and GDPR Pitfalls
Even the best-intentioned analytics setups can experience some issues with GDPR compliance when data collection initiatives become more complex.
Customization, for instance, is one of the best features of Adobe Analytics (and other Adobe products). It allows businesses to build tailored solutions to meet their specific data collection needs.
However, custom data collection can present certain challenges with GDPR. Consent management is one of the biggest concerns to be aware of. You need to understand if the custom data you’re collecting is considered personally identifiable, and, if so, you must implement explicit consent options for users if you want to compliantly process that data under GDPR. So, setting up the opt-in or opt-out links correctly to process explicit consent is essential.
Additionally, your data likely comes from more than one source. Full GDPR compliance requires that you ensure proper consent management for your data across each source, and also requires that you have processes in place to prevent duplicate data and excessive or unnecessary data from forwarding to Adobe Analytics.
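To make the multi-source requirement concrete, here is an added sketch (not Adobe code and not an Adobe API) of a server-side filter that runs before any event is forwarded: it drops events without recorded consent, removes duplicates arriving from different sources, strips fields outside an allow-list, and partially obfuscates IP addresses. The field names, the allow-list, the consent map and the /24 and /48 truncation choices are all assumptions made for illustration.

```python
import ipaddress

# Hypothetical allow-list: only the fields your documented purpose needs.
ALLOWED_FIELDS = {"event_id", "visitor_id", "page", "action", "ip"}

def obfuscate_ip(ip: str) -> str:
    """Partial obfuscation (assumed policy): keep a /24 for IPv4, a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def filter_for_forwarding(events, consent):
    """Split events into (forward, dropped) before anything leaves your server.

    consent maps visitor_id -> bool; a missing entry is treated as no consent.
    """
    forward, dropped, seen = [], [], set()
    for ev in events:
        eid = ev.get("event_id")
        if consent.get(ev.get("visitor_id")) is not True:
            dropped.append((eid, "no_consent"))
            continue
        if eid in seen:  # same event reported by a second source
            dropped.append((eid, "duplicate"))
            continue
        seen.add(eid)
        slim = {k: v for k, v in ev.items() if k in ALLOWED_FIELDS}
        if "ip" in slim:
            slim["ip"] = obfuscate_ip(slim["ip"])
        forward.append(slim)
    return forward, dropped

# Constructed sample data (documentation address ranges, made-up identifiers).
SAMPLE_CONSENT = {"v1": True, "v2": False}
SAMPLE_EVENTS = [
    {"event_id": "e1", "visitor_id": "v1", "page": "/pricing",
     "ip": "203.0.113.77", "email": "a@example.com", "source": "web"},
    {"event_id": "e1", "visitor_id": "v1", "page": "/pricing",
     "ip": "203.0.113.77", "source": "server"},
    {"event_id": "e2", "visitor_id": "v2", "page": "/home",
     "ip": "198.51.100.9", "source": "web"},
    {"event_id": "e3", "visitor_id": "v3", "page": "/home",
     "ip": "2001:db8:abcd:12::1", "source": "app"},
    {"event_id": "e4", "visitor_id": "v1", "action": "add_to_cart",
     "ip": "2001:db8:abcd:12::1", "source": "app"},
]

if __name__ == "__main__":
    sent, skipped = filter_for_forwarding(SAMPLE_EVENTS, SAMPLE_CONSENT)
    print(sent)
    print(skipped)
```

Keeping the dropped list with a reason per event gives you an audit trail for the documentation practice described above.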
Setting everything up properly for full GDPR compliance is a complicated collection of tasks—we won’t sugarcoat it. And if you’ve gone through the proper steps to ensure you’re compliant in Adobe Analytics, but still feel unsure, an expert set of eyes on your setup can help give you the peace of mind you need to go on with your day (or, shall we say…go on with your data?).
Clever wordplay aside, our Adobe Analytics veterans provide extensive Adobe Analytics audits, and know exactly what to look for to ensure your data is GDPR-compliant from stem to stern.
Additionally, if you haven’t yet implemented an Adobe solution, but plan to, it’s always best to start off on the right foot with Analytics and GDPR, rather than needing to fix costly GDPR mistakes down the line. Our implementation experts can help you set up your instance and ensure that it’s prepped and ready for GDPR adherence from the moment you begin collecting data. No need for pitfalls when you have peace of mind from the get-go.
To wrap things up…
Adobe Analytics is a world-class, widely recognized data collection solution, and it’s no stranger to the needs of businesses that must be mindful of GDPR. Plenty of features in this application help you adhere to GDPR, like server-side tracking, customizable data retention, and robust customer consent management.
However, Adobe Analytics’s wealth of customization options when it comes to data can make it significantly harder for businesses to accurately adhere to GDPR. If you’ve got a highly customized instance, it’s always better to be safe than sorry and reel in Adobe Analytics experts for a little extra support.
That said, what unexpected challenges have you come across while implementing GDPR compliance measures in your analytics solution?