Adobe Experience Cloud Adobe Analytics and GDPR

Transcription

1 Adobe Experience Cloud Adobe Analytics and GDPR

2 Contents Adobe Analytics and GDPR...3 Frequently Asked Questions...5 Adobe Analytics GDPR Workflow...9 View/Manage Report Suite's Data Governance Settings...10 Label Report Suite Data...12 Submit Access and Delete Requests...18 GDPR Labels for Analytics Variables...22 Namespaces...32 ID Expansion...35 Labeling Best Practices...38 Labeling Example...43 GDPR and Data Connectors (Genesis)...46 GDPR Terminology...49 Contact and Legal Information...52 Last updated 11/8/2018 Adobe Analytics and GDPR

3 Adobe Analytics and GDPR 3 Adobe Analytics and GDPR This document describes what you need to do in Adobe Analytics to support your data subjects' GDPR access and delete rights. Adobe Overview Important: The contents of this document are not legal advice and are not meant to substitute for legal advice. Please consult your company's legal department for advice concerning GDPR. On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) goes into effect. For more information about Adobe's response and what this means for you as an Adobe customer, see GDPR and Your Business. When Adobe is providing software and services to an enterprise, Adobe is acting as a data processor for any personal data it receives and stores on behalf of our customers, as part of providing the services. As a data processor, Adobe processes personal data in accordance with your company s permission and instructions (for example, as set out in your agreement with Adobe). As the data controller, you will determine the personal data that Adobe processes and stores on your behalf. If you use Adobe Experience Cloud solutions, Adobe might host personal data for you depending on the solutions you use and the information you choose to send to your Adobe Experience Cloud account. For a list of examples, see Adobe Experience Cloud privacy. How Adobe Handles GDPR Data The Adobe Cloud Platform (ACP) provides an integrated solution that connects your brand's data governance infrastructure with the Adobe tools it uses to create and manage consumer experiences. The data governance features of the Adobe Cloud Platform enable a direct linkage of data governance policy to data usage. Familiarize yourself with how Adobe Analytics handles GDPR which discusses steps for GDPR readiness and how to integrate with the Adobe Experience Cloud GDPR API. GDPR Readiness and your Adobe Analytics Data Adobe realizes that you are most familiar with the custom data in your report suites and we are giving you the opportunity to define your data governance settings and preferences. To that end, Adobe Analytics provides a Data Governance user interface that lets you, as the data controller, set privacy labels on your Analytics reports suites and all the dimensions and metrics in those report suites. You can identify the columns in your data set that contain directly identifiable data or indirectly identifiable data so that you

4 Adobe Analytics and GDPR 4 can submit your access and delete requests to address that data. For each request, the labels defined in the Analytics Data Governance user interface will be honored for the specific identifier that corresponds to that request. See Label Report Suite Data for more information on how to set the labels. Prerequisites Familiarize yourself with GDPR terminology. Link your login company to an Experience Cloud organization, if it isn't already. Contact Adobe Customer Care and refer to Organizations and account linking. Map any Adobe Analytics report suite that you want to set up for data governance to your Experience Cloud organization. Set a data retention policy for each report suite so that GDPR Delete and Access requests can be honored. Note: Adobe Analytics cannot assist you with processing requests to the GDPR API, i.e., processing access or deletion requests you receive from your end users, if the data retention period has not been set in Adobe Analytics. Please contact your Customer Success Manager in order to set your data retention period. Check your permissions: to use the Data Governance Management interface in Adobe Analytics, you must be an Adobe Analytics Administrator.

5 Frequently Asked Questions 5 Frequently Asked Questions 1. Question How will Adobe Analytics support access and delete requests for end users (data subjects) validated by customers (data controllers)? Answer When GDPR takes e ect, Adobe Analytics will support processing verified requests submitted by Data Controllers to the Experience Cloud GDPR API to enable a more automated process. Adobe s GDPR API is designed to help process individual rights requests (e.g., access and delete requests) for our customers data stored across Adobe Experience Cloud solutions. It is flexible and scales according to the number of data access and delete requests your company receives from data subjects. Also, the GDPR API allows the customer to check the status on how the data access and delete requests are being fulfilled. For more details see GDPR API documentation. 2. Who will be responsible for receiving, accepting, and fulfilling GDPR requests from end users? The Data Controller (i.e. The Adobe Customer) has the sole responsibility for providing data subjects with personal data in response to an individual rights request under GDPR. The Data Controller also has the sole responsibility for receiving requests and accepting the request validating the data subject s identity and then fulfilling the request, part of which may involve contacting Adobe with data subjects IDs that may be associated with data stored in Adobe Analytics. As the Data Processor, Adobe must provide reasonable assistance to the controller to process verified requests within an acceptable amount of time How will Adobe Customers (data controllers) find out which GDPR requests map to which IDs in Adobe Analytics for GDPR processing? How can Adobe Analytics Data Governance assist with processing GDPR requests? The data controllers will determine how to resolve identity for requests from the data subjects. Consider deploying Adobe's GDPR ID Retrieval Tag. Your development teams will save time by using our GDPR ID retrieval tag to capture user IDs (cookie IDs), and then using our GDPR API to send those user IDs to the relevant solutions in the Adobe Experience Cloud for GDPR request processing. The GDPR API can support a broad range of customer IDs across multiple Adobe solutions. If a data subject submits a request along with an identifier (custom variable prop or ), then Adobe Analytics will scan then entire retained history of the data collected for the given identifier. Please, go to Adobe GDPR ID Retrieval Tag for a demo. Data Governance is a new tool within Adobe Analytics that provides data controllers the ability to apply data controls and classifications across their Analytics data. This new tool empowers Adobe customers to customize the processing of their GDPR data access and data delete requests. In the Data Governance console, admins can define the desired settings that should be applied to various data columns that reside in Adobe Analytics. Once those labels are defined, Adobe will

6 Frequently Asked Questions 6 Question Answer Where do we get started on getting GDPR ready with Adobe Analytics? How should data controllers think about consent when it comes to user engagement? How should data controllers think about data retention when it comes to GDPR? honor and process any downstream access or delete requests according to the customers desired label settings. It is the responsibility of the data controller to review and council with their legal representatives regarding these label settings. Adobe Analytics encourages clients to set up data labeling correctly in advance of GDPR e ective date, which is May 25th, 2018 to allow customize completion of request utilizing GDPR API. The Data Governance tool contains the following data labels: Identity Data Labels: used to classify data that can identify an individual either directly or in combination with other data. (None, I1, I2) Sensitive Data Labels: used to classify data as data that may be defined as sensitive under applicable law. (None, S1, S2) Note that currently the use of Sensitive Data in Adobe Analytics is generally prohibited except for precise geo-location data properly obtained under applicable law, which may be considered Sensitive Data in some jurisdictions. GDPR Data Labels: used to define the fields that may contain personal identifiers for use in GDPR requests or that should be removed as part of a GDPR delete request. These labels may overlap the Identity and Sensitive Data labels, in some cases. For more information on Data Governance labels, see GDPR Labels for Analytics Variables. For a step-by-step walkthrough to get ready for GDPR, see Adobe Analytics GDPR Workflow. GDPR is a good opportunity to re-consider your consent management strategy and practices, including determining when consent is needed and thinking about the value proposition for the user. Consider the value proposition for consumer privacy, which can help drive conversion and loyalty. The consent management space (e.g., tools, standards, best practices) is rapidly evolving, and is an area to watch. To minimize impact on user engagement, controllers should work with vendors in this space and with their counsel, and follow emerging EU laws and guidance on consent and cookies. Thinking about experiential privacy by using an on-brand, contextually relevant experience that sets out the value proposition of your data collection activities is a good strategy. GDPR generally provides that personal data generally should not be retained for longer than necessary to achieve the purpose for which it was collected.

7 Frequently Asked Questions 7 Question Answer As Adobe detailed in its customer communication in February 2018, we applies a 25-month data retention plan to most customers unless other arrangements have been made (subject to customer notification and authorization). Customers will be required to set their data retention policy before Adobe can process GDPR request. Adobe Analytics requires customers to set their data retention to process their GDPR requests. Each report suite s current data retention policy is displayed in the new Data Governance Admin UI. Customers should contact their Adobe representative if they need to adjust their data retention policies. Please refer to Adobe Analytics Data Retention FAQS. 8. Can a customer reduce or extend the Default Data Retention Period? Customers can request that their data be deleted sooner than 25 months by calling customer care. Customers can also extend data retention beyond 25 months by purchasing an extension. Extensions are available in increments of 1 (one) additional year, up to a maximum of 8 (eight) additional years (for a total of 10 years). These extensions may require updated contract terms and additional fees What privacy considerations should a data controller account for when personal data is exported from Adobe Analytics? Some data we were not supposed to collect was accidentally sent into Adobe Analytics. Can we use the GDPR API to clean up this data? If a customer uses Adobe Analytics Data Feeds to export data from Analytics into their enterprise data warehouse or into other systems outside of Adobe, it is the responsibility of the Customer (the Data Controller) to ensure that delete requests are applied to the data. This also applies to on-premise implementations of Adobe Data Workbench (Insight), where an ongoing Adobe Analytics data feed is populating the Data Workbench data. Adobe may provide tools to assist in finding and deleting the records from certain types of data feeds, including those used for Data Workbench, but it is still the Customer s (Data Controller's) responsibility to ensure that the data is deleted consistent with their own, internal data retention and deletion policies. Please also consider cases where employees may have downloaded Adobe Analytics reports that contain personal data. These reports may need to be updated or deleted if a GDPR or other privacy-related delete request is received involving an ID that may be present in the report. Customers should work with your company s legal counsel to determine retention periods, and privacy and security requirements that should be applied to these types of documents. The GDPR API is provided to help you fulfill GDPR requests, which are time sensitive. Using this API for other purposes is not supported by Adobe and may impact Adobe s ability to provide timely turn-around of high priority, user-initiated GDPR requests for other Adobe customers. We ask that you do not use the GDPR API for other purposes such as clearing out data that was accidentally submitted across large groups of visitors.

8 Frequently Asked Questions 8 Question Answer 11. Our legal team has determined that values we have been collecting in a variable for years, no longer comply with our updated privacy policy. Can we use the GDPR API to clear out all values from this variable? You should also be aware that any visitor who has a hit deleted (updated or anonymized) as a result of a GDPR deletion request will have their state information reset. The next time the visitor returns to your website, they will be a new visitor. All attribution will start again, as will information such as visit numbers, referrers, first page visited, etc. This side effect is undesirable for situations where you want to clear out data fields, and highlights one reason why the GDPR API is inappropriate for this use. Please contact your Account Manager (CSM) to coordinate with our Engineering Architect consulting team to further review and provide level of effort to remove any PII or data issues. The GDPR API is provided to help you fulfill GDPR requests, which are time sensitive. Using this API for other purposes is not supported by Adobe and may impact Adobe s ability to provide timely turn-around of high priority, user-initiated GDPR requests for other Adobe customers. We ask that you do not use the GDPR API for other purposes such as clearing out data that was accidentally submitted across large groups of visitors. You should also be aware that any visitor who has a hit deleted (updated or anonymized) as a result of a GDPR deletion request will have their state information reset. The next time the visitor returns to your website, they will be a new visitor. All attribution will start again, as will information such as visit numbers, referrers, first page visited, etc. This side effect is undesirable for situations where you want to clear out data fields, and highlights one reason why the GDPR API is inappropriate for this use. Please contact your Account Manager (CSM) to coordinate with our Engineering Architect consulting team to further review and provide level of effort to remove any PII or data issues. Additional GDPR Resources: GDPR Common Terms Experience Cloud GDPR Care Package Experiential Privacy Blog Post

9 Adobe Analytics GDPR Workflow 9 Adobe Analytics GDPR Workflow Welcome to Adobe Analytics and GDPR readiness! This workflow outlines the steps you need to take to make your Adobe Analytics implementation ready to support your data subjects' GDPR access and delete rights. Step # Task Description Ensure that any of your report suites that might contain GDPR-relevant data are mapped to your Experience Cloud (or IMS) organization. GDPR requests are submitted using an Experience Cloud Organization and will be applied to all report suites claimed by that Organization. Requests will not apply to report suites not mapped to that Organization, even if they are part of your login company. Links to Instructions and More Information Refer to Map report suites to an organization. Set your data retention policy. A data retention policy needs to be in place in order for Adobe to service GDPR data access/delete requests. For more information, see this Analytics Data Retention FAQ. Familiarize yourself with DULE/GDPR labels, Adobe Analytics IDs, namespaces, and ID expansion. Read these topics in this documentation set: GDPR Labels for Analytics Variables Labeling Best Practices Assign identity, sensitivity, and data governance labels to each variable in a report suite. Follow the instructions in Label Report Suite Data. Note: Remember that Labeling needs to be reviewed each time a new report suite is created or when new variable is enabled within an existing report suite. You may also need to review the labeling when new solution integrations are enabled, as they can expose new variables that may require labeling. A re-implementation of your mobile apps or websites may change the way that existing variables are used, which may also necessitate updates to labels.

10 Adobe Analytics GDPR Workflow 10 Step # Task Description Connect to the Adobe GDPR API and submit Access and Delete Requests. Links to Instructions and More Information As an Adobe Analytics customer, you can submit individual GDPR requests to access and delete customer data, by calling the Adobe Experience Cloud GDPR API. You can submit any Analytics identifiers (as described in the section Labeling Best Practices) in the requests along with their respective namespace IDs (data source IDs). View and manage your report suite's GDPR settings. Follow the instructions in View/Manage Report Suite's Data Governance Settings. View/Manage Report Suite's Data Governance Settings The Data Governance dialog in the Admin Tools provides an overview of which report suites have been configured for data governance, whether they have been mapped to an Experience Cloud organization, and whether a data retention policy is in place for this report suite. 1. Log in to Adobe Experience Cloud. 2. Navigate to Analytics > Admin > Data Governance. You will see all the report suites that are part of your login company:

11 Adobe Analytics GDPR Workflow 11 Setting Report Suites Organization Mapping Description The first line lists the friendly name of the report suite. The second line contains the internal name of the report suite. If you are allowed to set labels for a report suite, the first line will be a clickable link that takes you to the labeling page. Mapped: This report suite has already been mapped to the same Experience Cloud organization as the Analytics login company that you are logged in to. Only report suites that have this setting can be labeled. Map Report Suite: Clicking this link will let you map a report suite to an Experience Cloud organization. This means you will be redirected to the Experience Cloud Organization Report Suite Mapping Admin page where you have to find the report suite, and assign it to the appropriate organization. Once that is done, navigate back to this Data Governance UI. Mapped to Another Organization: Another Experience Cloud organization has already mapped this report suite to their organization. Data Retention Policy The Analytics GDPR implementation requires that you have a data retention policy in place. This setting shows whether a data retention policy is in place for this report suite, and how long the data is retained by Adobe before it is deleted. The default data retention period is 25 months. Note: Adobe Analytics cannot assist you with processing requests to the GDPR API, i.e., processing access or deletion requests you receive from your end users, if the data retention period has not been set. Please contact your Customer Success Manager in order to set your data retention period. Groups Grouping functionality is not currently implemented. Left-hand side bar Click the funnel icon to open or close the side bar. The Organization Mapping section displays the number of report suites that fall into each of the described categories. The Data Retention Policy section displays each unique data retention policy currently in place for your organization and the number of report suites that were assigned that retention policy. Export to CSV If you mark the checkbox next to one or more of the report suites, the Export to CSV option displays. This option lets you download a CSV file containing all current label definitions for all variables for all selected report suites. We recommend that your legal team review your labeling choices and this option facilitates this review. Instead of needing to perform the review while logged into the Data Governance UI, you can share the.csv file with them.

12 Adobe Analytics GDPR Workflow 12 Setting Description Label Report Suite Data Labeling report suite data means that you assign identity, sensitivity, and data governance labels to each variable in a given report suite. Make sure you first familiarize yourself with the labels and their definitions. Assign or Edit Report Suite Labels Copy Labels to Report Suite(s) Note: Remember that Labeling needs to be reviewed each time a new report suite is created or when a new variable is enabled within an existing report suite.you may also need to review the labeling when new solution integrations are enabled, as they can expose new variables that may require labeling. A re-implementation of your mobile apps or websites may change the way that existing variables are used, which may also necessitate updates to labels. Assign or Edit Report Suite Labels Example: You, as the data controller, plan to collect addresses and cookie IDs from data subjects to process their GDPR requests. These cookie IDs are stored in a report suite in Adobe Analytics. To create a label for addresses and cookie IDs, you must use the Adobe Cloud Platform's Data Usage Labeling & Enforcement (DULE) framework in Analytics. 1. In Analytics, navigate to Admin > Data Governance > [select report suite].

13 Adobe Analytics GDPR Workflow Select which group of variables you want to label. Standard Dimensions (Adobe Analytics out-of-the-box dimensions) Standard Metrics (Adobe Analytics out-of-the-box metrics) Conversion Events (Custom success events) Merchandising Conversion Dimensions (Merchandising s) Conversion Dimensions (non-merchandising s) Custom Traffic Dimensions (props) Solution Dimensions and Events (Dimensions/events related to solutions such as Mobile, Video, Activity Map, etc., and integrations with solutions such as Adobe Campaign, Adobe Experience Manager, Advertising Cloud, etc.) Data Processing Dimensions (variables not exposed directly in reporting through the Adobe Analytics UI, but available to you through Data Feeds and/or Data Warehouse requests)

14 Adobe Analytics GDPR Workflow (Optional) Click the information (i) icon next to each variable to better understand its most common values over the last 90 days. (This functionality is not available for Data Processing Dimensions, because they are not available in the Analytics UI.) 4. Select one or more variables by clicking their checkbox, then select the Edit icon (to the right) to edit one or more variable(s). 5. The Identity Data labels dialog opens automatically. These labels classify data that can be used by itself or in combination with other data to identify or enable direct contact with an individual. For more information on these options, refer to Identity Data Labels (DULE). Note: The Data Usage Labeling & Enforcement (DULE) Framework is designed to provide a uniform way across Solutions/Services/Platforms to capture, communicate, and use metadata about data across the Adobe Experience Cloud. The metadata helps data controllers indicate which data is personal information, which data is sensitive data, and what contract restrictions are associated with data.

15 Adobe Analytics GDPR Workflow Open the Sensitive Data section to set Sensitive Data Labels, which categorize geolocation data. For more information on these options, refer to Sensitive Data Labels (DULE). 7. Open the GDPR Data section to set Data Governance Labels. Use this section to instruct Adobe how to handle each variable for GDPR access and delete requests, as well for defining which variables should be scanned to

16 Adobe Analytics GDPR Workflow 16 find data subject IDs for these requests. For more information on these options, refer to Data Governance Labels (GDPR). 8. Click Apply once you have completed all labeling. Copy Labels to Report Suite(s) If you want to apply the same DULE/GDPR settings to more than one report suite, you can follow these steps: 1. Select the variable group (Standard Dimensions, Conversion Dimensions, etc.) containing the variable you want to copy. Note that you can only copy the labels for one group of variables at a time. 2. Select some or all of the variables in this group. 3. Click Copy Labels to Report Suite(s) at the top right of the Data Governance dialog.

17 Adobe Analytics GDPR Workflow Either check Select All to copy labels for the selected variables to all report suites or select the individual report suites that you want to copy the labels to. Important: Keep in mind that all report suites you select have to be mapped to your Experience Cloud organization. When you copy the labels for a variable or set of variables into a different report suite, the copy goes to the variable in the corresponding position in the destination report suite. For Standard Dimensions, Standard Metrics, Solution Dimensions and Events and Data Processing Dimensions, the labels will be copied to the variable with the same name in the destination report suite. However, for Conversion Variables (s), Merchandising Conversion Dimensions and Custom Traffic Dimensions (props) the copy be will to the variable with the same number in the destination report suite. For example, 12 will be copied into 12 in all destination report suites. The names of these variables will be ignored in determining the target of the copy. If the corresponding variable is not enabled in the destination report suite, the copy will fail for that variable. When copying the labels for classifications defined for a variable, the labels will be copied to a classification on the corresponding variable in the destination report suite (such 7 to 7) that has a name identical to the classification being copied. Otherwise, the copy for that classification's labels will fail. A status message is displayed after a set of labels has been applied. The status message will include the names of any destination variables or classifications and their report suites for which the copy failed. 5. Click Apply. Important: You should always check the destination report suites to make sure that the labels copied over correctly. This is especially important for variables that have ID or DEL labels.

18 Adobe Analytics GDPR Workflow 18 Submit Access and Delete Requests Note: This page describes functionality that will be available at a later date. Overview Manage Consumer Consent Validate Users and Their Data Submit Requests Sample JSON Request Response Details Testing GDPR Processing on Your Data Overview If your customers (consumers/data subjects) want to know what data you maintain about them or decide they want to be deleted from your Analytics properties, you as the data controller are responsible for responding to those requests. The data controller determines how your organization will interact with data subjects (e.g., through a data subject user portal) and manages interactions with the data subject. It also is the controller's responsibility to close the loop with the data subject when the request is fulfilled. In other words, Adobe Experience Cloud, as the data processor, will not accept requests directly from data subjects or return data directly to them. Rather, Adobe will receive requests from and return data to only you as the data controller. You also may want to ensure your mobile apps and websites will have relevant pop-up notices and supporting materials about data subjects' rights regarding their directly identifiable or indirectly identifiable data, and other data you collect. Manage Consumer Consent You, as the data controller, are responsible for obtaining explicit consent from your data subjects before you collect data about them (possibly including Adobe Analytics data) and for implementing an opt-out mechanism on your web site. This lets your data subjects opt out of future Adobe Experience Cloud data collection. Validate Users and Their Data You, as the data controller, are responsible for verifying that the data subject is who they say they are and that they have a right to the data they are requesting. Further, it is your responsibility to ensure that the correct data is returned to the data subject and that they don t inadvertently receive data about other data subjects. This includes reviewing the data returned by Adobe Analytics as part of a GDPR access request before sending it on to the data subject. Particular care should be taken if you are using Person IDs, and returning not only data where that ID is present, but also data for other hits on a shared device where that ID was sometimes present (ID Expansion). Each file combines data from all your report suites, automatically removing extra copies of replicated hits. You can decide which of these files to return to the data subject. Or you may extract some of this data and combine with data from other systems before returning it to the data subject. Submit Requests You can submit GDPR access and delete requests through our GDPR UI portal or via our GDPR API.

19 Adobe Analytics GDPR Workflow 19 Note: The GDPR API supports batch submissions for multiple users in a single request. The currently supported limit is 1000 separate users (may have multiple IDs per user) in a single request JSON file. Sample JSON Request Here is the JSON that might be submitted through the GDPR API or UI, requesting GDPR processing for three users. { } "companycontexts": [ { "namespace": "imsorgid", "value": "5D AA6D9580A495C6C@AdobeOrg" } ], "users": [ { "key": "GDPR-1234", "action": ["access"], "userids": [ { "namespace": "AAID", "namespaceid", 10, "type": "standard", "description": "Legacy Visitor ID", "value": "2D783E ", } ] }, { "key": "GDPR-1235", "action": ["access"], "userids": [ { "namespace": "ECID", "namespaceid": 4, "type": "standard", "description": "This is the ID generated by the Adobe ID service.", "value": " ", } ] }, { "key": "GDPR-1236", "action": ["access","delete"], "userids": [ { "namespace": "CRM-ID", "type": "analytics", "description": "namespace defined on 17 in some report suites", "value": "ACME ", }, { "namespace": " address", "type": "analytics", "description": "namespace defined on 23 in some report suites", "value": "john@mail.com", } ] } ], "expandids": true Notice there are three blocks in the user s section, representing three separate requests, presumably for three separate data subjects.

20 Adobe Analytics GDPR Workflow 20 The first request is an access request using a traditional Adobe Analytics cookie ID (AAID). The second request is also an access request but is using an MCID/ECID cookie. The third request is requesting both access and delete for the specified IDs. While ID Expansion is specified for all of the requests, it will have the biggest impact on this third request, as it is the only one that uses non-cookie IDs. As a result, this request will also discover cookie IDs associated with any devices with the specified CRM-ID or address, and expand the request to include those IDs as well. Keep in mind that The value 5D AA6D9580A495C6C@AdobeOrg in the companycontexts section must be updated with the value of your own Experience Cloud organization. The type and namespace fields are described in more detail in the Namespaces section. The description fields are ignored. The key fields can contain any value that you want. If you have an internal ID that you are using for tracking GDPR requests, you could place that value here, to make it easier to match requests in Adobe s system to those in your own systems. Response Details This sections contains details on access and delete responses. Access Response Details The data returned for an access request provides you, the data controller, with a URL you can use to download a ZIP file containing a directory for each Adobe product you own. Within the Analytics folder, there may be: Person Files Derived from hits containing a matched ID-PERSON label A.CSV file with one row for every matching hit, and one column for every field with an ACC-ALL or ACC-PERSON label, sorted by timestamp. An HTML summary file with one entry for every ACC-ALL or ACC-PERSON label. Each entry lists all unique values for that field and the number of times each occurred. Fields containing timestamps are rounded to specify only unique days. Device Files Derived from hits where one of the fields matched a specified ID-DEVICE but none matched a specified ID-PERSON A.CSV file with one row for every matching hit, and one column for every field with an ACC-ALL label, sorted by timestamp. HTML summary file with one entry for every ACC-ALL label. Each entry will list all unique values for that field and the number of times each occurred. Fields containing timestamps are rounded to specify only unique days. Each file combines data from all your report suites, automatically removing extra copies of replicated hits. You can decide which of these to return to the data subject. Or you may extract some of this data and combine with data from other systems before returning it to the data subject. Delete Response Details No data is returned for delete requests - only a status to the GDPR API that the request was completed successfully. Testing GDPR Processing on Your Data Typically, Analytics customers will set up some test report suites to verify functionality before it is released to the general public. Pre-production websites or apps will send data into these test/dev/qa report suites to evaluate how things will work when the code releases before real traffic is sent to the production report suites.

21 Adobe Analytics GDPR Workflow 21 However, with a normal configuration, GPDR request processing cannot be tested first on these test report suites, before applying requests to production report suites. The reason for this is that a GDPR request is automatically applied to all report suites in the Experience Cloud organization, which is often all report suites for your company. There are a few ways that you can still test your GDPR processing prior to applying it to all your report suites: One option is to set up a separate Experience Cloud organization that contains only test report suites. Then use this Experience Cloud organization for your GDPR testing and your normal Experience Cloud organization for actual GDPR processing. Another option is to assign different namespaces to the IDs in your test report suites, versus those in your production report suites. For example, you can prefix each namespace with qa- in your test report suites. When you submit GDPR requests with only namespaces with the qa prefix, these requests will only run against your test report suites. Later, when you submit requests without the qa prefix, they will apply to your production report suites. This is the recommended approach, unless you use the visitorid, AAID, ECID or customvisitorid namespaces, because these are hardcoded and you cannot specify alternate names for them in your test report suites.

22 GDPR Labels for Analytics Variables 22 GDPR Labels for Analytics Variables Why Label Your Data? DULE Labels Sensitive Data Labels (DULE) Data Governance Labels (GDPR) Provide a Namespace when Labeling a Variable as ID-DEVICE or ID-PERSON Variable Types and the GDPR/DULE Labels they support Variables to which Labels other than ACC-ALL/ACC-PERSON can be assigned/modified Deletion Handling Variables that Don t Support the Expected Delete Labels Date Fields for Access Requests Why Label Your Data? Many Adobe customers have legal teams that have reviewed the GDPR law and that have drawn their own conclusions about how data should be handled in order to conform with GDPR. The legal interpretations may differ across companies and the desired data handling settings may also differ across customers. Since customers have differing preferences for GDPR data processing and differing data sets, Adobe is enabling Adobe customers, as the data controller, to customize their desired settings for GDPR data processing for their unique data. This allows each unique customer to process GDPR requests in the way that makes most sense for their brand and their unique data set. Adobe Analytics provides tools for labeling data according to its sensitivity and contractual restrictions. Labels are important and useful for helping: (1) identify data subjects, (2) determine which data to return as part of an access request, and (3) identify data fields that must be deleted as part of a deletion request. Before you can figure out which labels should be applied to which variables/fields, you need to understand the IDs that you are capturing in your Analytics data, and to decide which you will use for GDPR requests. The Adobe Analytics GDPR implementation supports the following labels for identity data, sensitive data, and data governance. DULE Labels Note: The Data Usage Labeling & Enforcement (DULE) Framework is designed to provide a uniform way across all Adobe Solutions/Services/Platforms to capture, communicate, and use metadata about data across the Adobe Experience Cloud. The metadata helps data controllers indicate which data is personal information, which data is sensitive data, and what contract restrictions are associated with data. In this initial release, Analytics is exposing only the DULE labels that are relevant to GDPR. As other Adobe products implement support for DULE labels, future releases will introduce additional sensitive data labels, as well as contractual labels, which will help ensure that data shared between products is used only in legally permissible ways. Identity Data Labels (DULE) Identity data "I" labels are used to categorize data that can identify or contact a specific person.

23 GDPR Labels for Analytics Variables 23 Label I1 I2 Definition Directly identifiable: Data that can specifically identify or enable direct contact with an individual, such as a name or an address. Indirectly identifiable: Data that can be used in combination with any other data to identify or enable direct contact with an individual or device. Does not allow identification of an individual by itself, but can be combined with other information (that may or may not be in your possession) to identify someone. Examples include a customer loyalty number, or an ID used by a company's CRM system that is unique for each of their customers. Other Requirements Cannot be set on events Cannot be set on Merchandising s Cannot be set on events Cannot be set on Merchandising s Sensitive Data Labels (DULE) Sensitive data "S" labels are used to categorize sensitive data such as geographic data. Additional Sensitive Data labels will be introduced in the future to identify other types of sensitive information. Label S1 Definition Precise geo-location data related to latitude and longitude that can be used to determine the exact location of a device (within 100 meters or less). S2 Geo-location data that can be used to determine a broadly defined geo-fence area. Data Governance Labels (GDPR) Data Governance labels provide users the ability to classify data that reflects privacy-related considerations and contractual conditions to be compliant with regulations and corporate policies. GDPR Access Labels Label None Definition Select this option if this variable does not contain data that must be included in data returned to the data subject as part of a GDPR access request. Other Requirements ACC-ALL Values in this field should be included in all GDPR access requests. If this hit came from a device shared by multiple individuals, by applying this label, you, as the data controller, are indicating that it is acceptable to share the data in this field with any individual who had access to the shared device. Fields with this label will be returned for all GDPR requests.

24 GDPR Labels for Analytics Variables 24 Label ACC-PERSON Definition Values in this field should be included only for GDPR access requests when we are reasonably certain that the hit was from the data subject, as determined by a GDPR request ID matching an ID-PERSON field s value. Other Requirements You must also have an ID-PERSON label set on some variable within this report suite, and submit requests using that ID, or this label will never apply. While few variables will receive any of the other labels, it is expected that access labels will be applied to many of your variables. However, it is up to you, in consultation with your Legal team, to decide which data you have collected should be shared with data subjects. GDPR Delete Labels Label Definition Unlike the other labels, these Delete labels are not mutually exclusive. You can select either, both or none. A separate None label is not necessary, because None is indicated simply by not checking either of the Delete options. Other Requirements A delete label is required only for fields that contain a value that would allow a hit to be associated with the data subject (i.e. that would allow identification of the data subject). Other personal information (favorites, browsing/purchase history, health conditions, etc.) does not need to be deleted since the association with the data subject will be severed. DEL-DEVICE For GDPR delete requests, values in this field should be anonymized only for requests where a specified ID-DEVICE is present in the hit. If the same value occurs on other hits, which are not being deleted, then those other instances will not be changed. This will result in the counts changing for reports which compute unique counts on this field. On shared devices, this may remove identifiers for other individuals, beyond just the data subject. Also requires I1 or I2 or S1 label Cannot be set on events Cannot be set on Merchandising s Cannot be set on Classifications You must submit requests using an ID-DEVICE or set expandids to true, or this label will never apply. Counts do not change if this field also has an ID-DEVICE label and the value in this field was used as an ID for the GDPR request. DEL-PERSON For GDPR delete requests, values in this field should be anonymized only for requests where a specified ID-PERSON is present in the hit. If the same value occurs on other hits, which are not being deleted, then those other values will not Also requires I1 or I2 or S1 label Cannot be set on events Cannot be set on Merchandising s Cannot be set on Classifications You must also have an ID-PERSON label set on some variable within this

25 GDPR Labels for Analytics Variables 25 Label Definition be changed. This will result in the counts changing for reports which compute unique counts on this field. Counts will not change if this field also has an ID-PERSON label and the value in this field was used as an ID for the GDPR request. Other Requirements report suite and submit requests using that ID, or this label will never apply. GDPR Identity Labels Label None Definition This variable does not contain an ID that will be used for GDPR requests. Other Requirements You need to set one of these other labels only if this field contains an ID that you will use when submitting access or delete requests through the GDPR API or UI. ID-DEVICE ID-PERSON This field contains an ID that can be used to identify a device for a GDPR request, but cannot distinguish between different users of a shared device. You do not need to specify this label for all variables that contain IDs (that is what the I1/I2 labels are for). Use this label if you submit GDPR requests using IDs stored in this variable and want to search this variable for the specified ID. This field contains an ID that can be used to identify an authenticated user (a specific person) for a GDPR request. You do not need to specify this label for all variables that contain IDs (that is what the I1/I2 labels are for). Use this label if you will submit GDPR requests using IDs stored in this variable and want to search this variable for the specified ID. Also requires I1 or I2 label Cannot be set on events Cannot be set on Merchandising s Cannot be set on Classifications Also requires I1 or I2 label Cannot be set on events Cannot be set on Merchandising s Cannot be set on Classifications Provide a Namespace when Labeling a Variable as ID-DEVICE or ID-PERSON When you label a variable as ID-DEVICE or ID-PERSON, you are prompted to provide a namespace.you can either use a previously defined namespace or define a new one. Use a Previously Defined Namespace If you have previously assigned an ID label to other variables in any of the report suites in your login company, you can select one of these existing namespaces. You should reuse the namespace if this variable contains the same type of IDs as other variables that are already labeled with this namespace and you want to search all of them when submitting a request. 1. Click Select Namespace and select one of the existing namespaces. 2. Click Apply.

26 GDPR Labels for Analytics Variables 26 Define a New Namespace You can also define a new namespace. We recommend that namespace strings be limited to alphanumeric characters, plus the characters underscore, dash and space. They will be converted to all lower case. 1. Click Select Namespace and type in the namespace title. 2. Press Enter to add this namespace. Only now will the Apply button be activated. 3. Click Apply. The string you specify as the namespace is the same string you should use when submitting requests through the GDPR API as the value of the namespace parameter. The request will then cause Adobe Analytics to search all variables in all of your report suites that share this namespace for the ID you specified with the request. You do not need to specify the ID-DEVICE or ID-PERSON labels on all variables that contain IDs (that is what the I1/I2 labels are for). Use this label if you will be submitting GDPR requests using IDs stored in this variable and want to search this variable for the specified ID. As an example, if 1 can contain an address, and 2 can contain a login user name, but you will only ever submit requests using the user name, then you might label 1 as I1, ACC-PERSON, DEL-PERSON, but 2 as I2, ACC-PERSON, DEL-PERSON, ID-PERSON with namespace user name. You can then submit a request with a user section JSON block such as: { } "namespace": "user name", "type": "analytics", "value": "rocketman123" It is acceptable to use the same namespace for different variables within the same report suite. For example, some custom implementations store a CRM-ID in both a prop and an. If the CRM-ID always occurs in one of them (such as the ), and only occasionally occurs in the other (the prop), and never in the prop when not also in the, then only the requires an ID label and a namespace, as Adobe can search only in that for the ID. If, however, the CRM-ID sometimes occurs in one variable and sometimes in the other, then both should have the same namespace and Adobe will search both variables for occurrences of the ID specified as part of a GDPR request

27 GDPR Labels for Analytics Variables 27 with this namespace. You should still have DEL labels on all of these variables, so that the value is anonymized no matter where it occurs. As another example, you might have a CRM ID that is sometimes sent in via 1 and sometimes sent in via prop7. You then have a processing rule that copies the value from 1, if it exists, into 3. Otherwise it copies the value from prop7 into 3. In this scenario, 3 will always contain the CRM ID if it is known, so only 3 requires an ID-PERSON label. Variable Types and the GDPR/DULE Labels they support GDPR/DULE labeling affects four broad classes of Analytics variables. Not all variables support all labels. This table shows which variables support or don't support which labels. Variable Type Custom Success Events Merchandising s Multi-valued variables (mvvars) Hierarchy variables Supported Labels S1/S2 ACC-ALL, ACC-PERSON Unsupported Labels I1/I2 ID-DEVICE, ID-PERSON DEL-DEVICE, DEL-PERSON Classifications Traffic variables (props) Commerce variables (non-merchandising s) I1/I2, S1/S2 ACC-ALL, ACC-PERSON, All labels ID-DEVICE, ID-PERSON DEL-DEVICE, DEL-PERSON - Most other variables (See table below for exceptions) ACC-ALL, ACC-PERSON I1/I2, S1/S2 ID-DEVICE, ID-PERSON DEL-DEVICE, DEL-PERSON Variables to which Labels other than ACC-ALL/ACC-PERSON can be assigned/modified Group Variables Modifiable Labels Comment Conversion Dimensions Custom Traffic Dimensions All, except classifications Classifications All None / I1 / I2 None / S1 / S2 Conversion Events All None / S1 / S2 Solution Dimensions and Events Activity Map Link, Activity Map Page None / I1 / I2 None / DEL-DEVICE / DEL-PERSON Variables can contain URL parameters, which may include directly or indirectly identifiable data. If your implementation does not collect directly or indirectly identifiable data in

28 GDPR Labels for Analytics Variables 28 Group Variables Modifiable Labels Comment these variables, then they don t need Identity or deletion labels. Note that delete clears the URL parameters, but preserves the base URL. Data Processing Dimensions Custom Visitor ID ID-DEVICE/ID-PERSON DEL-DEVICE/DEL-PERSON You cannot remove the ID or DEL labels (se to None), but you can change them to be either the DEVICE or PERSON variants, depending on your custom ID implementation. If you don t use the custom visitor ID, then the setting does not matter. Standard Dimensions Data Processing Dimensions IP Address IP Address 2 DEL-DEVICE/DEL-PERSON You cannot remove the DEL label, but you can change it to be either DEL-DEVICE or DEL-PERSON, or both. ClickMap Action (Legacy), ClickMap Context (Legacy), Page, Page URL, None / I1 / I2 None / DEL-DEVICE / DEL-PERSON Variables can contain URL parameters, which may include directly or indirectly identifiable data. If your implementation does not collect directly or indirectly identifiable data in these variables, then they don t need Identity or deletion labels. Original Entry Page URL, Referrer, Note that delete clears the URL parameters, but preserves the base URL. Visit Start Page URL Deletion Handling Adobe Analytics support for GDPR deletion requests is designed to minimize impacts to reporting. In most cases, the metrics displayed in reports should not change. A historical report that was run before GDPR deletion will match the same report run after deletion has been performed. This is accomplished by completely disassociating the deleted data from the data subject, while leaving non-identifiable data in place so that reported values remain consistent. The following table describes how various variables are deleted. This is not a complete list. Variables Traffic Variables (props) Deletion Method Existing value is replaced with a new value of the form GDPR D55C4F9C7AB3FBB2F2FA where the 32-digit hexadecimal