GDPR and Digital Marketing: Adobe Experience Cloud to the rescue


The European Union’s new General Data Protection Regulation (GDPR) governs EU consumers’ (EU citizens) private information. The regulation gains power before the end of May, but its impact on businesses worldwide is already noticeable by the number of privacy policy updates and email notifications we have been receiving daily from service providers, social media platforms, etc.

If you’re looking into a new digital experience platform or are already using Adobe Experience Cloud solutions, chances are one of your main concerns is what tools these technologies have in place not only to help your organization’s marketing compliance with GDPR, but also to make it as easy and effortless to manage as possible.

But first things, first, let’s recap what is GDPR and what’s its impact in digital experience management.

GDPR recap

In the GDPR context, technology systems and digital platforms like the Adobe Experience Cloud play the role as “data processors”. The end customers are “data subjects” whereas the enterprises who collect and use these data are “data controllers”.

GDPR readiness stakeholders by Adobe

In very short terms, the GDPR protects user data in just about every possible way. In order to be GDPR-compliant, a company must not only handle consumer data carefully but also provide consumers with ways to control, monitor and delete any information pertaining to them that they want.

Organizations that wish to stay in compliance must implement processes (and probably also add dedicated human resources) to ensure that when personal data is handled, it remains protected. The five essential golden rules here are (1) to reduce the unnecessary data collection, (2) to obtain easy-to-understand consent from the users in an way that adds customer privacy to your value proposition, (3) review privacy policies and notices, (4) anonymize, pseudonymize or encrypt unique personal identifiers, and (5) provide users with easy access to their data, including change/deletion requests, and implement the corresponding internal procedures.

Adobe tools for GDPR compliance

To help organizations using Adobe technologies towards GDPR compliance, a number of dedicated tools are being incorporated into the underlying Adobe Experience Cloud solutions.

Adobe has developed a dedicated GDPR API which includes tools and documentation for automating consumer GDPR access and deletion requests across Adobe platform components. A key benefit of this GDPR API is that it enables organizations to scale their response by handling potential high volumes of consumer information requests. Most Adobe solutions (e.g. Adobe Analytics, Adobe Campaign, Adobe Social, Adobe Target, etc.) interface with the API, but integrations may vary according to their versions.

In the context of Adobe Analytics, the first step to protect personal data is to determine which data being collected can be tagged as GDPR relevant. Adobe provides a JavaScript Library for passing automated requests to the platform and to enable certain types of identity resolution, for example indirectly identifiable data such as IP addresses or cookie IDs. Analytics also has the option to obfuscate the last octet of IP addresses or delete them completely after initial processing. 

The data labeling tools offered in Adobe Analytics help you to operationalize your data governance practices and policies, i.e., understand what data you collect and why, with whom you share it and for how long you keep it. You can also consider managing the lifecycle of digital marketing tags or web beacons with a tag management system, such as Launch by Adobe. The greatest advantage of Launch is it also works with non-Adobe marketing platforms.

Once sensitive data has been tagged, Adobe can ensure that this data gets e.g. deleted if the customer requests for it. In any case, organizations should also identify a process to receive and respond to Data Subject requests. Building an automated tool to manage visitor requests can be an alternative, in addition to the GDPR API.

Within Adobe Target, visitors’ personal information is stored in the Target Visitor Profile. Adobe Target has planned to introduce the ability to delete all data associated with an ID in their Visitor Profile. Target Visitor Profiles that have been inactive for 90 days are also deleted by default, without any action required.

Adobe Audience Manager users have full control over how and what data is uploaded into the platform. However, data that would allow Adobe to directly identify an individual (such as, email addresses, first and last names, etc.) is not allowed to be used. For data types that could fit into this category, you should assess, together with your GDPR implementation partner, what tools and privacy-enhanced technologies best fit your needs to convert the sensitive data into hashed IDs prior to uploading them into Audience Manager.

There are also new features already built-in Audience Manager, such as Data Export Controls, to make it easy for marketers to manage audience data directly in the platform, when building audience profiles and segmentation. These can help you, for example to block audience activation to technologies that house personal data, such as third-party data should not be incorporated to email service providers.

Adobe Campaign standard tools already help data controllers manage all aspects of opt-in and opt-out - from opt-out flags in the standard data model to a prebuilt unsubscribe page hosted by Adobe Campaign.

Both Adobe Audience Manager and Adobe Campaign support detailed user setup, specifying what data different users can access and what activities they can perform on the platform, e.g. who can send an email campaign or export a database. These Role-Based Access Controls help ensure the right teams have access to intended data, and minimize data breach risks.


GDPR compliance is clearly a shared responsibility and Adobe has done a great job to prepare the Experience Cloud for the challenges that come along with GDPR. But although there are several helpful new features and tools to help organizations comply with the new data privacy rules, there’s also a lot of “heavy lifting” that you’re expected to handle within your organization.

The right partner will act as a trusted advisor within your data protection team to help you to inventory all personal data in your existing marketing platforms, review your personal data workflows, build automation tools to submit and respond to customers’ requests and determine the best approach for honoring consumer opt-outs.