Adobe Audience Manager: GDPR Consent and Opt-Outs
Two of the most common questions we get from our AAM Targeting partners are whether we support GDPR parameters in ID syncs and how we send opt-out information. I’ll describe how those both work and provide some links to other helpful GDPR info for AAM partners.
It's important to understand that Adobe is a Data Processor in the parlance of GDPR and so it provides functionality for its customers to comply with GDPR requirements but the customers are the Data Controllers and are responsible for determining how personal data will be processed. See this FAQ and this documentation for more information.
GDPR ID sync parameters
As of July 2019, AAM supports the IAB GDPR Transparency & Consent Framework parameters in AAM-initiated ID syncs and in partner initiated ID syncs. (See this documentation for more information on how AAM-initiated and partner-initiated syncs work—it may require logging into the Exchange program to access the article.) The parameters we can send and receive are:
gdpr = <0|1>
For example (AAM-initiated sync):
https://dpm.vendor.com/sync?id=<ID> &gdpr=<GDPR_APPLIES>&gdpr_consent=<GDPR_CONSENT>&redir= https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D375%26dpuuid%3DPARTNER_UUID
The AAM product team has rolled out the new parameters to AAM-initated ID syncs for several partners and we hope to roll it out to all partners who can support it. If you would like us to update the sync we have with you, please contact support using this form.
You can begin sending the GDPR consent parameters to on your syncs with AAM. AAM does not reject syncs that lack IAB consent parameters so if your system isn’t ready to send them yet your sync calls will not be rejected by AAM. If you are ready, AAM will receive them and will drop any syncs where the parameters are present but consent is not granted to AAM.
See ID sync for outbound transfers for more information on ID syncs and the parameters available.
GDPR opt-outs are sent to our targeting partners as unsegment signals. When a GDPR opt-out is processed by AAM, the user will be dropped from all segments and this information will be sent to Destinations—how soon the information gets to each Destination depends on the send frequency for that Destination. Real-time HTTP Destinations will receive the unsegment signal within 12 hours of the GDPR opt-out (unsegments are processed as a batch so the signal does not go out in real time). Batch Destinations will receive the unsegment signal in the next batch to go out after the opt out is processed.
Partners who do not receive unsegment signals from AAM will not be able to process opt-outs so we encourage all partners to add unsegments to their Destination format.
Opt-out signals are indistinguishable from scenarios where a user becomes unqualified from all segments and is dropped from them. AAM does not have a separate opt-out mechanism or a way to differentiate between opt-outs and ‘normal’ unsegments.
Other helpful links
If you’d like to understand more about how AAM works with GDPR and how that might affect our Targeting partners, check out the following links: