In order for data usage labels to effectively support data compliance, data usage policies must be implemented. Data usage policies are rules that describe the kinds of marketing actions that you are allowed to, or restricted from, performing on data within Experience Platform.
There are two types of policies available:
Data usage policies are not to be confused with access control policies, which determine whether certain Platform users in your organization can access certain data fields, and are configured through the Permissions tab.
This document provides a high-level overview of data usage policies, and provides links to further documentation for working with policies in the UI or API.
Marketing actions, (also called marketing use cases) in the context of the data governance framework, are actions that an Experience Platform data consumer can take, for which your organization wants to restrict data usage. As such, a data usage policy is defined by the following:
An example of a marketing action might be the desire to export a dataset to a third-party service. If there is a policy in place saying that specific types of data (such as Personally Identifiable Information (PII)) cannot be exported, and you attempt to export a dataset that contains an “I” label (Identity data), you will receive a response from the Policy Service telling you that a data usage policy has been violated.
Marketing actions by themselves do not restrict data usage. They must be included in enabled data usage policies in order for those actions to be evaluated for policy violations.
When data usage happens in your organization’s service, relevant marketing actions should be indicated so that any policy violations can be identified. You can then use the Policy Service API to check for policy violations in your integration.
You can set up marketing use cases on destinations to automate policy enforcement. See the destinations documentation for more information on the configuration options for your particular destination.
See the appendix to this document for a list of available Adobe-defined marketing actions. You can also define your own custom marketing actions using the Policy Service API or the Experience Platform user interface. More information on working with marketing actions and policies is provided in the next section.
Once data usage labels have been applied, data stewards can use the Policy Service API or the Experience Platform UI to manage and evaluate policies related to marketing actions being taken on data containing data usage labels. You can create and update policies, determine the status of a policy, and work with marketing actions to evaluate whether a specific action violates a data usage policy.
All data usage policies (including core policies provided by Adobe) are disabled by default. In order for an individual policy to be considered for enforcement, you must manually enable that policy through the API or UI.
For step-by-step instructions on working with marketing actions and data usage policies in the API, see the tutorial on creating and evaluating data usage policies. For more information the key operations provided by the Policy Service API, see the Policy Service developer guide.
For information on how to work with marketing actions and policies in the Platform UI, see the data usage policy user guide.
This document provided an introduction to data usage policies within the Data Governance framework. You can now continue to read the process documentation linked to throughout this guide to learn more about how to work with policies in the API and UI.
The following section provides additional information about data usage policies.
The table below describes the core marketing actions that are provided out-of-the-box by Adobe.
The core marketing actions should be seen as a starting point to help you identify what usage policies to create and check for violations. The definitions and how they are interpreted depend on your organization’s needs and policies.
|An action that uses data for analytics purposes, such as measuring, analyzing, and reporting on customers’ usage of your organization’s sites or apps.
|Combine with directly identifiable data
|An action that combines any Personally Identifiable Information (PII) with anonymous data. Contracts for data sourced from ad networks, ad servers, and third-party data providers often include specific contractual prohibitions on the use of such data with directly identifiable data.
|Cross Site Targeting
|An action that uses data for cross-site ad targeting. The combination of data from several sites, including a combination of on-site data and off-site data or a combination of data from several off-site sources, is referred to as cross-site data. Cross-site data is typically collected and processed to make inferences about users’ interests.
|An action that uses data for data science workflows. Some contracts include explicit prohibitions on data use for data science. Sometimes these are phrased in terms that prohibit the use of data for Artificial Intelligence (AI), machine learning (ML), or modeling.
|An action that exports data to any location or destination outside Adobe products and services. For example, downloading data to your local machine, copying data from the screen, scheduling delivery of data to a location outside Adobe, Customer Journey Analytics Scheduled Projects, Download Reports, Reporting API, and so on.
|An action that uses data in email targeting campaigns.
|Export to Third Party
|An action that exports data to processors and entities that do not have direct relationships with customers. Many data providers have terms in the contracts that prohibit the export of data from where it was originally collected. For example, social network contracts often restrict the transfer of data you receive from them.
|An action that uses data for onsite ads, including the selection and delivery of advertisements on your organization’s websites or apps, or to measure the delivery and effectiveness of such advertisements.
|An action that uses data for onsite content personalization. Onsite personalization is any data that is used to make inferences about users’ interests, and is used to select which content or ads are served based on those inferences.
|An action that uses data for Adobe Experience Platform Segment Match, which allows for two or more Platform users to exchange audience data. By enabling policies that reference this action, you can restrict what data is used for Segment Match. For example, if the core policy “Restrict data sharing” is enabled, any data with a C11 label cannot be used for Segment Match.
|Single Identity Personalization
|An action that requires that a single identity be used for personalization purposes instead of stitching identities from multiple sources.