This document provides answers to frequently asked questions about supported legal privacy regulations and their implementation in Adobe Experience Cloud.
Definitions for the various terms used in this document can be found in the privacy regulation terminology guide.
The following questions relate to all privacy regulations supported by Experience Cloud.
The privacy regulations supported by Experience Cloud apply to all organizations that store and process the personal data of citizens within the regulations’ respective jurisdictions, regardless of the organization’s geographic location.
Personal data is any information related to a natural person or data subject that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
The following identifiers are commonly used in Experience Cloud applications and could be subject to privacy regulation requirements:
Personal information can also include internet or other electronic network activity information. This includes, but is not limited to:
Even though privacy regulations cover a wide set of personal information, Adobe’s standard contract terms dictate that sensitive personal information (such as SSN, driver’s license information, financial account information, and biometric data) is generally prohibited from import and use in Experience Cloud applications.
A data controller is the entity that determines the purposes, conditions and means of processing personal data, while the data processor is an entity which processes personal data on behalf of the data controller.
A data controller is the person or organization who has the power and responsibility to make decisions regarding the collection, use, or disclosure of personal data. A data processor is the person or organization who carries out the collection, use, or disclosure of personal data at the direction of the data controller.
Explicit consent refers to a standard of consent which involves a specific, informed and unambiguous indication of the data subject’s wishes in oral or written form. Put simply, the data subject must literally and explicitly say “I consent” or “I agree” in order for the consent to be considered explicit. In addition, it must be as easy to withdraw consent as it is to give it.
Unambiguous (implied) consent refers to consent that was not explicitly given by the data subject, but is nonetheless unambiguous in nature. For example, during the sign-up process for a company website, a notice is given that by providing an email address, the data subject consents to receiving emails on special offers. If the data subject reads the notice, the affirmative action of entering their email is enough to be considered unambiguous consent.
For many regulations like the GDPR, explicit consent is required for processing sensitive personal data, where nothing short of “opt in” will suffice. For non-sensitive data, however, unambiguous (implied) consent is acceptable.
Many privacy regulations stipulate that if a data subject is below a certain age, they cannot legally provide consent for the collection of their personal data. Some regulations allow for consent to be given by the holder of parental responsibility for that data subject in these cases, but not all. The following table lists the minimum age for data subjects to provide their own consent for each regulation, with notes for further information:
| Regulation | Age of consent | Notes |
| --- | --- | --- |
| GDPR (European Union) | 16 | |
Assuming that the business has collected personal information and that it can authenticate or verify the identity of a particular consumer, privacy regulations allow a specific time window for a consumer request to be fulfilled. The following table breaks down the applicable time windows for each regulation, with notes on some exceptions:
| Regulation | Time window | Notes |
| --- | --- | --- |
| CCPA (California) | 45 days | |
| GDPR (European Union) | 30 days | If the request is complex, or numerous requests have been made by the same data subject, then the request can be extended to 60 days. |
| LGPD (Brazil) | 15 days | |
| PDPA (Thailand) | 30 days | If a company cannot respond to a data subject’s request within the compliance window, the company will have an additional 30 days from the date they were unable to fulfill the request to respond in writing to the data subject. |
If your organization’s data operations fall under the legal jurisdictions of the GDPR, LGPD, or PDPA, you must appoint a data protection officer (DPO) in the following cases:
Unlike the other regulations, the CCPA does not stipulate this as a requirement. However, to maintain privacy compliance it is generally recommended that a company have a qualified individual monitoring data gathering activities and the storage of consumer data, as well as responding to customer inquiries.
Once you have taken the necessary steps to authenticate consumers that fall within the appropriate legal jurisdictions, Adobe Experience Platform Privacy Service allows you to submit consumer privacy requests to compatible Experience Cloud applications. See the Privacy Service overview for more information. For information on how your particular Experience Cloud applications can honor privacy requests, please refer to the guide on Privacy Service and Experience Cloud applications.
Further guidance from the California regulator is still forthcoming as to which types of data are eligible for consumer privacy requests.
The following questions relate specifically to the CCPA.
As defined by CCPA, the following roles apply to Adobe and its customers:
As a Service Provider, Adobe collects and processes personal information on behalf of the Business and is contractually bound to use that information only for the specific purposes set out in the agreement.
Given this relationship and Adobe’s contract language, disclosures to Adobe likely would not be considered a “sale” for which businesses would need to provide notice and request consent.
However, Adobe services may be used to enable certain data sharing and transfers to third parties. These third-party transfers could be considered a “sale” and legally require disclosure and consent. Customers should work with their legal counsel to evaluate specific use cases to assess applicable requirements.
Adobe Experience Cloud applications provide data management and governance functions that can be helpful for companies’ privacy needs. Among these tools are data usage labeling, role-based access controls, IP obfuscation, and hashing capabilities.
Adobe has received various certifications of its privacy and security practices, such as an ISO 27001 certification and a TrustArc GDPR validation.
The following questions relate specifically to the GDPR.
A regulation is a binding legislative act and must be applied in its entirety across the EU. A directive is a legislative act that sets out a goal that all EU countries must achieve, but it is up to the individual countries to decide how.
It is important to note that the GDPR is a regulation, in contrast to the previous legislation (the Data Protection Directive), which was a directive.
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the data protection authority within 72 hours and to affected individuals without undue delay.
The following questions relate specifically to the PDPA.
The PDPA provides stringent requirements for the collection and storage of sensitive personal data which includes personal data pertaining to: racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union memberships, genetic data, biometric data, health records, and sexual orientation or preferences.