When to use ID expansion

During the first few months after Data Privacy went live, the vast majority of Analytics Data Privacy requests did not request ID expansion. However, determining the appropriate value for your organization is up to you. You should consult with your Legal team about whether ID expansion is required for your data with the IDs that you use and the data you collect within Adobe Analytics.

A primary consideration could be: On a shared device, from which multiple users have visited your site, using ID expansion includes data from other users’ hits of the device, in data returned by access requests (in the device file). Even if you have followed best practices in labeling (for example, no private data is included in the device file, such as pages visited) the device file contains the number of pages visited and the times of each of those visits. You may want to ask yourself: Is it okay if you share this information with someone who may not have been the visitor?

When ID expansion is not used for a delete request: if you use a non-cookie ID (any ID other than the ECID or Analytics cookie) to identify hits that should be deleted, and that ID has an ID-DEVICE label, then unique visitor counts in reports do change. This is because only some instances of the cookie IDs will be anonymized, while others will be left unchanged. If you are not specifying ID expansion, then we recommend that you either use a cookie ID for requests, or use IDs with an ID-PERSON label.

When Adobe performs ID expansion, it can require an additional full data scan. This increases the time that it takes Adobe to complete the request, often adding a week to the processing time.

Other Data Privacy request flags

In addition to the “expandIDs” flag, Analytics supports two other flags that can be passed as part of a Data Privacy request. These flags with their default values are:

"analyticsDeleteMethod": "anonymize"
"priority": "normal"

In the future, the analyticsDeleteMethod may support a value of “purge” in addition to the default value of “anonymize”. When supported, it will cause the entire hit to be deleted rather than simply updating the values of hit fields that have DEL labels.

In addition to its default value, the priority field also supports a value of “low”. You should specify this value for requests that are not a result of a Data Subject request and thus do not have a legal requirement to be completed within a certain timeframe.

Uses of the Privacy Service API

IMPORTANT
Adobe does not permit the use of the Privacy Service API for reasons other than valid Data-Subject-initiated requests. The Privacy Service API is not an appropriate tool for data cleansing or repairs. Any misuse of the Privacy Service API for non-Data-Subject-initiated requests will have unintended consequences. The Privacy Service API is provided to Adobe customers to help you fulfill Data Privacy requests, which are time sensitive. Using this API for other purposes is not supported by Adobe and may impact Adobe’s ability to provide timely turn-around of high priority, user-initiated Data Privacy requests for other Adobe customers. We ask that you do not use the Privacy Service API for other purposes such as data hygiene or clearing out data that was accidentally submitted across large groups of visitors.

You should also be aware that any visitor who has a hit deleted (updated or anonymized) as a result of a Data Privacy deletion request will have their state information reset. The next time the visitor returns to your website, they will be a new visitor. All eVar attribution will start again, as will information such as visit numbers, referrers, first page visited, etc. TThe result is undesirable for situations where you want to clear out data fields, and highlights one reason why the Privacy Service API is inappropriate for this use.

Please contact your Adobe Account Team to coordinate with our Engineering Architect consulting team to further review and provide level of effort to remove any PII or resolve data issues.

Analytics