AEM cookie classification, behavior, and compliance validation for security and GDPR requirements
Cookies often appear on AEM-powered sites without a clear explanation of their origin, purpose, or classification, which creates GDPR and compliance risk, especially when cookies load before consent or when teams must document whether they store personal data. AEM and Adobe Experience Cloud integrations set functional and identity-related cookies as expected behavior, and these generally do not store personal data directly; consent-management platforms can misclassify them by default, and some cookies originate from infrastructure or third parties.
To resolve this, identify each cookie and its source, determine whether it stores personal data, classify it correctly for consent tools, and apply the supported security attributes.
Description description
Environment
- Adobe Experience Manager as a Cloud Service
- Adobe Experience Manager Managed Services
- Adobe Experience Manager 6.5 (ContextHub)
Issue/Symptoms
- Cookies appear on the site without a clear origin, purpose, or classification.
- Specific cookies (such as
AMCV_,AMCVS_,affinity,demdex,AWSALB) require confirmation of whether they store personal data. - Cookies appear before user consent in consent-management platforms.
- Unknown cookies (such as
dextp) appear after migrating to Adobe Cloud. - Compliance or legal teams require documentation on whether cookies store IP addresses or personal data.
Root cause
AEM and Adobe Experience Cloud integrations set functional and identity-related cookies as part of expected behavior, and these generally do not store personal data directly. When customers enable additional Adobe services such as Analytics, Audience Manager, or Target, associated cookies (for example, demdex, AMCV, mbox, at_check) appear. Infrastructure-level services such as AWS Application Load Balancer set their own cookies. Consent-management platforms may classify cookies incorrectly by default, causing them to load before consent, and some cookies (such as RT) originate from third parties.
Steps to reproduce
- Inspect cookies in the browser developer tools under Application/Storage
>Cookies, and review each cookie’s domain, path, and name. - Compare each cookie against its known Adobe, infrastructure, or third-party origin.
- Inspect cookie values to confirm that none contain readable personal data.
Resolution resolution
To fix the issue:
-
Identify the cookie and its source. Open the browser developer tools, go to Application/Storage
>Cookies, review the domain, path, and name, and map each cookie to its origin:AMCV_,AMCVS_,TEST_AMCV_COOKIE_WRITE- Adobe Experience Cloud ID Servicedemdex,dextp- Adobe Audience ManagerAWSALB,AWSALBCORS- AWS Application Load Balancermbox,at_check,mboxEdgeCluster- Adobe Targetaffinity- AEM load balancer routing cookieRT- third-party Real User Monitoring cookie
-
Determine whether the cookie stores personal or sensitive data:
AMCV/AMCVSstore the ECID (an anonymous visitor ID) and do not contain PII.demdex,dextpprovide visitor ID sync and do not store PII.AWSALBcookies do not store PII.mbox/at_checkstore activity and session information but not PII.affinitydoes not store PII.RTis not set by Adobe and is usually a third-party performance cookie.
-
Classify the cookie for GDPR and consent tools, then confirm the classifications with your legal or privacy team:
- Strictly necessary / technical:
affinity,AWSALB,TEST_AMCV_COOKIE_WRITE, and many ECID cookies when required for core functionality. - Performance / targeting:
AMCV,AMCVS,demdex,mboxwhen used for analytics, personalization, or audience building. - Third-party:
RT.
- Strictly necessary / technical:
-
Ensure cookies do not load before consent when required. In your consent tool, categorize cookies into the groups defined in the previous step. Then clear browser storage, reload the page, and confirm that consent-required cookies (such as
demdexandAMCV) are absent until consent is given. Confirm that Adobe libraries (Analytics, Target, Launch) are blocked by the consent script until approval. -
Configure Secure or HttpOnly flags when required by compliance (Managed Services only, not AEM as a Cloud Service). In the AEM Web Console, go to /system/console/configMgr, open the
org.apache.felix.httpconfiguration, and enable the Secure flag for standard HTTP cookies. Ensure the site is served exclusively over HTTPS, which is required for the Secure flag. Note that HttpOnly cannot be applied toAMCV/AMCVScookies because JavaScript access is required. -
Validate client-side storage for ContextHub (AEM 6.5 Managed Services only). Confirm that data is stored in browser localStorage or sessionStorage unless explicitly configured otherwise, using Application
>Local Storage in the developer tools. -
Validate the result. Clear browser storage and reload to confirm that cookies load only under the correct regulatory category, inspect cookie values to confirm none contain personal data, and verify that Secure flags apply correctly on HTTPS pages where configured (Managed Services only).
-
If a cookie cannot be identified, appears to store readable personal information, or still loads before consent after classification, contact Adobe Support with a screenshot of the cookie values, the environment type (AEMaaCS or Managed Services), the list of enabled Adobe solutions (Analytics, Target, Audience Manager), and your consent tool configuration.