Adobe Target and Data Protection – What Website Operators Need to Know

Compact guide to Adobe Target: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

When a website operator uses Adobe Target, it processes visitor data for the purpose of personalisation and A/B testing on the basis of consent and legitimate interests. Adobe Target is a personalisation and testing tool that enables website operators to divide visitors into groups and show them different versions of content or products in order to optimise conversion rates. This guide is aimed at website operators and explains what information about Adobe Target legally belongs in their own privacy policy.

A. Purpose and Function of Adobe Target

Adobe Target is usually integrated into the website via a JavaScript snippet (client-side) or via server calls. The tool automatically collects data about user behaviour and device attributes. On this basis, Adobe Target creates user segments and automatically shows the visitor one of several pre-defined test variants (A/B testing or multivariate testing).

A website operator typically uses Adobe Target to find out which product detail page, which checkout process, which headline or which marketing message leads to a higher conversion rate. Adobe Target stores click and usage paths, builds behavioural profiles from them and sends these profiles to Adobe systems for central processing, profile enrichment and machine learning training.

Integration is done via a JavaScript tag or a server API. The tag is embedded either directly in the HTML code of the website or via a tag manager (Google Tag Manager, Adobe Launch). For backend implementations, API calls containing visitor identifiers are sent.

B. Mandatory Disclosures in the Privacy Policy regarding Adobe Target

Pursuant to Art. 13(1)(c) GDPR, a website operator must disclose the purposes of processing. Art. 13(1)(d) requires the legal bases, Art. 13(1)(e) the recipients or categories of recipients. Art. 13(1)(f) requires that third-country transfers (e.g. to the USA) be disclosed and justified.

Note: Tool-specific text templates are problematic. Art. 12(1) GDPR requires that privacy policies be drafted in clear and plain language. A text template that is merely copied and pasted and only speaks of Adobe Target does not show the specific processing on this website and violates the transparency requirement. Better: The website operator describes in a topic-oriented manner (e.g. under "Optimisation and Personalisation") which data is processed for this purpose, by which tools and on what legal basis.

At the end of the privacy policy, a recipient appendix is recommended, which bundles all processors and their purposes.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Adobe Target: Adobe Systems Software Ireland Limited

Legal name: Adobe Systems Software Ireland Limited
Address: 4-6 Riverwalk, Citywest Business Campus, Dublin 24, D24 AV82, Ireland
Country of registered office: Ireland (European Economic Area)
Role: Processor

DPF status: Adobe Inc. (USA) is DPF-certified. Further information at https://www.adobe.com/de/privacy/policy.html

Data Processing Addendum (DPA): Adobe provides a DPA, which website operators must conclude with Adobe before using Adobe Target. The DPA regulates the processing of personal data on the instruction of the website operator and contains obligations regarding data protection, sub-processors, data transfer to third countries and data security.

D. Data Processing by Adobe Target – Sequence

Collection

Adobe Target collects data through its client-side JavaScript tag. The data is collected when the website is visited and includes visitor identifiers, device attributes, click paths, page content, conversion events and time metadata. The website operator can also pass data to Adobe Target via data layer variables.

Storage

Adobe Target stores the data in its systems, which are located in the USA. The retention period is typically 30 days (for visitor segments and activity data); longer periods are configurable.

Use

Adobe Target uses the data to (a) build visitor segments, (b) select activities (tests), (c) carry out A/B tests, (d) show the visitor a test variant, and (e) generate reports for the website operator.

Disclosure

Adobe may pass the data on to sub-processors (e.g. for analysis purposes or storage). A list of sub-processors can be found in Adobe's DPA. In addition, a transfer takes place to the USA as a third country; Adobe relies on the DPF and, where applicable, Standard Contractual Clauses (SCCs).

Erasure

After the configured retention period has expired, Adobe Target automatically deletes or anonymises the data. A website operator can also have data deleted on request before the period has expired.

E. Data Collected when Using Adobe Target

Adobe Target automatically collects a variety of data about visitors. The scope can be configured by the website operator (e.g. which data is transmitted via the data layer).

This data can be classified into the following standardised data categories:

  • Web server log data: IP address, date/time/time zone, URL, referrer, browser/OS/device, technical metadata
  • Click paths: Pages visited including referrer, clicked links/buttons with date/time
  • Device data: Device type, operating system, screen resolution/size, orientation, touch support
  • Browser information: Browser name, browser version, installed extensions
  • User profiles: Interests, preferences, segment assignments, usage histories, derived metrics
  • Conversion events: Registration, shopping cart creation, product purchase, appointment booking, contact request, download, video view, calling up specific pages
  • Interaction data: Scroll movements, mouse movements, key presses, mouse pointer position, touch movements, clicks
  • Technical telemetry data: Error messages, loading times, data volume

This information is based on provider information and publicly accessible sources (Adobe documents its data collection in technical documentation and the DPA).

F. Purposes of Use when Using Adobe Target

Adobe Target is generally used for the following purposes:

  • User-individual product improvement: A/B tests, multivariate testing, personalised content, personalised offers
  • General product improvement: Optimisation based on frequently accessed content or high conversion rates, usability, business planning
  • General marketing: Measuring the success of campaigns, reach analysis, target group definition
  • User profile creation: Identification of interests, purchasing behaviour, segments
  • Provision of functionality: Provision of the product functionality, error detection/correction
  • Security and abuse protection: Attack detection, fraud prevention

Adobe Target is a tracking and personalisation tool. The following legal bases are relevant for data processing:

  1. Consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG): For cookies and similar storage technologies that Adobe Target uses to identify visitors and track their activities, explicit consent is required under German law. This must be given before the cookie is set and must explicitly relate to Adobe Target or at least to "optimisation and personalisation" or "marketing cookies".

  2. Legitimate interests (Art. 6(1)(f) GDPR): Insofar as Adobe Target is only used to improve the website functionality (e.g. error tracking for troubleshooting), the legitimate interests of the website operator can be invoked. This requires a balancing of interests.

Note: A case-by-case review with legal advice is necessary, as the boundary between provision of functionality and profiling is fluid.

H. Special Features and Notes on Adobe Target

  • Cookie management: Adobe Target sets cookies itself (e.g. mbox) and uses first-party cookies to recognise visitors. The website operator must list these cookies in the privacy policy.
  • DPF and SCCs: Adobe relies on the Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) for third-country transfers. The website operator should refer to the DPF certification.
  • Sub-processors: Adobe works with sub-processors. A current list should be coordinated with Adobe.
  • Data security: Adobe is ISO 27001 certified and implements technical and organisational measures (TOMs).
  • Opt-out options: Visitors can deactivate Adobe Target. The website operator should offer an opt-out link in the privacy policy.

I. FAQ on Adobe Target

J. Conclusion and Recommendations on Adobe Target

Adobe Target is a powerful personalisation tool, but is associated with significant data protection obligations. A website operator must ensure that consents are in place, that the third-country transfers to the USA are legally justified, and that the privacy policy transparently explains which data is processed for which purposes.

Tool-specific text templates that are merely copied contradict the transparency requirement under Art. 12(1) GDPR. A topic-oriented approach that specifically describes how Adobe Target is used on this website and what the consequences are for visitors is better. A recipient appendix to the privacy policy that lists all processors creates additional clarity.

Website operators should also ensure that a complete and up-to-date Data Processing Addendum (DPA) with Adobe is in place and that they know all sub-processors.

This article is for general information purposes on Adobe Target and does not replace legal advice in individual cases. The information is based on provider information and publicly accessible sources (status: 2026-04-22). Website operators should coordinate their privacy policy with a data protection officer or lawyer.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com