At a glance
Adobe Analytics is not GDPR compliant by default. Unlike smaller tools, it’s a powerful enterprise platform where the controller (you) has significant responsibility for configuration. You’ll need to manage consent, IP obfuscation, data governance labels, retention limits, DSAR workflows, and a signed DPA with Adobe. EU data centre options exist.
The challenge: Adobe Analytics is a highly flexible, highly complex tool. Compliance isn’t something Adobe does for you – it’s something you configure and maintain as the data controller. Adobe provides the mechanisms; you’re responsible for using them correctly.
What does Adobe Analytics collect?
Out of the box, Adobe Analytics collects full IP addresses, sets cookies without consent, retains data indefinitely, and doesn’t have consent integration enabled. Like most major analytics platforms, it needs to be configured for compliance.
With proper configuration, however, Adobe Analytics has some of the most robust compliance tooling available – including EU data residency, a Privacy API for DSARs, and governance labels for classifying data at the field level. A standard Adobe Analytics implementation collects:
- Full IP addresses (before any obfuscation).
- Visitor IDs (via first-party cookies, typically s_vi and AMCV_).
- Page views, events, and custom variables (eVars, props) configured by your team.
- Browser and device information (user agent string, screen resolution).
- Referrer data and marketing attribution.
- Timestamp and geolocation data derived from IP.
- Any custom data points your team has passed through eVars, props, or the data layer.
That last point is critical: what Adobe Analytics collects is defined by your implementation. If your team has passed in user names, email addresses, loyalty numbers, or other directly identifying information through eVars – which is common, and almost always non-compliant – your data layer contains personal data that goes far beyond standard analytics.
Compliance steps: what you need to do
- Integrate consent before the tag fires: Adobe Analytics should not load until the user has consented via your cookie banner. Use Adobe Launch (now Adobe Experience Platform Tags) or your tag manager to gate the Adobe Analytics tag behind consent. Adobe’s Opt-in Service, part of the ECID (Experience Cloud ID) library, can also be used to manage consent signals natively within the Experience Cloud stack.
- Enable IP obfuscation: Adobe Analytics can be configured to obfuscate or remove IP addresses before they’re stored. Access this via Admin → Report Suites → General Account Settings → IP Obfuscation. Full IP addresses are personal data – obfuscation is not optional under a strict reading of GDPR. Your options are:
  - Obfuscation (last octet removed),
  - Hash (IP hashed before storage), or
  - Removal.
- Apply Data Governance labels: Adobe Analytics has a Data Governance framework that allows you to label data fields with privacy classifications – identifying which variables contain personal identifiers, sensitive data, or data that should be excluded from export. Apply governance labels to all eVars, props, and events. This is the foundation for privacy-compliant data operations and DSAR handling.
- Set data retention periods: Adobe Analytics data is retained for the period configured in your contract and settings. Review your retention settings and align them with your retention policy. Most organisations have no need to retain detailed analytics data beyond 25 months, and many need less. Audit what you have and reduce retention where possible.
- Implement DSAR workflows: Adobe provides a Privacy API (part of Adobe Experience Platform Privacy Service) for submitting and managing data subject access requests – access, deletion, and opt-out. Configure this to connect to your internal DSAR process. Critically: if your governance labels are correctly applied, the Privacy API can accurately identify and delete personal data fields without wiping all analytics data.
- Sign a Data Processing Agreement: Adobe provides DPA documentation through the Adobe Legal Center. You need a signed DPA in place – it should already be part of your Adobe contract, but verify that it is and that it reflects current processing activities. Ensure the DPA covers all Experience Cloud products you’re using, not just Analytics in isolation.
EU data residency
Adobe offers EU data centre options for Analytics data. Data collected from EU visitors can be stored and processed in Adobe’s European data centres, reducing (though not eliminating) international transfer concerns.
With EU data residency: your data doesn’t leave the EU/EEA for standard processing, which substantially addresses the international transfer issue. Some processing activities (such as backup and disaster recovery) may still involve non-EU infrastructure – check the specifics of your contract.
PII in custom variables
One of the most common GDPR issues in many complex analytics products – especially Adobe Analytics implementations – is personal data inadvertently passed into variables. This typically happens when:
- A user’s name or email address is used for personalisation purposes
- A loyalty number (which may be linkable back to an individual) appears in an event
- A free-text search query captures personal information
- User IDs from your CRM are pushed through without pseudonymisation
Audit your eVars and custom variables. Any that contain or could contain directly identifying data need to be explicitly labelled in your governance framework and included in your DSAR deletion workflows.
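
One way to run that audit over a sample of collected hits, as an added example that is not part of the original article or of Adobe's tooling. The hit shape, the detector patterns and the `LOY-` loyalty number format are assumptions, and the sample hits are constructed.

```javascript
// Added example: flag eVars/props whose values look like personal data.
// Detector patterns are illustrative assumptions; tune them to your own data.
const DETECTORS = [
  { type: "email", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i },
  { type: "phone", re: /\+\d{1,3}[\s-]?\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}/ },
  // Hypothetical loyalty number format; replace with your own scheme.
  { type: "loyalty_number", re: /\bLOY-\d{8}\b/ },
];

// Only eVarN / propN keys are audited; other hit fields are ignored here.
const VARIABLE_KEY = /^(eVar|prop)\d+$/;

function auditHits(hits) {
  const counts = new Map(); // "variable|type" -> number of hits affected
  for (const hit of hits) {
    for (const [key, value] of Object.entries(hit)) {
      if (!VARIABLE_KEY.test(key) || typeof value !== "string") continue;
      for (const { type, re } of DETECTORS) {
        if (re.test(value)) {
          const id = `${key}|${type}`;
          counts.set(id, (counts.get(id) || 0) + 1);
        }
      }
    }
  }
  // Report the variable, the detected type and a count, never the matched
  // value itself, so the audit report does not become a second copy of the PII.
  return [...counts.keys()].sort().map((id) => {
    const [variable, type] = id.split("|");
    return { variable, type, count: counts.get(id) };
  });
}

// Constructed sample hits (not real data).
const SAMPLE_HITS = [
  { pageName: "home", eVar1: "newsletter-banner", prop3: "shoes" },
  { pageName: "account", eVar5: "jane.doe@example.com", eVar12: "LOY-00412345" },
  { pageName: "search", prop3: "order for john@example.org", eVar1: "promo" },
  { pageName: "checkout", eVar12: "LOY-00998877", prop7: "call +44 20 7946 0958" },
];

console.log(auditHits(SAMPLE_HITS));
```

Each variable the audit reports is a candidate for a governance label and for inclusion in the DSAR deletion workflow; free-text variables such as search terms usually need a larger sample before they can be cleared.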