Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Adobe Analytics is the enterprise web and app analytics platform of the Adobe Experience Cloud. It collects pageviews, clicks, conversion events, custom variables (eVars and props) and cross device journeys via the AppMeasurement library or the Web SDK. From a GDPR perspective Adobe Analytics is a high impact analytics product that sets persistent cookies, can be combined with Customer AI and Audience Manager, and transfers data to Adobe Inc. in the United States.
Adobe Analytics is the enterprise analytics platform of the Adobe Experience Cloud and one of the historical leaders in digital analytics, with a strong presence among large banks, retailers, media groups and public sector organisations in Europe. It is typically deployed via Adobe Launch (now Tags in Adobe Experience Platform) by loading the AppMeasurement.js library or the new Web SDK (alloy.js), which captures pageviews, link clicks, form interactions, custom events and a rich set of variables (eVars, props, success events) that map to the analytics report suites.
Adobe Analytics sets the Adobe Experience Cloud Visitor ID (AMCV_*), session cookies (s_cc, s_sq), the legacy s_vi cookie when first party domain is not configured and additional cookies when integrated with Adobe Audience Manager (demdex). It collects the visitor IP address (truncated server side via the Obfuscate IP setting when enabled), page URL, Referer, User Agent, custom variables, conversion events and timing data. When the Web SDK is used, the data is sent through the Adobe Edge Network which can carry cross product identifiers for Adobe Target and Audience Manager.
Adobe Analytics is a third party analytics service that stores persistent identifiers on the device, falls outside the ePrivacy strictly necessary exemption and requires consent under Article 5(3) of the ePrivacy Directive before any cookie is set or any event is collected. The legal basis under the GDPR is consent under Article 6(1)(a). European regulators (CNIL, AEPD, Garante) require that scripts and cookies do not load before the visitor has actively accepted, that consent be granular and that visitors can withdraw at any time.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Adobe Analytics customer data is processed by Adobe Inc. in the United States, with regional report suites that may live in Adobe data centres in the United States, Singapore or London. Even when an EU report suite is selected, certain administration, support and Customer AI features remain centralised in the United States. Transfers rely on the Adobe Data Processing Agreement, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, with TLS 1.3 in transit, encryption at rest, ISO 27001 and SOC 2 Type II controls.
Sign the Adobe Data Processing Agreement and configure the IP Obfuscation setting at the maximum level allowed by your reporting needs. Use Adobe Launch or Tags rules that only fire the analytics beacon after consent is recorded by your consent management platform (Cookiebot, OneTrust, Adobe Privacy Service, Sourcepoint). Set short retention for raw hits, disable the Marketing Cloud ID Service if you do not need cross product identification, and document Adobe Analytics in your record of processing activities.
Websites using Adobe Analytics must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required when Adobe Analytics is deployed at scale together with Customer AI, Audience Manager or Adobe Real Time CDP, when it serves sensitive verticals (financial services, health, public sector), when it processes data about EU minors or when cross device stitching is enabled across Adobe Experience Cloud products.
Sample consent text
We use Adobe Analytics (Adobe Inc., USA) to understand how our visitors use the site and to improve our content. Adobe Analytics sets cookies (s_cc, s_sq, AMCV_*) and transfers your IP address and behavioural data to Adobe servers, including in the United States. By accepting, you allow this analytics tracking under EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
omtrdc.netomtrdc.netsc.omtrdc.net2o7.netadobedc.net2o7.netdemdex.netadobedtm.comeveresttech.netdemdex.neteveresttech.netadobedtm.comassets.adobedtm.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AMCV_<orgID>@AdobeOrg | First party (Experience Cloud) | 2 years | Stores the Experience Cloud Visitor ID used to join behavioural data across Adobe Experience Cloud products (Adobe Analytics, Adobe Target, Adobe Audience Manager) |
| s_cc | Analytics | Session | Tests whether the browser accepts cookies. Set when AppMeasurement.js loads. |
| AMCVS_<orgID>@AdobeOrg | First party (Experience Cloud) | Session | Indicates that an Experience Cloud session has started and synchronises the AMCV cookie within the session |
| s_sq | Analytics | Session | Stores information about the previous link clicked within the site for click map and exit link reporting. |
| s_cc | First party (AppMeasurement) | Session | Tests whether cookies are enabled in the browser. Required for AppMeasurement to determine whether data can be collected |
| s_vi | Analytics | 2 years | Unique visitor identifier used by Adobe Analytics to distinguish individual visitors and stitch sessions together. |
| s_sq | First party (AppMeasurement) | Session | Records the previous link clicked and the report suite that received the click, used for click map and link tracking reports |
| AMCV_###@AdobeOrg | Analytics | 2 years | Adobe Experience Cloud Identity Service visitor ID used to identify the same visitor across Adobe Experience Cloud applications. |
| s_vi | First party (AppMeasurement, legacy) | 2 years | Legacy visitor identifier still written by older AppMeasurement deployments; replaced by the Experience Cloud Visitor ID |
| AMCVS_###@AdobeOrg | Analytics | Session | Indicates that the Adobe Experience Cloud Identity Service session has started. |
| demdex | Third party (Adobe Audience Manager) | 6 months | Adobe Audience Manager visitor identifier used for audience segmentation and cross site retargeting when AAM is activated through Adobe Analytics |
| s_fid | Analytics | 5 years | Fallback unique visitor identifier used when the primary s_vi cookie cannot be set, typically due to ITP restrictions. |
| kndctr_<orgID>_AdobeOrg_identity | First party (Adobe Experience Platform Web SDK) | 2 years | Stores the Experience Cloud Identity (ECID) used by the new Web SDK that replaces the legacy Visitor.js library |
| mbox | Analytics | 2 years | Set when Adobe Target is integrated. Stores the Target session ID and visitor PCID for personalisation and A/B testing. |
Adobe Analytics collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Adobe Analytics sets several first party and third party cookies including s_cc (session test), s_sq (last hit tracker), s_vi (unique visitor ID, 2 years), AMCV_* and AMCVS_* (Adobe Experience Cloud visitor IDs, 2 years and session), s_fid (fallback visitor ID, 5 years) and mbox related cookies when integrated with Adobe Target. Cookie names and lifetimes can change depending on your implementation and the first party cookie configuration you choose.
AppMeasurement sets four main first party cookies: AMCV_<orgID>@AdobeOrg, which stores the Experience Cloud Visitor ID for up to 2 years; s_cc, a session cookie used to test whether cookies are enabled; s_sq, a session cookie that records the last link clicked; and s_vi, the legacy visitor identifier with a default lifetime of 2 years. The Adobe Experience Platform Web SDK also stores the kndctr_<orgID>_AdobeOrg_identity and consent cookies.
Yes. Under the GDPR and the ePrivacy Directive, Adobe Analytics requires prior, freely given, specific, informed and unambiguous consent before any tracking cookie or identifier is set on the user device. CNIL, Datenschutzkonferenz and AEPD have all confirmed that audience measurement tools that go beyond strictly necessary statistics fall under article 5(3) ePrivacy and need consent.
Yes. Adobe Analytics is not covered by the CNIL audience measurement exemption because the Experience Cloud Visitor ID is shared across Adobe products and can be combined with CRM data. Prior consent must be collected under GDPR art. 6(1)(a) and ePrivacy art. 5(3) before AppMeasurement is loaded. Server side data collection without device storage may use legitimate interest, but only with strict minimisation.
The only valid legal basis is consent (article 6(1)(a) GDPR), combined with consent under article 5(3) of the ePrivacy Directive for the storage and reading of information on the user device. Legitimate interest is not a viable basis because Adobe Analytics processes online identifiers and behavioural data that go beyond what is strictly necessary to deliver the service.
Consent under GDPR art. 6(1)(a) combined with ePrivacy art. 5(3) for the cookies and the Experience Cloud Visitor ID. Legitimate interest under art. 6(1)(f) is not accepted by EU regulators for the standard client side deployment because the Visitor ID enables cross product profiling and the data is transferred to Adobe in the US.
Adobe Inc. is headquartered in the United States and Adobe Analytics data is processed on Adobe infrastructure that can involve transfers outside the EEA. Since the Schrems II ruling and the EU US Data Privacy Framework, transfers are possible if Adobe is certified under the DPF or if appropriate safeguards such as Standard Contractual Clauses and supplementary technical measures are in place. You must document the transfer mechanism in your records of processing activities.
Yes. Even when the report suite sits on the EU cluster (London or Dublin), Adobe support and engineering staff in the United States, India and Romania can access the data. Adobe is certified under the EU US Data Privacy Framework. The 2021 Standard Contractual Clauses are used as a fallback and a Transfer Impact Assessment is required by EDPB Recommendation 01/2020.
A DPIA is recommended when Adobe Analytics is used for large scale behavioural profiling, when it is combined with Adobe Audience Manager or Adobe Target for cross site tracking, or when sensitive sites such as health, finance or political content are involved. For a vanilla audience measurement use case with limited dimensions and consent management, a DPIA is generally not mandatory but a Legitimate Interests Assessment style risk review is still recommended.
Yes, in most cases. The combination of persistent identifiers, behavioural profiling across Adobe products, session level capture, optional CRM linkage and US transfers triggers several DPIA criteria in the EDPB list. The DPIA must document cluster residency, retention, access controls, transfer impact and consent gating.
Block the Adobe Analytics tag (AppMeasurement.js or the Launch rule) until you have explicit consent. Use the Adobe Experience Cloud Privacy JS library or your CMP to forward consent signals to Adobe via setOptOut or the Consent Management API. Configure first party cookies on your own domain, enable IP obfuscation, disable Adobe ID synching when not needed, and sign the Adobe Data Processing Addendum.
Load AppMeasurement only after consent, request the EU cluster, enable IP obfuscation, set retention to 13 or 25 months, disable cross product activation when not needed, integrate with your CMP via Adobe Experience Platform tags and IAB TCF v2.2, publish a clear notice and register the processing in your record of processing activities.
For EU first audience measurement: Matomo (self hosted or EU cloud), Piwik PRO, AT Internet, Plausible, Fathom, Simple Analytics or Pirsch. These products either run cookieless or qualify for the CNIL audience measurement exemption when properly configured, removing the need for prior consent and US transfers.
For a privacy first audience measurement stack, Matomo on premise, Piano Analytics (formerly AT Internet) and Plausible offer EU hosted, consent friendly options. For enterprise scale, Piwik PRO Analytics Suite and Mapp Intelligence are common Adobe alternatives. Google Analytics 4 is not necessarily more compliant since it raises the same consent and US transfer questions.
List Adobe Analytics in your cookie policy with the cookie names, durations and purposes shown in this page. In your privacy notice, name Adobe Inc. as processor, describe the categories of data (online identifiers, browsing behaviour, device data), mention the data transfer to the United States and the safeguards used (DPF or SCCs), and explain how to withdraw consent. Keep the list in sync with your real tag configuration.
List Adobe Analytics as a third party processor, name the cookies (AMCV, s_cc, s_sq, s_vi), state the retention period, mention the Experience Cloud Visitor ID, disclose the US access under the Data Privacy Framework, link to the Adobe Privacy Center and provide a way to withdraw consent at any time.