Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
The Adobe Experience Platform Identity Service is the underlying identity resolution layer of the Adobe Experience Cloud. It issues and maintains the Experience Cloud ID (ECID), a persistent visitor identifier that lets Adobe Analytics, Target, Audience Manager and Campaign recognise the same visitor across sessions and properties. The ECID is a persistent online identifier under the GDPR and its use requires consent under ePrivacy Art. 5(3) and Art. 6(1)(a).
The Adobe Experience Platform Identity Service is the foundational identity resolution layer of the Adobe Experience Cloud. It issues a persistent visitor identifier called the Experience Cloud ID (ECID), formerly known as the Marketing Cloud ID (MID). The ECID lets every Adobe product downstream (Adobe Analytics, Adobe Target, Adobe Audience Manager, Adobe Campaign, Adobe Commerce, Adobe Journey Optimizer) recognise the same visitor across sessions and across properties, stitching together separate touchpoints into a single profile.
The Identity Service writes the AMCV_<orgID>@AdobeOrg cookie on the operator''s first party domain (2 year lifetime) containing the ECID. The same ECID is sent to demdex.net (the Adobe Audience Manager identity graph host) where it is joined to the Adobe Marketing Cloud ID and to third party partner cookies from DSPs and ad networks. The Web SDK (alloy.js) and the legacy Visitor Service handle cookie issuance, ID syncing, opt out and consent state. The Identity Service does not write tracking data itself, but every downstream Adobe product transmits its events with the ECID attached.
Because the Identity Service writes a persistent cookie that is not strictly necessary, ePrivacy Art. 5(3) requires prior informed consent before alloy.js or the legacy Visitor.js may execute. Under the GDPR the same processing requires consent under Art. 6(1)(a) since the ECID is a persistent online identifier and personal data. Operators should treat the Identity Service as a high risk processing activity because it is a cross product, cross device identifier shared across Adobe ecosystems. Demdex.net synchronisation involves transfer to Adobe Inc. in the US and joining with third party ad tech vendors.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Adobe Experience Platform supports the IAB Europe TCF v2.2 consent string, the Google Additional Consent string and a custom Adobe consent format. The Web SDK can be configured to wait for a consent decision before issuing the ECID, which is the recommended approach for GDPR compliance. With Adobe Launch or Adobe Tags, operators wire the consent signal from their Consent Management Platform to the Identity Service tag, then propagate the same signal to Analytics, Target and Audience Manager.
Adobe operates a global edge network with US primary processing. Adobe Experience Platform Enterprise customers can choose EU regional processing for their tenant (Ireland or Frankfurt), which keeps event data and profile storage in the EU. However, the identity graph reconciliation that powers cross site recognition is global by design, so some processing always touches non EU infrastructure. Adobe self certifies under the EU US Data Privacy Framework, offers Standard Contractual Clauses, and has Binding Corporate Rules approved by the CNIL.
Gate the Identity Service (alloy.js or Visitor.js) behind a Consent Management Platform with explicit advertising consent before issuing the ECID. Configure the Web SDK with consent integration so the ECID and downstream Adobe products honour the visitor''s choice. Sign Adobe''s Data Processing Addendum and Standard Contractual Clauses, and where relevant the BCR. Document the Identity Service in the record of processing, including the ECID, the AMCV cookie, the demdex.net synchronisation, the US transfer mechanism and the EU regional processing option chosen. Run a DPIA covering the cross product identity graph.
Websites using Adobe Experience Platform Identity Service must obtain user consent under GDPR regulations.
DPIA considerations
The Identity Service issues an Experience Cloud ID (ECID) and stores it in the AMCV_<orgID>@AdobeOrg cookie on the operator's first party domain (2 year lifetime). The same ECID is synchronised to demdex.net (Adobe's identity graph host) where it is joined to other Adobe Audience Manager identifiers and to third party DSP partner cookies. DPIA considerations: (1) the ECID is a persistent online identifier and personal data under the GDPR; (2) the cross product nature of the ID enables identity stitching across Adobe Analytics events, Adobe Target experiment exposures, Adobe Audience Manager audience memberships and Adobe Campaign sends, which is a high risk profiling vector; (3) demdex.net synchronisation involves transfer to Adobe US infrastructure and joining with third party ad tech vendors; (4) Adobe is a US company with US CLOUD Act exposure; (5) Adobe offers regional processing on Adobe Experience Platform (Ireland, Frankfurt) on Enterprise plans, but the identity graph itself remains global. A DPIA is strongly recommended for any deployment.
Sample consent text
We use the Adobe Experience Platform Identity Service to recognise you across sessions and across our Adobe Experience Cloud tools (Adobe Analytics, Adobe Target, Adobe Audience Manager). Adobe assigns you a persistent visitor identifier (Experience Cloud ID) stored in the AMCV cookie on our domain. The identifier is also synchronised with Adobe Inc. in the United States and may be matched to advertising partners. We rely on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via our cookie settings.
Third-party domains contacted
demdex.netdpm.demdex.netfastly.demdex.neteveresttech.netomtrdc.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AMCV_<orgID>@AdobeOrg | Marketing / Advertising | 2 years | Set by the Adobe Experience Platform Identity Service on the operator's first party domain. Contains the Experience Cloud ID (ECID), the version of the Identity Service that issued it and the timestamp. Read by all downstream Adobe Experience Cloud products to recognise the visitor. |
| demdex | Marketing / Advertising | 6 months | Set by Adobe on the demdex.net third party domain. Carries the Adobe Audience Manager identifier and is used to synchronise the ECID with DSP and ad network partner cookies for cross site audience matching. |
| s_ecid | Marketing / Advertising | 2 years | Set by Adobe Analytics on the operator's domain. First party backup copy of the Experience Cloud ID, used to recover the ECID when third party cookie access to demdex.net is blocked by the browser. |
| dst | Marketing / Advertising | 13 months | Set by Adobe on demdex.net. Stores the destination publishing state used by Audience Manager to track which audience destinations have already received the visitor's segment memberships. |
| aam_uuid | Marketing / Advertising | 30 days | Set by Adobe Audience Manager on third party DSP domains during ID syncing. Stores a mapping between the ECID and the partner's own user identifier so that audience segments can be reused across platforms. |
Adobe Experience Platform Identity Service collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The Identity Service writes the AMCV_<orgID>@AdobeOrg cookie on the operator's first party domain (2 year lifetime) containing the Experience Cloud ID (ECID), version and timestamp. Demdex.net synchronisation sets a demdex cookie on the demdex.net third party domain (6 month lifetime). Adobe Analytics may also write s_ecid as a backup first party copy of the ECID.
Yes. The AMCV cookie is a persistent online identifier, not strictly necessary, so ePrivacy Art. 5(3) requires prior consent. Under the GDPR the same processing requires consent under Art. 6(1)(a). No firing of alloy.js or Visitor.js before consent.
Consent (GDPR Art. 6(1)(a)). Legitimate interest is generally not available because the cross product cross device profiling enabled by the ECID does not meet EDPB balancing test criteria for tracking technologies.
Yes. Adobe Inc. is US based and the demdex.net identity graph is operated globally with US primary processing. EU regional processing is available on Adobe Experience Platform Enterprise (Ireland, Frankfurt) for event and profile storage, but the identity graph reconciliation itself remains global. Adobe self certifies under the EU US Data Privacy Framework and offers SCCs and BCR.
A DPIA is strongly recommended. The processing combines persistent online identifiers, cross product profiling, demdex.net synchronisation with third party DSPs, and US data transfer. All four factors are flagged by EDPB guidance as high risk; the DPIA threshold under GDPR Art. 35 is typically met.
Use the Adobe Experience Platform Web SDK (alloy.js) with consent integration so the ECID is not issued before the visitor grants advertising consent. Wire the consent signal from your CMP through Adobe Launch/Adobe Tags to Identity, Analytics, Target and Audience Manager. Sign Adobe's DPA, SCCs and BCR. Choose EU regional processing on Adobe Experience Platform Enterprise if available. Run a DPIA covering the cross product identity graph.
Other identity resolution layers include Tealium AudienceStream (US, with EU residency on Enterprise), mParticle (US), Treasure Data (US), Segment (US, Twilio owned) and EU based alternatives such as Commanders Act (France), Mapp Cloud (Germany) and Bloomreach Engagement. Each has its own consent and transfer profile.
List AMCV_<orgID>@AdobeOrg and demdex under marketing/advertising cookies, with their durations. Name Adobe Inc. as a recipient in the privacy notice, declare the US transfer and the EU regional processing option chosen, and reference the identity graph functionality. Provide a working withdrawal link that clears the ECID and stops further Adobe Experience Cloud event collection.