Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Adobe Experience Manager (AEM) is Adobe's enterprise content management system, comprising AEM Sites, AEM Assets and AEM Forms. It is delivered as a self hosted product or as AEM as a Cloud Service, and ships with optional ContextHub personalisation that can set behavioural cookies.
Adobe Experience Manager (AEM) is Adobe''s enterprise content management system, marketed as part of the Adobe Experience Cloud. AEM Sites delivers public websites and editorial workflows, AEM Assets manages images, video and document libraries, AEM Forms handles digital forms and approvals. The product is offered as a customer hosted Java application, as Adobe Managed Services, or as AEM as a Cloud Service.
By default AEM sets a handful of strictly necessary cookies such as login-token, cq-authoring-mode and the JSESSIONID for the underlying Java application. ContextHub, the personalisation framework bundled with AEM Sites, can additionally write cq.profile, cq.products and cq.surferinfo cookies in the visitor browser to drive segmentation. When AEM is integrated with Adobe Analytics, Adobe Target or the Experience Cloud Identity Service, the corresponding cookies and identifiers (AMCV_, mbox, ECID) are set as well.
Login and CSRF cookies are strictly necessary and exempt from consent under Article 5(3) of the ePrivacy Directive. ContextHub segmentation cookies and any Adobe Analytics or Target integration go beyond strictly necessary processing: they require informed, prior consent. Where AEM is hosted by Adobe (AMS or Cloud Service), processing on behalf of the customer is governed by the Adobe Data Processing Addendum.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Strictly necessary AEM cookies are exempt. Personalisation, A/B testing and analytics integrations must be gated behind a Consent Management Platform. The AEM Sites integration with Adobe Tags or Launch makes it straightforward to wire third party scripts to a CMP signal. ContextHub itself does not include native consent management, so disable or restrict it until the visitor accepts the analytics or marketing category.
AEM as a Cloud Service and Adobe Managed Services support EU regional hosting on AWS or Azure. Even then, support telemetry, backups, and Experience Cloud integrations (Analytics, Target, ECID) usually flow through US Adobe systems. Adobe relies on the EU US Data Privacy Framework and SCCs. Customers running self hosted AEM in their own EU data centre can keep CMS data on shore but must still review any Experience Cloud add ons.
Audit which AEM components are active (ContextHub, Personalisation, Search and Promote, Analytics integration). Configure your CMP to block personalisation, A/B testing and analytics scripts until consent is granted. Use AEM Tags or Launch to load third party scripts conditionally on consent state. Sign Adobe''s DPA, choose EU hosting where available, document data flows in your record of processing activities, and run a DPIA when ContextHub or Target is used at scale.
Websites using Adobe Experience Manager must obtain user consent under GDPR regulations.
DPIA considerations
AEM itself is a CMS and most cookies it sets directly (login, CSRF, authoring mode) are strictly necessary. A DPIA may be needed where AEM Sites is combined with ContextHub personalisation, Adobe Target experiments, Adobe Analytics, or large scale profiling using the Experience Cloud ID. Document the full Experience Cloud integration footprint before exempting AEM from Art. 35 GDPR review.
Sample consent text
Our website is built on Adobe Experience Manager. We use Adobe ContextHub and Adobe Analytics to personalise content and measure performance. These services may transfer data to Adobe Inc. in the United States. Please confirm your consent below.
Third-party domains contacted
adobeaemcloud.comadobedtm.comomtrdc.netdemdex.netadobe.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| login-token | Strictly necessary (AEM authoring login) | Session | Maintains the authenticated session for editors in the AEM author environment |
| cq-authoring-mode | Strictly necessary (AEM authoring) | Session | Stores the active editing mode (preview, edit, design) for AEM authors |
| JSESSIONID | Strictly necessary (Java application server) | Session | Identifies the user session on the underlying Java application server |
| cq.profile | Personalisation (ContextHub) | Persistent (varies) | Stores the ContextHub user profile used for segmentation and personalisation |
| cq.surferinfo | Personalisation (ContextHub) | Persistent (varies) | Captures device, browser and referrer signals for ContextHub segmentation |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
By itself AEM sets only a few strictly necessary cookies (login-token, cq-authoring-mode, JSESSIONID). With ContextHub enabled it adds cq.profile, cq.products and cq.surferinfo to support segmentation. Integrations with Adobe Analytics, Target or the Experience Cloud Identity Service introduce additional cookies (AMCV_, mbox, ECID) that go beyond strictly necessary processing.
Operating AEM as a pure CMS only requires the strictly necessary cookies, which are exempt from consent. As soon as you turn on ContextHub personalisation, A/B testing through Adobe Target, or Adobe Analytics tracking, you must obtain prior explicit consent before those scripts run.
Strictly necessary CMS cookies rely on Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) (legitimate interest in keeping the site running). Personalisation, analytics and marketing cookies require consent under Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy.
Self hosted AEM in an EU data centre processes CMS data locally. Adobe Managed Services and AEM as a Cloud Service offer EU regions, but Adobe support, telemetry, and any Experience Cloud integration (Analytics, Target, ECID) typically route through the US. Adobe relies on SCCs and the EU US Data Privacy Framework.
A bare AEM Sites deployment for editorial content rarely requires a DPIA. A DPIA becomes appropriate when ContextHub, Target experiments, behavioural personalisation, or large scale analytics integrations are layered on top of AEM, especially when combined with the Experience Cloud Identity Service.
Audit active components and integrations, route every personalisation and analytics script through a Consent Management Platform (Adobe Tags / Launch make this easier), choose EU hosting where possible, sign the Adobe DPA, and document Experience Cloud data flows in your RoPA. Keep ContextHub disabled by default until consent is granted.
For Europe focused customers, alternatives include open source CMS like TYPO3, Drupal or Strapi (EU friendly hosting), and commercial European platforms like Magnolia, Hippo (Bloomreach) or Storyblok. None offer the same Experience Cloud integration but they reduce US data flow risk.
List the strictly necessary AEM cookies separately and exempt them from consent. Disclose ContextHub cookies under a personalisation category and Adobe Analytics or Target cookies under analytics and marketing categories. Reference Adobe as a sub processor and link to the Adobe privacy policy and DPA.