Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Adobe Target is the A/B testing, multivariate testing and personalisation engine of the Adobe Experience Cloud, used to deliver targeted variations based on visitor profiles and audiences.
Adobe Target is the A/B testing, multivariate testing and personalisation tool of the Adobe Experience Cloud. It delivers different page variations to different visitor segments based on rules, machine learning or external audiences fed by Adobe Audience Manager. Adobe Target runs through mbox tags injected on every page, or through the server side Decisioning API. It is widely used by enterprise marketing teams to optimise conversion and tailor content.
Adobe Target sets the mbox cookie (visitor PCID, 2 years), the mboxEdgeCluster cookie (edge node, 1 month) and reads Adobe Experience Cloud Identifiers (AMCV_ and AMCVS_). On each page view, it sends details about the URL, referrer, screen size, user attributes, profile parameters and audience memberships. The mbox PCID identifies a visitor persistently and is shared with Adobe Analytics, Adobe Audience Manager and Adobe Real Time CDP when those products are linked.
Adobe Target stores and reads identifiers on the user device and builds a behavioural profile. Both article 5(3) of the ePrivacy Directive and article 6 of the GDPR apply. The only realistic legal basis is consent, since personalisation and A/B testing are not strictly necessary to deliver the service requested by the user. CNIL, AEPD and Datenschutzkonferenz all confirm that A/B testing with persistent identifiers requires prior, opt in consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the at.js library or the Launch rule until the user grants consent for personalisation. Use the Adobe Experience Platform Web SDK with the alloy.setConsent API or the Adobe Experience Cloud Privacy library, and forward the IAB TCF v2.2 string when relevant. If consent is denied, do not load at.js and do not call the Decisioning API in identified mode. Honour user opt out by clearing mbox related cookies.
Adobe Target data is processed on Adobe infrastructure with edge nodes worldwide and US headquarters. Transfers to the United States rely on the Adobe Data Processing Addendum, Standard Contractual Clauses and the EU US Data Privacy Framework. Adobe is DPF certified. Document the chosen mechanism in your records of processing activities and inform users in your privacy notice.
Sign the Adobe DPA. Block at.js or alloy.js behind your CMP. Limit the profile parameters captured to what each test requires. Avoid combining Target profiles with Audience Manager or third party audiences without a clear consent. Document the active activities and audiences in your records. Update your cookie policy and privacy notice to list mbox cookies, the AMCV identifier and the Adobe Experience Cloud companies involved.
Websites using Adobe Target must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Adobe Target is used for large scale behavioural personalisation, when integrated with Adobe Audience Manager or Adobe Analytics, or when sensitive verticals are involved (health, finance, political content). The Visitor Profile feature creates persistent profiles that require careful documentation.
Sample consent text
We use Adobe Target to test and personalise content on our website. Adobe Target sets cookies on your device to identify you across sessions and to remember the variations you have seen. Without your consent, no personalisation cookie is set and you see the default version of the site.
Third-party domains contacted
tt.omtrdc.nettt.omtrdc.netadobedtm.comomtrdc.netedge.adobedc.netadobedc.netdemdex.netassets.adobedtm.comadobedtm.comdemdex.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AMCV_<orgID>@AdobeOrg | First party (Experience Cloud) | 2 years | Experience Cloud Visitor ID shared across Adobe products including Adobe Target |
| mbox | Marketing | 2 years | Stores the Adobe Target visitor profile ID (PCID) used to deliver consistent personalisation and A/B test variations across sessions. |
| mbox | First party (Adobe Target at.js) | 14 days session sticky | Stores the Target profile identifier (mboxPC) used to match the visitor with their personalisation profile and ongoing tests |
| mboxEdgeCluster | Functional | 1 month | Stores the Adobe Target edge cluster that served the visitor so subsequent requests reach the same edge node and the visitor experience stays consistent. |
| mboxEdgeCluster | First party (Adobe Target at.js) | Session | Identifies the Adobe Target edge node currently serving the visitor so subsequent calls hit the same cluster |
| AMCV_###@AdobeOrg | Marketing | 2 years | Adobe Experience Cloud Identity Service visitor ID shared with Adobe Target, Adobe Analytics and Adobe Audience Manager. |
| AMCVS_###@AdobeOrg | Functional | Session | Indicates that the Adobe Experience Cloud Identity Service session has started. |
| check_for_permission | First party (Adobe Target at.js) | Session | Used internally by at.js to test whether the visitor accepts cookies before continuing the personalisation flow |
| kndctr_<orgID>_AdobeOrg_identity | First party (Adobe Experience Platform Web SDK) | 2 years | Stores the Experience Cloud Identity (ECID) used by the AEP Web SDK that replaces at.js and the legacy Visitor.js library |
| at_check | Functional | Session | Used by Adobe Target to detect whether the browser accepts third party cookies. |
Adobe Target collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Adobe Target reads AMCV_<orgID>@AdobeOrg (up to 2 years, Experience Cloud Visitor ID), writes mbox (14 days session sticky, profile identifier), mboxEdgeCluster (session, edge node) and check_for_permission (session, consent test). The AEP Web SDK replaces mbox with kndctr_<orgID>_AdobeOrg_identity. Profile data lives server side on Adobe infrastructure.
Adobe Target sets the mbox cookie (visitor profile ID, 2 years), the mboxEdgeCluster cookie (edge node, 1 month) and reuses the Adobe Experience Cloud Identifiers AMCV_ and AMCVS_. Additional helper cookies can be set depending on your integration (mboxDisable for opt out, at_check for cookie support detection).
Yes. Because Target writes the mbox cookie and reads the AMCV Visitor ID for profiling and personalisation, ePrivacy art. 5(3) and GDPR art. 6(1)(a) apply. Consent must be collected before at.js or the Web SDK loads. There is no audience measurement exemption.
Yes. Personalisation and A/B testing rely on identifiers stored on the user device and on behavioural profiling, both of which trigger article 5(3) ePrivacy and article 6 GDPR. Consent is required before at.js loads or before the Decisioning API is called in identified mode.
Consent (GDPR art. 6(1)(a)) for the cookies and profile, combined with ePrivacy art. 5(3). Auto Target and Auto Personalization that produce decisions with significant effect on the user fall under GDPR art. 22 and require the right to human review.
Consent (article 6(1)(a) GDPR), combined with consent under article 5(3) ePrivacy for the storage of mbox cookies. Legitimate interest does not work because users typically do not expect to be profiled or randomly served different content variants.
Yes by default. Adobe Target decisioning runs on US infrastructure unless the EU Profile Datacenter (eu-central) is activated. Adobe is certified under the EU US Data Privacy Framework, with 2021 SCCs as fallback and a Transfer Impact Assessment required.
Adobe Inc. is based in the United States and processes Adobe Target data on Adobe infrastructure. Transfers are covered by the Adobe DPA, EU SCCs and the EU US Data Privacy Framework (Adobe is DPF certified). Document the mechanism in your records of processing activities and explain it to users in the privacy notice.
Yes. Profiling for personalisation, possible automated decisioning, CRM linkage via mboxThirdPartyId and US transfers trigger several DPIA criteria. The DPIA must address the EU Profile Datacenter choice, profile retention, automated decision impact, and visitor rights.
A DPIA is recommended when Adobe Target is used for systematic personalisation, when it is combined with Audience Manager profiles, when it processes data on minors or in sensitive verticals (health, finance, political content), or when machine learning models are involved.
Load at.js or the Web SDK only after personalisation consent, activate the EU Profile Datacenter, minimise mbox profile parameters, integrate with your CMP via Adobe Experience Platform tags, document automated decisioning in the privacy notice and offer an opt out that disables Target without breaking the rest of the site.
Block at.js or alloy.js until consent. Pass the consent state through alloy.setConsent or the Adobe Experience Cloud Privacy library. Avoid passing direct identifiers (hashed email, customer ID) into mbox parameters unless covered by consent. Limit profile parameters and audiences to what each activity needs.
For privacy friendly A/B testing and personalisation: AB Tasty (EU hosted), Kameleoon (French vendor), Convert.com, VWO with EU data residency or open source options such as GrowthBook or Flagsmith. For server side experiments without browser cookies, consider Optimizely Feature Experimentation or Statsig with first party server collection.
EU friendly options include AB Tasty (France), Kameleoon (France with EU hosting option), Webtrekk Mapp Optimize, VWO with EU residency, Optimizely with EU edge and Convert.com. For server side experimentation only: GrowthBook (self hosted), Eppo, Statsig with EU plan. None of these remove the need for consent when they use a persistent identifier, but several keep data in the EU.
List Adobe Target as a processor, name the cookies (AMCV, mbox, mboxEdgeCluster), state durations, mention the Experience Cloud Visitor ID linkage, disclose US access under the Data Privacy Framework and the EU Profile Datacenter option, and provide a permanent way to withdraw consent.
List the mbox and mboxEdgeCluster cookies, the AMCV identifier and the purpose (personalisation, A/B testing). In the privacy notice, mention Adobe Inc. and the Adobe Experience Cloud companies as processors, describe the data flows to the US, the safeguards used (DPF, SCCs) and how to withdraw consent. Keep the documentation in sync with active Target activities.