{"id":490,"date":"2018-06-06T17:50:31","date_gmt":"2018-06-06T17:50:31","guid":{"rendered":"https:\/\/www.digitaldatatactics.com\/?p=490"},"modified":"2021-07-01T19:12:43","modified_gmt":"2021-07-01T19:12:43","slug":"cross-post-from-33-sticks-setting-up-adobe-analytics-for-gdpr","status":"publish","type":"post","link":"https:\/\/www.digitaldatatactics.com\/index.php\/2018\/06\/06\/cross-post-from-33-sticks-setting-up-adobe-analytics-for-gdpr\/","title":{"rendered":"Cross-post from 33 Sticks: Setting up Adobe Analytics for GDPR"},"content":{"rendered":"<p><em>I recently <a href=\"https:\/\/33sticks.com\/setting-adobe-analytics-gdpr\/\">posted on the 33 Sticks blog<\/a>; I figured I&#8217;d copy the post here for posterity&#8217;s sake ;).\u00a0<\/em><\/p>\n<p>There is so much documentation out there for Adobe Analytics and GDPR, it\u2019s hard to see how it all fits together (though I do feel like <a href=\"https:\/\/marketing.adobe.com\/resources\/help\/en_US\/analytics\/gdpr\/an_gdpr_workflow.html\" target=\"_blank\" rel=\"noopener noreferrer\">Adobe\u2019s documentation on the GDPR workflow<\/a> is a good place to start). <strong>Note, I am NOT claiming to be an expert on this- I\u2019ll defer to Adobe staff for their expertise. And I am NOT offering advice on what\/how to regulate- I&#8217;ll defer to your legal\/privacy team for that.<\/strong>\u00a0But since I just had to muddle through all this, and learned a lot in the process, I figured I\u2019d share my learnings and hopefully help others who are also muddling through.<\/p>\n<p>I\u2019ve found that in general, when folks are talking about changes in Adobe Analytics to account for GDPR, they\u2019re talking about one of three things:<\/p>\n<ol>\n<li>Obfuscating\/removing User IP addresses<\/li>\n<li>Adobe Data Retention Settings<\/li>\n<li>Client Opt-out<\/li>\n<\/ol>\n<h3>Obfuscating\/Removing IP Addresses<\/h3>\n<p>This is pretty straightforward, though the documentation is a bit tricky to find. 
This is simply a setting you can set in the Admin Console of Adobe Analytics within General Account Settings for each Report Suite:<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/IPobfuscate.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-492\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/IPobfuscate.png\" alt=\"\" width=\"616\" height=\"93\" srcset=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/IPobfuscate.png 616w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/IPobfuscate-300x45.png 300w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><\/a><\/p>\n<p>Adobe\u2019s <a href=\"https:\/\/marketing.adobe.com\/resources\/help\/en_US\/reference\/general_acct_settings_admin.html\" target=\"_blank\" rel=\"noopener noreferrer\">General Settings Documentation<\/a> has good info on these settings. To me, the important take-aways here are:<\/p>\n<ul>\n<li><b>Replace the last octet of IP address with 0<\/b> is basically like taking the street number off of my house\u2019s address- you may still be able to know my general location, but you no longer have the specifics. This change applies <i>BEFORE<\/i> data is processed, meaning it WILL affect Adobe\u2019s ability to do Bot\/IP Filtering, might affect VISTA rules, and will make it so Adobe\u2019s Geo-segmentation will have less info to work with and will therefore be at least a little less accurate.<\/li>\n<li><b>IP Obfuscation<\/b> affects what analysts\/admins can view of the IP address, like in Data Warehouse. You can choose to leave the IP address as-is, to obfuscate it so it becomes a unique string that can\u2019t be used to identify the user, or to replace it with \u201cx.x.x.x\u201d (which is the default option for EMEA suites going forward). 
The obfuscation or deletion happens further along in data processing, after VISTA rules and Bot\/IP filtering.<\/li>\n<\/ul>\n<h3>Adobe Retention Settings<\/h3>\n<p>After May 25, 2018, Adobe may start deleting data older than 25 months, unless you specifically work with your Adobe Account reps to extend this to up to 37 months (at a cost). Unlike Google Analytics (<a href=\"http:\/\/www.kristaseiden.com\/new-data-retention-policies-in-google-analytics\/\" target=\"_blank\" rel=\"noopener noreferrer\">which will keep standard reports but just delete user\/event data<\/a>), Adobe truly is just deleting all data older than your retention window. When thinking about this, I\u2019d encourage you to consider:<\/p>\n<ol>\n<li>the rareness of a user who hasn\u2019t reset their cookies\/changed devices\/changed browsers in over 2 years<\/li>\n<li>if your site and\/or implementation hasn\u2019t significantly changed in 2+ years, then we may have bigger issues than data retention<\/li>\n<\/ol>\n<p>Basically, if you\u2019re heavily using data that is over two years old, I\u2019m fairly certain that you\u2019re already not looking at data that could be compared as apples-to-apples with your current site\/implementation.<\/p>\n<p>You can view your current data retention by going to the Data Governance interface mentioned later in this post (note, my Report Suites say anywhere from 37 months to 121 months, even though I have definitely not worked to extend it beyond 25 months- I suspect that since I have not explicitly extended it, I can\u2019t count on it staying this way):<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/dataRetention.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-493\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/dataRetention.png\" alt=\"\" width=\"552\" height=\"104\" 
srcset=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/dataRetention.png 552w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/dataRetention-300x57.png 300w\" sizes=\"(max-width: 552px) 100vw, 552px\" \/><\/a><\/p>\n<h3>Client Opt-Out<\/h3>\n<p>This is definitely the most involved piece of GDPR compliance. Again, Adobe\u2019s <a href=\"https:\/\/marketing.adobe.com\/resources\/help\/en_US\/analytics\/gdpr\/an_gdpr_workflow.html\" target=\"_blank\" rel=\"noopener noreferrer\">documentation on the GDPR Workflow<\/a> has some good information, but here is my take on what you need to do (assuming you are already on the Experience Cloud):<\/p>\n<h4>Label what data needs to be \u201cgoverned\u201d<\/h4>\n<p>Here, on a per-Report-Suite basis, I can go through all my dimensions and metrics and flag what things should be affected by data governance. Many of my dimensions and metrics don\u2019t NEED to be governed- for instance, browser type can probably just be left alone (<strong>Disclaimer:<\/strong> seriously, talk to your legal team about what to govern). 
Other things, like geo-location, Adobe may have automatically already applied appropriate labels to, which you just need to review\/confirm:<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDefaults.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-494 size-full\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDefaults.png\" alt=\"\" width=\"762\" height=\"229\" srcset=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDefaults.png 762w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDefaults-300x90.png 300w\" sizes=\"(max-width: 762px) 100vw, 762px\" \/><\/a><br \/>\nBut my own organization\u2019s policies may dictate that I go even more stringent and also label things like <i>US States<\/i>, which Adobe didn\u2019t auto-apply a label to. The more likely scenario is that I need to pop open the subtle drop-down menu that says \u201cStandard Dimensions\u201d and go to my custom Events and Dimensions so I can find my eVar that captures User ID and label it so Adobe knows how to govern it:<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govCustom.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-495\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govCustom.png\" alt=\"\" width=\"431\" height=\"389\" srcset=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govCustom.png 431w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govCustom-300x271.png 300w\" sizes=\"(max-width: 431px) 100vw, 431px\" \/><\/a><\/p>\n<p>The labels are, unfortunately, <a href=\"https:\/\/marketing.adobe.com\/resources\/help\/en_US\/analytics\/gdpr\/gdpr_labels.html\" target=\"_blank\" rel=\"noopener noreferrer\">not super straight-forward<\/a>, but basically, these are your 
options for each dimension\/metric:<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govLabels.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-496\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govLabels.png\" alt=\"\" width=\"751\" height=\"1225\" srcset=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govLabels.png 751w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govLabels-184x300.png 184w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govLabels-628x1024.png 628w\" sizes=\"(max-width: 751px) 100vw, 751px\" \/><\/a><\/p>\n<p>Adobe will use these labels to decide what to do when it receives a request from you about a user access\/deletion.<\/p>\n<h3>Set Up Your Privacy Portal for Capturing Adobe ID Requests<\/h3>\n<p>Before Adobe can \u201cgovern\u201d anything, you need to give users a way of opting out of tracking. This means setting up a Privacy Portal on your site, and using it as a means of collecting information about who is requesting to access their data or opt out. Adobe has provided some tools to help find out about the WHO and WHAT, but then it&#8217;s up to your Data Regulator (whoever in your org is assigned to do this stuff) to pass that information along to Adobe.<\/p>\n<h4>1. The User Visits the Privacy Portal<\/h4>\n<p><a href=\"https:\/\/www.adobe.io\/apis\/cloudplatform\/gdpr\/services\/allservices.html\" target=\"_blank\" rel=\"noopener noreferrer\">adobePrivacy.js<\/a> (or the Adobe Experience Cloud Privacy Launch extension) can put all the tracking identifiers we have for the current user into a JSON object.<\/p>\n<p>Our user might request to merely view what data is being kept on him, in which case, he\u2019ll have to wait- adobePrivacy.js can show us his IDs, but not much more than that. But I could at least show him the identifiers if I want. 
He may request to delete all past data (and\/or get a copy of what was deleted). For that, I need to take that JSON object from adobePrivacy.js and pass it along to whatever mechanisms my Org has in place to organize data governance requests with the Adobe GDPR API.<\/p>\n<p>For example-driven learners like me, I have\u00a0<a href=\"http:\/\/digitaldatatactics.com\/33sticks\/GDPR\/privacyPortal.html\">an extremely unattractive example page<\/a>\u00a0showing how to use adobePrivacy.js.<br \/>\nThis is what the &#8220;retrieve&#8221; response might look like:<\/p>\n<pre>[\r\n {\r\n  \"company\": \"adobe\",\r\n  \"namespace\": \"visitorId\",\r\n  \"type\": \"analytics\",\r\n  \"name\": \"s_fid\",\r\n  \"description\": \"Fallback Visitor ID\",\r\n  \"value\": \"64F04470FAKE04E9-1DADD8FAKE65B7C2\"\r\n },\r\n {\r\n  \"company\": \"adobe\",\r\n  \"namespace\": \"CORE\",\r\n  \"namespaceId\": 0,\r\n  \"type\": \"standard\",\r\n  \"name\": \"AAM UUID\",\r\n  \"description\": \"Adobe Audience Manager UUID\",\r\n  \"value\": \"610212449467061254000504ALSOFAKE\"\r\n },\r\n {\r\n  \"company\": \"adobe\",\r\n  \"namespace\": \"ECID\",\r\n  \"namespaceId\": 4,\r\n  \"type\": \"standard\",\r\n  \"name\": \"Experience Cloud ID\",\r\n  \"description\": \"This is the ID generated by Visitor and set in 1st party cookie.\",\r\n  \"value\": \"6080944537973STILLFAKE359908301249\"\r\n }\r\n]\r\n<\/pre>\n<h4>2. I Submit the Request Through the GDPR API\/API Portal<\/h4>\n<p>I can use either the <a href=\"https:\/\/privacyui.cloud.adobe.io\/\" target=\"_blank\" rel=\"noopener noreferrer\">Privacy UI Portal<\/a> (which I can get to from my Adobe Experience Cloud Admin Console) or the GDPR API (after I\u2019ve set up an adobe.io integration- see Appendix II of this post).<\/p>\n<p>Here, I can take the JSON object I got from my portal (shown to the right in blue), batch it up with other users\u2019 info (if desired), and let Adobe know who has made an access\/delete request. 
Requests take 1-2 weeks. For access requests, you get a CSV that returns the status of your requests.<\/p>\n<p>I happen to use <a href=\"https:\/\/www.getpostman.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Postman<\/a> for my request, which is a handy UI for API requests. This is what my request might look like:<\/p>\n<p><strong><i>POST API request to https:\/\/platform.adobe.io\/data\/privacy\/gdpr\/<br \/>\n<\/i><\/strong><b><em>Headers:<\/em><\/b><\/p>\n<pre>x-gw-ims-org-id : DCF779195968NOTREAL@AdobeOrg\r\nx-api-key: 5a7105dNotARealAPIKeyc735355\r\nAuthorization: Bearer eyJ4NXUiOiJpbXNfbmExLWtleS0xLmNlciIsImFsZyI6IlJTMjU2In0.eyJpZCI6IjE1Mjc2MTI3MjQwNTdfYjRkNjg4YTUtOThhMi00MzM2LWIwNjgtNDkwYjYzZThiMTIThisIsntARealTokenI6IjVhNzEwNWQ0YmNiMjQwZjQ4NDBmZmNmYTBjNzM1MzU1IiwidXNlcl9pZCI6IkQ2MjgzNjJDNUFGQzU1REQwQTQ5NUMxMEB0ZWNoYWNjdC5hZG9iZS5jb20iLCJ0eXBlIjoiYWNjZXNzX3Rva2VuIiwiYXMiOiJpbXMtbmExIiwiZmciOiJTTzZOSUY1UEZMTjdDSEFPQUFBQUFBQUFRND09PT09PSIsIm1vaSI6IjU5MzFhZmM5IiwiYyI6IlZFTE5iN1JHcEhhN0h5dkNYSi9SNFE9PSIsImV4cGlyZXNfaW4iOiI4NjQwMDAwMCIsInNjb3BlIjoib3BlbmlkLEFkb2JlSUQscmVhZF9vcmdhbml6YXRpb25zLGFkZGl0aW9uYWxfaW5mby5wcm9qZWN0ZWRFakeFakeFake0Q29udGV4dCIsImNyZWF0ZWRfYXQiOiIxNTI3NjEyNzI0MDU3In0.WBPyKnis4BN1sAmFFSCM1Lazg51z2rnuaniZYPcATOSscfVOB-6L-yWvo1kTjfxxMVvzBLLr9H6pNr2ZzA8PzUDbcYjzzjRvmSqVEII3vW0KFTmG5cO5fmi8j0e662WXg0cp4hUhOhr0MvGa5vRPXBKr7NmtaU0d5_bsKs_5AJBfDsUCnJ5ZcGnK_8DFKb9VIqmxFdLl_dQzKl2dMaEqsK-98cUTT32Th0nC5rQ96-N8TsuYD2fmqzSCiOCQRhXQeQ1U97UvlYOobgKTAF41WDt3gsa786ouV668YZN9-J3tVaejGosEUcHYTKpRKmpKS_jwElfA0ptNV3PCS-aBNg\r\nContent-Type: application\/json\r\n<\/pre>\n<p><b><em>Body (JSON):<\/em><\/b><\/p>\n<pre>{\r\n \"companyContexts\": [\r\n  {\r\n   \"namespace\": \"imsOrgID\",\r\n   \"value\": \"DCF77919596885950A495D3E@AdobeOrg\"\r\n  },\r\n  {\r\n   \"namespace\": \"analytics\",\r\n   \"value\":\"33stickssandbox\"\r\n  }\r\n ],\r\n \"users\": [\r\n  {\r\n   \"key\": \"GDPR-1234\",\r\n   \"action\": [\"access\",\"delete\"],\r\n   \"userIDs\": 
[\r\n    {\r\n     \"company\": \"adobe\",\r\n     \"namespace\": \"visitorId\",\r\n     \"type\": \"analytics\",\r\n     \"name\": \"s_fid\",\r\n     \"description\": \"Fallback Visitor ID\",\r\n     \"value\": \"64F04470FAKE04E9-1DADD8FAKE65B7C2\"\r\n    },\r\n    {\r\n     \"company\": \"adobe\",\r\n     \"namespace\": \"CORE\",\r\n     \"namespaceId\": 0,\r\n     \"type\": \"standard\",\r\n     \"name\": \"AAM UUID\",\r\n     \"description\": \"Adobe Audience Manager UUID\",\r\n     \"value\": \"610212449467061254000504ALSOFAKE\"\r\n    },\r\n    {\r\n     \"company\": \"adobe\",\r\n     \"namespace\": \"ECID\",\r\n     \"namespaceId\": 4,\r\n     \"type\": \"standard\",\r\n     \"name\": \"Experience Cloud ID\",\r\n     \"description\": \"This is the ID generated by Visitor and set in 1st party cookie.\",\r\n     \"value\": \"6080944537973STILLFAKE359908301249\"\r\n    }\r\n   ]\r\n  }\r\n ],\r\n \"expandIds\": true\r\n}\r\n<\/pre>\n<h4>3. Adobe Acts Based on Data Governance Labels<\/h4>\n<p>Adobe sees a request to access\/delete the data for ECID 64F04470FAKE04E9-1DADD8FAKE65B7C2 and sees what data we have for that user. 
Let\u2019s look at three dimensions and their settings for an example:<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDomain.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-497\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDomain.png\" alt=\"\" width=\"832\" height=\"184\" srcset=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDomain.png 832w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDomain-300x66.png 300w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govDomain-768x170.png 768w\" sizes=\"(max-width: 832px) 100vw, 832px\" \/><\/a><\/p>\n<p>If we have data for that user in the <b>Domains<\/b> dimension, it will see that that data has a data governance label of \u201cACC-PERSON\u201d which, according to the tooltip means it \u201cwill never be returned for a GDPR access request, unless an ID-PERSON label is applied on a variable in this report suite\u201d. 
I am keeping track of an ID for this user in one of my eVars, so the user\u2019s access request will show what Adobe knows their domain to be.<br \/>\n<b>Entry Page <\/b>doesn\u2019t have any data governance labels applied, so the Entry Page data for this user is left alone.<br \/>\n<b>Entry Page Original <\/b>has both a \u201cDEL-DEVICE\u201d and a \u201cDEL-PERSON\u201d label on it, meaning Entry Page Original data for this user will be anonymized.<\/p>\n<h3>Next Steps<\/h3>\n<p>I\u2019ve submitted a few user access\/deletion requests so I can see how it affects the data and what the access report looks like, so I\u2019ll have a follow-up post in a few weeks with my findings.<\/p>\n<h3>Appendix I: Passing along my own Identifications for Users<\/h3>\n<p>If I have an eVar (or prop) that I use to identify users (for example, capturing a hashed user ID), then in my data governance labels, I would check the \u201cID-PERSON\u201d radio button.<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govID.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-498\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govID.png\" alt=\"\" width=\"741\" height=\"237\" srcset=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govID.png 741w, https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govID-300x96.png 300w\" sizes=\"(max-width: 741px) 100vw, 741px\" \/><\/a><\/p>\n<p>Then I need to specify which NAMESPACE I\u2019m going to keep that value in for my API requests. 
Basically, my API JSON objects already have the IDs that Adobe sets and knows about:<\/p>\n<pre>{\r\n \"company\": \"adobe\",\r\n \"namespace\": \"ECID\",\r\n \"namespaceId\": 0,\r\n \"type\": \"standard\",\r\n \"name\": \"Experience Cloud ID\",\r\n \"description\": \"This is the ID generated by Visitor and set in 1st party cookie.\",\r\n \"value\": \"6080944537973STILLFAKE359908301249\"\r\n}\r\n<\/pre>\n<p>So now in my API requests I can add in the IDs that I have for that user:<\/p>\n<pre>{\r\n \"namespace\": \"myuserid\",\r\n \"value\": \"malReynolds1234\",\r\n \"type\": \"analytics\",\r\n \"isDeletedClientSide\": false\r\n}\r\n<\/pre>\n<p>Then Adobe\u2019s Data Governance tools can make the connection that IDs sent to the \u201cmyuserid\u201d namespace in my API requests correspond to the IDs in my custom dimension that I\u2019m labelling as \u201cID-PERSON\u201d.<\/p>\n<p><a href=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govNamespace.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-499\" src=\"https:\/\/www.digitaldatatactics.com\/wp\/wp-content\/uploads\/2018\/06\/govNamespace.png\" alt=\"\" width=\"270\" height=\"96\" \/><\/a><\/p>\n<h3>Appendix II: Setting Yourself Up for the API<\/h3>\n<p>So, that all seems simple enough, right (ha!)? For me, one of the trickier parts of getting this all set up was setting myself up to use the GDPR API through an Adobe.io integration. 
I had an advantage because I\u2019ve used a similar integration for Adobe Launch Extensions, but even then for the GDPR API I had to have at least one support ticket (first through Adobe Client Care, then through the adobe.io support team- turns out the ever-evolving documentation didn\u2019t have the right endpoint for me to use yet, but that has since been fixed.)<\/p>\n<p>Pulling largely from the <a href=\"https:\/\/www.adobe.io\/apis\/cloudplatform\/gdpr\/docs\/alldocs.html#!api-specification\/markdown\/narrative\/gdpr\/gdpr-whitepaper.md\" target=\"_blank\" rel=\"noopener noreferrer\">Adobe.io Experience Cloud and GDPR whitepaper<\/a>, here are the steps I took:<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>You will need to generate <a href=\"https:\/\/www.adobe.io\/apis\/cloudplatform\/console\/authentication\/jwt_workflow.html\" target=\"_blank\" rel=\"noopener noreferrer\">a public and private key<\/a>. I find the easiest way to do this is to open up a Terminal (aka Command Prompt), navigate to a sensible folder (eg, \u201ccd analytics\/gdpr\u201d) and type in the following:\n<pre>openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate_pub.crt<\/pre>\n<p>It will prompt you to fill in some information about yourself and your org- complete the prompts, and you should now have two files in your folder: \u201ccertificate_pub.crt\u201d and \u201cprivate.key\u201d. You\u2019ll use these in a moment. Because of the -nodes option, private.key is written to disk unencrypted, so keep it somewhere only you can read; the -days 365 option means the certificate expires after a year.<\/li>\n<li>If you don\u2019t already have one, you\u2019ll need to create an adobe.io account (with the same email you use for the experience cloud). Sign in to <a href=\"https:\/\/console.adobe.io\/integrations\" target=\"_blank\" rel=\"noopener noreferrer\">the adobe.io console<\/a>.<\/li>\n<li>Create a new integration. On the second screen, select \u201cAccess an API\u201d. 
On the third screen, select the service \u201cGDPR API\u201d.<\/li>\n<li>On the final screen, give it a name (like \u201cGDPR API for Acme, Inc\u201d) and description. Take the \u201ccertificate_pub.crt\u201d you created in step 1 and upload it to the \u201cPublic keys certificates\u201d field. Click \u201cCreate Integration\u201d then \u201cContinue to Integration Details\u201d.<\/li>\n<li>On the Integration Details screen, note your Organization ID (eg \u201cDCF7791959688FAKEID495D3E@AdobeOrg\u201d)- this should match your Experience Cloud Org ID for your company. You\u2019ll need this for the \u201cx-gw-ims-org-id\u201d field in your API Request Headers.<\/li>\n<li>Also on the Integration Details Screen, note your API Key (Client ID) (eg, \u201c765f21b62606FAKEapiKEYb3e656048a910e\u201d). You\u2019ll need this for the \u201cx-api-key\u201d field in your API Request Headers.<\/li>\n<li>On the Integration Details screen, click the \u201cJWT\u201d tab. It will have generated a JWT that you can basically ignore. Open the \u201cprivate.key\u201d file you created in step 1 in a text editor, copy the contents (including the \u201c-----BEGIN PRIVATE KEY-----\u201d and \u201c-----END PRIVATE KEY-----\u201d lines) and paste into the \u201cPaste Private Key\u201d field.<\/li>\n<li>Copy the \u201cSample CURL Command\u201d value and paste it into your Terminal\/Command Prompt and hit enter. 
This should return something like this:\n<pre>{\r\n \"Token_type\":\"bearer\",\r\n \"access_token\":\"eyJ4NXUiOiJpbXNfbmExLWtleS0xLmNlciIsImFsZyI6IlJTMjU2In0.eyJpZCI6IjE1Mjc2MTkzNjUzMzBfODYzOGM5NTYtOTM4My00ZTk5LTg0OTYtYz-hmYTM0OGQ5NjQyX3VlMSIsImNsaWVudF9pZCI6Ijc2NWYyMWI2MjYwNjQyNTlhMmIzZTY1NjA0OGE5MTBFAKETOKENDONOTCOPYME0N0I1NUIwRDlEQjQwQTQ5NUUyQ0B0ZWNoY-WNjdC5hZG9iZS5jb20iLCJ0eXBlIjoiYWNjZXNzX3Rva2VuIiwiYXMiOiJpbXMtbmExIiwiZmciOiJTTzZVRUY1UEhMTjcySEFPQUFBQUFBQUFZRT09PT09PSIsIm1vaSI6IjZh-NDBlMTg4IiwiYyI6IkVVVVgwOVdML1VKbE9pY2Y2Tk5NOTAREALTOKENNfaW4iOiI4NjQwMDAwMCIsInNjb3BlIjoib3BlbmlkLEFkb2JlSUQscmVhZF9vcmdhbml6YXRpb25zL-GFkZGl0aW9uYWxfaW5mby5wcm9qZWN0ZWRQcm9kdWN0Q29udGV4dCIsImNyZWF0ZWRfYXQiOiIxNTI3NjE5MzY1MzMwIn0.a4sUwZjuJyU_g3STYAnK5uQrDLj2AOeRlj3GmTuY-MeK5MrWnXFg3MTdLxgz1cbdkJiV42sAxjoWUtsTfANa1wnIIPimHpVvgypJBJ4VcaQk7h0iio1asPxmeUq3NUrVM7WjnVwqwc6fHlou2OFGbkiL_OulM7D4Yj-kzI68GAV0wJbi-D38rWGlI_nPpq_ICR_0WU3w4l4KPfqk3B6gkaFDedVY6fLpqTQLfad6NQI7BujC1ljsV1RuQnaQ6o59WR6d20IRNVF0N9P2j2SnGasjayQ9uoDSuDp4r-N1I40w6ExOBeGzRGLg-KFxFkTgOhqE1XnqKJfBzuJ9QWKHg\",\r\n \"expires_in\":86399993\r\n}<\/pre>\n<p>The portion in purple is your API Authorization Token for the next 24 hours. 
After that, you need to repeat steps 7 and 8 to generate a new temporary token.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>I recently posted on the 33 Sticks blog; I figured I&#8217;d copy the post here for posterity&#8217;s sake ;).\u00a0 There is so much documentation out there for Adobe Analytics and GDPR, it\u2019s hard to see how it all fits together (though I do feel like Adobe\u2019s documentation on the GDPR workflow is a good place &#8230; <a title=\"Cross-post from 33 Sticks: Setting up Adobe Analytics for GDPR\" class=\"read-more\" href=\"https:\/\/www.digitaldatatactics.com\/index.php\/2018\/06\/06\/cross-post-from-33-sticks-setting-up-adobe-analytics-for-gdpr\/\" aria-label=\"Read more about Cross-post from 33 Sticks: Setting up Adobe Analytics for GDPR\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23],"tags":[57],"_links":{"self":[{"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/posts\/490"}],"collection":[{"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/comments?post=490"}],"version-history":[{"count":5,"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/posts\/490\/revisions"}],"predecessor-version":[{"id":608,"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/posts\/490\/revisions\/608"}],"wp:attachment":[{"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/media?parent=490"}],"wp:term":[{"taxonomy":"category","embeddabl
e":true,"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/categories?post=490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.digitaldatatactics.com\/index.php\/wp-json\/wp\/v2\/tags?post=490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}