Is Adobe Activity Map capturing my customer’s PII (personally identifiable information)?
What makes Adobe Activity Map a great link tracking solution is exactly what can also lead to it unintentionally capturing customers’ PII (personally identifiable information) across a website. Read on to understand why PII is important, how Activity Map can expose unintended customer data collection, and what options are available to mitigate the risks associated with an Activity Map implementation.
If you’re not already familiar with Activity Map and how it works, then please refer to our previous blog post – ‘What is Adobe Activity Map and how does it work?’
Table of contents:
- Why is this important?
- What is PII?
- Why does Activity Map expose a potential PII risk?
- How can I tell if Activity Map has or is capturing PII?
- What should I do if PII has been captured by Activity Map?
- How can I remove Activity Map or prevent it from capturing PII across my website?
- I think I still need some help.
This article is intended for an audience that includes existing Adobe Analytics users, business stakeholders, developers, digital platform managers and teams, data analysts, website optimisation teams, digital marketing teams, digital risk and legal teams.
Why is this important?
As any legal expert will tell you, capturing a customer’s personally identifiable information without explicit consent can result in significant ramifications for a business, both financially and in regard to reputation. Data privacy and security are becoming more important than ever given the developments that we’re currently seeing in how browsers are storing cookies (ITP), the GDPR laws introduced in Europe over the last few years, and the goings on with Facebook/Cambridge Analytica since the 2016 United States presidential elections.
As consultants, we are always partnering with our clients to ensure that their analytics solutions are not only providing access to the data and insights they require, but also meeting data privacy standards. Whilst there are many different ways a website might capture PII, it should not come as a surprise that digital marketing, advertising and analytics platforms are often the most common culprits.
We know that (most) users implement Adobe Analytics with data privacy in mind, but recently we’ve come across several cases where clients haven’t realised either that Activity Map was enabled within their implementation, or that it was capturing their customers’ PII. This is not surprising: whilst most existing Adobe Analytics users will have heard of Activity Map or are even active users of it, that doesn’t necessarily mean that it’s easy to understand how it works, let alone whether it’s actively capturing PII.
Lastly, it is important to acknowledge that we still believe Activity Map is a great tool and as consultants we do recommend it for our Adobe Analytics clients that would like to better understand how their customers are interacting with their website. However, we also make it very clear that it’s important for our clients to consider how it will work across their website so that they can be confident in deciding whether it’s a suitable link tracking solution for their needs.
What is PII?
In order to determine whether PII has or is being captured by Activity Map, it’s important to understand what exactly PII is. Broadly speaking it can be defined as any information that could be used to individually identify a person. In terms of data this can range from capturing a person’s full name, or address to more severe examples like credit card details or login details.
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.’
Within Australia the legal definition of PII is detailed within the Privacy Act 1988 (the Privacy Act) which is available via ‘Office of the Australian Information Commissioner’ website.
In addition, if you’re still unclear of how this relates to your Adobe Analytics implementation we’d recommend consulting with your own internal legal department because businesses often have their own unique interpretations and comfort levels concerning the definition of PII.
Why does Activity Map expose a potential PII risk?
Adobe clearly warns owners of the platform that Activity Map can capture PII if they haven’t considered how the functionality will work across their website. Adobe outlines this within their online Adobe Analytics Documentation and also within the Adobe Analytics admin UI where admin level users of the platform have the ability to enable Activity Map across a report suite. In both of these locations Adobe details the particular use cases to be wary of:
“By turning on Activity Map tracking, you may be collecting personally identifiable information (PII) data. This data can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Here are some known cases where PII data might be collected using Activity Map Tracking:
Mailto: A mailto link is a type of HTML link that activates the default mail client on the computer for sending an e-mail.
User ID links that may show up in the header/footer of a website once the user has logged in.
For financial institutions, the account number may be shown as a link. Clicking it will collect the text of the link.
Healthcare websites may also have PII data shown as links. Clicking these links will collect the text of the link, thereby collecting PII data.”
Despite the availability of this information, we all know that in the real world it’s often overlooked or simply not passed on between past and present stakeholders within a business.
In the case of Activity Map, this is also compounded by the ‘set and forget’ nature of how Activity Map is bundled within the core Adobe Analytics AppMeasurement.js base code that is required for all Adobe Analytics implementations. In addition, it’s normal for websites to change and develop over time, so whilst PII may not have been exposed by Activity Map when it was first implemented, it’s not uncommon for changes to a website (post original Activity Map implementation) to expose PII – unbeknownst to key stakeholders.
Obviously, all websites are unique in their own way but in addition to the warnings provided within Adobe’s documentation we’d also make the following recommendations:
- Pay close attention to secure or authenticated (post user login) sections of your website. For example, menu links and drop downs which may contain a customer account ID or username.
- Pay close attention to links within online forms/applications, tools and conversion funnels that require a user to enter personal details.
- Regularly check the data being captured by Activity Map within Adobe Analytics Analysis Workspace.
- Consider formalising a business process for reviewing how Activity Map might impact any new functionality or sections across your website before they are deployed.
How can I tell if Activity Map has, or is, capturing PII?
Assuming that your personal Adobe Experience Cloud user account has been granted access to Activity Map reporting in Adobe Analytics, then within Analysis Workspace you will have access to several Activity Map dimensions and metrics which can be used to determine if PII is being captured.
To begin with, we would recommend creating a new Analysis Workspace report using the ‘Freeform Table’ visualisation. You can then select ‘Activity Map Link Instances’ as the metric of your report and ‘Activity Map Link’ as the dimension. In our experience, ‘Activity Map Link’ is the dimension where PII is most often captured because it generally represents the ‘text label’ associated with the link (or element) as it appears on the website. ‘Activity Map Link Instances’ is the event or metric that defines how many times users have clicked on the element.
Once the report is set up, use the search filter to look for the common syntax, naming conventions or data values under which you might expect PII to be captured:
- Common first and last names – i.e. ‘Matt’, ‘Sarah’ or ‘Smith’
- Common phone numbers – i.e. ’02’ (or other phone area codes)
- Common email addresses – i.e. ‘@gmail’ (or even simply ‘@’)
- Common addresses – i.e. ‘street’ or ‘road’
- Any other patterns that may be common or specific to your website – i.e. if your website provides the ability to make payments via credit or debit card then look for 16 digit numbers
Whilst ‘Activity Map Link’ is the most common dimension that we’ve seen capture PII data, we would also recommend repeating the above steps for ‘Activity Map Region’ as well. This dimension captures the location or section of the page where a link is located, and so for some websites this could also contain PII.
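The search steps above, automated as an added example (not code from this article or from Adobe): it scans values exported from the ‘Activity Map Link’ and ‘Activity Map Region’ dimensions for the patterns listed. The sample rows, the name list and the Australian-style phone pattern are constructed assumptions, and the Luhn check on 16 digit numbers goes one step beyond the article to separate likely card numbers from other long numbers.

```javascript
// Constructed sample rows standing in for a Freeform Table export (not real data).
const SAMPLE_ROWS = [
  { dimension: 'Activity Map Link', value: 'Contact us', instances: 1520 },
  { dimension: 'Activity Map Link', value: 'sarah.smith@gmail.com', instances: 14 },
  { dimension: 'Activity Map Link', value: 'Welcome back, Matt Smith', instances: 230 },
  { dimension: 'Activity Map Link', value: '4111 1111 1111 1111', instances: 3 },
  { dimension: 'Activity Map Link', value: 'Order 1234567890123456', instances: 9 },
  { dimension: 'Activity Map Region', value: '12 Example Street', instances: 41 },
  { dimension: 'Activity Map Link', value: '02 5550 1234', instances: 7 },
];

// One detector per search term category from the list above (assumed patterns).
const DETECTORS = {
  email: /\S+@\S+/,
  phone: /(?<!\d)(?:\+?61|0)[2-478](?:[ -]?\d){8}(?!\d)/,
  address: /\b\d+\s+(?:\w+\s+)+(?:street|st|road|rd|avenue|ave)\b/i,
  name: /\b(?:matt|sarah|smith)\b/i, // replace with your own name list
};
const CARD_LIKE = /(?<!\d)(?:\d[ -]?){15}\d(?!\d)/; // 16 digits, optional separators

// Luhn checksum: true for well-formed payment card numbers.
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Returns the list of PII categories a single dimension value matches.
function classify(value) {
  const hits = Object.keys(DETECTORS).filter((k) => DETECTORS[k].test(value));
  const card = value.match(CARD_LIKE);
  if (card) hits.push(passesLuhn(card[0].replace(/\D/g, '')) ? 'card' : 'digits16');
  return hits;
}

// Keeps only the rows that matched at least one category.
function findPii(rows) {
  return rows.map((r) => ({ ...r, hits: classify(r.value) })).filter((r) => r.hits.length > 0);
}

// Report category and volume only, so the review output does not repeat the PII.
for (const r of findPii(SAMPLE_ROWS)) {
  console.log(`${r.dimension}: ${r.hits.join(',')} (${r.instances} instances)`);
}
```

A ‘digits16’ hit that fails the Luhn check may still be an account or order number, so review it rather than discard it.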
If your investigations have confirmed that PII is indeed being captured, we recommend that you deactivate Activity Map as soon as possible to prevent any further PII exposure. Details on how to do this can be found here. Please note, this is not the only option – there are various solutions available for excluding particular website sections or links from Activity Map link tracking, as detailed later in this article.
Once disabled, the next step is to determine all the different scenarios across your site that are exposing PII.
Which specific links, pages or site sections are contributing to this data being captured?
This is important in order to assess the scope of the links or regions contributing to PII exposure, and ultimately allow you to better decide on the best course of action to either remove Activity Map entirely or customise its implementation accordingly.
Overlaying some of the additional Activity Map dimensions in your Workspace report may help you better understand which specific links, pages or regions (i.e. global menu navigation components) of your site are exposing PII. For example, we would recommend overlaying the Activity Map Page dimension over any PII values returned within the ‘Activity Map Link’ and ‘Activity Map Region’ dimensions to understand which pages contain the link in question.
This may require some creative thinking, as all websites are unique and the definition of PII can be broad between websites and businesses as a whole. Ultimately, your investigation should result in a list of sections, links or regions across your website that are currently exposing PII via Activity Map.
What should I do if PII has been captured by Activity Map?
Aside from first disabling Activity Map, we’d recommend that you consult your internal legal department regarding any existing or future potential risks of capturing customers’ PII. In addition, contact your Adobe Account Manager to determine how best to handle the PII that has already been captured within your report suite.
Once you’re comfortable with the above, you can consider which of the following options are most suitable to your implementation and requirements.
How can I prevent Activity Map from capturing PII across my website?
There are various options available to prevent Activity Map from capturing PII across a website ranging from complete removal to customisation of implementation. When we partner with our clients, we generally find that the suitability of each of these options ultimately comes down to the following:
- The scope of links or regions across a website that are exposing PII via Activity Map.
- The analyst and developer resources available to a client to investigate and technically implement a fix.
- How important Activity Map link tracking data is in the overall digital reporting requirements.
- How risk averse you are to PII exposure, both now and into the future.
Depending on the responses, we usually recommend one of the following options.
Please note: These options are based on the assumption that you are using a tag manager (i.e. Adobe DTM, Adobe Launch, Ensighten, Tealium etc) to implement Adobe Analytics (including Activity Map) across your website. If you do not use a tag manager, then the logic is still applicable but will require that you relate it to the specifics of your implementation.
Option 1 – Remove Activity Map
Remove/disable Activity Map entirely from your website.
This is the best option if you do not actively use Activity Map reporting, or simply want to remove any chance of Activity Map exposing PII.
To action this option, you simply need to remove the Activity Map module from the Adobe Analytics AppMeasurement.js base code. How you do this depends on how the Activity Map module has been implemented. If you are using a tag manager, it’s just a matter of removing the Activity Map module from the Adobe Analytics AppMeasurement.js library.
If you are using the Adobe CDN to host the AppMeasurement.js, then the method of deactivating Activity Map is slightly different. In this case please refer to our previous blog post.
Option 2 – Remove Activity Map from only certain sections of the website
Remove Activity Map from the sections of your website that currently expose PII, or potentially will.
In our experience, this is generally the preferred option for most clients that actively use Activity Map. This is due to links containing PII often being limited to certain sections where customers can either view or enter in personal details about themselves – which is generally either authenticated (i.e. post user login) sections of websites or online application forms.
This option allows a client to still use Activity Map, but only in parts of the website that don’t expose PII.
Once you have determined the particular sections of your website that are capturing PII via Activity Map, you will need to update your implementation so that the Activity Map module will not be loaded on these sections.
This can be achieved by applying custom code or conditions within your tag manager so that the Activity Map module is only loaded onto pages that meet specific URL, page path, or domain/subdomain conditions. Please feel free to contact us if you would like any support with this.
Option 3 – Customise Activity Map to exclude particular links or regions on the website from being tracked.
Adobe offers instructions on how to customise your website so that Activity Map will not track particular links or regions across your website. This option ensures that you can continue to use Activity Map reporting across your entire website but allows you to exclude particular links or regions on your website that expose PII.
The approach provided by Adobe for this option can be difficult in terms of its technical solution and the effort required to implement and maintain it. We would generally only recommend this option if the results of your investigation have determined that there’s only a few links or regions across your website that are exposing PII via Activity Map, plus you rely heavily on Activity Map link tracking and want to maintain as much of its reporting functionality across your website as possible.
Adobe provides more detailed instructions on how these customisations can be made, but for the purpose of example here is how we implemented it across the Digital Balance website.
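An added sketch of this kind of customisation (not the Digital Balance implementation and not Adobe's code). It assumes the AppMeasurement tracker is the global `s`, that a function assigned to `s.ActivityMap.link` overrides the link label, and that an empty return value means no Activity Map data is tracked for the click; the `data-am-exclude` and `data-am-label` attributes are hypothetical markers your own templates would add.

```javascript
// Added example. Assumptions: global tracker `s`, the s.ActivityMap.link
// override hook, and two hypothetical attributes set by your own templates:
//   data-am-exclude  marks a region whose links must never be labelled
//   data-am-label    supplies a fixed, PII-free label for one link
const EXCLUDED_SCHEMES = /^(?:mailto|tel):/i;

function activityMapLinkLabel(el) {
  if (!el || typeof el.getAttribute !== 'function') return '';

  // mailto: links are one of the cases Adobe's warning calls out; the href and
  // usually the link text contain the address itself. tel: is treated the same.
  if (EXCLUDED_SCHEMES.test(el.getAttribute('href') || '')) return '';

  // Links inside a region marked as sensitive (account menus, forms) get no label.
  if (typeof el.closest === 'function' && el.closest('[data-am-exclude]')) return '';

  // Prefer a fixed label over rendered text, which can contain a username or
  // account number once the visitor has logged in.
  const fixed = el.getAttribute('data-am-label');
  if (fixed) return fixed.trim();

  // Simplified fallback: the link's visible text with whitespace collapsed.
  return (el.textContent || '').replace(/\s+/g, ' ').trim();
}

// Register the override only where the tracker and its module are present.
if (typeof s !== 'undefined' && s.ActivityMap) {
  s.ActivityMap.link = activityMapLinkLabel;
}
```

After deploying a change like this, repeat the Workspace checks described earlier to confirm that the excluded links no longer appear in the ‘Activity Map Link’ dimension.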
Option 4 (Requires Adobe Launch) – ‘Activity Map customiser’ Extension
This is only a viable option if you are using Adobe Launch as your tag manager. Whilst the above options are suitable for other tag management platforms, if you are using Adobe Launch as your tag manager (or in the process of migrating from Adobe DTM to Adobe Launch due to Adobe’s plans to ‘sunset’ DTM), and you would still like to use Activity Map, then we’d recommend this option.
Adobe Launch offers an ‘Extension’ that allows you to customise exactly which elements (i.e. links or regions) across your website Activity Map includes in, or excludes from, link tracking.
For example, you can exclude entire links or regions across your website according to HTML attributes such as classes and IDs. The extension is called ‘Activity Map customiser’ and more details about the extension can be found here.
This option is similar to option 3 in terms of excluding specific links or regions across your website from being tracked via Activity Map, but it will not require any additional front end development. Instead the solution can be configured and managed purely through Adobe Launch.
Recommended option if you use Adobe Launch as the tag manager across your website, and you would like to maintain Activity Map reporting.
Install the ‘Activity Map customiser’ extension and configure it so that links or regions across your website that currently or will eventually capture PII are excluded from Activity Map link tracking. We would refer you to this article by SoftCrylic, the creators of this extension, on how this can be achieved.
I think I still need help
If you still have questions on the above then feel free to leave a comment, or reach out to us directly.