The following recommendations and scenarios can help you improve your privacy practices, or address privacy-related implementation scenarios you come across, when working with the Ambient Data Framework (ADF) and Experience Optimization (XO), both of which support personalization and content optimization.
The ADF is a capability of the Unified Delivery Platform (UDP) that will be shared between SDL Tridion Sites and SDL Tridion Docs. Experience Optimization is the SDL Tridion Sites personalization feature that relies on the ADF.
This post covers personalization, consent, implementation approaches, considerations for storing data, and Experience Optimization.
Personalization and Consent
Important factors in using the ADF, XO, or any technology that enables personalization by processing personal data are having a legal basis to do so and minimizing the use of personal data, especially sensitive data.
For website experiences, consent is a typical legal basis where you ask for an explicit confirmation from users before using their data. There are other legal bases such as contractual, legal obligation, vital interests, public tasks, or legitimate interests that are not discussed here in detail.
When using consent as a legal basis for processing personal data, be transparent and use simple language when asking for explicit permission. This content should reside in managed content, rather than in template or website application code, to ensure it is translated into your user’s language. Inform Data Subjects of the data you have associated with them and offer the opportunity to opt in to personalized experiences or otherwise change the behavior of the website to a non-personalized version. This is especially important if you persist or otherwise store this data as part of the Data Subject’s record.
The ADF works through a pluggable framework where each Cartridge can set one or more Claims about the visitor’s session and individual requests. Your implementation may use a mix of cartridges that ship with the product (e.g. Context Cartridge or Audience Manager Cartridge) as well as custom cartridges meant to offer some custom functionality. For example, a "Geographic-IP lookup" cartridge might convert an Internet Protocol (IP) address to a physical location such as a city or country.
Each Cartridge will place known information in the form of claims that are available to your application, giving your developers programmatic access to your visitor’s information. You could consider exposing some of these claims to your visitor to make the personal data you have transparent to the user.
Implementer Tip: In my own SDL Tridion Sites (SDL Web) implementations, I preferred relying on Categories and Keywords as a way to define options to present to website users or to tag content for various uses. You might consider using the same text options to define or influence your ADF claims or in your Experience Optimization implementation.
We’re looking at stronger integration between SDL Tridion Sites and Docs, and Categories will be an important integration point between the two systems, starting with the systems sharing a taxonomy by relying on a Category defined in SDL Tridion Sites.
- Preferences Cartridge
- On-the-Fly Claim Adjustments
Preferences Cartridge
An implementation-specific preferences Cartridge approach would mean that you read your user’s preferences for how they want to personalize their website experience and then set the preferences in one or more Cartridges. You can then use the claims from this cartridge to adjust the website experience, knowing that the ADF session only contains claims that have been explicitly allowed by a given user.
This is perhaps the cleanest approach and the easiest to implement, change, and troubleshoot, since each personalization claim is set explicitly in the related code. Because the relevant claim values simply aren’t present, you cannot accidentally personalize on scenarios the visitor hasn’t opted into. For example, if the user has not opted into data processing such as “location-based offers,” the claim for location is never set and cannot be used.
It might take some effort, however, to adjust existing ADF implementations to this approach. A more flexible alternative is “on-the-fly” claim adjustment.
On-the-Fly Claim Adjustments
A more flexible approach can be to adjust the claims in a session to specific values based on the user’s preferences. For example, you might set a claim for “LOCATION” to “Undefined,” “Not Shared,” or a similar value to represent the fact a visitor prefers to keep their location anonymous. These should be the default options for all claims related to the processing of personal data.
The trade-off with this approach is that it is harder to track how the claims are used and to ensure they are used properly. Different cartridges might set their own values, or your cartridge dependencies might not guarantee that the user’s preferences are applied.
I would not recommend this as a first approach, but this might be useful if you need to quickly address an existing and complex personalization setup where adding new claims might be easier than changing all of your cartridges.
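The two approaches above, modelled as an added Python example that is not ADF code or SDL’s own API: the `ClaimStore`, the cartridge functions, the claim names and the preference keys are constructed stand-ins for illustration. It shows why the preferences cartridge is the safer default (a non-consented claim is never present), and the ordering pitfall of the on-the-fly approach (a cartridge that runs later can overwrite the sentinel), together with an audit check that catches it.

```python
"""Consent-gated claims, modelled after the two approaches described above.

Constructed stand-ins: `ClaimStore` mimics a per-request claim store, a
"cartridge" is a plain function that reads request data and sets claims,
and the claim names / preference keys are illustrative only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

NOT_SHARED = "Not Shared"  # sentinel used by the on-the-fly approach

# Claims derived from personal data, and the preference that must permit them.
GATED_CLAIMS: Dict[str, str] = {
    "LOCATION": "location_offers",
    "DEVICE_CLASS": "device_profiling",
}


@dataclass
class ClaimStore:
    claims: Dict[str, str] = field(default_factory=dict)

    def put(self, name: str, value: str) -> None:
        self.claims[name] = value

    def get(self, name: str) -> Optional[str]:
        return self.claims.get(name)


Cartridge = Callable[[dict, ClaimStore], None]


def geo_ip_cartridge(request: dict, store: ClaimStore) -> None:
    """A legacy cartridge that always sets LOCATION, ignoring consent."""
    store.put("LOCATION", request.get("geo_location", "Unknown"))


def preferences_cartridge(request: dict, store: ClaimStore) -> None:
    """Approach 1: set a personal-data claim only when the user opted in.

    A claim the user did not permit is simply never present in the store.
    """
    prefs = request.get("preferences", {})
    if prefs.get("location_offers"):
        store.put("LOCATION", request.get("geo_location", "Unknown"))
    if prefs.get("device_profiling"):
        store.put("DEVICE_CLASS", request.get("device_class", "Unknown"))


def consent_adjustment_cartridge(request: dict, store: ClaimStore) -> None:
    """Approach 2: overwrite non-consented claims with a sentinel value.

    This only works if it runs *after* every cartridge that sets those claims.
    """
    prefs = request.get("preferences", {})
    for claim, pref in GATED_CLAIMS.items():
        if not prefs.get(pref):
            store.put(claim, NOT_SHARED)


def run_pipeline(request: dict, cartridges: List[Cartridge]) -> ClaimStore:
    """Run the cartridges in order against a fresh per-request claim store."""
    store = ClaimStore()
    for cartridge in cartridges:
        cartridge(request, store)
    return store


def location_offer(store: ClaimStore) -> str:
    """Personalization code: treat an absent claim and the sentinel the same."""
    location = store.get("LOCATION")
    if location is None or location == NOT_SHARED:
        return "generic offer"
    return f"offer for {location}"


def unconsented_claims(store: ClaimStore, preferences: dict) -> List[str]:
    """Audit check: gated claims holding a real value without consent."""
    return sorted(
        claim
        for claim, pref in GATED_CLAIMS.items()
        if store.get(claim) not in (None, NOT_SHARED) and not preferences.get(pref)
    )
```

Running `unconsented_claims` against the store at the end of each request (or in a test suite over your cartridge order) is the kind of check the on-the-fly approach needs, because nothing else guarantees that the sentinel survives every cartridge that runs after it.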
You or your implementation team are welcome to add your own background on managing user preferences with the ADF on Tridion Stack Exchange.
In addition to Cartridges, the ADF offers cookies for tracking and session identification. These cookies help the ADF recognize a returning user and do not contain personally identifiable information. Their names and use are, however, configurable in your implementation. The next section describes how you can modify or even disable these cookies.
The ADF cookies, primarily used to track visitor click-paths and session identification, do not include any information that would allow a third-party to identify a visitor without access to the SDL Tridion Content Delivery databases.
These two cookies (named TAFTracking and TAFSession by default) can be given any name the implementer configures, and always contain a seemingly random number that is meaningless to a third party, since it is only a pointer to information stored in the application server’s session and/or the Content Delivery database.
Modifying and disabling the ADF Tracking cookie
SDL Tridion Sites allows the SDL Tridion Ambient Data Framework Tracking cookie to be completely or selectively disabled. To disable tracking cookies completely, configure the Ambient Data Framework (cd_ambient_conf.xml) to never set them, as explained in our documentation. To use the ADF cookies selectively, rely on the approaches described above or implement a “Cookie Claim Processor” cartridge that decides when to generate cookies.
The Context Cartridge lets you anonymously adjust web page layout or optimize images based on the visitor's device. Used in this context and considering it's nearly impossible to identify a person with this data, there's not much to change in standard Context Cartridge implementations.
However, if you use the Context Cartridge to store information or otherwise personalize a website experience, you need to transparently explain that processing of personal data to visitors and get their permission.
For example, take care if you use the visitor’s device information to build a profile of the user, to promote certain content, or to make special offers based on what that device signifies about a given user. This differs from anonymously optimizing an experience based on a device.
Now that we’ve covered ways to implement the ADF based on user preferences, and considerations about the Context Cartridge, let’s look at storing such data.
Storing Ambient Data
The SDL Tridion Ambient Data Framework itself does not persist any information related to your visitors and your visitors’ behaviors. All data that is stored, for instance in Audience Manager or another external system, is a result of an explicit action during implementation and not a direct result of using the ADF.
If storing ADF claims, be sure to address the data subject rights.
Data Subject Rights: Considerations for the ADF
Right to Notice
You must provide a legal basis for using the personal data of data subjects, which could be via consent or through a legitimate interest.
Right to Access
Describe the purpose and type (category) of personal data (PD) collected, to whom it has been disclosed, and how the PD is safeguarded and retained.
For example, you may describe your NDA or data privacy policies in place with third-party support vendors. Perhaps you have company policies that prevent you from sharing PD outside your company, or you do share select PD with certain affiliate partners, but only if allowed by the Data Subject.
You may choose to describe the source of any inferred or ambient data not entered directly by a Data Subject. For example, websites can use GEO-IP lookup services to determine a location for a given IP address.
Right to Rectification
Your site should also be transparent in known data about its users and give them the opportunity to change the personal information you know about them.
You may use a separate database to gather and collect more information. It may help to record time-stamps and sources of information if you choose to consolidate or otherwise integrate multiple systems that work with PD.
Right to be Forgotten
Remember that customer data includes information beyond the scope of your content management system. You may want to aggregate any information from the ADF into another system to help comply with a user's right to be forgotten.
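As an added example (not the ADF’s or Audience Manager’s own code), a small Python store for ADF claims that an implementation has chosen to persist, recording the source and timestamp of each value as suggested above so that consolidated records can be explained, corrected and erased. The subject identifiers, claim names and source labels are constructed, and a list stands in for whatever database the implementation uses.

```python
"""Persisted ambient-data records with provenance, plus data subject rights.

Constructed example: a list-backed store stands in for the database an
implementation uses to consolidate claims from the ADF and other systems.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ClaimRecord:
    subject_id: str
    claim: str
    value: str
    source: str       # cartridge or system that produced the value
    recorded_at: str  # ISO-8601 UTC timestamp, so merged records can be ordered


class AmbientDataStore:
    def __init__(self) -> None:
        self._records: List[ClaimRecord] = []

    def record(self, subject_id: str, claim: str, value: str, source: str,
               recorded_at: Optional[str] = None) -> None:
        """Store one value with its provenance; defaults to 'now' in UTC."""
        when = recorded_at or datetime.now(timezone.utc).isoformat()
        self._records.append(ClaimRecord(subject_id, claim, value, source, when))

    def _for(self, subject_id: str) -> List[ClaimRecord]:
        recs = [r for r in self._records if r.subject_id == subject_id]
        return sorted(recs, key=lambda r: r.recorded_at)

    def current_claims(self, subject_id: str) -> Dict[str, str]:
        """Latest value per claim, regardless of which system supplied it."""
        latest: Dict[str, str] = {}
        for rec in self._for(subject_id):
            latest[rec.claim] = rec.value
        return latest

    def access_report(self, subject_id: str) -> dict:
        """Right to Access: every held value with its source and timestamp."""
        recs = self._for(subject_id)
        return {
            "subject_id": subject_id,
            "sources": sorted({r.source for r in recs}),
            "records": [asdict(r) for r in recs],
        }

    def rectify(self, subject_id: str, claim: str, value: str,
                recorded_at: Optional[str] = None) -> None:
        """Right to Rectification: a newer, subject-supplied value takes precedence."""
        self.record(subject_id, claim, value, "data subject", recorded_at)

    def erase(self, subject_id: str) -> int:
        """Right to be Forgotten: drop all records; returns how many were removed."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)
```

Keeping the older records after a rectification (rather than overwriting in place) lets the access report show where an inferred value such as a GEO-IP location came from and when the subject corrected it; erasure then removes the whole history for that subject in one operation.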
We'll end this post with some tips on Experience Optimization (XO).
To manage your opt-in process in your XO implementation, you can choose to offer in-context explanations of personalized content either at or near your XO regions or even as part of some standard promoted content that appears alongside personalized content.
Use XO’s region feature, optionally with dynamic content (Component Presentations) to explain how the site is being adjusted or otherwise optimized for the user experience. On a separate “preferences” page, you might provide a way for website users to adjust their personal data or otherwise adjust the website experience.
As a final reminder, be sure to avoid forcing a blanket opt-in in order to let visitors use your website.
(1) Adapted from “SDL Tridion Ambient Framework: Cookie and Privacy Information,” by N. Linhares.
These blog posts are meant to help SDL customers familiarize themselves with the concepts and high-level requirements of the General Data Privacy Regulation (GDPR). Following these recommendations can help organizations follow good privacy practices. But this should not be treated as legal advice or a comprehensive and exhaustive checklist for “GDPR compliance.”
All organizations are encouraged to read the GDPR from legal, business, and IT perspectives, to confirm how to best comply with the regulation to ultimately protect and safeguard the privacy of the people that interact with them.
Find my other posts in my introduction to the SDL Tridion DX GDPR blog post series.