April 7, 2020 ↘︎

Is Adobe Activity Map capturing my customer’s PII (personally identifiable information)?

Loading the Elevenlabs Text to Speech AudioNative Player...

What makes Adobe Activity Map a great a link tracking solution is exactly what can also lead to it unintentionally capturing customer’s PII (personally identifiable information) across a website. Read on to understand why PII is important, how Activity Map can expose unintended customer data collection, and what options are available to mitigate the risks associated with an Activity Map implementation.

If you’re not already familiar with Activity Map and how it works, then please refer to our previous blog post – ‘What is Adobe Activity Map and how does it work?

Table of contents:

This article is intended for an audience that includes existing Adobe Analytics users, business stakeholders, developers, digital platform managers and teams, data analysts, website optimisation teams, digital marketing teams, digital risk and legal teams.

Why is this important?

As any legal expert will tell you, capturing a customer’s personally identifiable information without explicit consent can result in significant ramifications for a business both financially and in regard to reputation. Data privacy and security is becoming more important than it ever given the developments that we’re currently seeing in how browsers are storing cookies (ITP), the GDPR reforms laws introduced in Europe over the last few years, and the goings on with Facebook/Cambridge Analytica since the 2016 United States presidential elections.

As consultants, we are always partnering with our clients to ensure that their analytics solutions are not only providing access to the data and insights they require, but also also meeting data privacy standards. Whilst there are many different ways a website might capture PII, it should not come as a surprise that digital marketing, advertising and analytics platforms are often the most common culprits.

We know that (most) users implement Adobe Analytics with data privacy in mind, but recently we’ve come across several cases where clients haven’t realised that Activity Map was either enabled within their implementation, and that it was capturing their customer’s PII. This is not surprising, as whilst most existing Adobe Analytics users will have either heard of or are even active users of Activity Map, it doesn’t necessarily mean that it’s easy to understand how it works, let alone whether it’s actively capturing PII. 

Lastly, it is important to acknowledge that we still believe Activity Map is a great tool and as consultants we do recommend it for our Adobe Analytics clients that would like to better understand how their customers are interacting with their website. However, we also make it very clear that it’s important for our clients to consider how it will work across their website so that they can be confident in deciding whether it’s a suitable link tracking solution for their needs.

What is PII?

In order to determine whether PII has or is being captured by Activity Map, it’s important to understand what exactly PII is. Broadly speaking it can be defined as any information that could be used to individually identify a person. In terms of data this can range from capturing a person’s full name, or address to more severe examples like credit card details or login details.

’Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.’

Source: https://oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information/

Within Australia the legal definition of PII is detailed within the Privacy Act 1988 (the Privacy Act) which is available via ‘Office of the Australian Information Commissioner’ website.

In addition, if you’re still unclear of how this relates to your Adobe Analytics implementation we’d recommend consulting with your own internal legal department because businesses often have their own unique interpretations and comfort levels concerning the definition of PII.

Why does Activity Map expose a potential PII risk?

Adobe clearly warns owners of the platform that Activity Map can capture PII if they haven’t considered how the functionality will work across their website. Adobe outlines this within their online Adobe Analytics Documentation and also within the Adobe Analytics admin UI where admin level users of the platform have the ability to enable Activity Map across a report suite. In both of these locations Adobe details the particular use cases to be wary of:

“By turning on Activity Map tracking, you may be collecting personally identifiable information (PII) data. This data can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Here are some known cases where PII data might be collected using Activity Map Tracking:

  • Mailto: A mailto link is a type of HTML link that activates the default mail client on the computer for sending an e-mail.

  • User ID links that may show up in the header/footer of a website once the user has logged in.

  • For financial institutions, the account number may be shown as a link. Clicking it will collect the text of the link.

  • Healthcare websites may also have PII data shown as links. Clicking these links will collect the text of the link, thereby collecting PII data.”

Source: https://docs.adobe.com/content/help/en/analytics/analyze/activity-map/lnk-tracking-overview.html

Despite the availability of this information we all know that in the real world that it’s often overlooker or simply just not passed on between past and present stakeholders within a business.

In the case of Activity Map that this is also compounded by the ‘set and forget’ nature of how Activity Map is bundled within the core Adobe Analytics AppMeasurement.js base code that is required for all Adobe Analytics implementations. In addition, it’s normal for websites to change and develop over time, so whilst PII may not have been exposed by Activity Map when it was first implemented, it’s not uncommon for changes to a website (post original Activity Map implementation) to expose PII – unbeknownst to key stakeholders. 

Obviously, all websites are unique in their own way but in addition to the warnings provided within Adobe’s documentation we’d also make the following recommendations:

  • Pay close attention to secure or authenticated (post user login) sections of your website. For example, menu links and drop downs which may contain a customer account ID or username.
  • Pay close attention to links within online forms/applications, tools and conversion funnels that require a user to enter personal details.
  • Regularly check the data being captured by Activity Map within Adobe Analytics Analysis Workspace.
  • Consider formalising a business process for reviewing how Activity Map might impact any new functionality or sections across your website before they are deployed.

How can I tell if Activity Map has, or is, capturing PII?

Assuming that your personal Adobe Experience Cloud user account has been granted access to Activity Map reporting in Adobe Analytics, then within Analysis Workspace you will have access to several Activity Map dimensions and metrics which can be used to determine if PII is being captured.  

To begin with, we would recommend creating a new Analysis Workspace report using the ‘Freeform Table’ visualisation. You can then select ‘Activity Map Link Instances’ as the metric of your report and ‘Activity Map Link’ as the dimension. In our experience, ‘Activity Map Link’ is the dimension where PII is most often captured because it generally represents the ‘text label’ associated to the link (or element) as it appears on the website. ‘Activity Map Link Instances’ is the event or metric that defines how many times users have clicked on the element.

Once the report is set up, use the filter in the search results for the common syntax/naming conventions/data values that you might expect PII to be captured under:

  • Common first and last names – i.e. ‘Matt’, ‘Sarah’ or ‘Smith’
  • Common phone numbers – i.e. ’02’ (or other phone area codes)
  • Common email addresses – i.e. ‘@gmail’ (or even simply ‘@’)
  • Common addresses – i.e. ‘street’ or ‘road’
  • Any other patterns that may be common or specific to your website – i.e. if your website provides the ability to make payments via credit or debt card then look for 16 digit numbers

Whilst ‘Activity Map Link’ is the most common dimension that we’ve seen capture PII data, we would also recommend repeating the above steps for ‘Activity Map Region’ as well. This dimension captures the location or section of the page where a link is located, and so for some websites this could also contain PII.

Filtering ‘Activity Map Link’ dimension by the common name ‘Sarah’ within Analysis Workspace.

If your investigations have confirmed that PII is indeed being captured, we recommend that you deactivate Activity Map as soon as possible to prevent any further PII exposure. Details on how to do this can be found here. Please note, this is not the only option – there are various solutions available to excluding Activity Map from capturing link tracking data on website sections or links as detailed later in this article.  

Once disabled, the next step is to determine all the different scenarios across your site that are exposing PII.

Which specific links, pages or site sections are contributing to this data to be captured?

This is important in order to assess the scope of the links or regions contributing to PII exposure, and ultimately allow you to better decide on the best course of action to either remove Activity Map entirely or customise its implementation accordingly.

Overlaying some of the additional Activity Map dimensions in your Workspace report may help you better understand which specific links, pages or regions (i.e. global menu navigation components) of your site that are exposing PII.  For example, we would recommend overlaying the Activity Map Page dimension over any PII values returned within the ‘Activity Map Link’ and ‘Activity Map Region’ dimensions to understand which pages contain the link in question.  

Example of filtering an ‘Activity Map Link’ dimension by the Activity Map Page to determine what pages have links that are passing this ‘Activity Map Link’ data.

This may require some creative thinking, as all websites are unique and the definition of PII can be broad between websites and businesses as a whole. Ultimately, your investigation should result in a list of sections, links or regions across your website that are currently exposing PII via Activity Map.

What should I do if PII has been captured by Activity Map?

Aside from first disabling Activity Map, we’d recommend that you consult your internal legal department regarding any existing or future potential risks to capturing customer’s PII. In addition, contact your Adobe Account Manager to determine how best to handle the PII that has already been captured within your report suite.

Once you’re comfortable with the above, you can consider which of  the following options are most suitable to your implementation and requirements.

How can I prevent Activity Map from capturing PII across my website?

There are various options available to prevent Activity Map from capturing PII across a website ranging from complete removal to customisation of implementation. When we partner with our clients, we generally find that the suitability of each of these options ultimately comes down to the following:

  • The scope of links or regions across a website that are exposing PII via Activity Map.
  • The analyst and developer resources available to a client to investigate and technically implement a fix.
  • How important Activity Map link tracking data is in the overall digital reporting requirements.
  • How risk adversity to PII exposure both now and into the future.

Depending on our responses, we usually recommend one of the following options.

Please note: These options are based on the assumption that you are using a tag manager (i.e. Adobe DTM, Adobe Launch, Ensighten, Tealium etc) to implement Adobe Analytics (including Activity Map) across your website. If  you do not use a tag manager, then the logic is still applicable but will require that you relate it to the specifics of your implementation.

Option 1 – Remove Activity Map

Overview
Remove/disable Activity Map entirely from your website.

ProsCons
  • Removes any chance of Activity Map from capturing PII.
  • Minimal technical development and implementation effort required.
  • No data analysis effort required.
  • Activity Map will no longer function across your website.

Recommendation
This is the best option, if you do not actively use Activity Map reporting  or simply just want to remove any chance of Activity Map from exposing PII.

Process
To action this option, simply need to remove the Activity Map module from the Adobe Analytics AppMeasurement.js base code. How you do this depends on how the Activity Map module has been implemented. If you are using a tag manager it’s just a matter of removing the Activity Map module from the Adobe Analytics AppMeasurement.js library.

Example of the Activity Map Module as deployed via Adobe DTM. Removing the Activity Map module will disable Activity Map across your website.

If you are using the Adobe CDN to host the AppMeasurement.js, then the method of deactivating Activity Map is slightly different. In this case please refer to our previous blog post.

Option 2 – Remove Activity Map from only certain sections of the website

Overview
Remove Activity Map from the sections of your website that are currently or will potentially will expose PII.

ProsCons
  • You will still have access to Activity Map reporting across sections you have determined do not expose PII.
  • Removes the chance of Activity Map from exposing PII across sections of your website that do currently or will potentially expose PII.
  • Relatively minimal analysis effort required to determine which sections of your website to exclude from Activity Map.
  • The only technical changes required can be completed via your tag manager.
  • You will no longer have access to Activity Map reporting across certain sections of your website.
  • Requires an ongoing business process to ensure that the future development of a website is considered in terms of sections that Activity Map is applied to.

Recommendation
In our experience, this is generally the preferred option for most clients that actively use Activity Map. This is due to links containing PII often being limited to certain sections where customers can either view or enter in personal details about themselves – which is generally either authenticated  (i.e. post user login) sections of websites or online application forms.

This option allows a client to still use Activity Map, but only in parts of the website that don’t expose PII.

Process
Once you have determined the particular sections of your website that are capturing PII via Activity Map, you will need to update your implementation so that the Activity Map module will not be loaded on these sections.

This can be achieved by applying custom code or conditions within your tag manager so that the Activity Map module is only loaded onto pages that meet specific URLs, page paths, or domains/subdomains conditions. Please feel free to contact us if you would like any support with this.

Option 3 – Customise Activity Map to exclude particular links or regions on the website from being tracked.

Overview
Adobe offers instructions on how to customise your website so that Activity Map will not track particular links or regions across your website. This option ensures that you can to continue to use Activity Map reporting across your entire website but allows you to exclude particular links or regions on your website that expose PII.

ProsCons
  • Allows you to be specific in excluding Activity Map from capturing link tracking data on the exact links or regions that expose PII across your website.
  • You will still have access to Activity Map reporting across the majority of your website.
  • Considerable analysis effort required to determine which links or regions to exclude.
  • Front end web development is required across your website, as well as some technical changes within your tag manager.
  • Requires an ongoing business process to ensure that the future development of your website is considered in terms of sections, links or regions that Activity Map link tracking needs to be excluded from.

Recommendation
The approach provided by Adobe for this option can be difficult in terms of its technical solution and the effort required to implement and maintain it. We would generally only recommend this option if the results of your investigation have determined that there’s only a few links or regions across your website that are exposing PII via Activity Map, plus you rely heavily on Activity Map link tracking and want to maintain as much of its reporting functionality across your website as possible.

Process
The process for implementing this option requires you understand all the links and regions that are exposing PII, and can apply some additional front end code across your website (including HTML and CSS) to mask or exclude those links and regions from Activity Map link tracking. You would also need to add some custom JavaScript to your Adobe Analytics implementation.

Adobe provides more detailed instructions on how these customisations can be made, but for the purpose of example here how we implemented it across the Digital Balance website. 

DTM view of the s.ActivityMap.linkExclusions = ‘exclude-link1’ being added as custom code the self-hosted Adobe Analytics AppMeasurement.js.

Example of the custom code that is required to be added to your website. With the span class ‘exclude-link1’ applied to the Blog link, the associated CSS rules for that class.

Option 4 (Requires Adobe Launch) – ‘Activity Map customiser’ Extension

Overview
This is only a viable option if you are using Adobe Launch as your tag manager. Whilst the above options are suitable for other tag management platforms, if you are using Adobe Launch as your tag manager (or in the process of migrating from Adobe DTM to Adobe Launch due to Adobe’s plans to ‘sunset’ DTM), and you would still like to use Activity Map, then we’d recommend this option.

Adobe Launch offers an ‘Extension’ that allows you to customise the exact elements (i.e links or regions) across your website that enables Activity Map to either include or exclude them from link tracking.

For example, you can exclude entire links or regions across your website according to HTML attributes such as classes and IDs. The extension is called ‘Activity Map customiser’ and more details about the extension can be found here.

This option is similar to option 3 in terms of excluding specific links or regions across your website from being tracking via Activity Map, but it will not require any additional front end development. Instead the solution can be configured and managed purely through Adobe Launch.

ProsCons
  • Ability to customise the links and regions that are both included and excluded from Activity Map reporting according to specific HTML attributes and CSS classes/IDs across your website.
  • Does not require any custom code to be implemented across your website – all configurations are made via the extension within Adobe Launch.

Recommendation
Recommended option if you use Adobe Launch as the tag manager across your website, and you would like to maintain Activity Map reporting.

Process
Install the ‘Activity Map customiser’ extension and configure it so that links or regions across your website that currently or will eventually capture PII are excluded from Activity Map link tracking. We would refer you to this article by SoftCrylic, the creators of this extension on how this can be achieved.

The ‘Activity Map customiser’ extension available within Adobe Launch.

I think I still need help

If you still have questions on the above then feel free to leave a comment, or reach out to us directly. 

DB logo
DB logo
DB logo