Adobe Experience Platform: Prepping Your Team to Ensure Data Governance

June 2, 2023 | Arturo Rivero
Adobe Experience Platform: Prepping Your Team to Ensure Data Governance

The main concerns for most teams when standing up and configuring the Adobe Real-Time CDP (RTCDP) tend to lie on the technical side: defining and configuring the Martech architecture to support the implementation. We can’t unlock any insights from the data if we don’t implement the technology in the first place.

imageImage 2: Adobe Experience Platform’s Architecture and Applications. 

Ensuring proper data collection and ingestion into AEP are a priority if we want to unlock Adobe’s RTCDP’s power to create unified customer profiles, drive user experience, and take growth and incrementality from digital efforts to the next level.

The Importance of Having a Data Governance Framework for Your Team

More frequently than not, leaders place too little attention on data governance. The question “Who will be using what, with what purpose?” can sometimes be an afterthought to get the Adobe Experience Platform (AEP) up and running quickly. However, governance is the other side of the coin and is critical to instill transparency and trust in the process, and that ultimately unlocks collaboration across teams.

Traditionally, Data Management Platforms (DMPs)—the predecessors to CDPs that tracked users and were used to create user audiences—were cookie-based. Any concerns regarding personally identifiable information (PII) were nonexistent and thus considered someone else’s business by marketers and data architects. There were no legal stakes in this process.

As CDPs are set to replace DMPs, PII becomes available. Protecting user privacy becomes front and center in any CDP implementation, changing roles and responsibilities within all organizations.

Organizations' increasing main interest is to earn the consumers' trust from the beginning, collect user behavior data, and unlock the ability to use that data and create relevant consumer experiences.

Apart from offering a comprehensive data pipeline under one technology (which is already powerful), Adobe afforded AEP the capability to apply an organization’s data governance framework effectively, allowing companies to not only ingest the data they own, but also to make sure that is used to its fullest potential while complying with existing regulations.

Recent legislation like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are here to stay. Cookies, especially third-party ones, are under heavy scrutiny. At the same time, there is an increase in native platform built-in tracking protection mechanisms like ITP and ETP. As a result, legacy business models initially built around third-party data collection, aggregation, and sharing are on the brink of extinction. First-party data is now more critical than ever.

Organizations must protect the first-party data and all the personally-identifiable information collected to earn consumers’ trust and keep them coming back. Earning consumers' trust will unlock the potential to offer personalized experiences that drive positive results for the business and delight the consumer. Consent information needs to be an integral part of this process; it is no longer an afterthought.

Data Governance Takes Time—Don’t Be a Laggard

There are fundamental efficiencies in addressing the two primary aspects of the CDP implementation roadmap simultaneously; technical implementation and regulatory compliance. But when the team in charge of buying and implementing the solution is primarily technical, the legal part risks being addressed later.

A common problem, though, is that once the solution is implemented, the data owner, or the Chief Data Officer (CDO) in charge of regulatory compliance, catches wind of this initiative and raises privacy concerns. This can block the use of any technology if there is any risk of regulatory non-compliance.

Enforcing data governance once AEP is implemented can delay your team’s implementation roadmap and cause significant revenue loss to the organization because the implementation will be a harder sell if addressed at the end. Acting quickly and efficiently to start addressing governance at the beginning of the process has clear advantages.

Data governance cannot happen in a silo. It requires collaboration across all teams, especially with the CDO. With this in mind, there are great opportunities for marketers to be visionaries, seeking and fostering collaboration with the CDO’s team in charge of governance across the organization, moving beyond their traditional areas of customer acquisition, loyalty, and partnerships. By seeing the bigger picture, they can also up their game and help future-proof customer experiences with consent policies and regulations.

Moving quickly is essential, especially for larger organizations in competitive industries. Dealing with their own bureaucracy makes it difficult to act quickly. The sooner they start pushing for their initiatives, the faster they will go through their roadmap and the sooner they can use their technology.

Laggards, however, face important challenges when deploying and enabling their solution, especially if they have to deal with governance issues after the technical aspect of the implementation has been finalized.

Early adopters will go through their learning curve first and only start activating their data when they are confident and knowingly making the best use of it. They are thus cementing their position as leaders in their industries. Because they began first, they can afford to spend time and effort testing and learning.

Laggards, on the other hand, because of their uncoordinated approach to their implementation, will suffer setbacks internally, take longer to finalize their implementation roadmap, and often only begin learning while the early adopters are already activating their insights. The loss in revenue from these delays can put the company at a severe disadvantage against its competitors, causing unnecessary risks and revenue loss for many years. Often, companies never recover from these losses.


Understanding (and Possibly Changing) How Data is Protected in The Organization.

CDP implementations can change the way that data is managed, and this requires some executive decision-making. Data can be ingested into AEP directly from the source, making the data available in real time. Data can also be ingested from centralized repositories, like a data lake.

Many organizations, especially large ones, have their data already in a data lake, and ingesting it into AEP could make even more sense to save the time and effort required to rethink the data architecture from the beginning; this, too, can be an opportunity for first movers to make meaningful gains.

The collaboration between the teams concerned with the legal and technical aspects of the implementation can and should be incentivized in the wake of the AEP implementation. As data is inventoried, the organization can establish its governance policy to apply it during data ingestion into the platform. Once all data sources are ingested and available in AEP, they will also be compliant, labeled, and ready to use.

The Governance Framework of the Adobe Experience Platform

Applying governance policies to data generally requires defining a set of roles and responsibilities. For AEP, Adobe has proposed a primary series of roles to cover a vast array of data access needs and use cases based on existing data-related practices across many organizations. These roles can be further expanded or reduced as needed. 

  • Data Steward: The person in this role is a legal officer, most likely part of the organization’s legal team, in charge of interpreting existing regulations and determining what information can be available for each specific purpose. Labeling the data is the responsibility of this role.
  • Data Engineers and Data Scientists: The people in these roles will clean and process the data once ingested and ensure data quality to draw insights and make predictions using machine learning.
  • Marketer: This role is the end of the chain and will receive the processed and labeled data to activate the insights. 

At the executive sponsor level, ensuring collaboration of the technical and legal teams can help drive adoption, not only by facilitating a smooth implementation but primarily by helping unlock the activation of the CDP solution once proper governance has been established and all stakeholders are confident that both the technical and the legal aspects of the implementation have been covered. 

Technology like AEP can act as a catalyst to spark organizational change. Establishing a Center of Excellence (COE) built around enterprise audiences and responsible data management is one of the potential organizational considerations that can help drive the maturity of the CDP practice and help go from having disconnected data to having a unified, enriched customer profile that is easily accessible and also easy to activate.

Although time-consuming, applying data usage labels to each dataset being ingested into AEP is well worth the effort. Furthermore, marketers must become familiar with the existing governance policies as data governance and privacy move front and center in the new digital strategy. Strengthening the bond between marketers and data stewards will only benefit the organization by ensuring proper compliance.

Large organizations are held accountable for using the information collected and are subject to the same or stricter regulations than smaller organizations. Large companies in the financial or healthcare sector, for example, have access not only to personally identifiable information (PII) but also to data regarding a person’s financial situation, debts, assets, etc., or health-related data, like health diagnoses and lifestyle information, both of which could easily be used for unlawful purposes, such as targeting a person through advertising, or to discriminate against them.

In the Healthcare industry, for example, companies also manage, as part of their business, information related to the health of individuals. This Personal Health Information (PHI) is protected in the United States and Canada by the Health Insurance Portability and Accountability Act (HIPAA) and the Personal Information Protection and Electronic Documents Act (PIPEDA)

Organizations should consider the most straightforward approach to data labeling to make the process more efficient. However, most companies' needs are diverse, and no one-size-fits-all solution exists. Understanding this process and the nature of data sources ingested into AEP can go a long way in speeding up data labeling.

Data Usage Labeling and Enforcement (DULE) in Adobe Experience Platform 

AEP’s data usage labels can significantly reduce manual effort and, thus, the risk of accidentally activating customer data. Data usage labels (DULE) allow you to categorize datasets and fields according to usage policies that apply to the data that are unique to your organization.

Once those data usage labels have been applied to the datasets, and the data usage policies have been defined for marketing and all other actions, enforcing the privacy and data usage policies and preventing policy violations is done automatically inside AEP.

Adobe provides comprehensive documentation to help organizations get started on their path to applying data governance to their data in AEP. 

Data usage Labeling and Enforcement (DULE) in AEP allows marketers and data stewards to categorize datasets and fields according to governance policies that apply to that data. Labels can be applied at any time, providing flexibility in how you choose to govern data. Best practices encourage labeling data as soon as it is ingested into Experience Platform, or as soon as data becomes available for use in Platform.


There are currently two locations in AEP where data can be labeled: in the Datasets or at the Schema level. If labeled in the schema, the datasets generated from the schemas will inherit the labels. Because of this, labeling at the schema level vs. dataset is recommended.

Data usage labels applied at the dataset level propagate to all fields within the dataset. Labels can also be applied directly to individual fields (column headers) without propagation. However, new datasets will not inherit the labels when data is labeled in the dataset and not directly tied to a schema.

AEP includes several out-of-the-box data usage labels that cover many typical use cases for most organizations. These “core data usage labels” are split into three categories, for the basic dataset types and use cases: contractual, identity and sensitive labels.

  1. Contract “C” labels “categorize data that has contractual obligations or is related to your organization’s data governance policies.”
  2. Identity “I” labels  “categorize data that can identify or contact a specific person”. This label category refers to what most now call personally identifiable information (PII).
  3. Sensitive “S” labels are designed to categorize data that an organization considers to be sensitive, primarily because it allows knowing the geographic location of an individual to a certain degree. This category, however, is not limited to geographic data, as it is often used to label Protected Health Information (PHI), among others.

Adobe has also created a series of alphanumeric labels under each one of the label categories mentioned above (contractual, identity, and sensitive) to facilitate their application to comply with any organization’s governance policy. Using it is not mandatory; it is a guideline for a basic governance framework. ​​Adobe frequently adds new labels to the system; refer to the official Adobe documentation here for the most up-to-date list.

For example, data labeled as C1 can usually “only be exported from Adobe Experience Cloud in an aggregated form without including individual or device identifier.” Data labeled as C2 “cannot be exported to a third party”. Data marked C12 “cannot be exported in any way”.

From C1 to C12, each dataset can be labeled with one or more of the existing labels if the Data Steward considers that these classifications are enough to comply with existing regulations regarding data usage. 

Adobe has also provided data usage labels specific to particular categories and health-related data to cover the specifics of PHI data labeling:

  1. PSPD: data contractually permitted to upload by Adobe deemed “sensitive,” “special category of data” or similar term used by applicable laws, but specifically excluding PHI or regulated health data.
  2. RHD: Protected Health Information that is contractually permitted to upload into AEP. 

With the Healthcare industry in mind, Adobe also developed its Healthcare Shield add-on to help make AEP applications HIPAA-ready to meet HIPAA compliance requirements regarding the processing and usage of PHI.

Once data is ingested and labeled for use, data usage labels are inherited within the platform. Any segments containing data marked as restricted (that cannot be shared to a destination) will be blocked for activation automatically. Data usage labels bring robustness to the AEP implementation by ensuring regulatory compliance and protecting the organization even from the accidental activation of restricted data.


Attribute-Based Access Control (ABAC) in Adobe Experience Platform

Additional to the DULE labels, which conditions which data can be shared to the available destinations in AEP for activation, Attribute-based Access Control (ABAC) is a control system part of AEP’s Role-Based Access Control that allows an administrator to apply data labels and use the data labels to either grant or deny permission to the data elements. ABAC labels are especially useful in restricting direct access to customer data by AEP users. This a critical need for organizations working with sensitive information, such as PHI.

Like the Data Usage Labels, this involves tagging data stored in AEP with Labels. However, the access-based labels can only be applied at the schema level vs. the data usage labels, which can be used at either the schema or data set level.

DULE labels can and should be used in conjunction with ABAC labels to restrict access and shape the organization’s practices for data management, segmentation, audience creation, and activation outside of AEP.

The ABAC labels can further restrict or curate an organization’s internal teams' access to specific data, such as dividing data in AEP to create separate accesses for each business unit or particular groups within a business unit. The possibilities are virtually endless.

AEP is flexible when it comes to data labeling. An organization is free to use the out-of-the-box labels provided. It can decide to modify it, expand it, or outright ignore it and create its own set of labels; this is especially useful for organizations with a labeling system in place for data governance. Following the company's policies, they must recreate it within AEP and apply each newly-created label to their respective datasets.

Beyond the technical aspects of the AEP implementation, it is important to keep in mind that the granularity achieved from implementing a company’s data governance framework aligned with multiple teams’ objectives can further provide increased complexity.

Clearing the Path for the Activation of Artificial Intelligence and AI-powered Segmentation

As the technical aspects of the implementation are defined and solved, and the data is made available in AEP, data architects and engineers should step away from day-to-day operations to give way to marketers and data scientists. As data is ingested, labels are set to tie to how the data should be used for activation. 

Marketers can then build segments using attributes from the datasets for product adoption or purchase data from the company’s systems. RTCDP will automatically inherit the rules created during data ingestion and apply them to the segment. 

Finally, as multiple marketers have access to specific segments for cross-channel activation based on the labels and policies, the segment will be blocked from activation on particular channels, like social media, but activated successfully in others, probably owned and operated channels such as an internal email system.

Marketers must also familiarize themselves with the new technology and understand the roles of data engineers and data scientists. They will have to learn, to a certain extent, if they want to make the best use of AEP, concepts such as schemas, class, field groups, identities, and relationships will become handy to understand what data is available to follow users in their customer journeys.

AEP proposes to use the abundant data in the data lake to create customer profiles that can be activated through native integrations with Adobe products and seamlessly with other third-party platforms in real-time through Adobe Real-Time Customer Data Platform (RTCDP). 

As more data sources become available in AEP, more information about users, including PII, will be available. Proper governance means that all the procedures established to protect user data are in place and that users are effectively safe from improper use of their information. At the same time, proper governance also means that the RTCDP can use the available user information to create unified customer profiles for activation.

In Canada, digital ads providers, such as Google and Meta, started rolling out restrictions on their platforms to reduce the advertisers’ capacity to target users for ads referring to housing, employment and credit. This means that these platforms can set limits to targeting users based on criteria such as, but not limited to, age, gender, and postal code, which allow for discrimination. 

Creating lookalike audiences, and interest-based audiences will also be limited for companies operating in the housing, employment, and credit markets. These advertisers need to find a way to learn about their users, create high-value segments, and push segments to destinations like Google Ads or Facebook, maintaining performance and generating incrementality with reduced targeting capacity.

Despite all the limitations of regulations and an organization’s internal data governance framework, Adobe’s RTCDP offers unique opportunities to learn from customers through its Customer AI feature.

AEP’s Customer AI allows for drawing insights and predicting user behavior through machine learning. The propensity models provided are highly accurate in understanding the factors that influence user behavior and can be used to provide robust segmentation and targeting for paid media or personalization. 

The machine learning models generated through Customer AI may or may not include PII/ PHI, which might or might not add any value. Still, they will be based on a high number of variables, including past visits and behavior during those visits(for example, to predict Customer Lifetime Value through data science). The RTCDP can learn from those users and carry out segmentation criteria that will inherently exclude any PHI and PII criteria.

PHI and PII become just another variable that can be included or excluded from the variables used in the model, depending on the organization’s data governance framework, internal policies, and existing regulations. Each company is different, and the regulations affect them differently.

Developing and strengthening the bond between marketers and data stewards can go a long way in facilitating the initiative to stand up a CDP solution in any organization. Thinking and planning well in advance around the topics discussed in this post can provide a real competitive advantage to any organization.