On December 13 the Dutch Data Protection Foundation (SDBN) filed a class action against Adobe for illegally collecting personal data through its Adobe Experience Cloud platform, using the data for creating personal profiles, and sharing them with advertisers. In other words, the SDBN claims that Adobe is illegally spying and profiling you through its ad tech tools.
Much like SDBN’s pending lawsuit against X (formerly Twitter), this lawsuit focuses on widespread privacy issues in the ad tech environment and is worth following closely. Here is what this is all about!
What is at stake?
This case could cost Adobe enormous damages because the company has been profiling millions of Dutch citizens. But money is easily the least important aspect of the case.
If we look at the broader picture, the issues highlighted by the SBDN are simply the well know issues of tracking based advertising- and Adobe are in good company. If the SDBN manages to establish a precedent against Adobe (or X), other big fish such as Google and Meta might be next in line and risk a lot of money as well.
Bottom line, the case is not really about Adobe. It is about a business model. One that is widespread, immoral, dangerous, and built on invasive surveillance on a global scale.
In this already precarious scenario, a Dutch precedent against surveillance-based advertising could have a disruptive (read: good) impact on the ad tech ecosystem.
What did Adobe (allegedly) do wrong?
The Adobe Experience Cloud is a widely used online marketing suite that includes services such as Adobe Analytics, Adobe Experience Manager and Adobe Campaign. In other words, the Cloud is a collection of software-as-a-service tools that exchange information and place ads based on visitor data.
While the lawsuit itself is not publicly available at this time, the SDBN’s website contains a general outline for the claims. The SDBN says that Adobe has been illegally collecting personal data through cookies (which implicitly points towards Adobe Analytics and the Acrobat SDK as the culprits) and has been sharing personal data with third parties in the ad tech environment.
There’s a lot to unpack there, so let’s break it down piece by piece.
Adobe Analytics is a professional, pricey, cookie-based web analytics tool. Organizations can use Adobe Analytics to track visitors and learn more about their interests. This allows them to use other tools in the Adobe Experience cloud to sell advertising spaces to Adobe’s many advertising partners.
In other words, Adobe Analytics is the Adobe equivalent of Google Analytics. It plays a crucial role in Adobe’s ad tech environment because that is where the data come from- aong with Adobe's SDK (see below).
The SDBN claims that Adobe Analytics collects data illegally by placing cookies without the user’s consent. In other words, there is something wrong with the cookie pop-ups that websites are legally required to display before placing marketing cookies on the visitor’s browser.
This can happen for a number of reasons. Cookie-based tools like Adobe Analytics and Google Analytics should only place cookies with consent. But companies often set up these tools the wrong way- intentionally or by neglect. As a result, many websites do not display a cookie pop up or place cookies even for users that turned them down.
The SDBN also claims that websites often do not provide sufficiently precise information as to what happens to personal data collected through cookies. Providing this information is a requirement for collecting valid consent under the GDPR.
The Acrobat SDK
Adobe Analytics is not the only source of personal data for Adobe Cloud Experience: Adobe also harvests personal data with the Acrobat SDK and feeds it to its ad tech tools.
Software development kits (SDKs) are bundles of pre-compiled code that are made available to third party developers- and usually contain trackers. With an SDK, a third party developer gets a very useful toolbox for developing their app for free and offloads the cost to the users, who have their personal data harvested- often without their consent. These data are used- you guessed it- for advertising and are often added to the extensive profiles that ad tech companies maintain.
In other words, SDKs a trap: a cool and free tool for developers that you pay for with your data.
Mobile tracking is a huge problem that does not get the attention it deserves, so we are happy to see another SDBN action involving widespread SDKs.
Profiling and data sharing
The SDBN claims that Adobe shares personal data with third parties. No surprises here: this is standard fare in ad tech due to the nature of the real time bidding system (RTB).
We already wrote about RTBs, so here is the short version. Tools such as Abode Analytics and Google Analytics collect your data through websites and add them to a personal profile. This profile lets companies know what you are interested in, and how to better target ads. Every time you visit a website, this profile is shared in the ad tech environment so that companies can bid on a specific advertising space. During the bid, profiles are shared with advertisers so that they know how much that visitor is worth to them in monetary terms, and what ads they should serve for a better return on investment.
This system is a disaster. The data are shared with hundreds of parties for each bid, and companies such as Adobe and Google have absolutely no control over the data after they are share. Ad tech is a surveillance free-for-all that can be abused by criminals, surveillance companies, foreign governments, and just about anyone who can be bothered to set up a company and join the party.
As the proud developers of a tracking-free web analytics tool, we are a tad bit biased when it comes to ad tech. But you don’t need to take our word for how bad things are. Two recent reports by the Irish Council for Civil Liberties (a well regarded civil rights NGO) show that online advertising is nothing short of a privacy dumpster fire that can endanger even government and military personnel!
Bottom line: yes, Adobe shares your data with a bunch of partners. In all likelihood, quite a few of them are not trustworthy. This is very bad and hardly surprising.
How will this play out?
Let’s take a look at Adobe’s position. In its press releases and previous exchanges with the SDBN, Adobe claimed that none of the alleged violations is its fault. The company maintains that compliance is the customer’s sole responsibility- Adobe sells the service, provides some legal documentation, and calls it a day.
Does Adobe have a point? To what extent does the GDPR allow Adobe to offload its compliance obligations to its customers?
The law is not black and white here, but there is an interesting precedent on this issue involving advertising multinational Criteo. In that case, the French privacy watchdog (CNIL) ruled that an organization as important as Criteo cannot entirely offload the collection and documentation of consent to its customers. Instead, it has a duty to get more involved with compliance, and must take steps to ensure that it is working with real and valid consent.
The CNIL is an influential authority, and the high-profile precedent set against Criteo might just be what the SDBN needs to tip the balance in its favor. Then again, the Dutch courts are not bound to the CNIL’s decisions and may very well take a different stance on the allocation of compliance obligations.
As you have probably figured out, we do not like tracking. We believe it is irresponsible, dangerous, and unethical. This is why we created Simple Analytics to provide our customers with all the insights they need- without collecting personal data from the end user. If this resonates with you, feel free to give us spin!