Consent and the right to object

Abstract

Guide to Sitecore support for opt-in/opt-out and the storing of consent for data subjects invoking their right to object.

Warning

This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you on your data privacy compliance journey. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal data. Your resulting implementation is based entirely on your own configuration choices.

The right to object concerns the data subject’s right to object to processing, direct marketing, and automated profiling. This topic describes how the Sitecore product supports the data subject’s ability to give and revoke consent, including:

  • Existing interfaces and API calls for opting in/out of processing.

  • Options for storing consent choices.

For information about processing, see Types of processing.

Opt-in and opt-out

The Sitecore product provides the following functionality by default:

The organization is responsible for:

  • Implementing interfaces (such as cookie consent banners) or processes that allow contacts to update consent choices.

  • Supporting active opt-in for all other forms of processing, including web tracking.

  • Implementing active opt-in on websites that use the Federated Experience Manager.

  • Requesting consent for any additional collection or processing of personal data, including any data collected via custom Forms.

  • Implementing an interface or process that allows data subjects to revoke consent at any time.

Storing consent

The Sitecore product provides the following functionality by default:

  • The ConsentInformation facet:

    • ConsentRevoked: Gets or sets a value indicating whether the contact has revoked their consent to be contacted by the organization in any form.

    • DoNotMarket: Gets or sets a value indicating whether the contact has globally unsubscribed from all marketing lists. This does not include system messages such as order confirmation or “your password is about to expire”.

  • Email Experience Manager global opt-out list.

  • Email Experience Manager suppression list (available for customers that use the Email Cloud Service).

The organization is responsible for:

  • If necessary, implementing additional contact facets that store consent choices for specific types of processing.

  • Storing consent for personal data collected via custom Forms - for example, by including a consent checkbox on each form.

  • Persisting consent choices for data subjects that do not want to be tracked or stored at all - for example, by storing a value in session or issuing a cookie.

Disabling processing

See Types of processing for an overview of processing activities in the platform and the options available for disabling processing.