Sitecore Privacy Guide


Guide to uncovering your Sitecore implementation's storing and processing of personal data.


This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you on your data privacy compliance journey. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal data. Your resulting implementation is based entirely on your own configuration choices.

This guide is aimed at developers and IT professionals, and can be used as a starting tool to assist you in determining your Sitecore products’ role in the way your organization stores and processes data. This guide covers:

Use the privacy checklist as a starting point when assessing the compliance of your Sitecore implementation with privacy regulations.


The following section defines several terms that appear in legal text such as GDPR, as they have been interpreted for the purposes of this guide only.

Data subject

In a Sitecore product context, the data subject is an individual whose data is connected and who is represented by three entities: the customer, the contact, and the user. The term data subject is used throughout the guide unless referring to a specific entity.

Personal data

This guide assumes a broad definition of personal data as any information which identifies an individual (either directly or indirectly), including but not limited to:

  • Cookies
  • IP addresses
  • Contact interaction history
  • Contact facets
  • Contact identifiers
  • User profile data
  • Customer profile
  • Customer order history


Your organization is responsible for deciding what constitutes personal data in the context of your business.


Processing

This guide assumes a broad definition of processing, including but not limited to:

  • Tracking
  • Collection
  • Contact processing
  • Interaction aggregation
  • Personalization
  • Automation processing
  • Email marketing


Your organization is responsible for deciding what constitutes processing in the context of your business.