Right to erasure

Abstract

Guide to deleting Sitecore individuals who invoke their right to erasure. Covers xConnect, APIs, and SQL.

Applies to

GDPR, CCPA

Warning

This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you on your data privacy compliance journey. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal information. Your resulting implementation is based entirely on your own configuration choices.

The right to erasure (also known as the right to be forgotten) concerns the individual’s right to request the deletion of personal information. This topic describes how Sitecore facilitates the ability to remove an individual’s personal information.

Within your Sitecore implementation, you can:

  • Use the xConnect Client API to erase data marked [PIISensitive] by calling the ExecuteRightToBeForgotten() method. The ClearSuppressionListWhenExecutingRightToBeForgotten handler automatically clears the contact’s past and current email addresses from the suppression list.

    Note

    The ExecuteRightToBeForgotten() method does not delete the entire contact record. Be aware that the exact implementation of the method differs between Sitecore 9.3 and Sitecore 9.2 and earlier, particularly with regard to the handling of interactions.

  • Execute the right to erasure from the Experience Profile interface.

The organization is responsible for the following:

  • Implementing a process or interface that allows individuals to request deletion of personal information.

  • Ensuring that personal information in custom contact facets is marked [PIISensitive]. Any facet or facet property marked [PIISensitive] is deleted when the right to erasure is executed.

Important

Interaction facets cannot be marked [PIISensitive] and are not deleted when the right to erasure is executed.
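As an added example (not code from the Sitecore documentation), the following C# defines a custom contact facet whose personal data is marked [PIISensitive] and erases a contact through the xConnect Client API with ExecuteRightToBeForgotten(). The facet type, its member names, the identifier source and the method names are assumptions; the facet would also have to be registered in your custom xConnect model.

```csharp
using System;
using Sitecore.XConnect;
using Sitecore.XConnect.Client;
using Sitecore.XConnect.Collection.Model;

// Assumed custom facet. Only members marked [PIISensitive] are cleared by
// ExecuteRightToBeForgotten(); LoyaltyTier is not marked and survives erasure.
[Serializable]
public class SupportProfile : Facet
{
    public const string DefaultFacetKey = "SupportProfile";

    [PIISensitive]
    public string SupportEmail { get; set; }

    [PIISensitive]
    public string PhoneNumber { get; set; }

    public string LoyaltyTier { get; set; }
}

public static class ErasureService
{
    // Executes the right to be forgotten for the contact known by
    // (source, identifier). Returns false when no such contact exists.
    public static bool Erase(XConnectClient client, string source, string identifier)
    {
        var reference = new IdentifiedContactReference(source, identifier);
        Contact contact = client.Get<Contact>(reference,
            new ContactExpandOptions(PersonalInformation.DefaultFacetKey,
                                     EmailAddressList.DefaultFacetKey,
                                     SupportProfile.DefaultFacetKey));
        if (contact == null)
        {
            return false;
        }

        // Clears every facet member marked [PIISensitive] on the contact.
        // The contact record itself is retained, and interaction facets are
        // not touched, so this is not a full delete of the contact.
        client.ExecuteRightToBeForgotten(contact);
        client.Submit();
        return true;
    }
}
```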

Removing all contact data

In Sitecore 9.2 and later, you can delete a contact and all of its interactions. Keep the following in mind if you choose to delete contacts and interactions instead of using the ExecuteRightToBeForgotten() method:

  • If a contact is deleted during an active session, that contact may be partially recreated on session end, including known identifiers that were loaded into session.

  • Aggregated data in the xDB Reporting database will be affected if you choose to rebuild all reporting data.

Within your Sitecore implementation, you can:

The organization is responsible for the following:

  • Implementing a process or interface that allows individuals to request that their data is deleted.

  • Ensuring all user profile properties that contain personal information are identified and cleared.

Within your Sitecore implementation, you can:

The organization is responsible for the following:

  • Configuring the CustomersRemovePolicy correctly.

  • Implementing a process or interface that allows individuals to request that their data is deleted.

  • Ensuring all customer profile properties that contain personal information are identified and cleared.

Note

Deleting a customer does not delete the shipping address and email address associated with the order. This data also exists for anonymous orders.

If a contact requests that their data be erased, consider clearing session data and removing cookies to ensure that all connections between the device and the contact are severed:

  • Call Session.Clear()

  • Call Session.Abandon()

  • Remove the SITECORE_GLOBAL_ANALYTICS_COOKIE (although tracking will not resume after the right to erasure has been executed, the xConnect Client API can be used to link a cookie to a device profile, and then to an anonymized contact record)
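The three steps above carried out in one ASP.NET helper, as an added example that is not part of the original page. The cookie name is the one given above; the class and method names are assumptions, and the Path and Domain of the expiring cookie must match the values the original cookie was issued with on your site.

```csharp
using System;
using System.Web;

public static class DeviceLinkSeverer
{
    private const string GlobalAnalyticsCookie = "SITECORE_GLOBAL_ANALYTICS_COOKIE";

    // Severs the link between the current device and the erased contact.
    // Call this after the right to erasure has been executed in xConnect.
    public static void Sever(HttpContextBase context)
    {
        // 1. Drop everything held in session state, including the contact
        //    and any known identifiers loaded into session.
        context.Session.Clear();

        // 2. Abandon the session so nothing from it is persisted on session end.
        context.Session.Abandon();

        // 3. A browser only discards a cookie when it receives one with the
        //    same name, path and domain and an expiry in the past;
        //    Response.Cookies.Remove() alone sends nothing to the client.
        var expired = new HttpCookie(GlobalAnalyticsCookie, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            Path = "/",               // assumption: adjust to the original cookie's path
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection,
        };
        context.Response.Cookies.Set(expired);
    }
}
```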

By default, form submission data is stored in the Forms database. Form submissions stored here are not associated with a contact ID. This means that the data is not automatically deleted if a contact requests to be forgotten. Therefore, if you store email addresses or other personal information that can be used to identify an individual, you must consider how to handle requests for this data to be removed. If a form submission is linked to an identifier such as a contact identifier or an email address, you can use SQL to clear or delete rows associated with a specific individual.

You can do this in a fashion similar to the approach in the topic Walkthrough: Creating a custom submit action that updates contact details, except that the submit action deletes contact information stored in the Forms database instead of updating contact details stored in xConnect.
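As an added example (not from the Sitecore documentation), the following C# removes every form submission whose email field matches the requester, using parameterized SQL inside a transaction. The table and column names (FormEntry, FieldData, FormEntryId, FieldName, Value) are assumptions about the Forms database schema and must be verified against your own database, as are the class and method names.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class FormsDataEraser
{
    // Deletes all submissions where the named field holds the given email.
    // Returns the total number of rows affected across the statements.
    public static int DeleteSubmissionsByEmail(string connectionString, string emailFieldName, string email)
    {
        const string sql = @"
            -- Collect the entries that belong to the requester first, because the
            -- matching FieldData rows are gone after the first DELETE.
            SELECT fd.FormEntryId INTO #Targets
            FROM FieldData fd
            WHERE fd.FieldName = @fieldName AND fd.Value = @email;

            -- Child rows (all field values of those entries), then the entries.
            DELETE FROM FieldData WHERE FormEntryId IN (SELECT FormEntryId FROM #Targets);
            DELETE FROM FormEntry WHERE ID IN (SELECT FormEntryId FROM #Targets);
            DROP TABLE #Targets;";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Parameters keep the requester-supplied values out of the SQL text.
            command.Parameters.Add("@fieldName", SqlDbType.NVarChar, 256).Value = emailFieldName;
            command.Parameters.Add("@email", SqlDbType.NVarChar, 320).Value = email;

            connection.Open();
            using (SqlTransaction tx = connection.BeginTransaction())
            {
                command.Transaction = tx;
                int rows = command.ExecuteNonQuery();
                tx.Commit();   // either every row of the submission goes, or none does
                return rows;
            }
        }
    }
}
```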

Important

If you create a custom submit action that stores personal information in a third-party system such as a CRM, you are responsible for ensuring that individuals can access their data in that system.