Consent and the right to object
| Applies to |
|---|
| GDPR, CCPA |
This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you with data privacy compliance. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal information. Your resulting implementation is based entirely on your own configuration choices.
The right to object concerns the individual’s right to object to processing, direct marketing, and automated profiling. This topic describes how the Sitecore product supports the individual’s ability to give and revoke consent, including:
- Existing interfaces and API calls for opting in/out of processing.
- Options for storing consent choices.
For information about processing, see Types of processing.
Opting in and out of processing
The Sitecore product provides the following functionality by default:
- The Email Experience Manager supports double opt-in.
- The Email Experience Manager API supports unsubscribing from one or all mailing lists.
- Every email message sent by the Email Experience Manager includes links to unsubscribe from the context email message or all email messages.
- Sitecore 10.0 and later provides API calls and configuration options that make it easier to enforce explicit consent for tracking a contact's activity on your websites.
The organization is responsible for:
- Supporting active opt-in for all forms of processing.
  - See Right to be informed for information about implementing privacy notices or cookie consent banners.
  - See Types of processing for a list of processing activities.
- Implementing interfaces (such as cookie consent banners) or processes that allow contacts to update consent choices.
- Implementing active opt-in on websites that use the Federated Experience Manager.
- Requesting consent for any additional collection or processing of personal information, including any data collected using forms.
- Implementing an interface or process that allows individuals to revoke consent at any time.
Storing consent
Sitecore provides the following functionality by default:
- Explicit consent for tracking is configured per website using the `explicitConsentForTrackingIsRequired` attribute in the `Sitecore.config` file (`<siteroot>/App_Config/Sitecore.config`). The default value is `false`.
- The `ConsentInformation` facet, which is used by the Email Experience Manager and the web tracker by default. Consent options are stored as a dictionary (`Dictionary<string, ConsentItem>`). You can choose to use the `ConsentInformation` facet to store consent choices if it meets your requirements for storing consent.
- Email Experience Manager global opt-out list.
- Email Experience Manager suppression list (available for customers that use the Email Cloud Service).
- Marketing automation plan Update consent settings marketing action.
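An added example, not part of Sitecore's documentation or code: a Python check that lists the sites in a Sitecore.config whose explicitConsentForTrackingIsRequired attribute is absent or not set to true, so they fall back to tracking without explicit consent. The sample configuration and its site names are constructed; the script assumes site definitions are `<site>` elements with a `name` attribute and reads only the one file, without merging any configuration layered on top of it.

```python
import xml.etree.ElementTree as ET

ATTR = "explicitConsentForTrackingIsRequired"

# Constructed sample, not a real Sitecore.config; site names are hypothetical.
SAMPLE_CONFIG = """
<sitecore>
  <sites>
    <site name="shop" hostName="shop.example" explicitConsentForTrackingIsRequired="true" />
    <site name="blog" hostName="blog.example" explicitConsentForTrackingIsRequired="false" />
    <site name="careers" hostName="careers.example" />
  </sites>
</sitecore>
"""


def audit_consent(config_xml: str) -> dict:
    """Map each site name to 'required', 'not-required' or 'default-false'."""
    root = ET.fromstring(config_xml.strip())
    result = {}
    for site in root.iter("site"):
        name = site.get("name", "<unnamed>")
        value = site.get(ATTR)
        if value is None:
            # Attribute absent: the documented default value (false) applies.
            result[name] = "default-false"
        elif value.strip().lower() == "true":
            # Assumption: the value is compared case-insensitively.
            result[name] = "required"
        else:
            result[name] = "not-required"
    return result


def sites_tracking_without_consent(config_xml: str) -> list:
    """Names of sites where tracking does not wait for explicit consent."""
    statuses = audit_consent(config_xml)
    return sorted(name for name, status in statuses.items() if status != "required")


if __name__ == "__main__":
    for name, status in audit_consent(SAMPLE_CONFIG).items():
        print(f"{name:10} {status}")
    print("Review:", ", ".join(sites_tracking_without_consent(SAMPLE_CONFIG)))
```

To check a real installation, pass the text of `<siteroot>/App_Config/Sitecore.config` to `audit_consent` in place of the sample.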
The organization is responsible for:
- If necessary, implementing additional contact facets that store consent choices for specific types of processing.
- Storing consent for personal information collected via custom Forms - for example, by including a consent check box on each form.
- Persisting consent choices for individuals that do not want to be tracked or stored at all - for example, by storing a value in session or issuing a cookie.
Disabling processing
See Types of processing for an overview of processing activities in the platform and the options available for disabling processing.