Consent and the right to object

Abstract

Guide to Sitecore support of opt-in/out and storing of consent for individuals invoking their right to object.

Applies to

GDPR, CCPA

Warning

This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you with data privacy compliance. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal information. Your resulting implementation is based entirely on your own configuration choices.

The right to object concerns the individual’s right to object to processing, direct marketing, and automated profiling. This topic describes how the Sitecore product supports the individual’s ability to give and revoke consent, including:

  • Existing interfaces and API calls for opting in/out of processing.

  • Options for storing consent choices.

For information about processing, see Types of processing.

The Sitecore product provides the following functionality by default:

The organization is responsible for:

  • Supporting active opt-in for all forms of processing.

  • Implementing interfaces (such as cookie consent banners) or processes that allow contacts to update consent choices.

  • Implementing active opt-in on websites that use the Federated Experience Manager.

  • Requesting consent for any additional collection or processing of personal information, including any data collected using forms.

  • Implementing an interface or process that allows individuals to revoke consent at any time.

Sitecore provides the following functionality by default:

  • Explicit consent for tracking is configured per website using the explicitConsentForTrackingIsRequired attribute in the Sitecore.config file (<siteroot>/App_Config/Sitecore.config). The default value is false.

  • The ConsentInformation facet, which is used by the Email Experience Manager and the web tracker by default. Consent options are stored as a dictionary (Dictionary<string, ConsentItem>). You can choose to use the ConsentInformation facet to store consent choices if it meets your requirements for storing consent.

  • Email Experience Manager global opt-out list.

  • Email Experience Manager suppression list (available for customers that use the Email Cloud Service).

  • Marketing automation plan Update consent settings marketing action.

The organization is responsible for:

  • If necessary, implementing additional contact facets that store consent choices for specific types of processing.

  • Storing consent for personal information collected via custom Forms - for example, by including a consent check box on each form.

  • Persisting consent choices for individuals that do not want to be tracked or stored at all - for example, by storing a value in session or issuing a cookie.

See Types of processing for an overview of processing activities in the platform and the options available for disabling processing.