Right to erasure

Applies to: GDPR, CCPA
This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you with data privacy compliance. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal information. Your resulting implementation is based entirely on your own configuration choices.
The right to erasure (also known as the right to be forgotten) concerns the individual’s right to request the deletion of personal information. This topic describes how Sitecore facilitates the ability to remove an individual’s personal information.
Erasing personal contact data

Within your Sitecore implementation, you can:

- Use the xConnect Client API to erase data marked [PIISensitive] by calling the ExecuteRightToBeForgotten() method. The ClearSupressionListWhenExecutingRightToBeForgotten handler automatically clears the contact’s past and current email addresses from the suppression list.
  Note: The ExecuteRightToBeForgotten() method does not delete the entire contact record.
- Execute the right to erasure from the Experience Profile interface.
The organization is responsible for the following:

- Implementing a process or interface that allows individuals to request deletion of personal information.
- Ensuring that personal information in custom contact facets is marked [PIISensitive]. Any facet or facet property marked [PIISensitive] is deleted when the right to erasure is executed.

Interaction facets cannot be marked [PIISensitive] and are not deleted when the right to erasure is executed.
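The following is an added example (it is not code from the Sitecore documentation) that puts the two points above together: a custom contact facet in which only the [PIISensitive] property is cleared, and a service method that executes the right to erasure through the xConnect Client API. The facet name, its key, the property names, the identifier source and the ErasureService class are assumptions for illustration; the facet is assumed to be registered in your xConnect model, and the Get/Submit calls follow the public XConnectClient API as I recall it.

```csharp
using System;
using System.Threading.Tasks;
using Sitecore.XConnect;
using Sitecore.XConnect.Client;
using Sitecore.XConnect.Client.Configuration;

// Hypothetical custom contact facet. Only the property marked [PIISensitive]
// is erased by ExecuteRightToBeForgotten(); the unmarked property survives.
[Serializable]
public class LoyaltyFacet : Facet
{
    // Assumed facet key, used when the facet is registered in the xConnect model.
    public const string DefaultFacetKey = "Loyalty";

    [PIISensitive]
    public string MembershipNumber { get; set; } // personal data: erased on right to erasure

    public int TierLevel { get; set; }            // not personal data: retained
}

public static class ErasureService
{
    // Executes the right to erasure for the contact identified by (source, identifier),
    // e.g. ("CRM", "customer-42"). Returns false when no such contact exists.
    public static async Task<bool> EraseContactAsync(string source, string identifier)
    {
        using (XConnectClient client = SitecoreXConnectClientConfiguration.GetClient())
        {
            try
            {
                var reference = new IdentifiedContactReference(source, identifier);
                Contact contact = await client.GetAsync<Contact>(reference, new ContactExpandOptions());
                if (contact == null)
                {
                    return false; // record the outcome in your erasure-request audit trail
                }

                // Clears [PIISensitive] facet data; the contact record itself is kept.
                client.ExecuteRightToBeForgotten(contact);
                await client.SubmitAsync();
                return true;
            }
            catch (XdbExecutionException ex)
            {
                // Surface the failure so the erasure request can be retried and tracked.
                throw new InvalidOperationException("Right to erasure failed for " + identifier, ex);
            }
        }
    }
}
```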
Removing all contact data
You can delete a contact and all of its interactions. Keep the following in mind if you choose to delete contacts and interactions instead of using the ExecuteRightToBeForgotten() method:

- If a contact is deleted during an active session, that contact might be partially recreated on session end, including known identifiers that were loaded into session.
- Aggregated data in the xDB Reporting database is affected if you choose to rebuild all reporting data.
Erasing personal user data
Within your Sitecore implementation, you can:

- Use the Security API to clear profile properties that contain personal information.

The organization is responsible for the following:

- Implementing a process or interface that allows individuals to request that their data is deleted.
- Ensuring all user profile properties that contain personal information are identified and cleared.
Erasing personal customer data
Within your Sitecore implementation, you can:

- Use the Commerce Service API to delete a customer. You must set the ForgetCustomer property to true in the CustomersRemovePolicy. This ensures that the customer entity is deleted rather than marked as inactive.

The organization is responsible for the following:

- Configuring the CustomersRemovePolicy correctly.
- Implementing a process or interface that allows individuals to request that their data is deleted.
- Ensuring all customer profile properties that contain personal information are identified and cleared.
Deleting a customer does not delete the shipping address and email address associated with the order. This data also exists for anonymous orders.
Erasing active session data
If a contact requests that their data be erased, consider clearing session data and removing cookies to ensure that all connections between the device and the contact are severed:

- Call Session.Clear().
- Call Session.Abandon().
- Remove the SITECORE_GLOBAL_ANALYTICS_COOKIE (although tracking does not resume after the right to erasure has been executed, the xConnect Client API can be used to link a cookie to a device profile, and then to an anonymized contact record).
Erasing forms submission data
By default, form submission data is stored in the Forms database. If the xDB is enabled, all form submissions are associated with a contact ID. To facilitate Sitecore and its partners in complying with data privacy obligations, Sitecore Forms provides a redact API to anonymize database records of users' personal information. You need to expose a mechanism by which the individual can trigger a query to erase their data, for example, by implementing a custom submit action that redacts form submissions.
The Forms redact API is responsible for the following:

- Searches for all form entries associated with a specific contact ID and anonymizes these entries by erasing the contact ID value and marking the entries as [IsRedacted].
- Erases all submitted data associated with these entries by setting their value to [~REDACTED~].
- Deletes all the uploaded files associated with the contact ID.
In CMS-only mode, form submissions are not associated with a contact ID (the contact ID is NULL). However, if form submissions are linked to another identifier such as an email address, you can use SQL to access and update a specific individual’s personal information.
If you create a custom submit action that stores personal information in a third-party system such as a CRM, you are responsible for ensuring that individuals can access their data in that system.