Consent and the right to object

Current version: 9.3

Applies to



This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you on your data privacy compliance journey. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal information. Your resulting implementation is based entirely on your own configuration choices.

The right to object concerns the individual’s right to object to processing, direct marketing, and automated profiling. This topic describes how the Sitecore product supports the individual’s ability to give and revoke consent, including:

  • Existing interfaces and API calls for opting in/out of processing.

  • Options for storing consent choices.

For information about processing, see Types of processing.

Opt-in and opt-out

The Sitecore product provides the following functionality by default:

The organization is responsible for:

  • Implementing interfaces (such as cookie consent banners) or processes that allow contacts to update consent choices.

  • Supporting active opt-in for all other forms of processing, including web tracking.

  • Implementing active opt-in on websites that use the Federated Experience Manager.

  • Requesting consent for any additional collection or processing of personal information, including any data collected using forms.

  • Implementing an interface or process that allows individuals to revoke consent at any time.

The Sitecore product provides the following functionality by default:

  • The ConsentInformation facet:

    • ConsentRevoked: Gets or sets a value indicating whether the contact has revoked their consent to be contacted by the organization in any form.

    • DoNotMarket: Gets or sets a value indicating whether the contact has globally unsubscribed from all marketing lists. This does not include system messages such as order confirmation or “your password is about to expire”.

  • Email Experience Manager global opt-out list.

  • Email Experience Manager suppression list (available for customers that use the Email Cloud Service)

  • Marketing automation plan Update consent settings marketing action.

The organization is responsible for:

  • If necessary, implementing additional contact facets that store consent choices for specific types of processing.

  • Storing consent for personal information collected via custom Forms - for example, by including a consent check box on each form.

  • Persisting consent choices for individuals who do not want to be tracked or stored at all - for example, by storing a value in session or issuing a cookie.

Disabling processing

See Types of processing for an overview of processing activities in the platform and the options available for disabling processing.

Do you have some feedback for us?

If you have suggestions for improving this article,