Global privacy guide

Current version: 9.3

This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you with data privacy compliance. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal information. Your resulting implementation is based entirely on your own configuration choices.

This guide is aimed at developers and IT professionals. You can use it as a starting point to help you determine the way your organization stores and processes data, and the role Sitecore products play.

We know that privacy and data protection laws are constantly evolving, as are the obligations that your organization might have. This guide is intended to support those efforts and covers:

When assessing the compliance of your Sitecore implementation with privacy regulations, start with the privacy checklist.

See also:

For earlier versions of the platform, see:


The following section defines several terms that appear in legal texts such as GDPR and/or CCPA, as they have been interpreted for the purposes of this guide only.



This is...

Data Subject or Consumer

A Data Subject is an individual whose data is being processed and is represented by three entities: the customer, the contact, and the user. A Consumer is a California resident whose personal information is collected or processed. The term individual is used throughout this guide to capture both meanings unless referring to a specific entity.

The customer

Personal data or personal information

Any information that identifies an individual, and might include the following as applicable under relevant laws:

  • Name

  • Email address

  • Records of products purchased

  • Internet browsing history

  • Fingerprints (or other biometric data)

  • Social Security number

  • Cookies

  • IP addresses (or geolocation data)

  • Contact interaction history

  • Contact facets

  • Contact identifiers

  • Any inferences drawn from personal information to create a profile about a consumer reflecting the consumer's preference, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.


Your organization is responsible for deciding what constitutes personal information in the context of your business.

The data Sitecore is processing

Processor or Service Provider

A Processor or Service Provider is an organization that is handling the data on behalf of another, as defined under applicable laws.




  • Tracking

  • Collection

  • Contact processing

  • Interaction aggregation

  • Personalization

  • Automation processing

  • Email marketing


Your organization is responsible for deciding what constitutes processing in the context of your business.

How Sitecore uses your data

Controller or Business

A Controller, or Business, as defined under applicable laws, is the entity or individual whose data is being handled by Sitecore.

The Sitecore customer

Do you have some feedback for us?

If you have suggestions for improving this article,