Achieve Data Privacy Compliance with Sitecore (GDPR, CCPA, CDPR)

It started in April 2016 with EU's General Data Privacy Regulation (GDPR), then came China's Cybersecurity Law (CSL) in Nov 2016, also known as China Internet Security Law, then add China's Data Protection Regulation (CDPR) to that and now California's Consumer Production Law (CCPA) went into effect in January 2020.


With ever increasing data privacy regulations across the globe going into effect, we are seeing an increase in demand for compliance from large and small, private and public enterprises alike. Although achieving full data privacy compliance for each of the regulations may be a tall order, there is a silver lining here. All of the data privacy regulations seem to have evolved from GDPR and hence you see a lot of similarities across them The means that there is a common denominator to achieving some level of compliance across all the regulations and that is what I will attempt to cover in this post.

If you deployed a leading Digital Experience Platform (DXP) like Sitecore to deliver omni-channel experiences, you may also be collecting incredible amount of personal data in order to deliver contextual experiences for each of your visitor personas. Hence, data privacy compliance becomes increasingly important. The good thing with Sitecore is that the platform is data privacy compliance "ready" and continues to improve it's data privacy compliance features.

Here is a glossary of data privacy terms from Sitecore to get your started on your patch to achieving compliance:

Data Subject

  • Customer
  • Contact
  • User

Personal Data

  • Cookies
  • IP Address
  • Contact interaction history
  • Contact facets
  • Contact identifiers
  • User profile data
  • Customer profile
  • Customer order history


  • Tracking
  • Collection
  • Contact processing
  • Interaction aggregation
  • Personalization
  • Automation processing
  • Email marketing

Here are 5 steps to achieving compliance:

  1. Familiarize yourself with the flow of personal data throughout the platform, and how each role handles personal data.
  2. Perform an audit of all customization that augment the contact, user, or customer entity. E.g. custom contact facets, custom membership profile properties, forms data.
  3. Consider whether you need to request consent to store and process personal data and plan to persist consent choices ,for example as a contact facet.
  4. Limit the exposure of personal data throughout the platform - for example, you can choose not to write personal data to logs.
  5. Review synchronization of data between your Sitecore implementation and third party applications, and ensure that this is included in the privacy policy.
Here is how Sitecore helps rectify compliance for individual's data rights:

Subject’s Rights
Right to be forgotten
Right of access by data subject
Right to data portability
Right to rectification
Right to restriction of processing
 - Use xConnect Client API to access and update Contact’s data.
 - Security API to edit user’s profile data.
 - Commerce API for customer data.

Consent and right to object
Right to be informed
 - EXM supports double opt-in, unsubscribing.
 - Sitecore Forms
 - Implement UI for allow users to update consent choices & revoke consent

Storing Consent
 - ConsentInformation facet for storing opt-in
 - ConsentRevoked, DoNotMarket facets
Right to opt-out of processing & automated decision making
 - Personalization
 - Automation plans
 - Segmentation via List Manager
 - Content Testing
 - Sitecore Cortex Processing Engine

Here are some examples of achieving compliance through custom Sitecore development:
E.g. of Right To be Forgotten rectification

  • Ensure personal data in custom contact facets is marked [PIISensitive].
  • xConnect Client API to erase data marked [PIISensitive] by calling the ExecuteRightToBeForgotten().
  • ClearSupressionListWhenExecutingRightToBeForgotten handler automatically clears the contact’s past and current email addresses from the suppression list.
  • ExcuteRightToBeForgotten() (does not delete the entire contact record).
  • Store values for ConsentInformation, ConsentRevoked, DoNotMarket facets.
  • Use Security API and Commerce APIs for erasing personal data.
  • EXM supports double opt-in, unsubscribing

Here are examples of achieving compliance via custom UI:

  • Form for requesting deletion of personal data for Customer, Contact, User
  • Form to access, update & export Customer, Contact, User data
  • Ability to access form submission data
  • Ability to allow to update consent choices & revoke consent (opt-in/out)
  • Ability to allow opt-in/out of processing
  • Ability to export Contact data

Here is the full Sitecore's developer documentation for GDPR compliance.

You might also be interested a post I wrote a while back on GDPR, CDPR, CSL


  1. GDPR training is important so that they do not make one silly mistake that snowballs into a hefty fine not only this but you also must have a cookie consent banner on your website.


Post a Comment

Popular posts from this blog

Is Rendered Item Valid XHtml Document Could not find schema information warnings during publish item Sitecore 7.2

RESOLVED: Solr Exceptions - Document contains at least one immense term in field

Sitecore Tabbed Select Rendering dialog