Sitecore is an enterprise digital experience platform headquartered in Canada. The classic Sitecore XP can set visitor analytics cookies on the public site through xDB, while Sitecore XM Cloud is headless and only sets cookies through xConnect or Sitecore CDP/Personalize when those add-ons are enabled. Consent management is required when those tracking features are active.
Sitecore is an enterprise digital experience platform from Sitecore Holdings (Toronto, Canada). The product family includes Sitecore XP (classic content management with the xDB analytics database), Sitecore XM and XM Cloud (modern composable headless), Sitecore CDP, Sitecore Personalize, Sitecore Content Hub and Sitecore Send. Pages are rendered server side on .NET or fetched via the Experience Edge GraphQL API in the headless XM Cloud model. Sitecore is positioned for large brands needing deep personalization.
Sitecore XP with xDB enabled sets SC_ANALYTICS_GLOBAL_COOKIE (persistent visitor identifier, default 10 years) and SC_ANALYTICS_SESSION_COOKIE (session) on the public site. The Sitecore CDP product sets a _sc_browser_id or similar identifier to merge visitor behavior across pages. Sitecore Personalize uses _bx_uuid for experimentation. The XM Cloud Experience Edge delivery itself is cookieless if no analytics or personalization is layered on top. The ASP.NET backoffice authentication cookies are strictly necessary for editors.
The xDB, CDP and Personalize features create persistent visitor identifiers tied to behavioral profiles, so Article 5(3) of the ePrivacy Directive requires prior opt-in consent under EDPB guidelines. Article 6(1)(a) GDPR (consent) is the legal basis. The customer is controller and Sitecore is processor under Article 28 GDPR. A signed DPA is part of the Sitecore Master Subscription Agreement. The xDB retention period and the right to erasure must be configurable; Sitecore exposes APIs for both.
Sitecore Cloud services run on Microsoft Azure and EU customers should explicitly request a West Europe or North Europe deployment in the order form. Sitecore CDP and Personalize default to US infrastructure unless an EU pinning is negotiated. Sitecore corporate identity, support tooling and product analytics include US and Canada based providers covered by Standard Contractual Clauses and the EU US Data Privacy Framework. Document these transfers in your record of processing activities and your privacy notice.
Wire Sitecore into your consent management platform with Google Consent Mode v2 or IAB TCF signals. Block xDB, CDP and Personalize tags until consent is granted. Configure xDB retention to the minimum needed for the analytics use case. Request the EU region for Sitecore CDP and Personalize. Sign the DPA. Document a procedure to honour data subject access and erasure requests via the Sitecore xConnect and CDP APIs. Restrict backoffice access to a corporate VPN with SSO and 2FA.
Websites using Sitecore must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally recommended for Sitecore deployments that use xDB analytics, Sitecore CDP, Sitecore Personalize or Sitecore Send because they enable visitor profiling. Document the legal basis for each feature, the EU region selection, the retention period in xDB or CDP and the integration with a consent management platform that emits IAB TCF or Google Consent Mode signals.
Sample consent text
This website uses Sitecore as its digital experience platform. Sitecore stores analytics and personalization cookies (SC_ANALYTICS_GLOBAL_COOKIE, _sc_session) to recognize you and to deliver tailored content. You can accept or refuse these cookies via the consent banner. Refusing leaves only strictly necessary cookies.
Third-party domains contacted
- sitecore.com
- sitecorecloud.io
- experienceedge.sitecorecloud.io
- boxever.com
- cdp.sitecorecloud.io
- cdn.boxever.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| SC_ANALYTICS_GLOBAL_COOKIE | first-party (Sitecore xDB) | 10 years (default) | Persistent visitor identifier created by Sitecore xDB to merge sessions and build behavioral profiles. Requires consent under ePrivacy. |
| SC_ANALYTICS_SESSION_COOKIE | first-party (Sitecore xDB) | Session | Session identifier for the current visit in Sitecore xDB. Used together with the global cookie to capture page views and goals. |
| _sc_browser_id | first-party (Sitecore CDP) | 1 year | Browser identifier used by Sitecore CDP to merge cross device behavior. Requires consent. |
| _bx_uuid | first-party (Sitecore Personalize) | 1 year | UUID assigned by Sitecore Personalize for experimentation and audience evaluation. Requires consent. |
| .ASPXAUTH | first-party (backoffice only) | Session | ASP.NET authentication cookie for logged in editors of Sitecore XP. Strictly necessary, never set on the public site. |
Yes, when xDB analytics, Sitecore CDP or Sitecore Personalize are activated. SC_ANALYTICS_GLOBAL_COOKIE (persistent, default 10 years) and SC_ANALYTICS_SESSION_COOKIE (session) come from xDB. Sitecore CDP and Personalize add their own identifier cookies. Without these add-ons, the headless XM Cloud delivery is cookieless.
Yes, for xDB analytics, Sitecore CDP and Personalize, because they create persistent visitor profiles. Article 5(3) ePrivacy and EDPB guidelines require prior opt-in consent. The strictly necessary backoffice cookies for editors do not require consent.
Article 6(1)(a) GDPR (consent) for xDB, CDP, Personalize and Send. Article 6(1)(f) (legitimate interest) for the backoffice operation and security logs. The customer is the controller, Sitecore is the processor with a DPA in the Master Subscription Agreement.
Sitecore is headquartered in Canada with US infrastructure. EU customers must explicitly request West Europe or North Europe Azure deployments for XM Cloud and Content Hub. Sitecore CDP and Personalize default to US infrastructure unless an EU pinning is negotiated. SCCs and the EU US Data Privacy Framework cover residual transfers.
A DPIA is recommended whenever xDB, Sitecore CDP, Personalize or Send are used because they perform visitor profiling. Document the legal basis, retention period, EU pinning of CDP and Personalize and the consent management integration.
Wire Sitecore into your consent management platform, block xDB/CDP/Personalize tags until consent, configure xDB retention conservatively, request EU pinning for CDP/Personalize, sign the DPA, document a DSAR procedure via xConnect and CDP APIs, secure the backoffice with VPN, SSO and 2FA.
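The consent gating described in the configuration guidance above (block xDB, CDP and Personalize tags until consent, emit Google Consent Mode v2 signals) and the cookie table earlier on this page can be checked with a small script. The following is an added example written for this page; it is not FlowConsent's or Sitecore's code. The Consent Mode v2 storage keys are Google's real names; the category labels ("analytics", "personalization", "marketing"), the tag group names and the `loadTag` loader mentioned in the comments are this example's own assumptions, and the cookie string in the test is constructed.

```javascript
// Added example: a consent gate for Sitecore tracking tags plus a cookie audit.
// Assumptions: CMP categories are "analytics", "personalization", "marketing";
// tag group names and the loadTag() loader in the comments are hypothetical.

// Google Consent Mode v2 storage types, all denied until the visitor decides.
const CONSENT_MODE_DEFAULT = {
  analytics_storage: 'denied',
  personalization_storage: 'denied',
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
};

// Sitecore tag groups named on this page and the category each one needs.
const TAG_GROUPS = {
  xdb: 'analytics',
  cdp: 'personalization',
  personalize: 'personalization',
};

// Cookies from the page's table; null marks a strictly necessary cookie.
const COOKIE_POLICY = {
  SC_ANALYTICS_GLOBAL_COOKIE: 'analytics',
  SC_ANALYTICS_SESSION_COOKIE: 'analytics',
  _sc_browser_id: 'personalization',
  _bx_uuid: 'personalization',
  '.ASPXAUTH': null,
};

// Translate the CMP's granted categories into a Consent Mode v2 "update" payload.
function consentModeUpdate(granted) {
  const g = new Set(granted);
  const v = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: v(g.has('analytics')),
    personalization_storage: v(g.has('personalization')),
    ad_storage: v(g.has('marketing')),
    ad_user_data: v(g.has('marketing')),
    ad_personalization: v(g.has('marketing')),
  };
}

// Tag groups that may be loaded for the given granted categories.
function allowedTagGroups(granted) {
  const g = new Set(granted);
  return Object.keys(TAG_GROUPS).filter((name) => g.has(TAG_GROUPS[name]));
}

// Audit a Cookie header / document.cookie string: report every cookie from the
// table whose required category has not been granted (set before consent, or
// despite refusal). Strictly necessary cookies are never reported.
function auditCookies(cookieString, granted) {
  const g = new Set(granted);
  const violations = [];
  for (const part of cookieString.split(';')) {
    const name = part.split('=')[0].trim();
    if (!Object.prototype.hasOwnProperty.call(COOKIE_POLICY, name)) continue;
    const needs = COOKIE_POLICY[name];
    if (needs !== null && !g.has(needs)) violations.push({ name, needs });
  }
  return violations;
}

// Browser wiring (not executed here): set the default before any tag loads,
// then update and load only the permitted groups when the CMP reports consent.
//   gtag('consent', 'default', CONSENT_MODE_DEFAULT);
//   cmp.onConsent((granted) => {
//     gtag('consent', 'update', consentModeUpdate(granted));
//     allowedTagGroups(granted).forEach((group) => loadTag(group)); // loadTag: hypothetical
//     console.warn(auditCookies(document.cookie, granted)); // should be empty
//   });

module.exports = { CONSENT_MODE_DEFAULT, consentModeUpdate, allowedTagGroups, auditCookies };
```

The audit is the check worth running in a staging environment: if `auditCookies(document.cookie, [])` returns anything on a fresh session, a Sitecore tag is setting an identifier before the banner has been answered and the gating is not effective.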
Other enterprise digital experience platforms include Adobe Experience Manager, Optimizely Content Cloud, Acquia (Drupal), Contentstack, Storyblok and Salesforce Experience Cloud. For lighter needs consider Strapi, Sanity, Prismic, Kontent.ai or Umbraco.
List SC_ANALYTICS_GLOBAL_COOKIE, SC_ANALYTICS_SESSION_COOKIE and the Sitecore CDP and Personalize identifiers in your cookie disclosure with retention, purpose and EU pinning information. Mention the EU-US data transfer in your privacy notice. Update the disclosure whenever an additional Sitecore add-on is activated.