GDPR and Salesforce Audience Studio

The General Data Protection Regulation (GDPR) was enacted on the 25th of May 2018. Its purpose is to protect and empower the data privacy of all citizens of the European Union (EU) and the European Economic Area (EEA), and it affects all organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.

This article provides an overview of the tools that Salesforce, as a data processor, offers you. We encourage you to speak to legal counsel to learn how the GDPR may affect your organisation, as this article is not legal advice.

Here you will find a link to the materials presented in the 4/10 Webinar on GDPR and Consumer Rights Management for Salesforce Audience Studio.

Consumer Rights Management and GDPR Overview for Salesforce Audience Studio.pdf

RTBF (Right to be forgotten)
As a data processor, Salesforce Audience Studio needs to make sure that it can delete, on behalf of the controller, any data that could be re-identifiable. That includes not just information directly related to a hashed email, but also all information related to Kuids or devices.

For more details on RTBF please click the title to be referred to the related article.

-> More info on RTBF can be found here.

Data Portability Management
Data portability management gives you the tools to request data feeds which output the consent audit logs. That way, you can determine a plan of action for complying with the regulations that apply to you.

Many data protection and privacy regulations can require you to export consumers’ personal data when consumers request it. If you have consumers or users who want to export the data that you’ve collected about them.

-> More info on Data Portability Management can be found here.

Consent System
For Salesforce Audience Studio to be allowed to collect and process user data on your behalf, consent must be given. You can review your settings in Audience Studio under management -> Consumer Rights Management. This view is divided into 2 diagrams.

Underneath the Consent Summary, you can see where the consent is coming from:
1st Party: consent collected from your webpage
2nd Party: consent for your advertisements or event pixels
Backfill: consent for a user before the 25.5.2018
Policy Regime: default consent that is given if no user consent is applied

The Consent distribution shows which consent is given:
Data collection: allow Audience Studio to collect data
Analytics: allow Audience Studio to analyse this data
Targeting: allow Audience Studio to use the data for campaign targeting and website personalisation
Cross-Device: allow Audience Studio to relate devices which belong to the same user, based on behaviour or the signals given
Data Sharing: allow data to be shared with other companies, e.g. via DSPs or Salesforce’s Data Studio
Re-Identification: allow Audience Studio to re-identify the data to a personal contact like email

Example: If a user receives your cookie for the first time from an advertisement, then the 2nd Party consent distribution counts. When they then click on the advertisement and give consent on your website, it will be overwritten by 1st Party consent.

Dissent logs contain cookies that have been taken off data collection.
Consent audit logs contain cookies that have opted in for data collection.

-> More info on Consent Management can be found here.

Policy Regime Association
You can find your Policy Regime by clicking “edit configuration” in the lower left below Configuration.


Organization Level

User Level


Every unknown device will have all consent flags set to false to be compliant with the GDPR policy regime.

Unknown devices will be associated with the policy regime based on their geoIP. In the rare case where geoIP cannot be resolved, the user will be associated with the GDPR policy regime.

Global Standard

Every unknown device will have Data Collection, Targeting, Analytics, Cross-Device consent flags set to true and Data Sharing & Reidentification set to false.

Unknown devices will be associated with the policy regime based on their geoIP. In the rare case where geoIP cannot be resolved, the user will be associated with the Global Standard policy regime.

If you have an Organization Level policy regime association and GDPR, all devices are treated under the GDPR, even if the users are from the United States. Therefore, consent collection is restricted for US users.

If you have a User Level policy regime association and GDPR, Audience Studio evaluates the geographic region associated with each device and applies the appropriate policy regime. For example, consumers in the US are not managed by the GDPR rules, but EU consumers are, so we will collect consent based on geolocation instead of bucketing all users under GDPR restrictions regardless of the region as your setup stands now.
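
The rules above can be checked against a small model. This is an added example, not Salesforce code or an Audience Studio API: every function and flag name is hypothetical, and the overwrite assumptions are stated in the docstring.

```python
from typing import Optional

# Flag names mirror the "Consent distribution" list on this page.
FLAGS = ("data_collection", "analytics", "targeting",
         "cross_device", "data_sharing", "re_identification")

# Defaults for unknown devices, as stated in the Policy Regime Association section.
REGIME_DEFAULTS = {
    "gdpr": dict.fromkeys(FLAGS, False),
    "global_standard": {**dict.fromkeys(FLAGS, True),
                        "data_sharing": False, "re_identification": False},
}

def resolve_regime(association: str, configured: str,
                   geo_regime: Optional[str]) -> str:
    """Pick the policy regime for one device.

    association: "organization" or "user" (the two association levels).
    configured:  regime selected in the configuration.
    geo_regime:  regime the device's geoIP maps to, or None if unresolved
                 (the geoIP-to-regime mapping is outside this model).
    """
    for name in (configured, geo_regime):
        if name is not None and name not in REGIME_DEFAULTS:
            raise ValueError(f"unknown regime: {name}")
    if association == "organization":
        return configured      # every device is treated under the configured regime
    if association == "user":
        # Unresolved geoIP falls back to the configured regime.
        return geo_regime if geo_regime is not None else configured
    raise ValueError(f"unknown association level: {association}")

def effective_consent(regime: str, records: list) -> tuple:
    """Return (source, flags) after applying chronological (source, flags) records.

    Model assumptions: a record replaces the whole flag set, a flag missing
    from a record counts as not granted, and a 2nd-party record never
    replaces an existing 1st-party one.
    """
    source, flags = "policy_regime", dict(REGIME_DEFAULTS[regime])
    for rec_source, given in records:
        if rec_source not in ("1st_party", "2nd_party"):
            raise ValueError(f"unknown consent source: {rec_source}")
        if source == "1st_party" and rec_source == "2nd_party":
            continue
        source = rec_source
        flags = {f: bool(given.get(f, False)) for f in FLAGS}
    return source, flags
```

Backfill consent is left out of the model because the page does not say how it ranks against the other sources.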

-> More info on Data Deletion and Right-To-Be-Forgotten can be found here.
-> More info on Consumer Rights Management - Concepts & Glossary of Terms can be found here.
-> For information on how to set up the consent tag, please refer to the article “JavaScript Consent Tag Spec”. 
