The Salesforce guest user license has become one of the more contentious license types in the catalog. Originally positioned as a low-cost or free option for anonymous-user scenarios — public-facing community sites, customer self-service portals before login, anonymous form submissions — guest user licenses have evolved into a regulatory and compliance hotspot. Several high-profile data exposure incidents in recent years involved guest user license misconfigurations, and Salesforce has responded with substantial tightening of the default permissions, the audit guidance, and the licensing economics. This guide walks through the 2026 guest user license landscape: what changed, what the compliance posture should be, and what the licensing and negotiation considerations look like.
What guest user licenses are
Guest user licenses provide access to Experience Cloud (formerly Community Cloud) sites for visitors who have not authenticated. Every site has its own guest user record and its own guest user profile, and that profile is where the object and field permissions for all anonymous traffic to the site live. The classic use cases:
Public marketing sites built on Experience Cloud where prospects browse content without logging in. Guest user licenses cover the anonymous traffic.
Customer self-service portals with a public landing page that visitors can reach before they log in. Guest user licenses cover the pre-login experience.
Partner and channel sites with public-facing content alongside authenticated partner experiences. Guest user licenses cover the public side.
Form submission scenarios where anonymous visitors submit leads, support requests, or other inputs that flow into Salesforce. Guest user licenses cover the submission interaction.
Knowledge base and help content where public-facing articles are accessible without login. Guest user licenses cover the read-only access.
The compliance problem and the 2020–2025 changes
Beginning with the Winter '21 release in late 2020 and continuing through 2025, Salesforce substantially restricted guest user capabilities and tightened the default security posture. Alongside that tightening, a series of data exposure incidents showed what a misconfigured guest user profile costs: anonymous visitors could read records that should have been restricted. The most prominent incidents, reported in 2023, involved state and federal government Experience Cloud sites where anonymous users could query personal data of program participants through misconfigured guest user profiles.
The Salesforce response included several material changes:
Tightened default permissions. New guest user profiles are created with far more restrictive defaults, and the org-wide "Secure guest user record access" setting is permanently on. The previous defaults enabled broader read access to standard objects than was prudent for most use cases.
Required security review. Salesforce introduced requirements for security review of guest user configurations, including mandatory documentation of guest user data access patterns.
Audit reporting. Enhanced audit and reporting capabilities for guest user activity, supporting compliance documentation.
Sharing rule restrictions. Guest users can be granted record access only through guest user sharing rules, which are criteria-based and read-only; owner-based sharing, manual sharing and group or queue membership no longer apply to them, and records created by a guest user are reassigned to a configured default owner rather than owned by the guest. This removes the class of misconfiguration in which a broad owner- or group-based rule silently included anonymous visitors.
Field-level security. Enhanced field-level security controls specifically for guest user access, supporting more granular control over what data anonymous visitors can see.
2026 guest user license economics
The pricing structure on guest user licenses in 2026 includes:
| Component | Typical pricing model | Notes |
|---|---|---|
| Guest user license inclusion | Bundled with Experience Cloud | Some guest user capacity included with Experience Cloud purchases |
| Page view consumption | Per page view (1M page views bundled) | Overages typically priced per 1M page views |
| API call consumption | Per API call | Guest user API calls counted against org limits |
| Concurrent session limits | Capacity-based | Higher concurrent capacity priced separately |
The pricing is consumption-based rather than per-user (since guest users are by definition anonymous and not individually licensed), and the economics depend on the page view volume, API call volume, and concurrent session capacity. For most organizations, the direct license cost is moderate, but the compliance and operational costs of managing guest user configurations can be substantial.
The compliance discipline that matters
The 2026 compliance posture on guest user licenses requires structured discipline. The principal elements:
Inventory the guest user configurations
Document every guest user profile, every site that uses guest users, and the specific data access each guest user profile has. The inventory is the foundation of the compliance audit.
Validate field-level security
For each object accessible to guest users, validate the field-level security configuration. The posture should be deny-by-default with an explicit allow-list of the specific fields that genuinely need guest user access. Object-level read on the guest profile exposes every field the profile's field-level security grants, so the object review and the field review have to be done together, not as separate checklists.
Document business justification
For each guest user data access, document the business justification. Why does the anonymous visitor need to see this data? The documentation supports the compliance case and the security review.
Implement audit trails
Enable comprehensive audit logging for guest user activity, supporting the forensic capability if an incident occurs and supporting the compliance documentation.
Run periodic re-validation
Guest user configurations drift over time as new features deploy and as profiles, sharing rules and site pages change. Quarterly re-validation against the documented baseline catches drift before it becomes an incident.
Penetration testing
Periodic penetration testing of guest user access — including attempts to access restricted records through guest user profiles — validates that the configurations actually work as documented.
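The inventory, field-level validation and quarterly re-validation steps above reduce to one mechanical check that can run on a schedule. The following Python is an added example written for this guide, not Salesforce tooling. It assumes the permission rows have been pulled with the SOQL queries shown in its docstring; the "Help Center" site, its profile Id, the custom fields, the sample grants and the documented baseline are all constructed for illustration.

```python
"""Audit guest user profile grants against a documented deny-by-default baseline.

Added example for this guide, not Salesforce code. The rows below are
constructed to mimic what these SOQL queries return from an org (fetch them
with any API client; the "Help Center" site, its profile Id and the custom
fields are hypothetical):

  SELECT Id, Name FROM Profile WHERE UserType = 'Guest'
  SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsCreate,
         PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
         PermissionsModifyAllRecords
    FROM ObjectPermissions WHERE Parent.ProfileId IN (<guest profile Ids>)
  SELECT Parent.ProfileId, SobjectType, Field, PermissionsRead, PermissionsEdit
    FROM FieldPermissions WHERE Parent.ProfileId IN (<guest profile Ids>)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

OBJECT_FLAGS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
                "PermissionsDelete", "PermissionsViewAllRecords",
                "PermissionsModifyAllRecords")
# Policy of this example (not a Salesforce rule): these flags are never
# acceptable on a guest profile, whatever the baseline says.
NEVER_FOR_GUEST = {"PermissionsEdit", "PermissionsDelete",
                   "PermissionsViewAllRecords", "PermissionsModifyAllRecords"}

GUEST_PROFILE_ID = "00e000000000001AAA"                      # constructed
GUEST_PROFILES = {GUEST_PROFILE_ID: "Help Center Profile"}   # Id -> Name


def _obj_row(sobject: str, **granted: bool) -> dict:
    """Build a constructed ObjectPermissions row with Parent.ProfileId flattened."""
    row = {"ProfileId": GUEST_PROFILE_ID, "SobjectType": sobject}
    row.update({flag: False for flag in OBJECT_FLAGS})
    row.update(granted)
    return row


def _field_row(sobject: str, field: str, read: bool = True, edit: bool = False) -> dict:
    return {"ProfileId": GUEST_PROFILE_ID, "SobjectType": sobject,
            "Field": f"{sobject}.{field}", "PermissionsRead": read, "PermissionsEdit": edit}


# Constructed current state of the guest profile. Knowledge read is intended;
# Lead read, Contact read and Case "View All" are drift that crept in.
OBJECT_PERMS = [
    _obj_row("Knowledge__kav", PermissionsRead=True),
    _obj_row("Lead", PermissionsRead=True, PermissionsCreate=True),
    _obj_row("Contact", PermissionsRead=True),
    _obj_row("Case", PermissionsRead=True, PermissionsViewAllRecords=True),
]
FIELD_PERMS = [
    _field_row("Knowledge__kav", "Title"),
    _field_row("Knowledge__kav", "Internal_Notes__c"),   # internal-only field, hypothetical
    _field_row("Contact", "Email"),
]

# The documented, signed-off baseline: sobject -> allowed object flags and readable fields.
BASELINE = {
    "Knowledge__kav": {"object": {"PermissionsRead"}, "fields": {"Title", "Summary"}},
    "Lead": {"object": {"PermissionsCreate"}, "fields": set()},   # submit-only, never readable
}


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    field: Optional[str]
    kind: str
    detail: str


def audit_guest_access(object_perms: List[dict], field_perms: List[dict],
                       baseline: Dict[str, dict], profiles: Dict[str, str]) -> List[Finding]:
    """Report every grant on a guest profile that the baseline does not allow."""
    findings: List[Finding] = []
    for row in object_perms:
        name = profiles.get(row["ProfileId"])
        if name is None:
            continue                                   # not a guest profile
        obj = row["SobjectType"]
        granted: Set[str] = {f for f in OBJECT_FLAGS if row.get(f)}
        forbidden = granted & NEVER_FOR_GUEST
        if forbidden:
            findings.append(Finding(name, obj, None, "FORBIDDEN_OBJECT_PERMISSION",
                                    ",".join(sorted(forbidden))))
        if obj not in baseline:
            if granted:
                findings.append(Finding(name, obj, None, "OBJECT_NOT_IN_BASELINE",
                                        ",".join(sorted(granted))))
            continue
        excess = (granted - forbidden) - baseline[obj]["object"]
        if excess:
            findings.append(Finding(name, obj, None, "EXCESS_OBJECT_PERMISSION",
                                    ",".join(sorted(excess))))
    for row in field_perms:
        name = profiles.get(row["ProfileId"])
        if name is None or not (row.get("PermissionsRead") or row.get("PermissionsEdit")):
            continue
        obj = row["SobjectType"]
        field = row["Field"].split(".", 1)[1]
        allowed = baseline.get(obj, {}).get("fields", set())
        if field not in allowed:
            findings.append(Finding(name, obj, field, "FIELD_NOT_IN_ALLOWLIST", "readable by guest"))
        elif row.get("PermissionsEdit"):
            findings.append(Finding(name, obj, field, "FIELD_EDIT_GRANTED", "edit on guest profile"))
    return findings


def snapshot_baseline(object_perms: List[dict], field_perms: List[dict],
                      profiles: Dict[str, str]) -> Dict[str, dict]:
    """Capture the current guest grants as the baseline once a review has signed them off."""
    baseline: Dict[str, dict] = {}
    for row in object_perms:
        granted = {f for f in OBJECT_FLAGS if row.get(f)}
        if row["ProfileId"] in profiles and granted:
            baseline.setdefault(row["SobjectType"], {"object": set(), "fields": set()})["object"] |= granted
    for row in field_perms:
        if row["ProfileId"] in profiles and row.get("PermissionsRead"):
            entry = baseline.setdefault(row["SobjectType"], {"object": set(), "fields": set()})
            entry["fields"].add(row["Field"].split(".", 1)[1])
    return baseline


if __name__ == "__main__":
    for f in audit_guest_access(OBJECT_PERMS, FIELD_PERMS, BASELINE, GUEST_PROFILES):
        target = f"{f.sobject}.{f.field}" if f.field else f.sobject
        print(f"{f.kind:28} {f.profile}: {target} ({f.detail})")
```

snapshot_baseline captures the grants once the review has signed them off; running audit_guest_access on the next quarter's pull reports only what changed since then, which is the drift the re-validation step is looking for. Keep the baseline file under version control so that a change to the allow-list is itself a reviewed change rather than a silent one.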
The data access patterns that warrant scrutiny
Several guest user data access patterns warrant particular scrutiny:
Account and contact read access. Default profiles previously allowed guest user read access to standard objects in ways that exposed customer data. Validate that any read access is specifically scoped and justified.
Case visibility. Service Cloud cases accessible to guest users can expose customer support history. Validate the case visibility scope.
Lead and submission objects. Lead submission forms are a common guest user scenario. Where the form only writes, grant the guest profile Create on Lead without Read (a valid object permission combination), so a submitted lead cannot be queried back by the next anonymous visitor.
Knowledge article access. Knowledge base content is intentionally public, but the field-level security on knowledge articles should still be validated to ensure internal-only fields are not exposed.
Custom object access. Custom objects accessible to guest users frequently get overlooked in compliance reviews. Audit the custom object exposure explicitly.
Apex execution context. Apex ignores the running user's object and field permissions unless the code opts in (WITH USER_MODE on the query, Security.stripInaccessible, DML written as "insert as user"), and it enforces record sharing only in classes declared with sharing (or inherited sharing when the class is the entry point). A class declared without sharing, or with no sharing keyword at all, that is reachable from a site component or a public REST resource runs the guest's request in system mode and bypasses the guest user sharing rules entirely. The Apex security review of every guest-reachable class is critical.
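A first pass over the Apex point above can be automated before the manual review: pull every class body and flag the ones a guest can reach that do not enforce sharing or CRUD/FLS. The Python below is an added example written for this guide, not Salesforce tooling; the four Apex classes it scans are constructed, with hypothetical names, to show the patterns it catches, and the regular expressions are a triage heuristic rather than an Apex parser (inner classes, Visualforce controllers and Flows are out of its scope).

```python
"""Static scan of Apex class bodies for guest-reachable code that does not
enforce sharing or CRUD/FLS.

Added example for this guide, not Salesforce tooling. In a real org, pull the
bodies with `SELECT Name, Body FROM ApexClass`; the classes below are
constructed (hypothetical names) to show the patterns the scan catches.
"""
import re
from typing import Dict, List

SAMPLE_CLASSES: Dict[str, str] = {
    # Reachable from a site LWC, explicit "without sharing", no USER_MODE:
    # any anonymous visitor can pull every case that matches an e-mail address.
    "GuestCaseLookupCtrl": """
public without sharing class GuestCaseLookupCtrl {
    @AuraEnabled
    public static List<Case> find(String email) {
        return [SELECT Subject, Description FROM Case WHERE SuppliedEmail = :email];
    }
}""",
    # Hardened form: sharing enforced and the guest profile's CRUD/FLS applied.
    "GuestCaseLookupCtrlFixed": """
public with sharing class GuestCaseLookupCtrlFixed {
    @AuraEnabled
    public static List<Case> find(String email) {
        return [SELECT Subject, Description FROM Case
                WHERE SuppliedEmail = :email WITH USER_MODE];
    }
}""",
    # No sharing keyword at an entry point runs without sharing; the DML itself is fine.
    "LeadFormCtrl": """
public class LeadFormCtrl {
    @AuraEnabled
    public static Id submit(String email, String company) {
        Lead ld = new Lead(LastName = 'Web', Company = company, Email = email);
        insert as user ld;
        return ld.Id;
    }
}""",
    # "without sharing" but no guest-reachable entry point: out of scope for this scan.
    "NightlyCleanupBatch": """
global without sharing class NightlyCleanupBatch implements Database.Batchable<sObject> {
    global Database.QueryLocator start(Database.BatchableContext bc) {
        return Database.getQueryLocator('SELECT Id FROM Case WHERE IsClosed = true');
    }
    global void execute(Database.BatchableContext bc, List<Case> scope) { delete scope; }
    global void finish(Database.BatchableContext bc) {}
}""",
}

# Outer class declaration; group 1 is the sharing keyword, if any.
CLASS_DECL = re.compile(
    r"^\s*(?:public|global|private)\s+(?:(with|without|inherited)\s+sharing\s+)?"
    r"(?:virtual\s+|abstract\s+)*class\s+(\w+)", re.MULTILINE)
# Entry points a guest can hit from a site page or a public REST path.
ENTRY_POINTS = re.compile(r"@AuraEnabled|@RestResource|\bwebservice\b", re.IGNORECASE)
# SOQL or DML in the class body.
DATA_ACCESS = re.compile(
    r"\[\s*SELECT\b|\bDatabase\.(?:query|getQueryLocator|insert|update|delete)\b"
    r"|^\s*(?:insert|update|upsert|delete|undelete|merge)\b", re.IGNORECASE | re.MULTILINE)
# Constructs that make Apex honour the running user's CRUD/FLS (ignored by default).
CRUD_FLS_ENFORCED = re.compile(
    r"WITH\s+USER_MODE|WITH\s+SECURITY_ENFORCED|Security\.stripInaccessible"
    r"|AccessLevel\.USER_MODE|\.isAccessible\(\)"
    r"|\b(?:insert|update|upsert|delete|undelete|merge)\s+as\s+user\b", re.IGNORECASE)


def scan_class(body: str) -> List[str]:
    """Return the finding codes for one class; empty list means nothing to flag."""
    findings: List[str] = []
    if not ENTRY_POINTS.search(body):
        return findings                 # not directly reachable by a guest
    decl = CLASS_DECL.search(body)
    sharing = decl.group(1).lower() if decl and decl.group(1) else None
    # "inherited sharing" runs as "with sharing" at an entry point; an
    # unspecified class at an entry point runs without sharing.
    if sharing not in ("with", "inherited"):
        findings.append("NO_SHARING_ENFORCEMENT")
    if DATA_ACCESS.search(body) and not CRUD_FLS_ENFORCED.search(body):
        findings.append("NO_CRUD_FLS_ENFORCEMENT")
    return findings


def scan_org(classes: Dict[str, str]) -> Dict[str, List[str]]:
    return {name: scan_class(body) for name, body in classes.items()}


if __name__ == "__main__":
    for name, findings in scan_org(SAMPLE_CLASSES).items():
        print(f"{name:26} {', '.join(findings) or 'ok'}")
```

The two findings are deliberately separate because they are fixed separately: the sharing keyword decides which records the guest can reach, and USER_MODE (or stripInaccessible) decides which objects and fields the guest profile lets the code touch. A class that passes this scan still needs the manual review; a class that fails it should not ship to a site.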
The negotiation considerations
Guest user licenses are not typically the largest line item in a Salesforce contract, but several negotiation considerations matter:
Page view bundling. Negotiate page view inclusions in the Experience Cloud purchase rather than treating page views as separate consumption. Bundle 2M–5M page views into the Experience Cloud commitment to avoid overage exposure.
API call inclusions. Guest user API calls count against the org API call limits. Validate that the org-level API call allocation accounts for guest user traffic.
Concurrent session capacity. Validate the concurrent session capacity against expected peak traffic. Marketing events, product launches, or seasonal peaks can produce concurrent session spikes that exceed the default capacity.
Cap pricing on overages. The page view overage pricing can be substantial. Cap the overage exposure at a defined annual maximum to protect against runaway costs from unexpected traffic.
Compliance audit support. Negotiate Salesforce support for compliance audit activities — access to audit logs, configuration documentation, security review participation — as part of the deal.
Incident response provisions. Document the contractual provisions if a guest user-related incident occurs — notification timelines, support obligations, remediation cooperation.
The build-versus-buy decision
For some guest user use cases, the build-versus-buy decision merits explicit evaluation. The alternatives to Salesforce-hosted guest user experiences include:
Standalone marketing sites. Build the marketing presence on a standalone CMS or marketing automation platform that does not require Salesforce guest user licenses. The integration to Salesforce uses authenticated APIs rather than direct guest user access.
Headless commerce or service. Build the customer-facing experience on a headless platform with Salesforce as the backend data system. The headless front-end manages its own anonymous-user model.
Standalone customer portals. Build customer portals on technology stacks (Auth0-fronted portals, custom developments, third-party portal platforms) that connect to Salesforce through authenticated integrations rather than through guest user access.
For organizations with significant guest user usage, the build-versus-buy evaluation can produce materially different economics. The Salesforce guest user costs — including the operational overhead of compliance management — may exceed the costs of alternative architectures.
The Experience Cloud edition implications
Guest user licenses are tied to Experience Cloud edition, and the edition selection has material implications for what guest user capabilities are available. The Experience Cloud edition tiers in 2026:
- Customer Community Login — login-based community access, with limited guest user capabilities
- Customer Community Plus — broader community capabilities including some guest user features
- Partner Community — channel partner-focused community access
- External Apps License — more comprehensive guest user and external user capabilities
The edition selection has significant cost implications — the External Apps License is substantially more expensive than Customer Community Login. Right-sizing the edition against actual guest user requirements is a meaningful optimization opportunity.
What to verify before signing guest user terms
- The guest user configurations have been audited against the 2026 compliance baseline.
- Field-level security on guest user accessible objects follows deny-by-default principles.
- The page view inclusion matches expected traffic with reasonable headroom.
- API call allocations account for guest user traffic alongside authenticated user traffic.
- Concurrent session capacity matches expected peak traffic patterns.
- Overage pricing on page views and API calls is capped at an acceptable annual maximum.
- Audit logging on guest user activity is enabled and properly retained.
- Penetration testing of guest user access has been completed and findings remediated.
- Apex security review covers guest user context code.
- Quarterly re-validation against the documented baseline is on the operational calendar.
- Incident response provisions are documented in the contract.
Guest user licenses are an example of where the headline cost understates the total cost of ownership. The license itself is moderate, but the compliance and operational discipline required to manage guest user configurations safely is substantial. Across the 500-plus engagements our advisory has supported, guest user-related findings have ranged from negligible to substantial — with the substantial findings typically reflecting either over-purchased Experience Cloud capacity or under-managed compliance posture.
For most organizations, the right approach is to treat the guest user conversation as part of a broader Experience Cloud strategy that includes the architecture decision (what stays on Experience Cloud versus what moves to alternative platforms), the compliance discipline (audit, configuration management, periodic re-validation), and the commercial structure (page view bundling, overage caps, edition selection). The discipline of treating guest user licenses as a strategic decision rather than a routine purchase is the foundation of both the cost optimization and the compliance posture.
The data residency and cross-border implications
Guest user data flows often cross jurisdictional boundaries in ways that have regulatory implications. The 2026 data residency landscape includes:
EU GDPR. Personal data of EU residents collected through guest user interactions falls within GDPR scope. The data minimization, purpose limitation, and lawful basis requirements apply to guest user data collection as much as to authenticated user data.
California CCPA / CPRA. California resident data collected through guest user interactions falls within CCPA scope. The consumer rights provisions (access, deletion, opt-out) require operational capability that some guest user configurations do not naturally support.
Sectoral regulations. Healthcare (HIPAA), financial services (GLBA), education (FERPA), and other sectoral regulations apply to guest user data in their respective domains.
Country-specific residency requirements. Several countries require certain personal data to remain within national borders. Salesforce Hyperforce and the regional data residency configurations support these requirements but require explicit configuration.
The compliance posture around guest user data should explicitly address the residency and cross-border implications. The default Salesforce data residency may not match the customer’s regulatory requirements, and the configuration to support specific residency requirements requires deliberate setup.
The audit trail and forensic capability
The forensic capability for guest user activity has been a recurring weak point in incident response. Several common gaps:
- Audit logs that do not retain sufficient detail to reconstruct anonymous user actions
- Audit logs that are aggregated in ways that lose individual session detail
- Retention periods that are shorter than the typical incident detection-to-response cycle
- Audit log access that requires Salesforce support engagement rather than self-service customer access
The contractual provisions on audit log access, retention, and detail should be explicit. The incident response capability depends on the forensic data being available when needed.