You can now hard delete records when running a retention or RTBF policy. When you enable the Hard Delete option, the record isn’t placed in the recycle bin, which requires a wait period of 15 days before deleting or manually emptying the recycle bin.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions.

How: Both the policy administrator and the user connected to Privacy Center must have the Bulk API Hard Delete permission enabled for their profile. In the policy editor, choose the object to delete. Under Action On Data in Org, turn on Hard Delete.

Hard Delete Records in Privacy Center (salesforce.com)

The Portability Policy dashboard you already know and love has new functionalities. Now you can activate, edit, and delete inactive policies, run policies directly from the dashboard, use the search function in the Portability Log, and more.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Who: To use this feature in Privacy Center, you need the ModifyAllData and PrivacyCenter permissions.

How: From the Privacy Center dashboard, under Portability Policies, click View All to see the changes.

Manage Portability Policies with Feature Enhancements (salesforce.com)

Store customer consent preferences for multiple brands that exist in one Salesforce org. Use the Business Brand object to identify different brands that share a parent brand. Then use the Customer and Seller objects to define unique relationships to these brands.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Track Consent Preferences for Multiple Brands (salesforce.com)

Make it easy for users with the High Volume Customer Portal user license to stay logged into your site. Keep users logged in for up to 7 days of inactivity, and allow them to remain logged in even after they close their browser.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How: In profile session settings, select a timeout value for Session Times Out After, and select Keep users logged in when they close the browser.

Extend User Sessions for High Volume Customer Portal Users (Beta) (salesforce.com)

Capture information about Apex callouts that use named credentials as their endpoints with the EventLogFile object’s new Named Credential event type. This event type is ideal for auditing the installed managed packages that use named credentials.

Where: This change applies to Enterprise, Performance, Unlimited, and Developer editions. This event is available in the API but not in the Event Monitoring Analytics app.

Get Information About Named Credentials in the EventLogFile (salesforce.com)

To improve security, we increased the length of one-time passwords (OTPs), also known as verification codes, from five digits to six. This change applies to OTPs sent through email and SMS. If you have customizations that rely on five-digit OTPs, such as Apex implementations for multi-factor authentication or passwordless login, make sure you update them.

Where: This change applies to Lightning Experience and Salesforce Classic (not available in all orgs) in all editions.

Email and SMS One-Time Password Codes Are Longer (salesforce.com)

To improve privacy, we shortened the lloopch_loid cookie duration from 2 years to 1 year. And we changed the duration of the hideIdentityDialog cookie from 50 years to 1 year.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Identity Cookies Have Shorter Durations (salesforce.com)

To give you more control over email and SMS verification messages, we changed how the initSelfRegistration method detects a user’s language. You can now specify a language in the User object to guarantee that verification messages use the correct language.

Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Control the Language Used for Experience Cloud Self-Registration Verification Messages (salesforce.com)

Take control of your customer communications with the Device Activation email template. You can use the template to customize the emails your users receive when they log in from an unfamiliar browser, app, or location.

Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Tailor Device Activation Emails for Experience Cloud Sites (salesforce.com)

Maintain consistent branding for your site and control customer communications with the Device Activation email template. When you’re using Apex to manage identity verification for Experience Cloud sites, guarantee that self-registration verification messages are sent in the right language. To improve privacy and security, we shortened durations of the lloopch_loid and hideIdentityDialog cookies and increased the length of one-time passwords.

• Tailor Device Activation Emails for Experience Cloud Sites
  Take control of your customer communications with the Device Activation email template. You can use the template to customize the emails your users receive when they log in from an unfamiliar browser, app, or location.
• Control the Language Used for Experience Cloud Self-Registration Verification Messages
  To give you more control over email and SMS verification messages, we changed how the initSelfRegistration method detects a user’s language. You can now specify a language in the User object to guarantee that verification messages use the correct language.
• Identity Cookies Have Shorter Durations
  To improve privacy, we shortened the lloopch_loid cookie duration from 2 years to 1 year. And we changed the duration of the hideIdentityDialog cookie from 50 years to 1 year.
• Email and SMS One-Time Password Codes Are Longer
  To improve security, we increased the length of one-time passwords (OTPs), also known as verification codes, from five digits to six. This change applies to OTPs sent through email and SMS. If you have customizations that rely on five-digit OTPs, such as Apex implementations for multi-factor authentication or passwordless login, make sure you update them.
• Get Information About Named Credentials in the EventLogFile
  Capture information about Apex callouts that use named credentials as their endpoints with the EventLogFile object’s new Named Credential event type. This event type is ideal for auditing the installed managed packages that use named credentials.
• Extend User Sessions for High Volume Customer Portal Users (Beta)
  Make it easy for users with the High Volume Customer Portal user license to stay logged into your site. Keep users logged in for up to 7 days of inactivity, and allow them to remain logged in even after they close their browser.

Salesforce Identity for Your Customers