OneTrust Best Practices
OneTrust implementation requires careful attention to detail beyond basic banner installation. This guide covers critical best practices that are often overlooked but essential for proper privacy protection and compliance.
Table of Contents
- Critical Page Refresh Requirement
- Cookie Cleanup Best Practices
- Complete OneTrust Implementation
- Common OneTrust Mistakes
- Best Practices Summary
- Conclusion
Critical Page Refresh Requirement
The Problem: Consent Not Enforced on Current Page
What Happens Without Page Refresh
When users interact with the OneTrust consent banner:
- User clicks "Accept" or "Reject" on consent banner
- Banner disappears but current page remains loaded
- Tracking scripts continue operating on the same page
- User navigates away by clicking a link
- Button click events fire before consent rules are applied
- Privacy violation occurs despite user's consent choice
Why OneTrust Doesn't Auto-Refresh
OneTrust by default does not force a page refresh after consent changes because:
- User experience concerns: Avoiding page reloads
- Flexibility: Allowing custom implementation
- Performance: Reducing unnecessary page loads
However, this creates a critical privacy gap that must be addressed.
The Solution: Force Page Refresh
Implementation Requirements
```javascript
// Listen for OneTrust consent changes and reload so the new rules apply to
// the page that is already open. OneTrustGroupsUpdated also fires once when
// the SDK initialises on every page load, so reload only when the active
// groups differ from the snapshot taken at load; an unconditional reload
// here would loop forever.
var initialGroups = (typeof OnetrustActiveGroups !== 'undefined') ? OnetrustActiveGroups : null;

function oneTrustConsentChange() {
  if (initialGroups === null) {
    // First notification after the SDK loaded: record the state only
    initialGroups = OnetrustActiveGroups;
    return;
  }
  if (OnetrustActiveGroups === initialGroups) {
    return; // consent unchanged, nothing new to apply
  }
  // Force page refresh after a real consent change
  setTimeout(function () {
    window.location.reload();
  }, 100); // Small delay to ensure consent is saved
}

// Register the event listener
document.addEventListener('OneTrustGroupsUpdated', oneTrustConsentChange);
```
OneTrust Configuration
```javascript
// Configure OneTrust to trigger the refresh from its own callback.
// OptanonWrapper runs once after the SDK initialises on every page load AND
// again whenever consent changes, so an unconditional reload here would
// reload the page forever. Guard it with a snapshot of the active groups
// taken the first time it runs.
var otGroupsAtLoad = null;
window.OptanonWrapper = function () {
  if (otGroupsAtLoad === null) {
    otGroupsAtLoad = OnetrustActiveGroups; // initial call: record state only
    return;
  }
  if (OnetrustActiveGroups !== otGroupsAtLoad) {
    window.location.reload(); // consent changed: apply the new rules
  }
};
```
Cookie Cleanup Best Practices
The Problem: Lingering First-Party Cookies
What Happens Without Cookie Cleanup
When users opt out of tracking:
- Third-party scripts are blocked by OneTrust
- First-party cookies remain on the user's device
- User later accepts consent for tracking
- Third-party scripts reactivate and find existing cookies
- Historical data is accessible to third parties
- Privacy violation occurs despite previous opt-out
Common First-Party Cookies Set by Third Parties
```javascript
// Examples of first-party cookies set by third-party scripts. Entries that
// end in '_' or '-' are name prefixes (for example 'amplitude_' covers
// 'amplitude_id_...'), and '_ga' also covers GA4's '_ga_<measurement id>'.
const thirdPartyFirstPartyCookies = [
  '_ga',            // Google Analytics
  '_gid',           // Google Analytics
  '_gat',           // Google Analytics
  '_fbp',           // Facebook Pixel
  '_fbc',           // Facebook Pixel
  '_hjSession',     // Hotjar
  '_hjSessionUser', // Hotjar
  'amplitude_',     // Amplitude
  'mixpanel',       // Mixpanel
  'segment_',       // Segment
  'intercom-',      // Intercom
  'zendesk'         // Zendesk
];
```
The Solution: Comprehensive Cookie Cleanup
OneTrust Cookie Cleanup Configuration
```javascript
// Configure OneTrust to clean up cookies on opt-out
function configureOneTrustCookieCleanup() {
  // Cookies (or cookie-name prefixes) to clean up when consent for a
  // category is withdrawn
  const cookiesToCleanup = {
    'analytics': [
      '_ga', '_gid', '_gat', '_gcl_au', '_gcl_aw',
      '_hjSession', '_hjSessionUser', '_hjFirstSeen',
      'amplitude_', 'mixpanel', 'segment_'
    ],
    'marketing': [
      '_fbp', '_fbc', '_gcl_au', '_gcl_aw',
      'intercom-', 'zendesk', 'drift_'
    ],
    'functional': [
      'user_preferences', 'language_setting',
      'theme_preference', 'cookie_consent'
    ]
  };
  // OnetrustActiveGroups carries group IDs (",C0001,C0002,"), not the
  // friendly names above, so map each category to its ID. These are the
  // default template IDs; verify them against your tenant's configuration.
  const groupIds = { analytics: 'C0002', marketing: 'C0004', functional: 'C0003' };

  // Set up cleanup function
  window.OptanonWrapper = function () {
    // This runs after consent changes (and once on every page load)
    cleanupCookiesBasedOnConsent();
  };

  function cleanupCookiesBasedOnConsent() {
    const activeGroups = String(OnetrustActiveGroups || '').split(',').filter(Boolean);
    // Names of the cookies readable from script on this page
    // (HttpOnly cookies are not visible here and must be cleared server-side)
    const presentCookies = document.cookie.split(';')
      .map(c => c.split('=')[0].trim()).filter(Boolean);
    // Clean up cookies for categories that are not consented
    Object.keys(cookiesToCleanup).forEach(category => {
      if (activeGroups.includes(groupIds[category])) return;
      presentCookies.forEach(cookieName => {
        // Entries are prefixes: '_ga' also matches '_ga_XXXX',
        // 'amplitude_' matches 'amplitude_id_...'
        if (cookiesToCleanup[category].some(prefix => cookieName.startsWith(prefix))) {
          deleteCookie(cookieName);
        }
      });
    });
  }

  function deleteCookie(name) {
    const expired = 'expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
    // Host-only cookie (set without a Domain attribute)
    document.cookie = `${name}=; ${expired}`;
    // Cookie scoped to this host and its subdomains
    document.cookie = `${name}=; ${expired} domain=.${window.location.hostname};`;
    // Cookie scoped to the parent domain, where most analytics tags set _ga.
    // slice(-2) is wrong under multi-part public suffixes (shop.example.co.uk
    // gives co.uk, which the browser silently rejects); use a public-suffix
    // list if you serve such hostnames. Only path=/ cookies are covered.
    const parentDomain = window.location.hostname.split('.').slice(-2).join('.');
    document.cookie = `${name}=; ${expired} domain=.${parentDomain};`;
  }
}
```
Advanced Cookie Cleanup
```javascript
// More comprehensive cookie cleanup: expires every cookie whose name matches
// a known vendor pattern. Call it when the user withdraws consent for all
// non-essential categories; it does not consult OnetrustActiveGroups itself.
// Requires deleteCookie() from the previous section to be in scope.
function advancedCookieCleanup() {
  // Get all cookies readable from script (HttpOnly cookies are not visible)
  const allCookies = document.cookie.split(';');
  // Define patterns for third-party cookies
  const thirdPartyPatterns = [
    /^_ga/,        // Google Analytics (also matches _ga_<measurement id>)
    /^_gid/,       // Google Analytics
    /^_gat/,       // Google Analytics
    /^_fbp/,       // Facebook Pixel
    /^_fbc/,       // Facebook Pixel
    /^_hj/,        // Hotjar
    /^amplitude_/, // Amplitude
    /^mixpanel/,   // Mixpanel
    /^segment_/,   // Segment
    /^intercom-/,  // Intercom
    /^zendesk/,    // Zendesk
    /^drift_/,     // Drift
    /^hubspot/,    // HubSpot
    /^salesforce/  // Salesforce
  ];
  // Clean up cookies matching third-party patterns (delete each name once)
  allCookies.forEach(cookie => {
    const cookieName = cookie.split('=')[0].trim();
    if (cookieName && thirdPartyPatterns.some(pattern => pattern.test(cookieName))) {
      deleteCookie(cookieName);
    }
  });
}
```
Complete OneTrust Implementation
1. Basic Setup with Best Practices
```javascript
// Complete OneTrust implementation with best practices
(function () {
  // OneTrust script loading. Replace 'your-domain-script-id' with the
  // data-domain-script value from your OneTrust tenant.
  var script = document.createElement('script');
  script.src = 'https://cdn.cookielaw.org/scripttemplates/otSDKStub.js';
  script.type = 'text/javascript';
  script.charset = 'UTF-8';
  script.setAttribute('data-domain-script', 'your-domain-script-id');
  document.head.appendChild(script);

  // Active groups as seen the first time OptanonWrapper ran on this page
  // load; used to tell a real consent change from the initial callback.
  var groupsAtLoad = null;

  // Configure OneTrust wrapper. OneTrust calls it once after the SDK
  // initialises on every page load and again whenever consent changes.
  window.OptanonWrapper = function () {
    // 1. Clean up cookies (safe to run on every call)
    cleanupCookiesBasedOnConsent();
    // 2. Force page refresh, but only on an actual consent change;
    //    an unconditional reload here would loop forever
    if (groupsAtLoad === null) {
      groupsAtLoad = OnetrustActiveGroups;
      return;
    }
    if (OnetrustActiveGroups !== groupsAtLoad) {
      setTimeout(function () {
        window.location.reload();
      }, 100); // small delay so OneTrust finishes persisting consent
    }
  };

  // Cookie cleanup function
  function cleanupCookiesBasedOnConsent() {
    // OnetrustActiveGroups looks like ",C0001,C0002,"; split it into IDs
    const consent = String(OnetrustActiveGroups || '').split(',').filter(Boolean);
    // Cookie-name prefixes to clean up, keyed by OneTrust group ID.
    // Verify the IDs against your tenant's category configuration.
    const cookiesToCleanup = {
      'C0002': ['_ga', '_gid', '_gat', '_hjSession', '_hjSessionUser'],
      'C0003': ['_fbp', '_fbc', '_gcl_au', '_gcl_aw'],
      'C0004': ['intercom-', 'zendesk', 'drift_']
    };
    // Cookies readable from script (HttpOnly cookies are not visible)
    const presentCookies = document.cookie.split(';')
      .map(function (c) { return c.split('=')[0].trim(); })
      .filter(Boolean);
    // Clean up cookies for non-consented categories (prefix match, so
    // '_ga' also covers '_ga_<measurement id>')
    Object.keys(cookiesToCleanup).forEach(function (category) {
      if (consent.includes(category)) return;
      presentCookies.forEach(function (cookieName) {
        if (cookiesToCleanup[category].some(function (p) { return cookieName.startsWith(p); })) {
          deleteCookie(cookieName);
        }
      });
    });
  }

  // Cookie deletion function: expire the cookie under every scope it may
  // have been set with (host-only, this host, parent domain). Only path=/
  // cookies are covered; slice(-2) is wrong under multi-part public
  // suffixes such as example.co.uk.
  function deleteCookie(name) {
    const domains = [
      '', // host-only cookie, set without a Domain attribute
      window.location.hostname,
      '.' + window.location.hostname,
      '.' + window.location.hostname.split('.').slice(-2).join('.')
    ];
    domains.forEach(function (domain) {
      const scope = domain ? ' domain=' + domain + ';' : '';
      document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;' + scope;
    });
  }
})();
```
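The consent-group parsing, change detection and prefix matching that the cleanup and refresh logic above depend on, written here as pure functions so they can be unit-tested in Node without a browser. This is an added example, not code from this page or from OneTrust; the group IDs C0002 and C0004 are assumed (OneTrust's default template) and the cookie string is constructed.

```javascript
// OnetrustActiveGroups is a comma-delimited string such as ",C0001,C0002,".
// Group IDs are tenant-specific; C000x are the default template IDs and are
// used here only as an assumption.

// Parse the OnetrustActiveGroups string into a Set of group IDs.
function parseActiveGroups(groupsString) {
  return new Set(
    String(groupsString || '')
      .split(',')
      .map((g) => g.trim())
      .filter((g) => g.length > 0)
  );
}

// True when the active groups differ from a previous snapshot, i.e. a real
// consent change rather than OptanonWrapper firing on page load. Order of
// the IDs does not matter.
function consentChanged(previousGroups, currentGroups) {
  const before = parseActiveGroups(previousGroups);
  const after = parseActiveGroups(currentGroups);
  if (before.size !== after.size) return true;
  for (const g of before) if (!after.has(g)) return true;
  return false;
}

// Given the raw document.cookie string, rules of the form
// {groupId: [prefix, ...]} and the active groups, return the cookie names
// that must be deleted. Rules are name prefixes, so '_ga' also matches
// '_ga_ABC123' and 'intercom-' matches 'intercom-id-xyz'.
function cookiesToDelete(cookieHeader, rules, activeGroups) {
  const active = parseActiveGroups(activeGroups);
  const names = cookieHeader
    .split(';')
    .map((c) => c.split('=')[0].trim())
    .filter((n) => n.length > 0);
  const blockedPrefixes = Object.keys(rules)
    .filter((group) => !active.has(group))
    .flatMap((group) => rules[group]);
  // Unique names, in document.cookie order, that start with a blocked prefix
  return [...new Set(names.filter((n) => blockedPrefixes.some((p) => n.startsWith(p))))];
}
```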
2. Testing OneTrust Implementation
Test Page Refresh
```javascript
// Test that a page refresh occurs after a consent change.
// window.location.reload cannot be stubbed in modern browsers (the property
// is non-configurable), so the test spans two page loads: a sessionStorage
// flag is set before the consent change and checked again after the reload.
// Call testOneTrustPageRefresh() on every load while testing.
function testOneTrustPageRefresh() {
  const FLAG = 'ot_refresh_test';
  if (sessionStorage.getItem(FLAG) === 'pending') {
    // Second load: the page did reload after the consent change
    sessionStorage.removeItem(FLAG);
    console.log('✅ Page refresh test passed');
    return;
  }
  if (typeof OneTrust === 'undefined' || typeof OnetrustActiveGroups === 'undefined') {
    console.error('❌ OneTrust not loaded; cannot run test');
    return;
  }
  sessionStorage.setItem(FLAG, 'pending');
  // Trigger a real consent change through the OneTrust API; a synthetic
  // OneTrustGroupsUpdated event would leave OnetrustActiveGroups unchanged
  OneTrust.RejectAll();
  // Still being here after 2 seconds means no reload was triggered
  setTimeout(() => {
    sessionStorage.removeItem(FLAG);
    console.error('❌ Page refresh test failed');
  }, 2000);
}
```
Test Cookie Cleanup
```javascript
// Test that cookies are cleaned up properly. Run it after rejecting the
// analytics and marketing categories in the banner, so the groups that own
// _ga and _fbp are absent from OnetrustActiveGroups.
function testOneTrustCookieCleanup() {
  // Set test cookies (host-only, path=/)
  document.cookie = '_ga=test-value; path=/';
  document.cookie = '_fbp=test-value; path=/';
  if (typeof OnetrustActiveGroups === 'undefined' || typeof window.OptanonWrapper !== 'function') {
    console.error('❌ OneTrust not loaded; cannot run test');
    return;
  }
  // Invoke the cleanup hook directly instead of dispatching a synthetic
  // event: OptanonWrapper is what OneTrust calls after a consent change
  window.OptanonWrapper();
  // Check synchronously, because a deferred reload may follow the hook.
  // Anchor the match so '_ga=' does not also match 'x_ga='.
  const hasCookie = (name) => new RegExp('(^|;\\s*)' + name + '=').test(document.cookie);
  if (!hasCookie('_ga') && !hasCookie('_fbp')) {
    console.log('✅ Cookie cleanup test passed');
  } else {
    console.error('❌ Cookie cleanup test failed');
  }
}
```
Common OneTrust Mistakes
1. No Page Refresh
Problem: Consent changes don't apply to the current page
Solution: Implement a page refresh after consent changes
2. No Cookie Cleanup
Problem: First-party cookies remain after opt-out
Solution: Configure comprehensive cookie cleanup
3. Incomplete Cookie Identification
Problem: Not all third-party cookies are identified
Solution: Use pattern matching for comprehensive cleanup
4. No Testing
Problem: OneTrust implementation not verified
Solution: Regular testing of consent functionality
5. Configuration Drift
Problem: Settings change over time without documentation
Solution: Version control and change management
Best Practices Summary
Essential Requirements
- Force page refresh after consent changes
- Clean up first-party cookies when consent is withdrawn
- Test regularly to ensure implementation works
- Monitor compliance to maintain privacy protection
- Document changes for team reference
Implementation Checklist
- Page refresh configured after consent changes
- Cookie cleanup implemented for all categories
- Third-party cookie patterns identified
- Testing procedures established
- Monitoring and alerting configured
Conclusion
OneTrust implementation requires more than just banner installation. The critical requirements are:
- Force page refresh after consent changes to ensure rules are applied
- Clean up first-party cookies to prevent data persistence after opt-out
- Test regularly to ensure consent implementation works correctly
- Monitor compliance to maintain privacy protection
Remember: OneTrust without proper page refresh and cookie cleanup is not providing true privacy protection.
By following these best practices, organizations can ensure their OneTrust implementation actually protects user privacy and maintains regulatory compliance.
For additional guidance on OneTrust implementation, consult with your legal team and privacy professionals to ensure compliance with applicable regulations.