OneSignal

OneSignal

Push notification service used by websites and mobile apps to re-engage users via browser and in-app notifications. The OneSignal SDK handles notification permission prompts and manages subscription state. Also tracks notification delivery, open rates, and conversion events.

Back to Vendor Library

Overview

OneSignal is a customer messaging platform specializing in browser push notifications, in-app messaging, email, and SMS. It powers push notification campaigns for over one million websites and apps, enabling operators to re-engage users with targeted messages based on behavioral segmentation and automated triggers.

What This Script Does

OneSignal's browser integration involves a JavaScript SDK, a service worker file, and optional subscription prompt UI components.

Script Files and Domains

  • OneSignalSDK.js or OneSignalSDKWorker.js — Loaded from cdn.onesignal.com. The main SDK (~150KB minified) handles subscription management, permission prompts, and messaging.
  • OneSignalSDKWorker.js — A service worker registered under the host site's domain (e.g., yourdomain.com/OneSignalSDKWorker.js). Receives push messages even when the browser tab is closed.
  • API calls go to onesignal.com/api/v1/ for subscription registration and fcm.googleapis.com (Chrome) or APNs (Safari) for push delivery via browser push infrastructure.

Cookies and Storage Set

  • os_pageViews — localStorage key tracking page view count for the subscription prompt display logic (e.g., "show prompt after 3 page views"). Session-scoped behavior, but persisted in localStorage.
  • isOptedOut — localStorage key recording the user's notification opt-out preference.
  • onesignal-notification-prompt — localStorage key tracking the last time the subscription prompt was shown to prevent excessive re-prompting.
  • OneSignal Player ID — A UUID generated for each subscriber, stored server-side and linked to the browser's push subscription endpoint. This is the primary subscriber identifier.
  • No persistent tracking cookies are set on the host domain in the traditional sense; OneSignal relies primarily on localStorage and the push subscription endpoint URL for identification.

Data Collected Per Interaction

  • Browser push subscription endpoint URL (a unique URL issued by the browser's push service — this is the primary subscriber identifier)
  • IP address (at subscription time and notification delivery)
  • Browser type, OS, user agent
  • Page URL where subscription was initiated
  • Page view count (for prompt logic)
  • Notification delivery status (delivered, displayed, clicked, dismissed)
  • Custom tags set by the site operator (e.g., plan: premium, last_purchase_category: electronics)
  • Custom events triggered by the site operator (purchases, signups, etc.) for segmentation and automation

Subscriber Segmentation and Targeting OneSignal builds subscriber segments based on behavioral attributes, tags, and event history. Automated notifications (triggered by cart abandonment, inactivity, price drops) fire based on these segments. Segments can be used for A/B testing notification copy and delivery timing.

Consent & Compliance

Consent category: Marketing

  • GDPR/ePrivacy: Push notifications are a direct marketing channel requiring explicit opt-in consent under both GDPR and the ePrivacy Directive. The browser's native permission prompt constitutes a technical mechanism for consent, but the GDPR consent must be freely given, informed, and specific — the site must disclose that subscribing enrolls the user in OneSignal-powered marketing communications. Subscriber segmentation and behavioral tagging constitute profiling under GDPR Article 4(4).
  • IAB TCF: OneSignal participates in the IAB TCF ecosystem. Relevant purposes include Purpose 1 (Store and/or access information on a device) and Purpose 4 (Select personalised ads) when behavioral targeting is used.
  • CCPA/CPRA: Subscriber behavioral data and segmentation profiles constitute personal information. Targeted push notifications based on purchase history or browsing behavior may constitute sharing under CPRA. Opt-out rights apply.
  • EU-US Data Privacy Framework: OneSignal is a US company. It relies on SCCs and DPF for EU-to-US data transfers. Verify current participation status on the DPF list.

Should You Block This Without Consent?

Yes. OneSignal is a marketing communication and subscriber segmentation platform. The service worker and SDK should not be registered or loaded until the user has provided explicit consent for marketing communications. Note that once a service worker is registered, it persists until explicitly unregistered — ensure your consent management properly handles unregistration when consent is withdrawn.

Visit website

Consent Categories

Marketing

Also Known As

OneSignalOneSignal SDKbrowser push notificationsweb push consentpush notification opt-innotification tracking

Industries

Programming and Developer SoftwareComputers Electronics and Technology

Tracked Domains (1)

onesignal.comMarketing

Frequently Asked Questions

Does OneSignal require cookie consent?

Yes. OneSignal is a marketing push notification platform. It registers a service worker and stores subscriber data for behavioral segmentation and re-engagement campaigns. Explicit marketing consent is required under GDPR and ePrivacy before the SDK loads or the service worker is registered.

What does OneSignal store on my website visitors' browsers?

OneSignal uses localStorage keys including os_pageViews, isOptedOut, and onesignal-notification-prompt. A push subscription endpoint URL serves as the primary subscriber identifier. No traditional HTTP tracking cookies are set, but localStorage is used for subscription state and prompt logic.

How does ConsentStack handle OneSignal?

ConsentStack detects OneSignal via its CDN domain cdn.onesignal.com and SDK script filename. It classifies OneSignal under the marketing category and blocks the SDK and service worker registration until the visitor grants marketing consent. Consent withdrawal triggers service worker unregistration.

Related Vendors

Google Ads
Google Ads
Google Ads is Google's advertising platform for search, display, and remarketing campaigns. Conversion tracking scripts fire on advertiser landing pages to measure actions taken after ad clicks. The remarketing tag builds audience lists for retargeting users across Google's ad network.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Microsoft Dynamics 365
Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.
Microsoft
Microsoft
Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.
Microsoft Advertising UET Tag
Microsoft Advertising UET Tag
Microsoft Advertising UET Tag is the Universal Event Tracking pixel for Microsoft's ad platform, formerly Bing Ads. The JavaScript tag fires on advertiser websites to track page views, conversions, and custom events for campaign optimization. Sets cookies to identify visitors across sessions and attribute conversions to Microsoft Search and Audience Network ad clicks.
LinkedIn Ads
LinkedIn Ads
LinkedIn Ads is LinkedIn's advertising platform for B2B marketing and professional audience targeting. Conversion tracking scripts and pixels fire on advertiser websites to measure sign-ups, downloads, and purchases driven by LinkedIn ad campaigns. Sets cookies for audience matching, retargeting list building, and cross-device attribution reporting.

Manage consent for OneSignal

ConsentStack automatically detects and manages OneSignal trackers so your site stays compliant with global privacy regulations.

Get started free