OneTrust

OneTrust

Consent management and privacy compliance platform. The OneTrust script serves the cookie consent banner, records consent decisions, and conditionally blocks or allows other scripts based on user preferences. Also powers cookie audits, privacy preference centers, and data subject access request workflows.

Back to Vendor Library

Overview

OneTrust is a leading consent management platform (CMP) and privacy compliance suite used by enterprises to manage GDPR, CCPA, and global privacy regulation compliance. Its script serves the cookie consent banner, records granular consent decisions, conditionally blocks or activates third-party scripts based on category, and powers privacy preference centers, cookie audits, and data subject request (DSR) workflows. OneTrust is the consent infrastructure itself — not a third-party tracker.

What This Script Does

Consent Banner and Preference Center

  • Loads and renders the cookie consent banner or modal on first visit, configured by the site operator
  • Presents granular category controls: Strictly Necessary, Performance/Analytics, Functional, Targeting/Advertising
  • Fires the preference center when users click "Manage Preferences" or equivalent triggers
  • Stores user consent selections and preference timestamps

Script Blocking and Activation (Tag Manager Integration)

  • OneTrust integrates with Google Tag Manager, Adobe Launch, and standalone tag deployments to conditionally fire or block scripts based on consent state
  • Uses <script type="text/plain" class="optanon-category-C0002"> pattern to hold scripts until consent is granted for the relevant category
  • Dispatches custom JavaScript events (OneTrustGroupsUpdated, OTConsentApplied) so other scripts can react to consent changes in real time

Cookies Set

  • OptanonConsent — the primary consent record cookie; stores consented/rejected category codes, timestamp, and version string; first-party, 1 year
  • OptanonAlertBoxClosed — records that the banner has been dismissed; first-party, 1 year
  • OTGPPConsent — encodes consent in IAB Global Privacy Platform (GPP) string format for downstream systems
  • eupubconsent-v2 — IAB TCF v2.x consent string written to the TC String cookie for ad tech vendors
  • _oneTrustCDNDomainCheck — CDN availability probe, session

Script Files and CDN

  • Primary loader: https://cdn.cookielaw.org/scripttemplates/otSDKStub.js (or cdn.cookielaw.org variants)
  • Domain script: https://cdn.cookielaw.org/consent/<UUID>/OtAutoBlock.js
  • IAB TCF stub: loaded inline to ensure the __tcfapi function is available before any ad scripts fire
  • All assets served from OneTrust's Cloudflare-backed CDN (cdn.cookielaw.org)

Additional Features

  • Cookie scanning and auto-categorization (crawls the site to discover and classify cookies)
  • Data Subject Access Request (DSAR) portal for handling Article 15–22 GDPR rights requests
  • Vendor management and IAB TCF Vendor List integration
  • Consent audit log storage for regulatory record-keeping (Article 7(1) GDPR requirement)

Consent & Compliance

Consent category: Essential / Functional

OneTrust is the consent management infrastructure and is strictly necessary under GDPR. Article 7(1) requires that the controller be able to demonstrate that the data subject has consented — OneTrust fulfills this obligation by recording and storing consent decisions. The OptanonConsent cookie is the mechanism for honoring user privacy choices across sessions. Blocking it would make it impossible for users to exercise rights under GDPR Article 7(3) (withdrawal of consent) and CCPA's opt-out mechanisms. The IAB TCF stub must load before any advertising scripts to prevent unlawful processing.

Should You Block This Without Consent?

No. OneTrust is the consent management tool itself. It must always load first, unconditionally — blocking it would prevent the consent banner from appearing and remove the mechanism by which users exercise their privacy rights. It is strictly necessary infrastructure.

Visit website

Consent Categories

Essential
Functional

Also Known As

onetrust CMPonetrust GDPRonetrust cookie bannerconsent management platformonetrust preference centeronetrust blocking

Industries

Programming and Developer SoftwareComputers Electronics and Technology

Tracked Domains (3)

cookielaw.orgFunctional
onetrust.comFunctional
cookiepro.comConsent

Frequently Asked Questions

Does OneTrust itself require visitor consent before loading?

No. OneTrust is the consent management platform — it must load unconditionally before any other scripts so it can present the consent banner and honor user privacy choices. Blocking it would prevent the banner from appearing and remove the mechanism by which visitors exercise GDPR withdrawal rights and CCPA opt-out rights.

What cookies does OneTrust set and why?

OneTrust sets OptanonConsent (1-year cookie storing consented category codes, timestamp, and version), OptanonAlertBoxClosed (records banner dismissal), OTGPPConsent (IAB Global Privacy Platform string), and eupubconsent-v2 (IAB TCF v2 consent string for ad tech). These are the compliance records required under GDPR Article 7(1).

How does ConsentStack relate to OneTrust?

OneTrust and ConsentStack are both consent management platforms — they serve the same function and would not typically be used together on the same site. If your site uses OneTrust, ConsentStack is the alternative. ConsentStack manages script blocking, consent records, and vendor auditing in the same way OneTrust does, with a simpler setup.

Related Vendors

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for OneTrust

ConsentStack automatically detects and manages OneTrust trackers so your site stays compliant with global privacy regulations.

Get started free