OneTrust Implementation Guide

Learn how to integrate OneTrust with Ours Privacy for seamless consent management and compliance with privacy regulations worldwide.

OneTrust Implementation Guide

OneTrust and Ours Privacy work together to provide a comprehensive consent management solution that supports healthcare, GDPR, CCPA, and other privacy regulations. This guide explains the capabilities, operating modes, and integration patterns available when using OneTrust as your Consent Management Platform (CMP).

Overview

OneTrust controls when the Ours Privacy SDK loads and provides granular consent data that flows through your entire data pipeline. This approach delivers:

  • Regulatory Compliance: Full support for GDPR, CCPA, CPRA, LGPD, and healthcare regulations
  • Granular Control: Category-based and vendor-specific consent management
  • Complete Audit Trail: Visibility into every consent decision and change
  • Flexible Integration: Works with any OneTrust configuration or consent strategy

Operating Modes

Ours Privacy supports three distinct operating modes for consent management with OneTrust, each offering different levels of data collection and consent enforcement:

Mode 1: Strict Consent Mode (Zero Data Collection)

Ours Privacy SDK is not loaded until explicit consent is granted through OneTrust, ensuring zero data collection before user permission.

How it works:

  • OneTrust controls when the Ours Privacy SDK loads
  • No data is sent to Ours Privacy until consent is granted
  • Complete control over tracking initiation
  • Zero data collection before user permission

Mode 2: Mapper-Controlled Mode (Recommended)

Ours Privacy loads immediately and collects all events, but the mapping layer stops dispatch to destinations based on consent conditions.

How it works:

  • Ours Privacy SDK loads immediately and collects all events
  • Consent status is passed as event properties
  • Ours Privacy mappers conditionally route events to destinations based on consent
  • Events without proper consent are filtered out at the mapping layer

Choosing the Right Mode

The choice between these modes depends on your organization's privacy requirements, compliance needs, and technical architecture. We recommend:

  • Consult with your privacy officer and/or legal team to determine the appropriate consent management approach for your use case
  • Reach out to us to start a conversation about privacy and consent management strategies

Our team can help you evaluate your specific requirements and recommend the best approach for your organization.

Implementing Consent Events and Mapping

We recommend firing a "consent_change" event when consent is granted or changed. This allows you to track consent decisions and use them in your mapping logic.

Firing Consent Events

Use OneTrust's web SDK to get the consent status or grab their cookie string if it contains the allowed/denied categories. Then pass this information into event properties and visitor properties:

// Get consent status from OneTrust
const consentStatus = { 
  marketing: true, 
  analytics: false, 
  functional: false, 
  necessary: true 
}; // Example object grab the real one with the OneTrust web sdk.

// Track consent change event
ours('track', 'consent_change', {
  // Event properties
  ...consentStatus,
  cmp_vendor: 'onetrust'
}, {
  // Visitor properties - consent object
  consent: consentStatus
});

Implementing Mapper Logic

For each destination, you should create a "stop" mapper that prevents dispatch if the required consent isn't granted. You can also use logic builders for more granular control.

Example: Stop mapper for marketing destinations

  • Condition: visitor.consent.marketing != true
  • Action: Stop dispatch

Example: Stop mapper for analytics destinations

  • Condition: visitor.consent.analytics != true
  • Action: Stop dispatch

Example: Advanced logic with event properties

  • Condition: event.consent_marketing == true && visitor.consent.marketing == true
  • Action: Allow dispatch to marketing destinations

This approach ensures that:

  • Consent decisions are tracked and stored on the visitor
  • Destinations only receive data when appropriate consent is granted
  • You have granular control over data flow based on consent status
  • Compliance is maintained throughout your data pipeline

Mapping and Routing Capabilities

Destination-Based Routing

Ours Privacy's mapping layer routes events based on OneTrust consent:

  • Analytics destinations - Only send data when analytics consent is granted
  • Marketing destinations - Route to advertising platforms only with marketing consent
  • Functional destinations - Enable enhanced features with functional consent
  • Necessary destinations - Always route essential operational data

Conditional Data Processing

Beyond simple routing, the mapping layer can:

  • Transform data - Modify event properties based on consent level
  • Filter sensitive data - Remove PII/PHI when consent is limited
  • Aggregate data - Combine events differently based on consent
  • Delay processing - Hold events until appropriate consent is granted

Conclusion

Integrating OneTrust with Ours Privacy enables:

  • Full Regulatory Compliance: Support for GDPR, CCPA, CPRA, and healthcare regulations
  • Granular Consent Control: Category-based and vendor-specific consent management
  • Complete Audit Trail: Visibility into every consent decision and change
  • Flexible Integration: Works with any OneTrust configuration or consent strategy

The Ours Privacy platform respects these consent properties throughout your data pipeline, ensuring compliance while maintaining data integrity and user privacy.

For additional support or questions about OneTrust integration, contact our support team at [email protected].