OneTrust Cookie Consent - a commercial GDPR content solution

Fast GDPR compliance for your website: What is to be considered?

Due to the General Data Protection Regulation (= GDPR), which came into force on 25 May 2018, all websites must meet these criteria. If they do not, they will be subject to severe fines. For the particularly serious violations listed in the law under Art. 83 para. 5 GDPR, the fine is up to EUR 20 million or, in the case of a company, up to 4% of the total annual worldwide turnover in the previous financial year, whichever is the higher.

Due to this change in the law, commercial providers developed cookie consent software. This enables the website provider to accept cookies

  • into groups,
  • to be controlled (OptIn and OptOut),
  • to scan the website for cookies and partially
  • to use an automatic cookie-content solution, which independently makes all cookie settings in the Consent Layer. 

How effective are these commercial solutions? What are their weaknesses and strengths? We would like to show this in this article using the OneTrust software as an example.

Due to an European Court of Justice judgement of  01.10.2019, every user must be enabled to give active consent to the setting of cookies. Previously, it was common for users to be able to deselect cookies. This is no longer permitted. 

Cookies may only be set if users have previously consented.

Merkle Website Cookies Screenshot People Based Marketing
Display of the OneTrust layer with the possibility of individual cookie selection on Merkleinc.com

Short presentation of OneTrust Cookie Consent

OneTrust's cookie-content solution is software that is subject to a fee. The license can be purchased on a monthly or annual basis. It costs 45 EUR / month per domain, regardless of company size. The OneTrust cookie solution is hosted in the EU.

According to the manufacturer, OneTrust offers the following features in this software solution: 

  • Unlimited number of subdomains and pages
  • Unlimited Consent Records
  • Automated Website Scanning
  • Cookie categorization based on Cookiepedia (OneTrust's own cookie database in which all cookies collected by the tool are listed and categorized)
  • Customizable banners and preference center presets
  • Configurable consent models
  • Prior Informed Consent and Do Not Track
  • Automatic speech recognition
  • Dynamic cookie list script
  • Integration with CMSs, website builders, tag managers
  • Extended scanning (behind login and query parameters)
  • Multi-page templates
  • Geo-Targeting by country
  • Cross-domain consent
  • IAB Europe TCF Support
  • Local JavaScript Hosting Option
  • Multiple languages
  • Remove branding "Powered by OneTrust"

The advantages of the OneTrust content cookie solution

The legal requirements must be met. In some cases, the technical possibilities are not available to implement the development effort. A further advantage of OneTrust's cookie content-solution is the possibility to integrate the cookie layer without deployment. However, this requires tag management.

OneTrust offers not only a European solution, but also content solutions analogous to the respective countries. This is helpful for an international orientation. 

Custom solution versus commercial solution.

The advantages of a custom cookie solution are generally these:

  • No ongoing license costs,
  • Individual technical solutions enable special integrations,
  • Design / UX can correspond exactly to the corporate design

The disadvantage is primarily the high initial creation costs. 

On the other hand, there are the advantages of the commercial Consent solution:

  • Quickly implemented,
  • Low initial costs.

In contrast, the running costs remain constant. The license fee is charged per domain. The look and feel should be adopted and usually does not correspond to the corporate design of the website. 

    To Do's

    Principally, these points must be clarified and defined before integration:

    • The cookies of the domain must be recorded by means of cookie scanning. 
    • The UX / design must be clarified.
    • Special integration of cookies such as iFrame must be analyzed.
    • It should be clarified whether manual or automatic cookie blocking should be done.

    For this purpose the legal requirements must be clarified, such as 

    • the cookie categories (strictly necessary, marketing, targeting, performance, ...),
    • the consent model (OptIn / AlwaysOn) per cookie category,
    • the creation of the texts for the cookie banners, the preference center, etc.
    Merkle OneTrust Screenshot Cookies
    View the layout options for including the GDPR layer in the web page

    Integration process

    There are three ways to integrate the solution:

    • Tag Management System,
    • CMS,
    • directly into the code of the page.

    We would like to share with you the integration via the tag management. Google Tag Manager was used. 

    In general, there is the possibility to integrate the software on a development system for testing. Unfortunately there are two disadvantages. One disadvantage is that the documentation is only available if the license has already been purchased. So you can't really embed the Cookie Content solution of OneTrust in a well-founded way, but have to trust the publicly available sources. There are a few providers, but their implementations do not conform to the recommended OneTrust integration. 

    In addition, you have to do all settings again after purchasing the license, because the test settings cannot be transferred to the licensed solution. 

    Scan the page for used cookies

    OneTrust first scans the site for the cookies used. The cookies can be viewed in the OneTrust cookie library "Cookiepedia". 

    Bild 3
    (source: https://www.onetrust.com/products/cookie-compliance/) communication Cookiepedia, the cookie library of OneTrust

    There they are listed according to purpose and a definition is offered. It is also listed on which pages the respective cookie is still used.  

    OT offers the option of either an automatic classification of cookies (Auto Scan) or a manual classification of cookies. 

    The autoblock function sounds elegant at first. After scanning the cookies on the specified domain, OT assigns the cookies to pre-selected levels.

    Bild 4
    (source: https://www.onetrust.com/products/cookie-compliance/) Schematic diagram of the autoblock mode of operation.

    According to our experience, however, the integration of the autoblock script makes the loading of the page slow. The autoblock script is larger than 600 kb.

    Another point of view is that autoblock only blocks the cookies that are found. This is important because the OT Crawler cannot access password protected test systems. Testing the cookies on test systems is limited. If the content solution goes live on production systems, it is possible that modules of the production system interact with the OT Consent Banner. The OT Autoblock Script then also blocks cookies that are necessary for an essential functionality of the website (search function). So you have to make sure that you always test all cookies of the production system when integrating the autoblock script and not only a small part of them. 

    It is also possible to manually assign them to the intended levels. 

    Usually three cookie levels are used:

    • Technically necessary cookies
    • Cookies for statistical purposes
    • Cookies for marketing purposes

    Language settings of the cookie layer

    The Cookie Consent can be created in several languages. By default, OT selects the language setting of the browser. If you don't want to use this, because you use several languages per country, you can switch to the language setting of the website. The translation must be delivered.

    Testing of cookie layers

    To test the setup, a test script can be included. This differs from the production script formally only by a minimal addition ("-test") after the license number in the script. The advantage of the test script is that the changes can be seen immediately. The production scripts need up to four hours until adjustments are published, because the scripts have to be changed on the production servers, which can take a little longer in the cloud. 

    Unfortunately the test script is error-prone. You can see the adjustments, but other effects occur, such as the missing coverage of the page with a transparent background. After a varying amount of time this error was fixed again.

    Functionality with integration via Tag Management System

    The script is pushed into the page per tag and loads the OT script. The tag management system is always active, but does not load any tags before the user has given his consent. If the user selects certain cookies, the layer sets the corresponding cookie. A custom event is pushed. The Tag Management System listens to the custom event and requests the cookies here. The tags to be released for the confirmed level are activated. 

    Relevant here is to adjust the triggers for the general PageView tag so that it does not fire before the user confirms. Since the cookies that indicate the selected level are loaded in the loading order after the PageView, the trigger must be adjusted accordingly.

    All other tags must fire either by actively setting the cookie levels or by exclusion. That means, in the first variant a tag only fires if a certain cookie level is selected. With exclusion, the tag only fires if a cookie level is not available.

    Special features of iFrames

    If a cookie is set in an iFrame, it cannot be controlled by Tag Management. This is the case, for example, with integrated YouTube films. 

    We had to prevent the Youtube movies from being displayed in the iFrame immediately and the Youtube cookies from being set. We have created an HTML-Toast around the iFrame to control it. The HTML-Toast will load a still picture if the user has rejected the cookies. The freeze frame or the optical highlighting above it must be clearly recognizable as a movie placeholder. We have added a play button as optical highlighting and a link that opens the cookie layer.

    Bild 5
    Implementation of the placeholder with the optical marking that a film is hidden behind the surface.
    Bild 6
    A Merkle specific feature: the cursor enlarges and asks the user to adjust the cookies.

    The user should be given the opportunity here to go directly to the cookie level "cookies for marketing purposes". Here he can select the appropriate cookie level and watch the film immediately. 

    This implementation requires frontend capacities and UX to enable clear communication.

    Merkle Cookies Website Screenshot Video
    A click on the link opens the cookie layer directly above the placeholder.

    Conclusion

    OneTrust's tool has some special features that you need to pay attention to. You should first analyze which cookies are used in which components. From this you can deduce the effort of the respective specialists. In any case, you should plan enough time for testing. 

    In general, you will need some tech capacities for OT implementation because of some special cases. A deployment was also necessary until now. 

    Are you currently facing the challenge of evaluating and implementing a suitable content solution for your company? We would be happy to support you!