Disclosure Guide

How to disclose OneTrust in your privacy policy

OneTrust is your consent management infrastructure, and it appears in a privacy policy differently from analytics or advertising tools. Your policy should describe OneTrust's role accurately: it manages consent preferences and controls which other tools fire, rather than collecting data for its own commercial purposes.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data OneTrust typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • Consent preferences and decisions (accepts, rejects, category selections)

  • Timestamps and versions of consent decisions

  • Visitor identifiers used to store and retrieve preferences across sessions

  • Banner interaction data (whether the visitor dismissed, accepted, or customized)

  • OneTrust infrastructure cookies including OptanonConsent and OptanonAlertBoxClosed

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with OneTrust.

  • Recording and honoring visitor consent decisions for GDPR and CCPA compliance

  • Controlling which third-party scripts load based on consent category

  • Providing visitors with a preference center to manage their choices

  • Generating audit logs of consent decisions for regulatory documentation

  • Sending consent signals to downstream advertising and analytics platforms

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

OneTrust itself collects consent preference data under a legitimate business purpose: managing legal compliance obligations. The OptanonConsent cookie and its contents are functional to consent management and are typically classified as Strictly Necessary. However, your policy should still describe OneTrust's role so visitors understand why this infrastructure is present.

EU and UK (GDPR)

Under the GDPR, consent management infrastructure is generally classified as Strictly Necessary because it is required to fulfill legal obligations around consent. OneTrust processes consent decisions as a data processor under a data processing agreement. Your policy should describe that OneTrust is used to manage consent and that the consent preferences you record are stored by OneTrust on your behalf.

Example language

Illustrative policy language for OneTrust

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Consent management infrastructure row

OneTrust (OneTrust, LLC): Consent management platform that records and manages your cookie and privacy preferences. Stores your consent decisions in the OptanonConsent cookie so they can be applied across your visits. Category: Strictly Necessary (consent infrastructure).

Consent management platform disclosure paragraph

We use OneTrust, a consent management platform provided by OneTrust, LLC, to manage your preferences regarding cookies and other tracking technologies on this website. OneTrust presents our cookie consent banner and preference center, records your consent decisions, and communicates your choices to the other technologies operating on this website so that only the tools you have authorized are active during your visit. OneTrust stores your preferences using the OptanonConsent and OptanonAlertBoxClosed cookies, which are classified as Strictly Necessary because they are required to operate the consent mechanism itself. Without these cookies, we would be unable to remember your preferences across pages or sessions. OneTrust processes this information as a data processor under a data processing agreement with us and does not use consent preference data for its own commercial purposes. You can review and update your preferences at any time by clicking the Privacy Choices link in the footer of this website.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for OneTrust.

  1. OneTrust itself should be in the Strictly Necessary category and does not require user consent to load. The OptanonConsent cookie enables the consent mechanism and is functional, not optional.

  2. Your OneTrust vendor list should be kept current. Every third-party tool on your site should be mapped to a consent category. Unclassified tools are a primary source of consent compliance failures.

  3. Audit your OneTrust configuration with Consent Validator to confirm that tools categorized under Analytics, Advertising, or Functional do not fire in the reject state. A correctly documented policy is only as valuable as the technical enforcement behind it.

  4. If your site serves visitors in multiple regions with different consent requirements (opt-in vs opt-out), ensure that OneTrust's geolocation rules match your policy's regional section. Mismatches between documented rules and actual geolocation behavior are common.

  5. Honor GPC signals. OneTrust has configuration options to treat GPC as an opt-out signal. This should be enabled for properties serving California residents, and your policy should reflect that GPC is honored.

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between OneTrust privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies state that OneTrust controls all cookie and tracking consent decisions and that no non-essential tools load without visitor approval.

  • Policies describe that the correct consent banner displays to each visitor based on their jurisdiction.

  • Policies state that visitors can withdraw consent at any time using the Privacy Choices or cookie preference link.

  • Policies confirm that GPC signals are honored and treated as an opt-out of non-essential processing for California visitors.

What Lokker validates

  • OneTrust can only govern tools that are mapped to a consent category in its vendor list. Tags added via direct code or CMS plugins without an OneTrust entry operate outside the described consent framework. Lokker shows which endpoints are contacted before consent is granted.

  • OneTrust geo-rules determine banner behavior. If misconfigured, EU visitors may see an opt-out banner instead of an opt-in requirement, or no banner at all. Lokker can simulate requests from different IP regions to verify the actual banner and consent regime delivered.

  • Lokker tests whether the preference center link is functional across page types and whether changing a consent decision actually stops non-essential tools from firing in the same session.

  • Lokker sends a GPC signal header and checks whether OneTrust correctly triggers an opt-out state and whether tools classified as advertising or targeting actually stop firing when the GPC signal is present.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether OneTrust loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.

Questions

OneTrust privacy policy FAQ

Should OneTrust be listed in my privacy policy as a third party?
Yes, though its role is distinct from analytics or advertising third parties. OneTrust processes consent preference data as a data processor under a data processing agreement. Your policy should describe what OneTrust does (manages consent preferences and controls which tools load) and that it is infrastructure required for your consent compliance obligations.
What does the OptanonConsent cookie store?
The OptanonConsent cookie stores a visitor's consent decision in an encoded string that records which categories were accepted or rejected, the timestamp of the decision, the policy version in effect at the time, and an identifier for the consent configuration. This cookie is set by OneTrust's script and is used to apply the visitor's preferences on each subsequent page load and session.
Is my policy accurate if it says OneTrust controls all cookies and tracking?
It depends on whether your OneTrust vendor list is complete and whether all tags are routed through OneTrust consent categories. A common failure mode is that tags are added to the site through other channels (direct code, third-party scripts, CMS plugins) without a corresponding consent category in OneTrust. These tools fire regardless of the visitor's consent state, making the policy inaccurate. Regular audits of your actual tag inventory against your OneTrust vendor list are necessary to keep the policy accurate.
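The cookie contents described in the FAQ above and the reject-state check from the configuration checklist, as an added example that is not OneTrust's or Lokker's code: it parses a constructed OptanonConsent value (the key names groups, datestamp, version, consentId and isGpcEnabled, the C0001 to C0004 category codes, and all hostnames are assumptions to confirm against your own deployment) and compares hostnames observed in network requests against a vendor-list mapping, flagging tools that fire without an accepted category and tools with no mapping at all.

```javascript
// Added example, not OneTrust's or Lokker's code. Parses an OptanonConsent
// value and checks observed request hostnames against a vendor-list mapping.
// Assumptions: key names (groups, datestamp, version, consentId, isGpcEnabled)
// and the C0001..C0004 category codes; confirm them against your deployment.
const CATEGORY_NAMES = {
  C0001: "Strictly Necessary", C0002: "Performance",
  C0003: "Functional", C0004: "Targeting",
};

function parseOptanonConsent(cookieValue) {
  const params = new URLSearchParams(cookieValue); // value is key=value&... encoded
  const groups = {};
  for (const pair of (params.get("groups") || "").split(",")) {
    const [code, flag] = pair.split(":");
    if (code) groups[code] = flag === "1"; // "1" accepted, "0" rejected
  }
  return {
    consentId: params.get("consentId"),
    datestamp: params.get("datestamp"),
    version: params.get("version"),
    gpc: params.get("isGpcEnabled") === "1",
    groups,
  };
}

// vendorMap: hostname -> category code from your OneTrust vendor list.
// requests: hostnames contacted after the consent state was applied.
// A GPC signal is treated as an opt-out of every non-essential category.
function findConsentViolations(consent, vendorMap, requests) {
  const violations = [];
  const unmapped = [];
  for (const host of requests) {
    const code = vendorMap[host];
    if (code === undefined) { unmapped.push(host); continue; } // outside the framework
    if (code === "C0001") continue; // strictly necessary never needs consent
    const accepted = consent.groups[code] === true && !consent.gpc;
    if (!accepted) violations.push({ host, category: CATEGORY_NAMES[code] || code });
  }
  return { violations, unmapped };
}

// Constructed sample: a reject-all decision and the hosts seen on one page.
const SAMPLE_COOKIE = "isGpcEnabled=0&datestamp=Tue+Jan+09+2024+10%3A00%3A00" +
  "&version=202401.1.0&consentId=00000000-0000-4000-8000-000000000000" +
  "&groups=C0001%3A1%2CC0002%3A0%2CC0003%3A0%2CC0004%3A0";
const SAMPLE_VENDORS = { "cmp.example": "C0001", "analytics.example": "C0002", "ads.example": "C0004" };
const SAMPLE_REQUESTS = ["cmp.example", "analytics.example", "ads.example", "plugin.example"];

function auditSample() {
  return findConsentViolations(parseOptanonConsent(SAMPLE_COOKIE), SAMPLE_VENDORS, SAMPLE_REQUESTS);
}
```

In the sample, the two mapped non-essential hosts that fired after a reject-all decision are reported as violations, and plugin.example is reported as unmapped because it has no vendor-list entry at all.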


Validate technical compliance

Confirm that OneTrust fires only when it should

Confirm that OneTrust is actually blocking non-essential tags on reject, not just recording a preference, by validating at the network layer.