OneTrust is one of the most widely deployed consent management platforms in the enterprise. A configured banner is only the starting point. Lokker tests whether reject states, GPC signals, and opt-in flows actually stop data collection the way your legal team expects.
Consent Platforms
OneTrust is an enterprise platform for privacy and consent management that handles cookie banners, vendor categorization, preference centers, and regional consent rules for GDPR, CCPA/CPRA, and related regulations.
Trademark
OneTrust is a trademark of OneTrust, LLC. Lokker is not affiliated with or endorsed by OneTrust, LLC.
Quick answer
OneTrust is one of the most widely deployed consent management platforms (CMPs) for enterprise organizations. It provides cookie scanning, consent banner configuration, a preference center, TCF 2.2 publisher support, and integrations with Google Consent Mode v2. OneTrust helps organizations meet GDPR, CCPA/CPRA, and other privacy laws by giving visitors control over which categories of tracking are permitted. The platform does not guarantee compliance by itself: the consent banner must be correctly configured, cookies must be accurately categorized, and the reject and GPC states must actually prevent non-essential tracking at the network layer. Organizations commonly assume OneTrust is configured correctly without independently verifying what scripts fire in each consent state. Lokker validates OneTrust deployments by running automated consent flows and comparing network activity against what the banner configuration would predict.
Risk and failure modes
Even well-built OneTrust implementations drift. Vendor libraries update, marketing teams add pixels outside the review process, and geo-rules that worked at launch no longer match a growing property portfolio.
New third-party scripts added through tag managers or CMS updates often lack a consent category assignment. They fire in every state, including reject.
Global Privacy Control is a browser-level opt-out signal. Many OneTrust configurations treat GPC as advisory rather than actionable, which creates exposure in California and other states with GPC obligations.
OneTrust regularly releases script updates. Delayed upgrades can mean a mismatch between the consent logic in the banner and the behavior of individual vendor tags loaded alongside it.
Experimentation platforms and site personalization tools sometimes fire before OneTrust initializes, creating a window where data leaves the browser without a valid legal basis.
Consent and configuration
OneTrust manages the consent decision, but the network layer reveals what actually executes. Lokker validates the gap between configured intent and real browser behavior.
Cookie category assignments must map accurately to every script loaded on a page, including third-party dependencies.
Consent Mode v2 signals for Google properties need to be validated independently of what the OneTrust dashboard reports.
Preference center URLs and re-consent flows should be tested the same way as primary banner interactions.
Tag manager containers that fire scripts in preview or debug mode can leak data in production if publish controls are loose.
Healthcare organizations using Freshpaint alongside OneTrust should validate that Freshpaint is categorized under functional, analytics, or advertising consent and not as "essential" or "strictly necessary". See /topics/freshpaint for CMP categorization guidance.
Regional compliance
California law as amended by the CPRA requires opt-out rights for data sale and sharing for cross-context behavioral advertising, with specific obligations when GPC is detected. Most European jurisdictions require explicit opt-in before any non-essential processing. A single OneTrust configuration often needs to handle both, and the behavior in each region needs separate validation, not assumptions carried from one jurisdiction to another.
How Lokker helps
Lokker adds network-layer evidence to the configuration view OneTrust provides. Instead of trusting that the correct rules are in place, you see what actually fires across every consent state.
Consent Validator runs automated browser flows across no interaction, accept, reject, and GPC states and compares what loads in each, using the same pages your visitors see.
Privacy Edge scans every property on a regular cadence and surfaces changes in what fires, so you catch new uncategorized scripts before they become findings in an audit.
Guardian intercepts outbound scripts and pixels at the network layer and enforces trust rules defined in Privacy Edge, so misconfigured tags are blocked before data leaves the browser.
Explore Lokker
Each product links to its full details so you can explore features, view a demo, and understand how it applies to your OneTrust deployment.
Validation (Consent Validator)
Validates accept, reject, and GPC states against what OneTrust actually allows through.
Intelligence (Privacy Edge)
Scans your entire property portfolio and surfaces uncategorized scripts and consent drift.
Enforcement (Guardian)
Enforces trust rules at runtime so misconfigured tags cannot fire even when OneTrust allows them.
Side-by-side comparisons
Evaluating OneTrust alongside other options? Our comparison guides score each tool on privacy defaults, HIPAA BAA availability, GDPR data residency, GPC support, and consent compliance posture.
Privacy policy guidance
Our privacy policy disclosure guide explains what data OneTrust collects, how to describe it in a cookie notice or privacy policy, jurisdiction notes, and example language for discussion with counsel.
Frequently Asked Questions
OneTrust is a consent management platform (CMP) that provides cookie consent banners, preference centers, and privacy rights management tools. It helps organizations manage GDPR consent, CCPA opt-outs, and Global Privacy Control (GPC) signals. OneTrust scans websites for cookies and tracking technologies, allows administrators to categorize them, and then controls which categories are permitted to load based on visitor consent choices. It also handles data subject access requests and integrates with advertising platforms that require consent signals.
OneTrust is a GDPR-compliant platform in that it provides the tools needed to implement consent management under GDPR requirements, including opt-in consent, granular category control, and data subject rights workflows. However, using OneTrust does not automatically make your website GDPR compliant. Your OneTrust configuration must be correct: cookies must be accurately categorized, the consent banner must appear before non-essential tracking begins, and the reject state must actually prevent non-consented cookies from loading. Misconfigured OneTrust deployments that let cookies fire before or regardless of consent are a common finding in privacy audits.
Cookies or tracking scripts firing after a user rejects in OneTrust is typically caused by one of these configuration issues: the tag or cookie is assigned to the wrong OneTrust category and fires as functional when it should be categorized as analytics or advertising; the script loads from a tag manager that is not properly integrated with OneTrust's consent signals; or the OneTrust blocking rules are applied too late in the page load sequence. Diagnosing this requires network-layer inspection comparing what fires in the reject state versus the accept state, not just reviewing the OneTrust workspace configuration.
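The comparison described above, sketched as an added example (not Lokker's or OneTrust's code): it checks the hosts contacted in each consent state against what the recorded consent would predict. The hosts, the category IDs, the `groups=` cookie layout and the captures are constructed for illustration; substitute the values from your own deployment and network captures.

```javascript
// Constructed sample data: hosts, category IDs and captures are illustrative only.
const CATEGORY_BY_HOST = new Map([
  ["www.example.com", "C0001"],       // strictly necessary
  ["analytics.example.net", "C0002"], // analytics
  ["ads.example.org", "C0004"],       // advertising
]);
const ALWAYS_ACTIVE = new Set(["C0001"]);

// Read the granted groups from a consent cookie value such as
// "groups=C0001%3A1%2CC0002%3A0" (layout assumed for this example).
function parseGrantedGroups(cookieValue) {
  const groups = new URLSearchParams(cookieValue || "").get("groups") || "";
  const granted = new Set(ALWAYS_ACTIVE);
  for (const pair of groups.split(",")) {
    const [id, flag] = pair.split(":");
    if (id && flag === "1") granted.add(id);
  }
  return granted;
}

// Compare what loaded in one consent state with what the recorded consent predicts.
function auditState({ state, cookie, requests }) {
  const granted = parseGrantedGroups(cookie);
  const findings = [];
  for (const host of new Set(requests.map((u) => new URL(u).hostname))) {
    const category = CATEGORY_BY_HOST.get(host);
    if (!category) findings.push({ state, host, reason: "uncategorized" });
    else if (!granted.has(category)) findings.push({ state, host, reason: "fired-without-consent" });
  }
  return findings;
}

// One constructed capture per consent state: the cookie value and the request URLs observed.
const CAPTURES = [
  { state: "no-interaction", cookie: "", requests: [
    "https://www.example.com/", "https://experiments.example.net/assign"] },
  { state: "accept", cookie: "groups=C0001%3A1%2CC0002%3A1%2CC0004%3A1", requests: [
    "https://www.example.com/", "https://analytics.example.net/collect",
    "https://ads.example.org/pixel", "https://experiments.example.net/assign"] },
  { state: "reject", cookie: "groups=C0001%3A1%2CC0002%3A0%2CC0004%3A0", requests: [
    "https://www.example.com/", "https://analytics.example.net/collect",
    "https://experiments.example.net/assign"] },
  { state: "gpc", cookie: "groups=C0001%3A1%2CC0002%3A1%2CC0004%3A0", requests: [
    "https://www.example.com/", "https://ads.example.org/pixel"] },
];

console.table(CAPTURES.flatMap((capture) => auditState(capture)));
```

The uncategorized host appears in every state where it loads, including reject, which is the drift pattern the page describes; the reject and GPC rows show categorized tags firing despite the recorded choice.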
Next step
Lokker runs automated browser-level consent flows and scans the network layer to confirm whether OneTrust fires in states where it should not.