OneTrust is a leading consent management platform (CMP) and privacy governance suite used by over one million organisations worldwide to comply with GDPR, ePrivacy, CCPA, LGPD, and other privacy regulations. It provides a customisable cookie banner, a preference centre, and backend tools for data mapping, DSR automation, and privacy impact assessments. OneTrust loads a JavaScript SDK from cdn.cookielaw.org and sets two strictly necessary cookies to record visitor consent choices. As the consent mechanism itself, OneTrust is exempt from requiring prior consent and is treated as a strictly necessary service under ePrivacy.
OneTrust is a leading consent management platform (CMP) and privacy governance suite founded in 2016 and now used by over one million organisations worldwide. It enables businesses to collect, record, and demonstrate visitor consent for cookies and tracking technologies in compliance with GDPR, the ePrivacy Directive, CCPA, LGPD, and other data protection laws. Beyond cookie consent, OneTrust offers a complete privacy programme including automated cookie scanning, vendor risk assessments, data subject request (DSR) automation, privacy impact assessment workflows, and IAB TCF 2.2 support for programmatic advertising consent.
OneTrust is deployed by placing a JavaScript snippet in the site header that loads the OneTrust SDK from cdn.cookielaw.org. The SDK detects the visitor's jurisdiction via the geolocation.onetrust.com API and displays the appropriate consent experience for that region. It sets two first-party cookies: OptanonAlertBoxClosed records when the banner was last dismissed, and OptanonConsent stores a detailed string of the visitor's consent choices per category. Both cookies have a 12-month lifespan and do not require prior consent as they are strictly necessary for operating the consent mechanism.
Under the ePrivacy Directive, cookies strictly necessary for a service explicitly requested by the user are exempt from prior consent. The OneTrust consent tool falls into this category: it cannot function without storing consent records. European data protection authorities broadly support treating CMP-operational cookies as strictly necessary. OneTrust's GDPR-specific features include geo-targeted consent experiences (different banners per region), full consent logging with timestamps and version history, Consent Mode v2 integration for Google tags, prior blocking of non-consented scripts, and IAB TCF 2.2 compliance for advertising partners.
OneTrust is a US company headquartered in Atlanta, Georgia. By default, consent logs and configuration data are processed on US infrastructure delivered via Fastly CDN. OneTrust provides Standard Contractual Clauses (SCCs) and a Data Processing Agreement (DPA) to EU customers, which can be signed directly in the admin console. Enterprise plans offer EU data residency with processing and storage in European data centres, removing the cross-border transfer concern for organisations with strict data localisation requirements.
To configure OneTrust correctly for GDPR and ePrivacy compliance: run a cookie scan to discover all cookies before configuring categories; configure the banner to require explicit opt-in (no pre-ticked boxes) for non-essential categories; enable prior blocking so non-essential scripts do not load before consent is obtained; implement Google Consent Mode v2 if using Google tags; sign the OneTrust DPA in the admin console; enable consent logging to maintain an auditable record; update your privacy policy to reference OneTrust and each cookie category. Test the banner behaviour in each target country to verify geolocation rules apply correctly.
Deploying OneTrust as a CMP carries low inherent privacy risk. The tool processes consent preferences rather than sensitive personal data. A DPIA may become relevant when OneTrust's broader privacy programme features are used at scale: DSR portals handling subject access requests across large populations, vendor risk assessments involving special category data, or data mapping initiatives covering high-risk processing activities. In those cases, document OneTrust as a sub-processor in your records of processing activities (RoPA) and assess each processing activity individually.
Websites using OneTrust must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for deploying OneTrust as a CMP. It may be warranted in specific deployments where OneTrust's privacy programme features process large volumes of sensitive personal data, such as DSR workflows, vendor risk assessments, or data mapping involving special category data.
Sample consent text
This website uses OneTrust to manage your cookie and tracking preferences. OneTrust is a strictly necessary tool that records your consent choices and does not itself require your prior consent to operate. You can change your preferences at any time via the cookie settings link.
Third-party domains contacted
cdn.cookielaw.org
geolocation.onetrust.com
privacyportal.onetrust.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| OptanonAlertBoxClosed | Strictly Necessary | 12 months | Records the date and time the OneTrust cookie consent banner was last dismissed by the visitor |
| OptanonConsent | Strictly Necessary | 12 months | Stores the visitor's cookie consent choices per category as a URL-encoded string, used by OneTrust to enforce consent on subsequent page loads |
No. OneTrust is the consent management tool and is treated as strictly necessary under the ePrivacy Directive. The cookies set by OneTrust (OptanonConsent and OptanonAlertBoxClosed) record the visitor's consent decisions, and the consent mechanism cannot function unless they are set before consent is given. European DPAs broadly support this interpretation. No prior consent is needed to load the OneTrust script.
OneTrust sets two first-party cookies: OptanonAlertBoxClosed (12 months) records when the consent banner was last dismissed, and OptanonConsent (12 months) stores a detailed string encoding the visitor's consent choices per category. Both are strictly necessary for the CMP to function. No advertising or analytics cookies are set by OneTrust itself.
Yes. OneTrust integrates natively with Google Consent Mode v2 via its Google Tag Manager template or direct API integration. When configured, OneTrust passes consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) to Google tags in real time. This is mandatory for EU/EEA advertisers using Google Ads and GA4 since March 2024.
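The three mechanisms described on this page (reading the per-category consent string from the OptanonConsent cookie, prior blocking of non-consented scripts, and passing Consent Mode v2 signals to Google tags) can be illustrated with a small browser-side routine. The following is an added example written for this page; it is not OneTrust's SDK code nor anything the page quotes. Everything in it is an assumption made for illustration: the category identifiers C0001 to C0004 and their meanings, the `groups=ID:1|0` layout of the cookie value, the example.com script list, and the cookie header itself are all constructed. It does show the defensive behaviour a practitioner wants from prior blocking: with no cookie, or an unknown category, the script stays blocked and the Google signals are `denied`.

```javascript
// Added example (not OneTrust's code). Models the flow described on this page:
// consent cookie -> per-category decisions -> prior blocking + Consent Mode v2.
// All identifiers, cookie layout and URLs below are constructed assumptions.

// ASSUMED category IDs for this example; not OneTrust's documented values.
const CATEGORIES = {
  C0001: 'strictly_necessary',
  C0002: 'analytics',
  C0003: 'functional',
  C0004: 'advertising',
};

// Constructed script inventory: each script is tagged with the category it needs.
const SCRIPTS = [
  { src: 'https://example.com/analytics.js', category: 'C0002' },
  { src: 'https://example.com/ads.js', category: 'C0004' },
  { src: 'https://example.com/essential.js', category: 'C0001' },
];

// Pull one cookie's raw value out of a "Cookie:" style header (or document.cookie).
// The value may itself contain '=' and '&', so split only on the first '='.
function getCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) return trimmed.slice(name.length + 1);
  }
  return null;
}

// Parse the consent value. ASSUMED layout: a URL-encoded query string whose
// "groups" parameter holds comma-separated "<categoryId>:<1|0>" pairs.
function parseOptanonConsent(cookieValue) {
  const params = new URLSearchParams(cookieValue || '');
  const groups = params.get('groups') || '';
  const consent = {};
  for (const pair of groups.split(',')) {
    if (!pair) continue;
    const [id, flag] = pair.split(':');
    consent[id] = flag === '1';
  }
  // Strictly necessary is always on; a malformed cookie must not turn it off.
  consent.C0001 = true;
  return consent;
}

// Prior blocking: only scripts whose category is explicitly granted may load.
// Missing cookie or unknown category evaluates to undefined, i.e. blocked (fail closed).
function scriptsAllowedToLoad(consent, scripts = SCRIPTS) {
  return scripts.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Map category decisions onto the four Consent Mode v2 signals named on this page.
function consentModeV2Signals(consent) {
  const grant = (ok) => (ok ? 'granted' : 'denied');
  const ads = consent.C0004 === true;
  return {
    analytics_storage: grant(consent.C0002 === true),
    ad_storage: grant(ads),
    ad_user_data: grant(ads),
    ad_personalization: grant(ads),
  };
}

// End-to-end: read the cookie, decide what may load, build the Google signals.
// In a browser the page's gtag snippet defines window.gtag; here it is optional.
function applyConsent(cookieHeader) {
  const consent = parseOptanonConsent(getCookie(cookieHeader, 'OptanonConsent'));
  const allowedScripts = scriptsAllowedToLoad(consent);
  const signals = consentModeV2Signals(consent);
  if (typeof globalThis.gtag === 'function') {
    globalThis.gtag('consent', 'update', signals);
  }
  return { consent, allowedScripts, signals };
}

// Constructed sample: analytics granted, functional and advertising refused.
const SAMPLE_COOKIE_HEADER =
  'OptanonAlertBoxClosed=2024-05-01T10:00:00.000Z; ' +
  'OptanonConsent=datestamp=2024-05-01T10%3A00%3A00.000Z' +
  '&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A0%2CC0004%3A0';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(applyConsent(SAMPLE_COOKIE_HEADER), null, 2));
  console.log(JSON.stringify(applyConsent(''), null, 2)); // no consent yet
}
```

The fail-closed default is the point worth checking in any real deployment: before the visitor has interacted with the banner there is no OptanonConsent cookie, and a correct prior-blocking setup must then keep every non-essential tag unloaded and report `denied` to Google, exactly as the empty-header call above does.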
Yes, by default. Consent logs are stored on US infrastructure (Fastly CDN). OneTrust provides Standard Contractual Clauses and a DPA signable in the admin console. Enterprise plans offer EU data residency. For organisations with strict data localisation requirements, negotiate EU residency before deploying OneTrust.
Yes. OneTrust acts as a data processor when handling consent logs on your behalf. Sign the OneTrust Data Processing Agreement available directly in the admin console under Account Settings. Review the sub-processor list and SCCs. For enterprise plans requesting EU data residency, confirm this is reflected in the DPA.
Key configuration steps: (1) Run the OneTrust cookie scanner to categorise all cookies on your site. (2) Set the banner to require opt-in for non-essential categories. (3) Enable prior blocking so non-consented tags do not fire. (4) Implement Consent Mode v2 for Google tags. (5) Configure geotargeting to show GDPR banners to EU/EEA visitors and CCPA banners to California visitors. (6) Enable consent logging. (7) Update your privacy policy to disclose OneTrust and each cookie category.
A DPIA is generally not required for deploying OneTrust as a cookie consent tool. The risk is low because OneTrust processes consent preferences rather than sensitive personal data. A DPIA may be warranted if you use OneTrust's DSR portal, vendor risk management, or data mapping features at significant scale involving special category data. Document OneTrust as a sub-processor in your RoPA.
EU-based CMP alternatives include Axeptio (France), Didomi (France), Usercentrics (Germany), Cookiebot by Usercentrics (Denmark), and Tarteaucitron (France). These offer EU data residency by default, eliminating US transfer concerns. For WordPress-specific needs, Complianz (Netherlands) is a strong option. OneTrust with EU data residency configured is itself a compliant choice.