Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
TrustArc is a Consent Management Platform (CMP) and privacy management software offering cookie banners, IAB TCF v2.2 integration, DSAR workflows and assessment automation.
TrustArc is a privacy and consent management platform operated by TrustArc Inc., headquartered in San Francisco (formerly TRUSTe). The platform combines a Consent Management Platform (cookie banner, IAB TCF v2.2 vendor list, geolocation rules), a Privacy Management dashboard (records of processing, DPIA automation, DSAR workflows, assessments), training modules and a TrustArc Seal certification programme.
The TrustArc cookie banner sets first party cookies on the publisher domain (notice_preferences, notice_behavior, notice_gdpr_prefs, notice_preferences) plus the IAB TCF v2.2 cookie (euconsent-v2) when the publisher participates in the TCF. The cookies store the user consent decision, the consent date, the displayed banner version and the granted purposes. TrustArc also drops cmapi_* cookies on trustarc.com to synchronise consent across multiple publisher domains under the same TrustArc account.
The CMP cookies that store the user consent decision are considered strictly necessary by CNIL, EDPB and ICO and fall under the exemption of article 5(3) ePrivacy. No prior consent is therefore required to set them. However the banner must offer an unambiguous Reject All button on the same layer as Accept, the choices must be specific and granular, and the banner must not pre tick any non essential cookie. The TCF integration must comply with the IAB Europe TCF v2.2 specification.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
TrustArc is a registered IAB Europe CMP and supports the TCF v2.2 signal. When the publisher participates in the TCF, the euconsent-v2 cookie is set and the TC string is propagated to advertising vendors. Note that the Belgian APD ruled in 2022 that the TCF v1.1 was non compliant and IAB Europe adjusted the framework to TCF v2.2. Publishers should keep the TrustArc CMP integration up to date and verify that the vendor list matches their actual partner stack.
TrustArc Inc. is US based. The CMP responses are typically served from a global edge network, with an EU hosting option for the Privacy Management platform. Transfers rely on EU SCCs and the EU US Data Privacy Framework when TrustArc Inc. is certified. The TCF v2.2 consent record is stored on the user device, but TrustArc may keep a server side audit log for evidence purposes.
Sign the TrustArc DPA with EU SCCs. Configure the banner with Accept All, Reject All and Personalise on the first layer. Disable pre ticked boxes. Map non essential cookies to specific purposes. Activate the EU hosting option for the Privacy Management platform when handling EU subject data. Audit the TCF vendor list every quarter. Categorise TrustArc cookies as Strictly Necessary in your cookie policy and explain why they are exempt from prior consent.
Websites using TrustArc must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the CMP cookies themselves (which fall under the strictly necessary exemption), but the broader TrustArc Privacy Management platform that processes DSAR requests, assessments and data inventories may justify a DPIA when handling sensitive personal data.
Sample consent text
We use TrustArc as our Consent Management Platform to collect and record your cookie preferences. TrustArc sets a single cookie storing your consent decisions, which is required by GDPR to demonstrate that we obtained valid consent. This CMP cookie is strictly necessary and is set without a separate consent request.
Third-party domains contacted
trustarc.comtrust-svc.nettruste.comconsent.trustarc.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| notice_preferences | Strictly Necessary | 1 year | Stores the user cookie consent preferences (purposes accepted, refused, granular choices) for the TrustArc banner. |
| notice_behavior | Strictly Necessary | 1 year | Stores the user banner interaction state (banner dismissed, link clicked) to avoid re-displaying the banner on every page. |
| notice_gdpr_prefs | Strictly Necessary | 1 year | Stores the GDPR specific consent preferences set in the TrustArc Preference Center. |
| euconsent-v2 | Strictly Necessary | 13 months | IAB Europe TCF v2.2 standard consent string that records the user vendor and purpose choices for participating advertising partners. |
| cmapi_* | Strictly Necessary | 13 months | TrustArc cookie set on trustarc.com to synchronise consent across multiple publisher domains under the same TrustArc account. |
TrustArc is an essential service, but transparency matters. Manage all your consent with FlowConsent.
TrustArc sets first party cookies on the publisher domain (notice_preferences, notice_behavior, notice_gdpr_prefs) plus euconsent-v2 when the publisher uses the IAB TCF v2.2 module. Third party cookies cmapi_* can be set on trustarc.com to synchronise consent across multiple publisher domains.
No. CMP cookies that store the user consent decision are strictly necessary and fall under the article 5(3) ePrivacy exemption. They can be set without a prior consent request.
Legitimate interest (article 6(1)(f) GDPR) and legal obligation (article 6(1)(c) GDPR) for the CMP cookies that document compliance with GDPR consent obligations.
TrustArc Inc. is US based. CMP responses are served from a global edge network. Transfers rely on EU SCCs and the EU US Data Privacy Framework when TrustArc is certified.
A DPIA is generally not needed for the CMP itself. The broader TrustArc Privacy Management platform (DSAR workflows, assessments) may justify a DPIA when handling sensitive personal data at scale.
Configure Accept All, Reject All and Personalise on the first layer. Disable pre ticked boxes. Map non essential cookies to specific purposes. Activate EU hosting. Audit the TCF vendor list. Sign the TrustArc DPA with EU SCCs.
Didomi (Paris), OneTrust (US/UK), Cookiebot (Cybot, Denmark), Usercentrics (Munich), Iubenda (Italy), Axeptio (Lyon), CookieFirst (Netherlands), Quantcast Choice (US/UK). All offer IAB TCF v2.2 support, EU hosting and granular controls.
List the notice_preferences, notice_behavior, notice_gdpr_prefs cookies as Strictly Necessary. Document the euconsent-v2 cookie if TCF is used. Identify TrustArc Inc. as processor in the privacy notice and explain why the CMP cookies are exempt from prior consent.