OneTrust is privacy, security, and data governance software that marketing uses as our privacy and compliance solution on our websites. The marketing operations team works closely with our legal team and is primarily responsible for our privacy and compliance on our websites including cookie preferences.
To access OneTrust, please create an access request. OneTrust is provisioned through Okta SSO via a Google group. A user is added via the Google group, which is directly connected to Okta SSO and OneTrust. All users are added as a Project Manager. Please specify the role needed in OneTrust in the access request so it can be updated once you have access. See system default roles available below.
Custom roles can also be created. More in this support article (login required).
See the epic for more information.
The scanner simulates a user from Ireland (where OneTrust servers are located).
www. If you scanned a domain with www it will not capture domains with prefixes.
GitLab organization to assign the domain scan to.
More Details, you have additional options to use in the scan including limiting the scan to a number of pages (default is 1,000), limiting to a specific path within the site, clearing previous scan history, scanning pages with query parameters, targeting pages to scan within the site, or including sitemap URIs.
In the list of websites that have been scanned, you can hover over any domain and click the 3-dot icon on the right-hand side. Clicking this icon provides additional options for that particular website scan including:
Inspect feature in Google Chrome
about.gitlab.com 2 separate domains with this option enabled.
name=first,name=last. Separate multiple parameters with commas. The scan will search through the domain with those noted parameters. Ensure the domain you enter includes ? at the end of the URL.
https://; use case: certain pages that might not be accessible to users or you want to scan this specific web page. For multiple pages, add a line break.
When a scan is completed, you can view the results by clicking into the scan from the Websites menu. You'll be taken to a scan dashboard that visualizes the results of the scan, which includes information about:
Show dropdown, you can view a summary of all scans for that particular domain and view previous individual scans with a date/time stamp.
From the main scan results page, you can also select these 6 categories to dive further into those specific results.
View categories of cookies including the name of the specific cookie. This information comes from and is compared to OneTrust's cookie database (cookiepedia.co.uk). You can export these results by clicking Export in this view. After clicking Export you can choose the specific scan to export results from. When the export is ready for download, a notification will appear within the OneTrust tenant as the bell icon in the top-most menu.
From the bell icon, you can download the results (
Categorizations in the left-hand menu of the cookie compliance module.
These cookie categories are standard and the defaults provided by OneTrust:
You also have the ability to create a new cookie category.
Cookies in the Unknown category need to be categorized manually with help from developers, third-party vendors, or through a Google search.
Cookies tab under the
Edit Cookie overlay, you can select a different category for the cookie, add a description for the cookie, update the lifespan of the cookie, note whether it's a first-party or third-party cookie, and select the domains to manually assign the cookie to. Changing the lifespan of the cookie is for auditing purposes and does not change the functionality on the website.
Add Cookie to manually add a cookie and input all the information regarding that cookie from step 4. Note: Host is not necessarily the domain where the cookie is but where the cookie is hosted. This will not add the cookie to the domain you input, but rather an existing cookie on the domain that is not part of the audit.
Add New Template.
Most popular: Flat, bottom position
Colors are in RGB or hexadecimal code.
There are also options for custom CSS (not available in preview).
allow all button, show cookie settings button, cookie settings button name, cookie settings button style (link or button), show reject all button, show
Select the languages which you want to localize the cookie banner to. Also select the default language. You can set up different cookie banner options by language. Ensure that the language matches our policies. Toggling the show advanced languages option shows country-specific versions of languages.
styling, you can choose to override the styling from the cookie banner to have a different styling for the preference center. This includes an option to add a logo and changing the accordion type for the cookie categories.
Notice there are different options in the preference center under layout as well. Depending on the options chosen, some features may not be available (example: choosing the tab layout removes the accordion feature for the cookie categories). Custom CSS is also available for the preference center.
There are options for WCAG (Web Content Accessibility Guidelines) best practices for accessibility in the preference center.
Show cookies list to show a link to the user with cookie details related to the category they selected in the preference center.
You can group the cookie categories as well as add another group of cookie categories for a better user experience (example: new group called "ads" with the targeting and social media cookie categories grouped underneath).
This is the comprehensive list of cookies that is available to the user to view. In styling, you can adjust color options for title, cookie group name, table header text, table header background, and primary text. Toggle the table format on or off. There are options for custom CSS here as well. In content, you can adjust the options for the cookie list title, description, host, cookies column, and cookies used label. Toggle the show lifespan on or off.
Ensure any changes you make are approved by legal and saved within the OneTrust tenant.
Geolocation Rules in the cookie compliance menu.
Default Consent Policy exists out of the box.
Create New to create a new geolocation rule group.
rule group details, a default global rule exists which would apply these settings globally regardless of country. To add a country or region specific rule, click Add rule and update the options accordingly.
Show Banner on or off. If unchecked, no banner will display but settings take effect.
Do Not Track by the cookie category.
Behaviors you can toggle the behavior for this rule in conjunction with the cookie banner and whether that particular behavior will accept all cookies or not as well as closing the banner.
Assign to Domains.
Scripts in the left menu of the
Test scripts are available to roll out new changes. The test scripts are not domain specific. The test script matches the production script functionality except:
Publishing the test scripts will not affect the live production scripts.
Production scripts are for use in live websites. Fastest page load speed. Published changes will take up to 4 hours to show.
The script tags need to be placed as the first element in the <head> of the site. It is important that the OneTrust script is placed before other scripts on the site to ensure users have a chance to consider their cookie preferences before cookies are potentially dropped on their machines.
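A check for the placement rule above, as an added example that is not code from the original page or from OneTrust: it parses a page and reports whether the consent script is the first element in <head> and which scripts load before it. The marker host cdn.example-consent.test and both sample pages are constructed placeholders; substitute a substring of the script URL copied from the tenant.

```python
from html.parser import HTMLParser

# Assumption: the consent script is recognised by a substring of its src.
# The host below is a constructed placeholder, not a value from the page.
CONSENT_MARKER = "cdn.example-consent.test"


class HeadOrderAudit(HTMLParser):
    """Collects (tag, src) for every element opened inside <head>, in order."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_elements = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif self.in_head:
            self.head_elements.append((tag, dict(attrs).get("src")))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_head(html, marker=CONSENT_MARKER):
    """Report whether the consent script leads <head> and what runs before it."""
    parser = HeadOrderAudit()
    parser.feed(html)
    elems = parser.head_elements
    idx = next((i for i, (tag, src) in enumerate(elems)
                if tag == "script" and src and marker in src), None)
    if idx is None:
        return {"present": False, "first_in_head": False, "scripts_before": []}
    before = [src or "<inline>" for tag, src in elems[:idx] if tag == "script"]
    return {"present": True, "first_in_head": idx == 0, "scripts_before": before}


# Constructed sample pages.
GOOD = ('<html><head><script src="https://cdn.example-consent.test/consent.js">'
        '</script><meta charset="utf-8"><script src="/analytics.js"></script>'
        '</head><body></body></html>')
BAD = ('<html><head><meta charset="utf-8"><script>window.dataLayer=[]</script>'
       '<script src="/analytics.js"></script>'
       '<script src="https://cdn.example-consent.test/consent.js"></script>'
       '</head><body></body></html>')

if __name__ == "__main__":
    for name, page in (("good", GOOD), ("bad", BAD)):
        print(name, audit_head(page))
```

Any entry in scripts_before is a script that can set cookies before the visitor has seen the banner, so a non-empty list is the finding to act on even when the consent script is present.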
Scripts implemented in root domains are also applied to subsequent subdomains and paths. Scripts implemented on subdomains are only applied to subdomains.
In order to push changes to production, click Publish Production Scripts and note any changes to the script as you may have to re-copy and re-implement the script in the <head> of the site.
Publish Test. Here you can choose which version of the script to publish. You will also be alerted to which features may or may not be compatible with a script version including the field name, old value, and new value. Click
Here you can confirm the publication settings of the script. Note: enabling or disabling some of these settings may change the embed script and would have to be re-implemented on the site.
off, all languages will be published
on, the banner template HTML and CSS will not be fetched from server as the
on, the preference center template HTML and CSS will not be fetched from server as the
Publish Test Scripts. Implement the script into the HTML of your staging site.
This will display either Do Not Sell My Data button or Cookie Settings button based on where the site visitors come from according to the geolocation rule group associated with the domain. The script has a class that can be customized through CSS.
These two methods initialize the OneTrust Publisher SDK. The initializeOneTrustPublishersSDK method fetches all of the resources configured in geolocation rules, templates, and vendors. The loadPreferenceCenter method is used to load the banner or preference center. By passing in true, the preference center will always load. By passing in false, the banner will be displayed for initial consent and re-consent.