Implementing the OneTrust Cookie Banner

Make data privacy for your website simple with OneTrust, a privacy management and website cookie data classification solution. OneTrust offers a way for you to scan and classify cookies on your website, and a website cookie banner that tells users how their data is collected and used and lets them manage preferences and consent.

Ohio State has identified its privacy policy with regard to personal data and website cookies. Using OneTrust, your website can meet the requirements of the General Data Protection Regulation (GDPR) in the European Union and of the California Consumer Privacy Act (CCPA). Plus, your website visitors will enjoy increased transparency into the information collected by cookies. At Ohio State, the Privacy Team has partnered with Marketing Enablement to make it even simpler to get compliant, through Google Tag Manager.
 

What does the cookie banner look like on my site?

We're working on creating consistent experiences across Ohio State websites. The OneTrust cookie banner and supporting experience has been designed to assure your website users that they are navigating Ohio State. With OneTrust, there are 4 user interface (UI) components in this solution: the banner, the These videos and instructions will help you learn more about the cookie banner. 

How easy is OneTrust to implement?

Depending on the number of sites you manage and the number of cookies served, this is an easy solution to add to your pages.

Here are some answers to common questions

Q. What does the cookie banner look like to users?

There’s a working example at https://insights.osu.edu/. The banner will be slightly different according to a visitor's location, for instance, coming from the E.U. or Ohio.
 

Q. What sites need a cookie banner?

Marketing sites, utility sites, and information sites where we actively track or drop cookies need to have OneTrust added. There are some exception sites where anonymity for sensitive information is required. Examples: https://titleix.osu.edu or https://ombudsman.osu.edu/

Also, only sites that are public-facing need OneTrust. Intranets or sites behind a log-in do not offer the option to opt out of cookies.
 

Q. What about Ohio State sites someone else hosts for us?

All sites should be preparing for privacy management, so if you have a vendor operating a site for Ohio State, they, too, should have their own cookie-acceptance strategy.

If your site(s) are going to be rebuilt in the near future, it will be best to wait for the new site before going through this process. If the site is just being moved as is, it can be scanned now. If you normally work with third-party vendors to maintain your sites, can you work with them to get us the email address of who will be doing the work? We can get them the access they will need.

Q. I’m having trouble logging into OneTrust.

Let IT Support know if you have trouble. They can verify that you have the correct access.
 

Q. My site contains so many cookies. How do I even begin to know what these are for?

We know it’s an undertaking, but you should be tracking what information you’re tracking (no pun intended!). Ohio State site managers are ultimately responsible for the cookies served to site visitors. This could be a good time to clean house and delete cookies that are no longer serving a purpose.

The OneTrust tool will attempt to categorize most cookies for you. Focus on the list of uncategorized cookies. Consult this list of cookies with categories that other groups have found on their sites. Also, see the section of the implementation guide that discusses finding where cookies are being set on your site.
 

Q. Is there a faster way to locate YouTube or Vimeo embeds in my pages?

We have created a Monsido content policy that can scan your site, looking for these embeds. If you would like this added to your Monsido scan, please email Marketing Enablement to request: Add the OneTrust Cookie Check policy to my Monsido web scan.
 

Q. My site contains embedded YouTube videos, added by my content teams. How will they know how to add these?

One possible option would be to offer a content block or component that your site editors can use to add video embeds instead of directly pasting in the embed codes. We can also provide a web tool and/or API that can convert iframes into the correct format. Let us know if that would be helpful.
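
One way to find and convert these embeds, as an added example (not Ohio State's tool and not code from this page). It assumes OneTrust's convention of moving an iframe's `src` to `data-src` and adding an `optanon-category-<ID>` class; the function name, the host list and the category ID `C0004` are assumptions, so use the category your site assigned.

```javascript
// Hosts treated as third-party video embeds (assumed list; extend as needed).
const VIDEO_HOSTS =
  /^(?:https?:)?\/\/(?:[\w-]+\.)*(?:youtube\.com|youtube-nocookie\.com|youtu\.be|vimeo\.com)\//i;

// Hypothetical helper: rewrite live video iframes so they load nothing until
// consent is given. Handles quoted src attributes only; unquoted ones are skipped.
function blockVideoEmbeds(html, category = "C0004") {
  const cls = `optanon-category-${category}`;
  const found = [];
  const out = html.replace(/<iframe\b[^>]*>/gi, (tag) => {
    // "\ssrc" does not match "data-src", so already-converted embeds are left alone.
    const m = tag.match(/\ssrc\s*=\s*(["'])(.*?)\1/i);
    if (!m || !VIDEO_HOSTS.test(m[2])) return tag;
    found.push(m[2]);
    let fixed = tag.replace(m[0], () => ` data-src=${m[1]}${m[2]}${m[1]}`);
    const c = fixed.match(/\sclass\s*=\s*(["'])(.*?)\1/i);
    if (!c) {
      // No class attribute yet: add one right after the tag name.
      return fixed.replace(/^<iframe/i, () => `<iframe class="${cls}"`);
    }
    if (!c[2].split(/\s+/).includes(cls)) {
      const merged = `${c[2]} ${cls}`.trim();
      fixed = fixed.replace(c[0], () => ` class=${c[1]}${merged}${c[1]}`);
    }
    return fixed;
  });
  return { html: out, found };
}

// Constructed sample page fragment (not taken from any real site).
const SAMPLE = `
<p>Intro</p>
<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID" allowfullscreen></iframe>
<iframe class="video" src='//player.vimeo.com/video/000000'></iframe>
<iframe data-src="https://www.youtube.com/embed/VIDEO_ID" class="optanon-category-C0004"></iframe>
<iframe src="https://example.com/form"></iframe>`;

const result = blockVideoEmbeds(SAMPLE);
console.log(result.found); // embeds that still had a live src
console.log(result.html);  // converted markup
```

The `found` list doubles as an audit report: an empty list means every YouTube or Vimeo iframe in the input is already in the blocked form.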

Q. What if I don’t know how to classify a cookie or I am on the fence between two categories?

Check the list of common cookies and see if these have been classified for the group. That way, we can be consistent in how we are classifying the cookies.

Q. Do I have to instrument blocking on all cookie sources?

You must block any non-essential cookies that are set via on-page code. You can ignore any essential cookies or those that are served from the global Google Tag Manager (GTM) container, which are being managed/blocked by University Marketing.

Q. How can I test this, without causing problems for my site?

Don’t change anything for visitors while we are testing. We are starting with a version of the script that will not show a banner and will accept all cookies (current behavior). This is just to test that the script is unblocking tags correctly. 

Once all tags have been blocked and you have verified that they are being re-activated with OneTrust, we can turn on the banner version of the script, which will then show the banner for visitors. You will then have to add the snippet to each footer to allow users to change their cookie preferences as desired.

We will need to coordinate when the cookies are blocked and the banner version script can be turned on. We can control this on a site-by-site basis if necessary, but it is probably more efficient to change all your sites over once your changes are fully deployed.

Here's another way to test your banner. If you add a URL parameter of cookie_banner=full to the URL of a webpage using the Global container, it will load the full version of the banner so that you can fully test the banner without making it live for everyone. This will make it easier for you to test and may eliminate the need for us to activate the non-banner version of the script on your site for testing.

Here are the other options that are available. In each case, the parameter given will override whatever is set in GTM.

  • cookie_banner=full (production version)
  • cookie_banner=test (non-banner version)
  • cookie_banner=none (no OneTrust script will load; the Global container will load all tags)

Q. If my page is giving a 404 or a server error, do I still need to provide OneTrust for cookie management?

Yes, wherever we are tracking pages, this solution should be implemented.


About cookie banners

There are different ways sites deploy a cookie banner to inform users. The Ohio State experience is easily managed with scripts ready to deploy a cookie banner and preference management center.
 
Ohio State will serve the necessary consent collection based on a user’s IP location. European Union visitors will receive a GDPR-compliant experience. All others will receive a general cookie acceptance, which is also CCPA-compliant.

Example of a cookie banner at a website footer:
 
Two different sites are covered by the consent models:
 
  1. All University Sites (osu.edu) will be covered by the consent options for University GTM. Even though we have a vast network of subdomains, users perceive us as one site, so we will treat cookie consent as one site. Each site can specify and scan for its respective cookies.
  2. All Wexner Medical Center sites (wexnermedical.osu.edu) will be covered by a separate Medical Center GTM and consent. This gives patients and families greater peace of mind for the collection practices related to care.

     


Last Update: January 27, 2022