Implementing the OneTrust Cookie Banner

Q. What does the cookie banner look like to users?

There’s a working example at https://insights.osu.edu/ The banner will be slightly different according to a visitor's location, for instance, coming from the E.U. or Ohio. 
 

Q. What sites need a cookie banner?

Marketing sites, utility sites, Information sites where we actively track or drop cookies need to have OneTrust added. There are some exception sites where anonymity for sensitive information is required. Examples https://titleix.osu.edu or  https://ombudsman.osu.edu/  

Also, only sites that are public-facing need OneTrust. Intranets or sites behind a log-in do not offer the option to opt out of cookies.
 

Q. What about Ohio State sites someone else hosts for us?

All sites should be preparing for privacy management, so if you have a vendor operating a site for Ohio State, they, too, should have their own cookie-acceptance strategy.

If your site(s) are going to be rebuilt in the near future it will be best to wait for the new site before going through this process. If the site is just being moved as is, it can be scanned now. If you normally work with 3rd party vendors to maintain your sites, can you work with them to get us the email address of who will be doing the work? We can get them the access they will need.

Q. I’m having trouble logging into OneTrust.

Let IT Support know if you have trouble. They can verify that you have the correct access.
 

Q. My site contains so many cookies. How do I even begin to know what these are for?

We know it’s an undertaking, but you should be tracking what information you’re tracking (no pun intended!). Ohio State site managers are ultimately responsible for the cookies served to site visitors. This could be a good time to clean house and delete cookies that are no longer serving a purpose.

The OneTrust tool will attempt to categorize most cookies for you. Focus on the list of uncategorized cookies. Consult this list of cookies with categories that other groups have found on their sites.  Also, see the section of the implementation guide that discusses finding where cookies are being set on your site.
 

Q. Is there a faster way to locate YouTube or Vimeo embeds in my pages?

We have created a Monsido content policy that can scan your site, looking for these embeds. If you would like this added to your Monsido scan, please email marketing enablement to request: Add the OneTrust Cookie Check policy to my Monsido web scan.
 

Q. My site contains embedded YouTubevideos, added by my content teams. How will they know how to add these?

One possible option would be to offer a content block or component that your site editors can use to add video embeds instead of directly pasting in the embed codes. We can also provide a web tool and/or apithat can convert iframes into the correct format. Let us know if that would be helpful.

Q. What if I don’t know how to classify a cookie or I amon the fence between two categories? 

Check the list of common cookies and see if these have been classified for the group. That way, we can be consistent in how we are classifying the cookies.

Q. Do I have to instrument blocking on all cookie sources?

You must block any non-essential cookies that are set via on-page code. You can ignore any essential cookies or those that are served from the global Google tag manager (GTM) container, which are being managed/blocked by University Marketing. 

Q. How can I test this, without causing problems for my site?

Don’t change anything for visitors while we are testing. We are starting with a version of the script that will not show a banner and will accept all cookies (current behavior). This is just to test that the script is unblocking tags correctly. 

Once all tags have been blocked and you verified that they are being re-activated with OneTrust, we can turn on the banner version of the script which will then show the banner for visitors. You will then have to add the snippet to each footer to allow users to change their cookie preferences as desired. 

We will need to coordinate when the cookies are blocked and the banner version script can be turned on. We can control this on a site by site basis if necessary, but it is probably more efficient to change all your sites over once your changes are fully deployed.  

Here's another way to test your banner. If you add a URL parameter of cookie_banner=full to the URL of a webpage using the Global container, it will load the full version of the banner so that you can fully test the banner without making it live for everyone. This will make it easier for you to test and may eliminate the need for us to activate the non-banner version of the script on your site for testing.

Here are the other options that are available. In each case, the parameter given will override whatever is set in GTM.

• cookie_banner=full (production version)
• cookie_banner=test (non-banner version)
• cookie_banner=none (no OneTrust script will load– Global container will load all tags)

Q. If my page is giving a 404 or a server error, do I still need to provide OneTrust for cookie management?

Yes, wherever we are tracking pages, this solution should be implemented.