Background on the CCPA and Downstream Communication
Under the California Consumer Privacy Act (CCPA), businesses must provide consumers with a means for processing their opt-out of sale requests with options such as a "Do Not Sell" button or link on their web site. Businesses may sell consumer data through advertising and tracking cookies on the consumer's browser. Likewise, businesses may also sell consumer data which is collected and stored in external systems or customer relationship management (CRM) platforms.
If the sale of data is handled via advertising cookies, then a cookie banner implementation to manage consumer consent may suffice. However, if a business needs to communicate with downstream systems when a consumer exercises their right to opt out of the sale, then that preference must be shared with and upheld by those downstream entities.
The Request Submission Event feature is a supported solution for integrating "Do Not Sell" requests with downstream system communication. When consumers submit their request through a web form, an iframe and event listener will communicate a PostMessage event that tells your site (the parent page) which URL to expect and what event data is shared by the child page (your company's branded web form). Consumers will not be able to see the "Do Not Sell" button or link on the parent company site after their web form submission. This should indicate to the consumer that the request was submitted successfully and that the fulfillment process has started.
Customer Requirements
Whitelist Target URLs
OneTrust web forms can be embedded on a variety of web sites. To prevent phishing or scam attempts, Request Submission Event requires specification of which website the web form will be embedded on or the website that will be expecting the event.
You will need to identify these Target URLs in the web form settings when enabling Request Submission Event.
Web Form Settings
- Go to the Settings tab in the Web Form Customization screen of your desired web form.
- In the Web Form Security section, enable the Post an Event on Click of Submit Button setting. The Target Window URL(s) block appears.
- Enter the base URL of the website that should expect the event in the Target Window URL(s) field.
  Note
  Click the Add icon button to safelist additional URLs.
- Click the Save button.
- Click the Publish button to update your changes.
Note
The following documentation uses sample scripts to demonstrate an implementation approach. Specific script implementation is up to your organization's discretion and business needs.
HTML Source and Event Listener Script
- Generate a link of your published web form.
- In your "Do Not Sell" HTML, update the iframe's source URL with the published web form link.
  <iframe
    src="https://privacyportal-staging-cdn.1trust.ninja/dsarwebform/6025b9cb-78fb-4863-b4e9-0a2a6b1012c7/fcaa66b9-f001-4789-82b0-90863bd6cbd5.html"
    style="width: 100%; height: 600px;"
  ></iframe>
- For the event listener script, update the event.origin script with the event origin URL the parent site should expect. This should be the web form URL that is embedded in an iframe on the parent site.
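  <script>
    // Listen for the Request Submission Event posted by the embedded web form.
    window.addEventListener("message", function (event) {
      // Replace with the origin of your published web form (the iframe's source).
      if (event.origin !== 'https://privacyportal-staging-cdn.2trust.ninja') {
        // something from an unknown domain, let's ignore it
        return;
      }
      alert("received msg from web form: " + event.data);
    });
  </script>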
- Save your HTML.
Note
You may need to refresh your parent page for the changes to take effect.
Message Content
When the web form is submitted, the payload will contain metadata in the user's preferred language about the request such as request type, country, and state. However, no personally identifiable information (PII) will be shared in the message payload.
Note
When geolocation details are shared, such as country or state, OneTrust does so using the ISO 3166 code standard (e.g. California = CA; United States = US).
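The origin check and message payload described above, combined into a stricter parent-page handler. This is an added example, not OneTrust's own script: it compares the origin exactly, confirms the sender is the embedded form's window, and keeps only expected payload fields. The payload field names (requestType, country, state), the single-iframe lookup and the do-not-sell-link element id are assumptions.

```javascript
// Added example. ALLOWED_ORIGIN is the origin of the iframe src shown on this page.
// The payload field names below are assumptions, not a documented OneTrust schema.
const ALLOWED_ORIGIN = "https://privacyportal-staging-cdn.1trust.ninja";
const EXPECTED_FIELDS = ["requestType", "country", "state"]; // hypothetical names

// Pure decision function (no DOM access) so it can be unit-tested.
// formWindow is the contentWindow of the iframe that hosts the web form.
function validateSubmissionEvent(event, formWindow) {
  // 1. Exact origin comparison; prefix or substring checks match look-alike hosts.
  if (event.origin !== ALLOWED_ORIGIN) {
    return { accepted: false, reason: "origin" };
  }
  // 2. The sender must be the embedded form itself, not another frame or popup.
  if (event.source !== formWindow) {
    return { accepted: false, reason: "source" };
  }
  // 3. Treat the payload as untrusted: accept a plain object or a JSON string.
  let data = event.data;
  if (typeof data === "string") {
    try {
      data = JSON.parse(data);
    } catch {
      return { accepted: false, reason: "payload" };
    }
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { accepted: false, reason: "payload" };
  }
  // 4. Copy only the expected short string fields; drop everything else.
  const clean = {};
  for (const key of EXPECTED_FIELDS) {
    if (typeof data[key] === "string" && data[key].length <= 64) clean[key] = data[key];
  }
  return { accepted: true, reason: "ok", data: clean };
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.querySelector("iframe"); // assumes one iframe on the page
  window.addEventListener("message", (event) => {
    const result = validateSubmissionEvent(event, frame.contentWindow);
    if (!result.accepted) return;
    // Hide the "Do Not Sell" link; the element id is hypothetical.
    const link = document.getElementById("do-not-sell-link");
    if (link) link.hidden = true;
    // Forward result.data to your downstream systems here.
  });
}
```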