OneTrust cookies are first-party cookies, unless otherwise specified, with a path set to the domain scanned and associated with your banner script. These cookies are dropped when the OneTrust Banner is integrated and are necessary for it to function. Each OneTrust cookie is dropped in a particular scenario explained below in detail.
Note
There is a cookie attribute named SameSite, which allows developers to explicitly declare the intent of a cookie’s scope. OneTrust Cookies are set to SameSite Lax. For more information, see Setting SameSite Cookies.
HttpOnly is never set for OneTrust Cookies due to the nature of the HttpOnly attribute. If this attribute is set, the cookie will not be accessible to the JavaScript.
This first-party cookie fires on a website when the OneTrust Banner CDN is deployed on that site. The consent status of a visitor is indicated using the first party OptanonConsent cookie.
When test scripts are placed on any site, the OptanonConsent cookie is dropped on the browser and is written to the domain where scripts are placed, not necessarily the domain for which the script was generated.
Example Scenario
The website onetrust.com is scanned in the OneTrust tool. The test scripts for onetrust.com are placed on a different website, onetoso.com. Notice that when test scripts are leveraged, the cookie is written to the domain where it is deployed, in this scenario it is onetoso.com.
Below, the Network tab shows that the domain scanned in the tool is onetrust.com and the ScriptType utilized on the page https:onetoso.com/domain1.html is TEST.
When production scripts are placed on a site, the OptanonConsent cookie is dropped on the browser and is written to the domain for which the script is specific to. In this scenario, if the domain scanned is onetrust.com and production scripts are placed on the live website (www.onetrust.com) and/or its sub-domains, the cookie is written to the root domain (.onetrust.com).
The below network call [data domain script].json provides information in detail.
Every domain scanned in the OneTrust tool will have a unique data-domain-script ID associated. The network call [data domain script].json will be generated with that data-domain-script ID associated with the scanned domain.
The value of the OptanonConsent cookie can be decoded within the Developer Tools section of your browser by checking the Show URL decoded box for a cookie value.
Decoded Example Cookie
isGpcEnabled=0&datestamp=Mon+Mar+27+2023+22:48:10+GMT-0400+(Eastern+Daylight+Time)&version=202303.1.0&browserGpcFlag=0&isIABGlobal=false&hosts=&consentId=6fcfe4fe-8de9-4101-bdf9-5dad0faf2611&interactionCount=0&landingPath=https://onetoso.com/domain1.html&GPPCookiesCount=1&groups=C0001:1,C0003:1,SSPD_BG:1,C0004:1,C0002:1&geolocation=US;MI&AwaitingReconsent=true
When consent is given or a necessary user interaction is performed per configuration, the script sets a first party cookie called OptanonAlertBoxClosed.
User Interactions on the Banner and Preference Center
This cookie is used to determine if a visitor should be shown the Banner. It is persistent and has a default lifespan of one year.
Note
The frequency at which you require your users to reconsent (the cookie's expiration) is determined by the Reconsent will occur after field in . For more information, see Configuring Geolocation Rules.
When OptanonAlertBoxClosed is dropped on a browser, it indicates an interaction from the user and that the banner will not be shown until the expiration of the cookie.
For example:
Once the OptanonAlertBoxClosed cookie expires and the value of OptanonConsent is reset completely to the default preferences, surfacing the Banner again for the user to interact:
Scenario 1
Show Banner is disabled in the geolocation rule, and the Preference Center is surfaced via footer link:
Scenario 2
Show Banner is enabled in the geolocation rule.
This cookie is dropped on a browser when the IAB CCPA script is deployed on your site. This cookie is read by third-party vendors to action consent.
For more information, see IAB CCPA: Configuring the US Privacy String with Cookie Consent.
The string consists of four digits: an integer and three Y/N boolean values. Hypens are used if the string is not applicable in the particular geolocation that the user is visiting from. Below are several examples of the privacy string with descriptions of each digit.
It is mandatory to specify the geolocation in which the IAB CCPA framework will be applicable. The options are as follows:
All (Global)
US (United States Only)
CA (California Only)
If the user is located outside of the specified geolocation, the value of the usprivacy string includes hypens (1---) indicating the IAB CCPA framework is not applicable in that user’s area.
Used to store IAB TCF v2 preferences if the consent policy setting Set Global EU Consent is enabled in .
Note
Support for IAB Global scope is deprecated in version 6.22. This deprecation enhances compliance with IAB TCF 2.0 requirements. If you previously had global scope enabled, it has been disabled and you should re-publish any domain scripts.
Used to store IAB TCF v2 preferences. Because the IAB global scope is deprecated, Set Global EU Consent has been disabled. This will be a first party cookie and the OptanonConsent cookie’s isIABGlobal value will be set to false. The cookie’s lifespan is one year by default.
The cookie value is an encoded consent string that vendors registered with the IAB framework can read to determine users’ consent. The size of this string can impact performance on your site if it gets too large, so it is recommended that you only enable ad tech vendors that you’re working with in your IAB Vendor List.
For more information on managing your IAB Global Vendor List, see Managing the IAB TCF Global Vendor List.
For more information on eupubconsent-v2, see IAB TCF 2.0 Consent String.
The string containing the vendors can be decoded using tools such as an IAB Decoder .
OTAdditionalConsentString
This cookie drops on the browser when Google Additional Consent mode is enabled within a template. For more information, see Using Google Additional Consent.
The additional consent (AC) string is stored in this first party cookie. The AC String is comprised of the following:
Part 1: A specification version number, such as "1";
Part 2: A separator symbol "~"
Part 3: A dot-separated list of user-consented Google Ad Tech Provider (ATP) IDs. Example: "1~1.35.41.101"
The expiration of the cookie is the same as the OneTrust cookies and also depends on the re-consent frequency defined in the associated geolocation rule.
For example, the AC string "1~1.35.41.101" means that the site visitor has consented to Google ATP Vendors with IDs 1, 35, 41 and 101, and the string is created using the format defined in the v1.0 specification
Note
The size of this cookie can impact site performance if it becomes too large so it is recommended to only enable vendors that you are actively working with.
OneTrustWPCCPAGoogleOptOut
The cookie is set based on user consent from the otCCPAiab.js. This cookie has a value of true or false, based on if the user opts in or out of the otCCPAiab associated category.
If user has opted out of cookie category associated with IAB CCPA, the cookie value is set to true.
If the user has opted in to the cookie category associated with IAB CCPA, the cookie value is set to false.
This cookie is only set when the script src is the Google Ad Manager URL, which is the default script for IAB CCPA implementation. More information is available here.
For more information, see IAB CCPA: Configuring the US Privacy String with Cookie Consent.
This cookie isn’t written by OneTrust, but it is included with our script. Description from Cookiepedia:
Cookie associated with sites using CloudFlare, used to speed up page load times. According to CloudFlare it is used to override any security restrictions based on the IP address the visitor is coming from. It does not contain any user identification information.
Note
This cookie has been deprecated by CloudFlare. For more information, see Deprecating the __cfduid Cookie. You can confirm this by viewing the cookies set on a site with a OneTrust CDN. If you are still seeing this cookie within your tenant and/or in a live cookie list, rescan the domain(s) to which the cookie belongs. The cookie should no longer be picked up in a scan.
