OneTrust Consent Management Platform and Data Protection – What Website Operators Need to Know

Compact guide to OneTrust CMP: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

If a website operator uses OneTrust as a Consent Management Platform (CMP), OneTrust processes data for the purpose of managing user consents and data protection compliance, on the basis of legitimate interests and partly on the basis of consent. OneTrust is a data protection and compliance platform that enables website operators to manage cookies, tracking tools and other data-processing services and to document consent records. This article is aimed at website operators and explains which information about OneTrust legally belongs in their own privacy policy.

A. Purpose and Function of OneTrust CMP

A Consent Management Platform (CMP) is a tool that helps website operators manage consents from visitors. OneTrust displays a consent banner (cookie banner) on a website that asks the visitor which cookies and tracking tools they allow. OneTrust stores the visitor's response and shares these consents with other tools (e.g. Google Analytics, advertising networks).

OneTrust is integrated by embedding a JavaScript tag on the website. This tag loads the OneTrust banner, captures visitor interactions with the banner and stores the consent decisions.
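The mechanism just described (a banner records a per-category decision, and downstream tags are loaded only for the categories the visitor allowed) is easiest to see in code. The following is an added, constructed example and not OneTrust's code or API: the category names, the `TAG_REGISTRY` entries and the `*.example` script URLs are hypothetical. It also shows two edge cases a CMP has to get right: a tag whose category the stored record does not mention is not loaded, and a changed consice text version triggers a re-prompt instead of reusing the old decision.

```javascript
// Constructed example of consent gating, not OneTrust's code.
// A CMP records the visitor's decision per purpose category and lets
// third-party tags load only for categories that were allowed.

const CATEGORIES = Object.freeze(["necessary", "analytics", "advertising"]);

// Hypothetical tag registry: each third-party tag declares the category it needs.
const TAG_REGISTRY = Object.freeze([
  { id: "site-session", category: "necessary", src: "/js/session.js" },
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-network", category: "advertising", src: "https://ads.example/tag.js" },
]);

// Build a consent record from the banner choices. `choices` maps
// category -> boolean; "necessary" is always treated as allowed.
// The record keeps what a CMP stores: allowed/rejected categories,
// the time of the decision and the version of the consent text shown.
function recordConsent(choices, noticeVersion, now = new Date()) {
  const allowed = [];
  const rejected = [];
  for (const category of CATEGORIES) {
    if (category === "necessary" || choices[category] === true) {
      allowed.push(category);
    } else {
      rejected.push(category);
    }
  }
  return { allowed, rejected, noticeVersion, decidedAt: now.toISOString() };
}

// Withdrawal: a fresh record that keeps only strictly necessary processing.
function withdrawConsent(record, now = new Date()) {
  return recordConsent({}, record.noticeVersion, now);
}

// Ids of registry entries whose category the record allows. A tag whose
// category is absent from the record (e.g. a category added after consent
// was given) is NOT loaded, so a stale record never silently covers new tags.
function tagsAllowedToLoad(record, registry = TAG_REGISTRY) {
  const allowed = new Set(record.allowed);
  return registry.filter((tag) => allowed.has(tag.category)).map((tag) => tag.id);
}

// Has the visitor decided on the consent text currently in use? A CMP
// re-prompts when the notice version changed since the stored decision.
function needsReprompt(record, currentNoticeVersion) {
  return !record || record.noticeVersion !== currentNoticeVersion;
}

// Browser glue: insert allowed tags as <script> elements. Where no
// `document` exists (e.g. Node) the DOM branch is skipped; the count of
// tags that would be loaded is returned in both cases.
function loadAllowedTags(record, registry = TAG_REGISTRY) {
  const ids = new Set(tagsAllowedToLoad(record, registry));
  if (typeof document === "undefined") return ids.size;
  for (const tag of registry) {
    if (!ids.has(tag.id)) continue;
    const el = document.createElement("script");
    el.src = tag.src;
    el.async = true;
    document.head.appendChild(el);
  }
  return ids.size;
}
```

In a real deployment the record would be persisted (cookie or server-side store) and every later page view would call `needsReprompt` before `loadAllowedTags`; the point of keeping the decision per category rather than as a single "accepted" flag is that the stored record is what later serves as the audit evidence the page discusses.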

In addition to the banner, OneTrust also offers:

  • Consent management: Storage and management of consent records
  • Mapping to data protection frameworks: Integration with IAB TCF (Transparency and Consent Framework)
  • Audit trails: Documentation of consents for compliance purposes
  • Cookie scanning: Automatic detection of cookies and services on the website

What sets OneTrust apart is that it processes data itself (consent data): it is therefore not merely a tool but acts as a data processor in its own right and must be named in the privacy policy.

B. Mandatory Disclosures in the Privacy Policy on OneTrust

Pursuant to GDPR Art. 13(1)(c) a website operator must disclose the purposes of the processing. Art. 13(1)(d) requires the legal bases, Art. 13(1)(e) the recipients or categories of recipients. Art. 13(1)(f) requires that third-country transfers be disclosed and justified.

Note: OneTrust also independently processes consent data; it must therefore be named both as processor (for the management of consents on behalf of the website operator) and as independent data controller (for the storage of consent records and audit trails).

A topic-oriented approach is recommended here: A section "Consent management and data protection compliance" should explain that OneTrust is used to manage visitor consents.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of OneTrust: OneTrust LLC

Legal name: OneTrust LLC
Address: 1200 Abernathy Road, Building 1200, Suite 1500, Atlanta, GA 30328, USA
Country of seat: USA (Georgia)
EU branch: OneTrust also has branches in Europe (e.g. Ireland)
Role: Processor (for consent management) and independent data controller (for consent records and compliance data)

DPF status: OneTrust LLC is not certified on the DPF list, so data transfers to the USA rest on Standard Contractual Clauses (SCC). Before use, the website operator should verify whether and on what basis OneTrust transfers data to the USA.

Privacy Policy: https://www.onetrust.com/privacy-notice/

Data Processing Addendum (DPA): OneTrust provides a DPA, which website operators should conclude with OneTrust. The DPA regulates the processing of personal data (in particular consent data), sub-processors and third-country transfers.

D. Data Processing by OneTrust – Workflow

Collection

When a visitor accesses the website, the OneTrust tag loads the consent banner. The banner captures visitor identifiers (e.g. device ID, cookie ID), browser information and the IP address, and stores them together with the visitor's consent decision.

Storage

OneTrust stores the consent data (which cookies the visitor has allowed, when, which settings) on its servers, which are located in the USA. The data is archived long-term for audit and compliance purposes.

Use

OneTrust uses the data to (a) manage visitor consents, (b) inform other tools (Google Analytics, Ads, etc.) which cookies are allowed, (c) create audit trails and (d) generate compliance reports. OneTrust may also use the data for its own product development and security.

Disclosure

OneTrust passes consent data on to other services (ad networks, analytics tools) if the visitor has allowed these. OneTrust may also use sub-processors (e.g. for storage, security). A list can be found in the DPA.

Erasure

OneTrust stores consent records long-term (often for years) for compliance and audit purposes. A website operator can submit erasure requests, but OneTrust may retain aggregated or anonymised data.

E. Data Collected when Using OneTrust

OneTrust automatically collects data that is necessary for consent management and compliance.

This data can be classified into the following standardised data class types:

  • Web server log data: IP address, date/time, URL, referrer, browser/OS/device, technical metadata
  • Device and browser information: Browser type, browser version, operating system, device identifier
  • Unique identifiers: Cookies, device ID, visitor ID, which OneTrust uses to identify the visitor
  • Consent data: Which cookies were allowed, which were rejected, date/time of the decision, consent text the visitor saw
  • User interactions: Clicks on banner buttons (accept, reject, settings), mouse movements, scroll movements
  • Rough location data: IP-based rough location at country/region level
  • Configuration data: Which services are on the website, which cookies are used (when OneTrust cookie scanning is active)

This information is based on provider information and publicly accessible sources (OneTrust documents its data collection in technical documentation and the privacy policy).

F. Purposes of Use when Using OneTrust

OneTrust is generally used for the following purposes:

  • Consent management: Capture, storage and management of visitor consents for cookies and tracking tools
  • Compliance: Evidence of consents for GDPR compliance, compliance with regulations
  • Legal enforcement: Consent records as evidence vis-à-vis authorities or in legal disputes
  • Integration with IAB TCF: Participation in the IAB Europe Transparency and Consent Framework
  • Product development: Internal evaluations to improve the OneTrust platform and security
  • Security and abuse protection: Detection of bot attacks or anomalies

G. Legal Bases when Using OneTrust

OneTrust is a compliance and consent management tool. The following legal bases are relevant for the data processing:

  1. Legitimate interests (Art. 6(1)(f) GDPR): The website operator has a legitimate interest in managing and providing evidence of consents. This is necessary for GDPR compliance. A balancing of interests typically shows that this interest prevails.

  2. Legal obligation (Art. 6(1)(c) GDPR): For the management of consents in compliance with GDPR and TDDDG, the data processing by OneTrust is partly legally obligated.

  3. Consent (Art. 6(1)(a) GDPR): Insofar as OneTrust uses data for other purposes (e.g. product development, security), OneTrust may also rely on consent.

Note: A case-by-case examination is necessary. OneTrust use is mainly justified by legitimate interests and legal obligations, but OneTrust may also need consent for certain secondary uses.

H. Special Features and Notes on OneTrust

  • Dual role: OneTrust acts as processor (for consent management on behalf of the website operator) and as independent data controller (for the long-term storage of consent records and audit trails).
  • Lacking DPF certification: OneTrust LLC is not DPF-certified. The data transfer to the USA takes place on the basis of Standard Contractual Clauses (SCC). The website operator should verify this before use.
  • IAB TCF integration: OneTrust integrates with IAB Europe's Transparency and Consent Framework (TCF), which means that consent data may also be passed on to other TCF partners.
  • Long-term storage: OneTrust often stores consent records for several years (sometimes 7+ years) to meet audit requirements.
  • Sub-processors: OneTrust uses sub-processors (e.g. for hosting, security, data analysis). A current list should be available in the DPA.
  • Data security: OneTrust is ISO 27001 certified and implements encryption, access controls and other security measures.
  • User rights: Visitors can withdraw their consents at any time and request their consent data from OneTrust.

J. Conclusion and Recommendations on OneTrust

OneTrust is an indispensable compliance tool for websites that have to manage cookie consents. From a data protection perspective, OneTrust is particularly interesting because the tool itself processes data and therefore has to be mentioned in the privacy policy.

Website operators should note that OneTrust does not only act as processor (for management on behalf of the operator), but also as independent data controller (for the storage of consent records and audit trails). A Data Processing Addendum (DPA) with OneTrust is required.

A topic-oriented approach in the privacy policy that explains under "Consent management and compliance" that OneTrust is used to manage consents is sufficient. A recipient annex to the privacy policy further increases clarity.

Website operators should check whether the storage period of consent records is consistent with their compliance requirements and whether the transfer to IAB TCF partners is acceptable.

This article serves as general information on OneTrust CMP and does not replace legal advice in individual cases. The information is based on provider information and publicly accessible sources (as of: 2026-04-22). Website operators should coordinate their privacy policy and their contracts with OneTrust with a data protection officer or lawyer.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
