2020 cookies expert reference guide

Copyright © 2017 OneTrust LLC. All rights reserved. Proprietary & Confidential.
The training environment provided to you is only for use during the OneTrust Certification
Training Program. You will only have access to log in for the duration of training.
Training URL: training.onetrust.com
Please refer to your instructor for the password to your environment.
We recommend accessing the training environment in incognito/private browser mode.

OneTrust Certification Program Reference Guide
Support and Resources
3
Support and Resources................................................................................................................. 4
1 Support Resources.................................................................................................................................. 4
1.1 Support Infrastructure .............................................................................................................. 4
1.2 Support Documentation ........................................................................................................... 5
1.3 Product Release Notes and Maintenance Notices ................................................................... 5

1 Support Resources
1.1 Support Infrastructure
Request Support on Tenant
Submit a support desk ticket directly to the OneTrust Support Team through your tenant.
1. To get help from OneTrust support personnel, click on the question mark icon in the top
navigation and click Get Help.
2. Click Contact Us at the bottom of the window. Enter a message, Click the Element (if applicable)
and click Send. A member of our Support team will get back to you shortly.
Contact the OneTrust Support Team
• Email: support@onetrust.com
• Phone: +1 (844) 900-0472

5
1.2 Support Documentation
✓ Email support@onetrust.com from your work email if you have any issues with access to the
support portal (https://my.onetrust.com/s/) and documentation.
✓ Email your OneTrust Account Executive or sales@onetrust.com from your work email for access to
the support portal (https://my.onetrust.com/s/) and documentation.
1.3 Product Release Notes and Maintenance Notices
Product release notes and maintenance notices are available in the support portal:
https://my.onetrust.com/s/ under Product Updates at the top of the page.
Subscribe to Product Release Notes with the following steps:
1. Select All Groups at the bottom of the page
2. Click on the Product Updates group
3. Select Join Group on the right side, then Manage Notifications to set the frequency of
how often you receive updates via email
Subscribe to Maintenance Notices with the following steps:
1. Select System Status and Scheduled Maintenance at the bottom of the page
2. Click on Subscribe, and enter contact information
3. Click Subscribe to Alerts

Cookie Consent
Cookie Consent
OneTrust Cookie Consent provides website owners with a transparent mechanism for obtaining
required cookie consent from website visitors and respecting Do Not Track requests, helping
organizations comply with EU Cookie Laws. Cookie Compliance includes continuous website scanning
against a 5.5M cookie database, flexible interface for managing visitor consent, and customizable visitor
preferences center.
Cookie Consent ............................................................................................................................. 2
Terminology.................................................................................................................................................... 8
Cookie ................................................................................................................................................ 8
First Party Cookie ............................................................................................................................. 8
Third Party Cookie............................................................................................................................ 8
Session Cookie .................................................................................................................................. 8
Persistent Cookie ............................................................................................................................. 8
Domain............................................................................................................................................... 8
Active ................................................................................................................................................. 9
Inactive .............................................................................................................................................. 9
Always Active .................................................................................................................................... 9
Do Not Track ..................................................................................................................................... 9
Inactive Landing Page ...................................................................................................................... 9
GDPR Article Overview................................................................................................................................. 10
1.1 ePrivacy Directive.................................................................................................................... 10
1.2 Article 7: Conditions for Consent ........................................................................................... 10
1.3 Article 21: Right to Object ....................................................................................................... 11
Cookie Consent & Website Scanning.......................................................................................................... 11
Execution in OneTrust.................................................................................................................................. 18
Scan
Determine
Baseline
Results
View Results
Banner
Create Banner
Policy
Categorize and
Define Policy
Integrate
Implement
Script

Cookie Consent
7
1.4 EXERCISE: Scan Website .......................................................................................................... 22
1.5 EXERCISE: Review Scan............................................................. Error! Bookmark not defined.
1.6 EXERCISE: Build Cookie Banner .............................................................................................. 24
1.7 EXERCISE: Add Language......................................................................................................... 24
1.8 EXERCISE: Set Consent ............................................................................................................ 40
1.9 EXERCISE: Assign Cookies ....................................................................................................... 42
1.10 EXERCISE: Enable IAB .............................................................................................................. 46
1.11 EXERCISE: Set Preference........................................................................................................ 52
1.12 EXERCISE: Embed Script .......................................................................................................... 57
1.13 EXERCISE: Validate Cookie Script ............................................................................................ 63

Cookie Consent
Terminology
Cookie
Text file stored on a client machine that may later be retrieved by a web server. Allows web servers to
keep track of user’s browser activities and connect individual web requests into a session.
First Party Cookie
Cookie placed by the website visited.
Third Party Cookie
Cookies placed by a party other than the website visited
Session Cookie
Cookies stored only as long as the browser is open
Persistent Cookie
Cookies with a defined lifespan set by the developer of the cookie
Domain
Unique identifier address where users can access a specific website.

Cookie Consent
9
Active
Cookies will be set unless and until the visitor opts-out of this group. This is the initial status for groups
with the Implied Consent model.
Inactive
Cookies will not be set until visitors actively allow them. This is the initial status for groups with the
Explicit Consent model.
Always Active
Use this where you do not want to give visitors control over these cookies. The Strictly Necessary group is
Always Active by default and cannot be changed.
Do Not Track
If the user’s browser sends a DNT=1 header (request not to track), cookies will not be set unless the user
changes their preference in the interface. If the DNT header is not received, or is set to 0, then the group
is ‘Active’ and cookies will be set.
Inactive Landing Page
Cookies will not be set on the first page but set automatically when the user navigates to a second page
or reloads the first page. This is the initial status for groups with the Soft Opt-in model.

Cookie Consent
Regulation Overview
ePrivacy Directive
Protection of privacy in the electronic communications sector
• Not part of GDPR; is a separate piece of legislation which means that it can be different in
each member state.
• States that cookies need consent, but each member state defines consent differently.
• GDPR’s definition of consent makes the e-privacy directive more strict in all member
states
GDPR Article 5 (3) – Confidentiality of the Communications
• “storing of information, or the gaining of access to information already stored, in the
terminal equipment of a…user is only allowed on condition that the subscriber or the
user concerned has given his or her consent”
• “[Except where]…strictly necessary in order…to provide the service”
Summary: Consent must be obtained to store or access cookies on a user’s terminal equipment
Scope: All cookies except for those strictly necessary to provide service
Other Requirements: Purpose of processing must be presented clearly and comprehensively
GDPR – Article 7: Conditions for Consent
Article 7 (2)
• “consent shall be…in an intelligible and easily accessible form, using clear and plain
language”
Article 7 (3)
• “the data subject shall have the right to withdraw his or her consent at any time”
• “shall be as easy to withdraw as to give consent”
Summary: Controllers shall be able to demonstrate that they have obtained valid consent
Scope: All processing based on consent

Cookie Consent
11
Other Requirements:
• Clearly distinguishable from the other matters
• Intelligible and easily accessible form
• Clear and plain language
• Right to withdraw consent (must be as easy to withdraw as to give)
• Performance of a contract cannot be conditional on consent if the processing is not
necessary for the contract
GDPR – Article 21: Right to Object
Article 21 (2)
• “where personal data are processed for direct marketing purposes, the data subject
shall have the right to object at any time”
Article 21 (3)
• “where the data subject objects to processing for direct marketing purposes, the
personal data shall no longer be processed”
CCPA – 1798.115: Right to Know about Sale or Disclosure
A consumer shall have the right to request that a business…disclose to that consumer:
• (1) The categories of personal information that the business collected about the
consumer.
• (2) The categories of personal information that the business sold about the consumer
and the categories of third parties to whom the personal information was sold
• (3) The categories of personal information that the business disclosed about the
consumer for a business purpose.
CCPA – 1798.135: Compliance Obligations with regards to Right to
Opt Out
• Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not
Sell My Personal Information”… to opt-out of the sale of the consumer’s personal
information.
• Include a description of a consumer’s rights pursuant to Section 1798.120, along with
a separate link to the “Do Not Sell My Personal Information”

Cookie Consent
CCPA – TCF 2.0 Frameworks
Why Work with TCF v2.0?
• TCF v2.0 enables consumers to grant or withhold consent and also exercise their ‘right to
object’ to data being processed. Consumers also gain more control over whether and how
vendors may use certain features of data processing, for example, the use of precise
geolocation.

Cookie Consent
13
Website Scanning & Cookie Consent in OneTrust

Cookie Consent
Terms and Concepts

Cookie Consent
15
Example

Cookie Consent

Cookie Consent
17

Cookie Consent
Execution in OneTrust – Steps

Cookie Consent
19
Execution in OneTrust – Phases

Cookie Consent
Execution in OneTrust

Cookie Consent
21

Cookie Consent
EXERCISE: Scan Website
✓ Navigate to Cookie Compliance → Websites
✓ Click Add Website
✓ Run a New Website Scan
o Scan a website of your choosing
o Use Advanced Setting to limit the scan to 5 pages

Cookie Consent
23

Cookie Consent
EXERCISE: Build Cookie Banner
✓ Navigate to Cookie Compliance → Templates
✓ Select banner layout and colors for Banner (on Banner tab of template)
✓ Enable Allow All button in Content → Button Set
EXERCISE: Customize Preference Center
✓ Select banner layout and colors for Preference Center (on Preference Center tab of template)
EXERCISE: Add Language to Cookie Banner Template
✓ Click Manage Languages to add a language
✓ Add Spanish – Spain

Cookie Consent
25

Cookie Consent
27

Cookie Consent
29

Cookie Consent
31

Cookie Consent
EXERCISE: Define Geolocation Rule – Add Rule
✓ Navigate to Cookie Compliance → Geolocation Rules
✓ Select the Default Consent Policy rule group
✓ Add Rule called “GDPR”
✓ Select the Region EU
✓ Select the template
✓ Select the Status as Opt-in
✓ Save
✓ Assign to Domain

Cookie Consent
33

Cookie Consent
35

Cookie Consent
37

Cookie Consent
39

Cookie Consent
EXERCISE: Review Scan Results
✓ Review Scan Results Dashboard by clicking the website in Cookie Compliance → Websites
✓ Review Cookie Details
✓ Export Scan Results

Cookie Consent
41

Cookie Consent
EXERCISE: Create Category and Assign Cookies
✓ In Cookie Compliance → Cookiepedia: Categorizations, go to Categorizations tab
✓ Create Category
✓ Go to Cookies tab
✓ Move a cookie from one group to another
✓ Move an unknown cookie to a group
EXERCISE: Configure Hosts
✓ In Cookie Compliance → Cookiepedia: Categorizations, go to Hosts tab
✓ Click on one of the listed Hosts
✓ Edit the Display Name

Cookie Consent
43

Cookie Consent
EXERCISE: Define Sub-groups
✓ In Cookie Compliance → Templates
✓ Click on one of the templates
✓ Go to Advanced Configuration on the Preference Center tab
✓ Bundle group
✓ Add sub-group by clicking Group Categories button
✓ Edit bundle group description
✓ Re-organize groups

Cookie Consent
45

Cookie Consent
47

Cookie Consent
EXERCISE: Enable IAB
✓ Navigate to Cookie Compliance → Vendors
✓ Create Vendor List
✓ Deactivate Vendors
✓ Enable Capture Records of Consent toggle for a rule group

Cookie Consent
49

Cookie Consent
51

Cookie Consent
53

Cookie Consent
55

Cookie Consent
57

Cookie Consent
59

Cookie Consent
EXERCISE: Embed Script
✓ Navigate to: https://one.com
✓ Username: onetrusttest@gmail.com
✓ Password: Cookies11
✓ Publish Testing/Staging Script
✓ Insert Testing/Staging Cookies Script Tag into <head>
✓ Insert the Cookies Setting Button after </body>

Cookie Consent
61

Cookie Consent
63

Cookie Consent
65

Cookie Consent
67
EXERCISE: Validate Cookie Script
✓ Using Chrome, navigate to: cookiepro.com
✓ Inspect Page
✓ Accept Cookies and see changes
EXERCISE: Enable Consent Logging
✓ Enable Capture Records of Consent toggle for the Default Consent Policy rule group
✓ Select Cookie ID as Unique Site Visitor ID

Glossary
69
Glossary
A
Adequacy Decision – A declaration made by the European Commission that a country outside of the EEU
offers an adequate level of protection, and therefore is acceptable for cross-border data transfers.
Affirmative Act – A clear action taken that indicates consent has been given, is not passive.
Asset – Anything that can store or process personal data. This can include an application, website,
database, or even a filing cabinet.
Asset Map – A visual map that shows the location of all assets.
Automated Decision Making – Making a decision or creating a profile based completely on
technological means without human involvement
B
Binding Corporate Rules (BCRs) – A set of strict and binding rules put in place by multinational
companies and organizations that describe how personal data must be processed and protected. This
allows the transfer of personal data outside the EEA, without having an Adequacy Decision. Data may be
transferred between countries but must remain within the organization.
Biometric Data – A “special category” of data relating to physical, physiological, or behavioral
characteristics of a person that can identify or confirm identity of a person.
C

Glossary
California Consumer Protection Act (CCPA) – Signed into law in 2018, to be affective in 2020, this act
introduces new privacy rights for individuals living within the state of California. First sweeping privacy
law in the United States.
Cookies – A small text file that a website may drop on a user’s device for the sake of tracking certain
categories of information.
Cookies (1st
Party) – Cookies dropped by the website the user is visiting.
Cookies (3rd
Party) – Cookies dropped by a website or company different than the one the user is
visiting. Most commonly, targeting or social media cookies.
Cookies (Persistent) – Cookies that continue to live on a user’s device after they have left the website
from which the cookie was dropped.
Cookies (Session) – Cookies that are no longer active after a user leaves a website or ends a session with
the website.
Consent – Any freely given, specific, informed and unambiguous indication that the data subject agrees
to specific processing. Consent must be as easy to withdraw as it is to give. Consent must be given
through Affirmative Action.
Controller – The entity that determines the purposes, conditions and means of the processing of
personal data.
D
Data Element – Pieces of collected information that together, build a complete look at Data.

Glossary
71
Data Erasure – Also known as the Right to be Forgotten, it entitles the data subject to have the data
controller erase their personal data, stop further dissemination of the data, and potentially have third
parties stop processing of the data.
Data Portability – The requirement for controllers to provide the data subject with a copy of the data
they’ve provided to the controller. The provided data must be easy to read and can be given to the data
subject directly, or to another controller upon request.
Data Protection Officer (DPO) – An expert on data privacy who works independently within an
organization to ensure compliance with GDPR policies and procedures.
Data Protection Impact Assessment (DPIA) – An assessment required under GDPR, used to identify,
assess, and mitigate risks within an organization’s data processing policies and activities.
Data Subject – A natural person whose personal data is processed by a controller or processor.
Derogation – An exemption or exception from a law.
Directive – A legislative act that sets out a goal for all EU countries to achieve, but each country can meet
this goal in their own way, with their own national laws.
E
ePrivacy Directive – A directive passed in 2002 and amended in 2009 that addresses privacy regarding
digital communication, digital marketing, and cookies.

Glossary
Encrypted Data – Personal data that is protected through technological measures to ensure that the
data is only accessible/readable by those with specified access.
European Data Protection Board (EDPB) – Formerly known as Article 29 Working Party (A29 WP), it is an
advisory body made up of DPAs from each EU member state and the European Commission.
F
Freely Given – Consent is considered freely given if the data subject is able to exercise a real choice, and
there is no risk significant negative consequences if they do not give consent.
G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all
residents of the European Economic Area. Passed in 2016, in effect in 2018.
Genetic Data – Data pertaining to unique information about the health or physiology of an individual.
I
Informed – Having all necessary information needed to make a conscious decision or giving consent.
M
Main Establishment – A location, chosen by the data controller, for a company or organization where it
is headquartered and therefore subject to any local laws or directives.
P

Glossary
73
Personal Data – Any information related to a natural person or ‘Data Subject’, that can be used to
directly or indirectly identify the person.
Personal Data Breach – A breach of security leading to the accidental or unlawful access to, destruction,
misuse, etc. of personal data.
Processor – An entity that processes data on behalf of a Data Controller, considered a third party.
Privacy by Design (PbD) – A principle that calls for the inclusion of data protection from the onset of the
designing of systems, rather than as an addition.
Privacy Impact Assessment – A tool used to identify and reduce the privacy risks of organizations by
analyzing the personal data that are processed and the policies that are in place to protect the data.
Processing – Any activity performed on personal data, whether or not by automated means, including
collection, use, recording, etc.
Profiling – Any automated processing of personal data intended to evaluate, analyze, or predict data
subject behavior, is done without human interference.
Pseudonymization – taking away key identifiers out of personal data so that alone, it cannot be
attributed to one single individual. The data is still not completely anonymous but is not identifiable
without other pieces of data.
R
Recipient – The entity to which the personal data is disclosed.

Glossary
Records of Processing Activities (RoPA) – Each data controller must have a detailed record of all
processing activities that are acted upon data that they have collected. Sometimes called an “Article 30
Report.”
Regulation – A binding legislative act that must be applied in specifically spelled out ways, in its entirety,
across the European Union.
Restriction of Processing – A right of a data subject to limit the future processing of their stored
personal data.
Right to be Forgotten – Also known as Data Erasure, it entitles the data subject to have the data
controller erase their personal data, cease further dissemination of the data, and potentially have third
parties cease processing of the data.
Right to Access – Also known as Subject Access Right, it entitles the data subject to have access to and
information about the personal data that a controller has concerning them.
S
Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent
for specific and clearly spelled out uses and must be consulted if the use changes.
Supervisory Authority (SA) – A public authority which is established by a member state that oversees
the execution of GDPR regulations.
U

Glossary
75
Unambiguous – Data subject consent must be the given affirmatively and without doubt. The data
subject must have clear understanding of what their data will be used for, and it must be obvious that the
data subject has consented to the particular processing.

2020 cookies expert reference guide

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to 2020 cookies expert reference guide

Similar to 2020 cookies expert reference guide (20)

Recently uploaded

Recently uploaded (20)

2020 cookies expert reference guide