3. OneTrust Certification Program Reference Guide
Support and Resources
3
Support and Resources
Support and Resources 4
1 Support Resources 4
1.1 Support Infrastructure 4
1.2 Support Documentation 5
1.3 Product Release Notes and Maintenance Notices 5
1.2 Support Documentation
✓ Email support@onetrust.com from your work email if you have any issues with access to the
support portal (https://my.onetrust.com/s/) and documentation.
✓ Email your OneTrust Account Executive or sales@onetrust.com from your work email for access to
the support portal (https://my.onetrust.com/s/) and documentation.
1.3 Product Release Notes and Maintenance Notices
Product release notes and maintenance notices are available in the support portal:
https://my.onetrust.com/s/ under Product Updates at the top of the page.
Subscribe to Product Release Notes with the following steps:
1. Select All Groups at the bottom of the page
2. Click on the Product Updates group
3. Select Join Group on the right side, then Manage Notifications to set how often you receive
updates by email
Subscribe to Maintenance Notices with the following steps:
1. Select System Status and Scheduled Maintenance at the bottom of the page
2. Click on Subscribe, and enter contact information
3. Click Subscribe to Alerts
Cookie Consent
Active
Cookies will be set unless and until the visitor opts out of this group. This is the initial status for groups
with the Implied Consent model.
Inactive
Cookies will not be set until visitors actively allow them. This is the initial status for groups with the
Explicit Consent model.
Always Active
Use this where you do not want to give visitors control over these cookies. The Strictly Necessary group is
Always Active by default and cannot be changed.
Do Not Track
If the user’s browser sends a DNT=1 header (request not to track), cookies will not be set unless the user
changes their preference in the interface. If the DNT header is not received, or is set to 0, then the group
is ‘Active’ and cookies will be set.
Inactive Landing Page
Cookies will not be set on the first page but set automatically when the user navigates to a second page
or reloads the first page. This is the initial status for groups with the Soft Opt-in model.
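The five group statuses above, as an added JavaScript example that is not OneTrust's own code: a small resolver that decides whether a group may set cookies from its configured status, the visitor's stored preference-centre choice, and the DNT value. The `group` and `ctx` shapes, and the `"1"` / `"0"` / `null` encoding of the DNT header, are assumptions made for illustration.

```javascript
// Added example (not OneTrust code): applies the five cookie-group statuses
// described in the guide. `group` and `ctx` shapes are assumptions.

const Status = Object.freeze({
  ACTIVE: "Active",
  INACTIVE: "Inactive",
  ALWAYS_ACTIVE: "Always Active",
  DO_NOT_TRACK: "Do Not Track",
  INACTIVE_LANDING_PAGE: "Inactive Landing Page",
});

/**
 * Decide whether cookies in `group` may be set for the current page view.
 * @param {{status: string, userChoice?: boolean|null}} group
 *   userChoice: true/false once the visitor explicitly allowed/refused the
 *   group in the preference centre; null or undefined if untouched.
 * @param {{dnt: string|null, pageViews: number}} ctx
 *   dnt: DNT header value ("1", "0") or null when no header was received;
 *   pageViews: pages seen in this session including this one (a reload of
 *   the first page counts as a second view).
 * @returns {boolean}
 */
function mayCookiesBeSet(group, ctx) {
  // Strictly Necessary is Always Active and the visitor cannot change it.
  if (group.status === Status.ALWAYS_ACTIVE) return true;

  // For every other status an explicit visitor choice overrides the default.
  if (group.userChoice === true || group.userChoice === false) {
    return group.userChoice;
  }

  switch (group.status) {
    case Status.ACTIVE:                 // Implied Consent: on until opt-out
      return true;
    case Status.INACTIVE:               // Explicit Consent: off until allowed
      return false;
    case Status.DO_NOT_TRACK:           // honour DNT=1; missing or "0" -> Active
      return ctx.dnt !== "1";
    case Status.INACTIVE_LANDING_PAGE:  // Soft Opt-in: off on the first page only
      return ctx.pageViews > 1;
    default:
      throw new Error(`unknown group status: ${group.status}`);
  }
}
```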
Other Requirements:
• Clearly distinguishable from the other matters
• Intelligible and easily accessible form
• Clear and plain language
• Right to withdraw consent (must be as easy to withdraw as to give)
• Performance of a contract cannot be conditional on consent if the processing is not
necessary for the contract
GDPR – Article 21: Right to Object
Article 21 (2)
• “where personal data are processed for direct marketing purposes, the data subject
shall have the right to object at any time”
Article 21 (3)
• “where the data subject objects to processing for direct marketing purposes, the
personal data shall no longer be processed”
CCPA – 1798.115: Right to Know about Sale or Disclosure
A consumer shall have the right to request that a business…disclose to that consumer:
• (1) The categories of personal information that the business collected about the
consumer.
• (2) The categories of personal information that the business sold about the consumer
and the categories of third parties to whom the personal information was sold
• (3) The categories of personal information that the business disclosed about the
consumer for a business purpose.
CCPA – 1798.135: Compliance Obligations with regards to Right to
Opt Out
• Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not
Sell My Personal Information”… to opt-out of the sale of the consumer’s personal
information.
• Include a description of a consumer’s rights pursuant to Section 1798.120, along with
a separate link to the “Do Not Sell My Personal Information”
EXERCISE: Validate Cookie Script
✓ Using Chrome, navigate to: cookiepro.com
✓ Inspect Page
✓ Accept Cookies and see changes
EXERCISE: Enable Consent Logging
✓ Navigate to Cookie Compliance → Geolocation Rules
✓ Enable Capture Records of Consent toggle for the Default Consent Policy rule group
✓ Select Cookie ID as Unique Site Visitor ID
Glossary
A
Adequacy Decision – A declaration made by the European Commission that a country outside of the EEA
offers an adequate level of protection, and therefore is acceptable for cross-border data transfers.
Affirmative Act – A clear action that indicates consent has been given; it is not passive.
Asset – Anything that can store or process personal data. This can include an application, website,
database, or even a filing cabinet.
Asset Map – A visual map that shows the location of all assets.
Automated Decision Making – Making a decision or creating a profile based entirely on
technological means, without human involvement.
B
Binding Corporate Rules (BCRs) – A set of strict and binding rules put in place by multinational
companies and organizations that describe how personal data must be processed and protected. This
allows the transfer of personal data outside the EEA, without having an Adequacy Decision. Data may be
transferred between countries but must remain within the organization.
Biometric Data – A “special category” of data relating to physical, physiological, or behavioral
characteristics of a person that can identify or confirm identity of a person.
C
Data Erasure – Also known as the Right to be Forgotten, it entitles the data subject to have the data
controller erase their personal data, stop further dissemination of the data, and potentially have third
parties stop processing of the data.
Data Portability – The requirement for controllers to provide the data subject with a copy of the data
they’ve provided to the controller. The provided data must be easy to read and can be given to the data
subject directly, or to another controller upon request.
Data Protection Officer (DPO) – An expert on data privacy who works independently within an
organization to ensure compliance with GDPR policies and procedures.
Data Protection Impact Assessment (DPIA) – An assessment required under GDPR, used to identify,
assess, and mitigate risks within an organization’s data processing policies and activities.
Data Subject – A natural person whose personal data is processed by a controller or processor.
Derogation – An exemption or exception from a law.
Directive – A legislative act that sets out a goal for all EU countries to achieve, but each country can meet
this goal in their own way, with their own national laws.
E
ePrivacy Directive – A directive passed in 2002 and amended in 2009 that addresses privacy regarding
digital communication, digital marketing, and cookies.
Personal Data – Any information related to a natural person or ‘Data Subject’, that can be used to
directly or indirectly identify the person.
Personal Data Breach – A breach of security leading to the accidental or unlawful access to, destruction,
misuse, etc. of personal data.
Processor – An entity that processes data on behalf of a Data Controller, considered a third party.
Privacy by Design (PbD) – A principle that calls for the inclusion of data protection from the onset of the
designing of systems, rather than as an addition.
Privacy Impact Assessment – A tool used to identify and reduce the privacy risks of organizations by
analyzing the personal data that are processed and the policies that are in place to protect the data.
Processing – Any activity performed on personal data, whether or not by automated means, including
collection, use, recording, etc.
Profiling – Any automated processing of personal data intended to evaluate, analyze, or predict data
subject behavior; it is done without human intervention.
Pseudonymization – Removing key identifiers from personal data so that, on its own, it cannot be
attributed to a single individual. The data is not completely anonymous, but it is not identifiable
without other pieces of data.
R
Recipient – The entity to which the personal data is disclosed.
Unambiguous – Data subject consent must be given affirmatively and without doubt. The data
subject must have a clear understanding of what their data will be used for, and it must be obvious that the
data subject has consented to the particular processing.