Integrating OneTrust and Google Tag Manager: A Simplified Guide

Streamlining Complexity: A Minimalistic Guide to Integrating OneTrust and Google Tag Manager. Simplifying GDPR Compliance and Tag Management.

Introduction

OneTrust is a popular software for privacy regulation compliance, helping companies align with standards like GDPR. Google Tag Manager, in contrast, is the toolbox that enables the seamless addition of tracking mechanisms for platforms such as Google Analytics. This article demystifies harmonizing these two systems, ensuring that GTM tags adhere to users’ cookie choices via OneTrust.

While similar guides exist, they often leave readers tangled in complexity. Here, we aim to provide a clear and engaging path to integration, cutting through the confusion and offering a step-by-step approach that respects user consent and data collection needs. Let’s dive in.

In a typical scenario, a visitor landing on a website with OneTrust implemented is greeted by a cookie consent popup. This is the visitor’s first checkpoint, where they can either:

  1. Accept all cookies,
  2. Reject all cookies, or
  3. Selectively choose which cookies to accept.

When a user selects one of the above, an event named OneTrustGroupsUpdated is triggered, and the OptanonConsent cookie is updated to reflect the user’s choices.

On the Google Tag Manager (GTM) side, we need to take a two-pronged approach:

  1. Assume Default Denial: Initially, we presume consent for tracking is denied until explicit permission is granted. This conservative stance ensures compliance by default.
  2. Capture User Preferences: After the user makes a decision, GTM must capture this and translate it into its corresponding consent settings: ad_storage, analytics_storage, functionality_storage, personalization_storage, security_storage.

These settings are then utilized to control tag firing. Tags linked to specific consent types will only execute if their corresponding consent settings are marked as “granted.” This ensures the website’s tracking practices align with the user’s privacy preferences.

Initial Setup for OneTrust and GTM Configuration

Embarking on integrating OneTrust with Google Tag Manager requires careful initial setup. This means establishing a clean working environment and configuring consent settings appropriately:

  1. Establish a New Workspace: In GTM, create a workspace specifically for this integration, perhaps named “OneTrust Integration into GTM.” This will help you keep changes organized and isolated until they’re ready to go live.
  2. Enable Consent Overview: Within the “Admin” section of GTM, select “Container Settings”. Look for “Additional settings” and ensure that “Enable Consent Overview” is activated. This feature will give you a bird’s-eye view of consent statuses across all tags.
  3. Understanding Built-In Consent Checks: Some tags, such as those for Google Analytics 4 (GA4), come with “Built-In Consent checks.” This means they automatically verify certain consent types—like analytics_storage and ad_storage—before firing. You do not need to set these consents manually for such tags, as they are inherently built to respect these predefined requirements.
  4. Setting Additional Consent Checks: To manage additional consent requirements, head to the “Tags” menu and click on the shield icon. Here, you can define consent settings for each tag under “Consent Settings.” “Not set” implies that a tag does not require any additional consent beyond the built-in checks. Another option is “No additional consent required,” which relies solely on the standard consent checks built into the tag. For example, standard Google Analytics 4 (GA4) tags require ad_storage and analytics_storage consents. If these default settings align with your data collection policies, you can choose “No additional consent required” for these GA4 tags. Consequently, these tags will only activate if a user has consented to both ad_storage and analytics_storage. Select “Require additional consent for tag to fire” when applying stricter consent checks. For instance, if you’re deploying a Google Analytics 4 (GA4) tag, which typically requires analytics_storage and ad_storage consents, you might also want to ensure the user has consented to security_storage due to your specific security protocols. In this scenario, you would explicitly configure GTM to include security_storage as an additional requirement. Only when all three consents - analytics_storage, ad_storage, and security_storage - are granted by the user, would the GA4 tag be allowed to fire.

For simplicity’s sake, we will configure all relevant tags to verify the following consent types explicitly:

  • ad_storage
  • analytics_storage
  • functionality_storage
  • personalization_storage
  • security_storage

To set consent requirements for your tags in Google Tag Manager, follow these step-by-step instructions:

  1. In Google Tag Manager, go to “Tags.”
  2. Find and select the tags to update.
  3. Click the shield icon to access consent settings.
  4. In “Consent Settings,” choose the additional consents needed.
  5. Save your settings.

By this stage, we anticipate that a new workspace dedicated to the integration has been established within Google Tag Manager. The ‘Consent Overview’ feature should be enabled, providing visibility over the consent status of all tags. Additionally, consent settings for each tag should be meticulously configured to align with user preferences and regulatory requirements.

Creating GTM Variables

The next step is to ensure that tags in GTM respect user consent settings from OneTrust. To do this, you must first create GTM User-Defined Variables that will capture and store the user’s consent preferences for different types of cookies.

In GTM, set up the variables as follows:

  1. Choose User-Defined Variables and select the Custom JavaScript variable type.
  2. You can insert the JavaScript snippet that reads the OneTrust cookie and checks for consent for a specific category. Here’s an example code for analytics_storage consent type: 
     function() {
     var consentCookie = ; 
     return consentCookie.indexOf('C0002:1') !== -1 ? 'granted' : 'denied'; 
 }
  3. Name this variable accordingly, for example, ‘JS - Analytics Storage.’
  4. After setting up, save the variable.

You’ll need to repeat this process for each consent type. By the end of this step, you should have five GTM variables created:

  • ‘JS - Ad Storage’
  • ‘JS - Analytics Storage’
  • ‘JS - Functionality Storage’
  • ‘JS - Personalization Storage’
  • ‘JS - Security Storage’

In addition, please create the following “OptanonConsent” GTM variable:

Creating the “OptanonConsent” GTM Variable:

  1. In GTM, navigate to “Variables” and “User-Defined Variables.”
  2. Click “New” and select the “1st Party Cookie” variable type.
  3. Name the variable “OptanonConsent.”
  4. For “Cookie Name”, enter “OptanonConsent.”
  5. Check the “URI-Decode” option.
  6. Save the variable.

This variable will capture the OneTrust cookie value, which we’ll use for consent checks.

The specific consent cookie value, like ‘C0002:1’ in the example, might be different based on your OneTrust configuration. You must adjust the code to match the consent categories in your OneTrust consent model.

We would use these variables later on to update user consent preferences.

Now, you must establish the default consent state. This is crucial as it ensures your website respects user privacy by default. Here’s how you set it up:

  1. Create a New Tag: Name it “Consent Mode — Default.”
  2. Tag Type: Use the “Consent Mode (Google tags)” template provided by Simo Ahava, a respected figure in digital analytics. This template simplifies the process, allowing you to avoid manual coding.
  3. Configure the Tag: Set the consent command to “Default”. Within “Consent settings”, under “Required for Google Services”, mark all consent types as ‘denied’.
  4. Modify the Template as Needed: Access the “Templates” menu in GTM. Select the relevant tag template. Navigate to “Fields” and then to the ‘settings’ subfield. Make necessary adjustments to align with your company’s consent requirements.
  5. Set the Trigger: Use the “Consent Initialization — All Pages” trigger. Ensure this tag fires first on every page to establish the default ‘denied’ state until the user consents.

Setting up the “Consent Mode — Default” tag lays the groundwork for compliant tracking, dictating that no Google service will proceed with data collection until the user’s consent preferences are verified and respected.

Once the default consent state is set, updating the consent status in real-time as users make their choices is essential. Here’s the process to do just that:

  1. Create a New Tag: Name it “Consent Mode — Update.”
  2. Tag Type: Utilize the “Consent Mode (Google tags)” template by Simo Ahava for consistency and ease of use.
  3. Configure the Tag: Set the consent command within the tag to “Update.” In “Consent Settings” under “Required for Google Services,” link each consent type to its corresponding GTM variable. For example, connect analytics_storage to the “JS - Analytics Storage” variable.
  4. Determine the Trigger: Choose a Custom Event trigger. Set the event name to OneTrustGroupsUpdated, corresponding to the event fired by OneTrust when a user makes their cookie preferences known.

By deploying the “Consent Mode — Update” tag, you ensure that GTM captures and applies the user’s consent preferences as soon as they are made, allowing tags to fire or block in accordance with those choices. This maintains compliance and respects user privacy throughout their visit.

Testing Your OneTrust and GTM Integration

Once you’ve set up your tags and triggers in GTM, verifying that everything works as intended is critical. Testing involves several scenarios to ensure user consent is accurately captured and respected. Here’s how to proceed:

  1. Enter GTM Preview Mode: Enable Preview mode in GTM to test your setup in real time.
  2. Accepting All Cookies: Visit your website and, when prompted, accept all cookies. Check that all tags, especially those reliant on consent, fire as expected.
  3. Rejecting All Cookies: Reset your cookies, then revisit your site and reject all cookies. Observe that no tags fire, confirming that consent is being honored.
  4. Partial Consent Acceptance: Depending on your configuration, you may have tags that require specific consent. Accept only the necessary cookies for those tags and reject others. Please ensure the tags fire only when their specific consents are granted.

To reset the consent status on your site, use the developer tools in your browser.

  • For Mac users: To access developer tools, use the shortcut Command + Option + I. Alternatively, right-click on any element on the page and select “Inspect” from the context menu.
  • For Windows users: The shortcut to open developer tools is Ctrl + Shift + I. You can also right-click on any page element and choose “Inspect” to enter the developer tools.

Go to the “Application” tab, find the “Cookies” section, right-click on them, and select “Delete.”

Finalizing the Setup:

After thorough testing and confirming that all scenarios are handled correctly, you can merge your “OneTrust Integration into GTM” workspace with the default workspace.

With these steps, you’ve diligently tested and confirmed that your site’s consent management matches user preferences. Merging the workspace signifies a job well done, and your website is now better equipped to build trust and ensure compliance.

I’ve provided the GTM container configuration as a downloadable JSON file to facilitate your integration. Download the GTM container configuration file here.

Quick steps to import into GTM:

  1. Go to your GTM account and select ‘Admin’ > ‘Import Container’.
  2. Upload the JSON file to a new or existing workspace.
  3. Review the changes, then publish.

Please always test before publishing to ensure it’s compatible with your site.

Establishing New Tags Post-OneTrust Integration

The implementation of tags within Google Tag Manager post OneTrust integration continues to follow prior practices, with the notable inclusion of consent consideration. Practitioners must select ‘Advanced Settings’ upon tag creation, proceeding thereafter to ‘Consent Settings’, to pinpoint and establish consent requirements.

Tags that launch with pageview present a unique challenge due to the near-instantaneous nature of their firing, often preceding user consent. To effectively manage this, it’s recommended to establish an alternative trigger, labeled OneTrustGroupsUpdatedConsentSaved.

How to create OneTrustGroupsUpdatedConsentSaved Trigger

First, introduce a trigger that fires on OneTrustGroupsUpdated event, then connect it to a custom HTML tag furnished with the following script:

<script>
  setTimeout(function() {
    dataLayer.push({'event': 'OneTrustGroupsUpdatedConsentSaved'});
  }, 1000); // Wait for 1000 milliseconds (1 second)
</script>

This script, which incubates the custom event OneTrustGroupsUpdatedConsentSaved for a stipulated 1-second duration, ensures that GTM can adequately recognize and respond to updated consent state information.

#OneTrust #GoogleTagManager #PrivacyCompliance #GDPR #DataPrivacy #ConsentManagement #DigitalAnalytics #CookieConsent #WebTracking #MarketingTech #AdTech #WebDevelopment #TagManagement #UserConsent #Compliance #PrivacyTech #MarTech #Analytics #DigitalMarketing #TechGuide

If you found this article useful and would like to support my work, consider buying me a coffee! Just click on the button below and follow the instructions to make a donation. Your support helps me create more valuable content. Thank you!