
Global Privacy Control and Do Not Track in OneTrust


Problem Description

You've implemented OneTrust consent management and are showing privacy notifications, but your site isn't actually respecting Global Privacy Control (GPC) or Do Not Track (DNT) signals from users' browsers. Many organizations think that simply displaying the consent banner is sufficient, but these privacy signals require specific configuration at the category level within OneTrust to be properly enforced.

Why This Matters

  • CCPA/CPRA: GPC signals are legally binding "Do Not Sell" requests
  • GDPR: DNT signals indicate user privacy preferences
  • State Laws: Multiple states recognize GPC as a valid opt-out mechanism

User Experience

  • Users expect their privacy choices to be respected
  • Browser privacy settings should automatically apply to your site
  • Failure to honor these signals can lead to user frustration and legal issues

Common Misconceptions

❌ "Showing the banner is enough"

Reality: The banner only collects explicit consent. GPC/DNT signals require separate configuration.

❌ "OneTrust handles this automatically"

Reality: You must explicitly enable and configure signal handling for each category.

❌ "It's only for California users"

Reality: GPC is a global standard, and DNT is supported by all major browsers.

Step-by-Step Configuration

Step 1: Enable GPC Signal Handling

  1. Navigate to OneTrust Admin Panel

    • Go to Admin > Data Governance > Cookie Compliance
    • Or use: https://yourcompany.onetrust.com/app/admin/
  2. Access Privacy Signal Settings

    • Go to Settings > Privacy Signals
    • Look for "Global Privacy Control" section
    • Enable "Process GPC Signals"
  3. Configure GPC Behavior

    • Set "Default Action" to "Opt Out" (recommended)
    • Enable "Override User Consent" when GPC is detected
    • Choose whether to show notification when GPC is active

Step 2: Enable Do Not Track Signal Handling

  1. In the Same Privacy Signals Section

    • Find "Do Not Track" configuration
    • Enable "Process DNT Signals"
    • Set "DNT Behavior" to "Respect DNT"
  2. Configure DNT Response

    • Choose how to respond when DNT is enabled
    • Options typically include:
      • Block all tracking
      • Show enhanced privacy options
      • Require explicit opt-in

Step 3: Configure Category-Level Settings

This is the critical step most people miss!

  1. Go to Cookie Categories

    • Navigate to Cookies > Cookie Categories
    • You'll see categories like:
      • Necessary/Strictly Necessary
      • Analytics/Performance
      • Marketing/Advertising
      • Functionality
      • Personalization
  2. For Each Category, Configure GPC Handling

    • Click on each category
    • Go to "Privacy Signal Settings" tab
    • Enable "Respect GPC Signal"
    • Set "GPC Action" for that category:
      • Necessary: Usually "Allow" (required for site function)
      • Analytics: "Block" when GPC detected
      • Marketing: "Block" when GPC detected
      • Functionality: "Block" when GPC detected
      • Personalization: "Block" when GPC detected
  3. For Each Category, Configure DNT Handling

    • In the same "Privacy Signal Settings" tab
    • Enable "Respect DNT Signal"
    • Set "DNT Action" for that category:
      • Necessary: Usually "Allow" (required for site function)
      • Analytics: "Block" when DNT detected
      • Marketing: "Block" when DNT detected
      • Functionality: "Block" when DNT detected
      • Personalization: "Block" when DNT detected

Step 4: Configure Script Blocking Rules

  1. Go to Script Management

    • Navigate to Scripts > Script Management
    • For each script that should respect privacy signals
  2. Set Privacy Signal Rules

    • Enable "Respect Privacy Signals"
    • Choose which signals to respect (GPC, DNT, or both)
    • Set blocking behavior when signals are detected

Step 5: Test Your Configuration

  1. Test GPC Signal

    • Use browser extensions that send GPC signals
    • Check that cookies/scripts are blocked appropriately
    • Verify consent banner shows correct state
  2. Test DNT Signal

    • Enable DNT in browser settings
    • Visit your site and check behavior
    • Verify tracking is properly blocked
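
One way to automate the check in this step, as an added example that is not part of the original page or of OneTrust's tooling: it parses the OptanonConsent cookie that OneTrust writes and reports any non-essential group still marked active while GPC is recorded. The sample cookies are constructed, the function names are hypothetical, and the group IDs (C0001 for strictly necessary, and so on) are the common OneTrust defaults, assumed here; substitute your own category IDs.

```javascript
// Constructed sample Cookie headers (not captured from a real site).
const SAMPLE_OK =
  'OptanonConsent=isGpcEnabled=1&version=0.0.0&groups=C0001%3A1%2CC0002%3A0%2CC0003%3A0%2CC0004%3A0';
const SAMPLE_LEAK =
  'sid=abc; OptanonConsent=isGpcEnabled=1&groups=C0001%3A1%2CC0002%3A1%2CC0004%3A1';

// Extract the GPC flag and per-group consent state from a Cookie header.
function parseOptanonConsent(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== 'OptanonConsent') continue;
    // The cookie value is itself a URL-encoded key=value&key=value string.
    const params = new URLSearchParams(part.slice(eq + 1).trim());
    const groups = {};
    for (const entry of (params.get('groups') || '').split(',')) {
      const [id, state] = entry.split(':');
      if (id) groups[id.trim()] = state === '1';
    }
    return { gpcFlag: params.get('isGpcEnabled') === '1', groups };
  }
  return null;
}

// Report whether GPC is recorded and only necessary groups remain active.
// 'necessary' lists the group IDs allowed to stay on (assumed default: C0001).
function auditGpc(cookieHeader, necessary = ['C0001']) {
  const parsed = parseOptanonConsent(cookieHeader);
  if (!parsed) return { ok: false, reason: 'no OptanonConsent cookie', active: [] };
  const active = Object.keys(parsed.groups)
    .filter(id => parsed.groups[id] && !necessary.includes(id));
  if (!parsed.gpcFlag) return { ok: false, reason: 'GPC not recorded', active };
  if (active.length > 0) {
    return { ok: false, reason: 'non-essential groups active under GPC', active };
  }
  return { ok: true, reason: 'enforced', active };
}
```

In a browser with a GPC extension enabled, pass document.cookie to auditGpc from the developer console after the page has finished loading.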

Advanced Configuration Options

Custom GPC Response Logic

    // Example: Custom GPC handling in OneTrust
    if (navigator.globalPrivacyControl) {
      // GPC is enabled
      OneTrust.SetGPCStatus(true);
      // Apply category-specific blocking
      OneTrust.BlockCategory('analytics');
      OneTrust.BlockCategory('marketing');
    }

DNT Signal Processing

    // Example: DNT signal handling
    if (navigator.doNotTrack === "1" ||
        navigator.doNotTrack === "yes" ||
        window.doNotTrack === "1") {
      // DNT is enabled
      OneTrust.SetDNTStatus(true);
      // Apply enhanced privacy settings
      OneTrust.EnhancePrivacyMode();
    }

Category-Specific Overrides

    // Example: Category-specific privacy signal handling
    const categorySettings = {
      'analytics': {
        gpc: 'block',
        dnt: 'block',
        fallback: 'ask'
      },
      'marketing': {
        gpc: 'block',
        dnt: 'block',
        fallback: 'block'
      },
      'functionality': {
        gpc: 'ask',
        dnt: 'ask',
        fallback: 'allow'
      }
    };
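
The table above declares actions but not how they are evaluated. The following added example (not OneTrust's API and not code from the original page) resolves each category's action from the GPC and DNT signals, read either from a navigator-like object or from the Sec-GPC and DNT request headers. The function names and the precedence rule (strictest applicable action wins, unknown values fail closed) are assumptions.

```javascript
// Added example. Table values copied from the page; evaluation rules are assumptions.
const categorySettings = {
  analytics:     { gpc: 'block', dnt: 'block', fallback: 'ask' },
  marketing:     { gpc: 'block', dnt: 'block', fallback: 'block' },
  functionality: { gpc: 'ask',   dnt: 'ask',   fallback: 'allow' }
};

// Higher rank = more restrictive.
const RANK = { allow: 0, ask: 1, block: 2 };
const known = a => Object.prototype.hasOwnProperty.call(RANK, a);

// Collect signals from a navigator-like object and/or HTTP request headers.
function readSignals(nav = {}, headers = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const isOn = v => v === '1' || v === 'yes';
  return {
    gpc: nav.globalPrivacyControl === true || h['sec-gpc'] === '1',
    dnt: isOn(nav.doNotTrack) || isOn(h['dnt'])
  };
}

// Assumed rule: apply every signal that is present and keep the strictest
// action; use 'fallback' only when no signal is present. Unknown or missing
// actions fail closed to 'block'.
function resolveCategories(signals, settings = categorySettings) {
  const result = {};
  for (const [name, rule] of Object.entries(settings)) {
    const candidates = [];
    if (signals.gpc) candidates.push(rule.gpc);
    if (signals.dnt) candidates.push(rule.dnt);
    if (candidates.length === 0) candidates.push(rule.fallback);
    result[name] = candidates
      .map(a => (known(a) ? a : 'block'))
      .reduce((x, y) => (RANK[y] > RANK[x] ? y : x));
  }
  return result;
}
```

On the server, pass the incoming request headers as the second argument to readSignals so the decision does not depend on client-side script running.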

Verification Checklist

GPC Configuration

  • GPC signal processing is enabled
  • Each category has GPC settings configured
  • GPC signals override user consent when appropriate
  • Scripts respect GPC signals
  • Consent banner reflects GPC status

DNT Configuration

  • DNT signal processing is enabled
  • Each category has DNT settings configured
  • DNT signals are properly respected
  • Enhanced privacy mode is available
  • Tracking is blocked when DNT is enabled

Category-Level Settings

  • Necessary category allows required cookies/scripts
  • Analytics category blocks when signals detected
  • Marketing category blocks when signals detected
  • Functionality category has appropriate settings
  • Personalization category respects signals

Common Issues and Solutions

Issue 1: GPC Signals Not Being Detected

Cause: Browser doesn't support GPC or signal not being sent

Solution:

  • Test with GPC-enabled browsers (Chrome 90+, Firefox 89+)
  • Use GPC browser extensions for testing
  • Verify OneTrust GPC detection is working

Issue 2: DNT Not Working in Modern Browsers

Cause: Many browsers have deprecated DNT support

Solution:

  • Focus on GPC as primary signal
  • Use DNT as fallback for older browsers
  • Implement custom privacy preference detection

Issue 3: Categories Still Loading Despite Signals

Cause: Category-level settings not properly configured

Solution:

  • Double-check each category's privacy signal settings
  • Ensure "Respect GPC Signal" is enabled for each category
  • Verify blocking rules are set to "Block" when signals detected

Issue 4: Scripts Ignoring Privacy Signals

Cause: Script blocking rules not configured

Solution:

  • Configure each script to respect privacy signals
  • Set appropriate blocking behavior
  • Test with browser developer tools

Testing Your Implementation

1. Browser Testing

  • Test in Chrome, Firefox, Safari, Edge
  • Use incognito/private mode
  • Test with privacy-focused browsers (Brave, Firefox Focus)

2. Signal Testing

  • Use GPC browser extensions
  • Enable/disable DNT in browser settings
  • Test with multiple signal combinations

3. Category Verification

  • Check each cookie category behavior
  • Verify scripts are properly blocked
  • Confirm consent banner shows correct state
  • Verify GPC signals are treated as opt-out requests
  • Check that DNT signals are respected
  • Ensure proper documentation of signal handling

Best Practices

1. Default to Privacy-First

  • Set GPC/DNT actions to "Block" by default
  • Only allow necessary cookies/scripts when signals detected
  • Provide clear opt-in mechanisms for enhanced functionality

2. Consistent Category Handling

  • Apply the same privacy signal logic across similar categories
  • Document your signal handling approach
  • Train your team on privacy signal requirements

3. Regular Testing

  • Test privacy signal handling monthly
  • Verify compliance with new browser versions
  • Monitor for changes in privacy signal standards

4. User Communication

  • Explain how privacy signals affect user experience
  • Provide clear information about signal handling
  • Offer alternative ways to manage privacy preferences

Monitoring and Maintenance

1. Signal Detection Monitoring

  • Track how often GPC/DNT signals are received
  • Monitor signal processing success rates
  • Alert on signal handling failures

2. Compliance Auditing

  • Regular reviews of privacy signal handling
  • Verify compliance with applicable laws
  • Update configurations as regulations change

3. Performance Impact

  • Monitor impact of privacy signal processing
  • Optimize signal handling for performance
  • Balance privacy with user experience

Remember: Simply showing a consent banner is not enough. You must explicitly configure OneTrust to respect GPC and DNT signals at the category level for these privacy controls to be properly enforced on your website.