OneTrust and Tealium Tag Manager Integration
Table of Contents
- Problem Description
- Common Causes
- Step-by-Step Configuration
- Common Configuration Issues
- Advanced Configuration
- Troubleshooting Checklist
- Testing Your Setup
- Still Having Issues?
- Related Documentation
Problem Description
Tealium Tag Manager is supposed to respect OneTrust consent preferences, but tags are firing regardless of user consent choices. Analytics, marketing, and other tracking scripts are running even when users haven't given permission.
Common Causes
1. OneTrust Not Set for Automatic Blocking
OneTrust is configured to only show the banner without actually blocking scripts.
2. Tealium Consent API Not Configured
Tealium Tag Manager isn't properly configured to use OneTrust consent signals.
3. Missing Consent Integration
The connection between OneTrust and Tealium isn't properly established.
4. Incorrect Load Rules Configuration
Tealium load rules aren't set up to check consent status before firing tags.
Step-by-Step Configuration
Step 1: Verify OneTrust Automatic Blocking
-
Navigate to OneTrust Admin Panel
- Go to
Admin→Data Governance→Cookie Compliance - Or use:
https://yourcompany.onetrust.com/app/admin/
- Go to
-
Check Script Blocking Settings
- Go to
Scripts→Script Management - Verify that "Automatic Script Blocking" is enabled
- Check that scripts are properly categorized
- Go to
-
Verify Cookie Categories
- Go to
Cookies→Cookie Inventory - Ensure cookies are assigned to correct categories
- Verify blocking rules are set for each category
- Go to
Step 2: Configure Tealium Consent API
-
Enable Consent API in Tealium
- In Tealium iQ, go to
Settings→Consent Management - Enable "Consent API"
- Configure consent categories to match OneTrust categories
- In Tealium iQ, go to
-
Set Up Consent Categories
- Map Tealium consent categories to OneTrust categories:
analytics→ OneTrust Analytics category (C0002)advertising→ OneTrust Marketing category (C0004)functionality→ OneTrust Functionality category (C0003)personalization→ OneTrust Personalization category (C0005)
- Map Tealium consent categories to OneTrust categories:
Step 3: Set Up OneTrust-Tealium Integration
-
Create OneTrust Consent Extension
Create a Tealium extension that reads OneTrust consent status:
// Tealium Extension: OneTrust Consent Reader
(function() {
var extension = {
name: 'OneTrust Consent Reader',
version: '1.0.0',
init: function() {
// Wait for OneTrust to load
this.checkOneTrust();
},
checkOneTrust: function() {
if (typeof OneTrust !== 'undefined' && typeof OnetrustActiveGroups !== 'undefined') {
this.updatealiumConsent();
} else {
// Retry after a short delay
setTimeout(function() {
this.checkOneTrust();
}.bind(this), 100);
}
},
updatealiumConsent: function() {
// Map OneTrust categories to Tealium consent
var consent = {
analytics: OnetrustActiveGroups.includes('C0002'),
advertising: OnetrustActiveGroups.includes('C0004'),
functionality: OnetrustActiveGroups.includes('C0003'),
personalization: OnetrustActiveGroups.includes('C0005')
};
// Update Tealium consent API
if (typeof utag !== 'undefined' && utag.consent) {
utag.consent.set(consent);
}
}
};
return extension;
})();
-
Create OneTrust Consent Event Listener
Add this code to listen for OneTrust consent changes:
// Listen for OneTrust consent changes
function updatealiumConsent() {
if (typeof OneTrust === 'undefined' || typeof OnetrustActiveGroups === 'undefined') {
return;
}
// Map OneTrust categories to Tealium consent
var consent = {
analytics: OnetrustActiveGroups.includes('C0002'),
advertising: OnetrustActiveGroups.includes('C0004'),
functionality: OnetrustActiveGroups.includes('C0003'),
personalization: OnetrustActiveGroups.includes('C0005')
};
// Update Tealium consent
if (typeof utag !== 'undefined' && utag.consent) {
utag.consent.set(consent);
}
}
// Listen for OneTrust consent updates
document.addEventListener('OneTrustGroupsUpdated', updatealiumConsent);
// Initial consent check when page loads
if (document.readyState === 'loading') {
document.addEventListener('DOMContentLoaded', updatealiumConsent);
} else {
updatealiumConsent();
}
Step 4: Configure Tealium Load Rules
-
Create Consent-Based Load Rules
In Tealium iQ, create load rules that check consent status:
For Analytics Tags:
- Go to
Tags→ Select your analytics tag - In "Load Rules", add condition:
utag.consent.get('analytics') === true
For Marketing Tags:
- Go to
Tags→ Select your marketing tag - In "Load Rules", add condition:
utag.consent.get('advertising') === true
For Functionality Tags:
- Go to
Tags→ Select your functionality tag - In "Load Rules", add condition:
utag.consent.get('functionality') === true
- Go to
-
Set Default Consent State
Configure Tealium to default to "denied" consent:
// Set default consent to denied
if (typeof utag !== 'undefined' && utag.consent) {
utag.consent.set({
analytics: false,
advertising: false,
functionality: false,
personalization: false
});
}
Step 5: Handle Global Privacy Control (GPC)
-
Check for GPC Signal
Add GPC signal detection to your consent logic:
function checkGPCAndUpdateConsent() {
// Check for Global Privacy Control signal
var gpcEnabled = navigator.globalPrivacyControl === true;
if (gpcEnabled) {
// GPC signal detected - deny all non-necessary consent
if (typeof utag !== 'undefined' && utag.consent) {
utag.consent.set({
analytics: false,
advertising: false,
functionality: false,
personalization: false
});
}
return;
}
// No GPC signal - check OneTrust consent
updatealiumConsent();
}
// Check GPC on page load
checkGPCAndUpdateConsent();
// Listen for GPC changes (if supported)
if (navigator.globalPrivacyControl !== undefined) {
Object.defineProperty(navigator, 'globalPrivacyControl', {
get: function() {
return this._gpc || false;
},
set: function(value) {
this._gpc = value;
checkGPCAndUpdateConsent();
},
configurable: true
});
}
Step 6: Configure Tealium Container Load Order
-
Ensure Proper Script Load Order
Load OneTrust before Tealium:
<!-- Load OneTrust first -->
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"
data-domain-script="your-domain-script-id"
type="text/javascript"
charset="UTF-8"></script>
<!-- Then load Tealium -->
<script type="text/javascript">
(function(a,b,c,d){
a='//tags.tiqcdn.com/utag/your-account/your-profile/your-environment/utag.js';
b=document;c='script';d=b.createElement(c);d.src=a;
d.type='text/javascript';d.async=true;
a=b.getElementsByTagName(c)[0];a.parentNode.insertBefore(d,a);
})();
</script>
<!-- OneTrust-Tealium integration script -->
<script type="text/javascript">
// OneTrust-Tealium integration code (from Step 3)
function updatealiumConsent() {
if (typeof OneTrust === 'undefined' || typeof OnetrustActiveGroups === 'undefined') {
return;
}
var consent = {
analytics: OnetrustActiveGroups.includes('C0002'),
advertising: OnetrustActiveGroups.includes('C0004'),
functionality: OnetrustActiveGroups.includes('C0003'),
personalization: OnetrustActiveGroups.includes('C0005')
};
if (typeof utag !== 'undefined' && utag.consent) {
utag.consent.set(consent);
}
}
document.addEventListener('OneTrustGroupsUpdated', updatealiumConsent);
if (document.readyState === 'loading') {
document.addEventListener('DOMContentLoaded', updatealiumConsent);
} else {
updatealiumConsent();
}
</script>
Step 7: Test the Integration
-
Browser Console Verification
Open DevTools → Console and verify consent status:
// Check OneTrust consent
console.log('OneTrust Active Groups:', OnetrustActiveGroups);
// Check Tealium consent
console.log('Tealium Analytics Consent:', utag.consent.get('analytics'));
console.log('Tealium Advertising Consent:', utag.consent.get('advertising'));
-
Network Tab Testing
- Clear browser data and refresh
- Verify no tracking requests fire initially
- Accept consent in OneTrust banner
- Verify tracking requests now fire
- Deny consent and refresh
- Ensure tracking requests remain blocked
Common Configuration Issues
Issue 1: Tags Still Firing Without Consent
Cause: Load rules not properly configured or consent API not initialized
Solution:
- Verify load rules check
utag.consent.get()before firing - Ensure consent is set to "denied" by default
- Check that OneTrust integration script runs before Tealium tags load
Issue 2: Consent State Not Updating
Cause: OneTrust events not properly connected to Tealium
Solution:
- Verify
OneTrustGroupsUpdatedevent listener is attached - Check that OneTrust script loads before Tealium
- Ensure
utag.consent.set()is called when consent changes
Issue 3: GPC Signal Not Respected
Cause: GPC detection not implemented or not checked before consent
Solution:
- Implement GPC signal detection before checking OneTrust consent
- Set Tealium consent to "denied" when GPC is detected
- Ensure GPC check happens on every page load
Issue 4: Tags Fire Before Consent Check
Cause: Tealium container loads before OneTrust consent is determined
Solution:
- Load OneTrust script before Tealium container
- Delay Tealium tag execution until consent is determined
- Use Tealium's consent API to block tags until consent is set
Advanced Configuration
Custom Consent Mapping
If your OneTrust categories don't match standard Tealium categories:
function mapOneTrustToTealiumConsent() {
if (typeof OneTrust === 'undefined' || typeof OnetrustActiveGroups === 'undefined') {
return {
analytics: false,
advertising: false,
functionality: false,
personalization: false
};
}
// Custom mapping based on your OneTrust configuration
return {
analytics: OnetrustActiveGroups.includes('C0002'), // Your analytics category ID
advertising: OnetrustActiveGroups.includes('C0004'), // Your marketing category ID
functionality: OnetrustActiveGroups.includes('C0003'), // Your functionality category ID
personalization: OnetrustActiveGroups.includes('C0005') // Your personalization category ID
};
}
// Update Tealium consent
var consent = mapOneTrustToTealiumConsent();
if (typeof utag !== 'undefined' && utag.consent) {
utag.consent.set(consent);
}
Consent State Persistence
Ensure consent state persists across page loads:
// Save consent state to localStorage
function saveConsentState(consent) {
try {
localStorage.setItem('tealium_consent', JSON.stringify(consent));
} catch (e) {
// Handle localStorage errors
}
}
// Load consent state from localStorage
function loadConsentState() {
try {
var saved = localStorage.getItem('tealium_consent');
if (saved) {
return JSON.parse(saved);
}
} catch (e) {
// Handle localStorage errors
}
return null;
}
// Update consent and save
function updateAndSaveConsent() {
var consent = mapOneTrustToTealiumConsent();
if (typeof utag !== 'undefined' && utag.consent) {
utag.consent.set(consent);
saveConsentState(consent);
}
}
Server-Side Consent Forwarding
If using Tealium's server-side capabilities, forward consent to server:
// Forward consent to Tealium server-side
function forwardConsentToServer(consent) {
if (typeof utag !== 'undefined' && utag.view) {
utag.view({
consent: consent,
event: 'consent_update'
});
}
}
// Update consent and forward to server
document.addEventListener('OneTrustGroupsUpdated', function() {
var consent = mapOneTrustToTealiumConsent();
updateAndSaveConsent();
forwardConsentToServer(consent);
});
Troubleshooting Checklist
- OneTrust automatic blocking is enabled
- Tealium Consent API is enabled
- OneTrust script loads before Tealium container
- OneTrust-Tealium integration script is present
-
OneTrustGroupsUpdatedevent listener is attached - Tealium load rules check consent status
- Default consent is set to "denied"
- GPC signal detection is implemented
- Consent state persists across page loads
- No JavaScript errors in console
Testing Your Setup
-
Clear Browser Data
- Clear cookies and local storage
- Refresh the page
-
Check Initial State
- Verify no tracking scripts load initially
- Check Tealium consent shows "denied" for all categories
- Verify OneTrust banner appears
-
Accept Consent
- Accept all cookies in OneTrust banner
- Verify Tealium consent updates to "granted" for accepted categories
- Verify tracking scripts now load properly
-
Deny Consent
- Deny cookies and refresh
- Ensure Tealium consent remains "denied"
- Ensure tracking scripts remain blocked
-
Test GPC Signal
- Enable GPC in browser (if supported)
- Verify Tealium consent automatically set to "denied"
- Verify tracking scripts remain blocked
Still Having Issues?
If the problem persists:
-
Check OneTrust Logs
- Look for consent events in OneTrust admin
- Verify script blocking is working
- Check category IDs match your configuration
-
Tealium Debug Mode
- Enable Tealium debug mode
- Check consent state in real-time
- Verify load rules are evaluating correctly
-
Browser Console Debugging
// Check OneTrust status
console.log('OneTrust loaded:', typeof OneTrust !== 'undefined');
console.log('Active Groups:', OnetrustActiveGroups);
// Check Tealium status
console.log('Tealium loaded:', typeof utag !== 'undefined');
console.log('Tealium consent API:', typeof utag.consent !== 'undefined');
console.log('Analytics consent:', utag.consent ? utag.consent.get('analytics') : 'N/A'); -
Browser Extensions
- Disable ad blockers and privacy extensions
- Test in incognito/private mode
- Try different browsers
Related Documentation
- OneTrust GTM Integration - Google Tag Manager integration
- OneTrust Privacy Signals - GPC and DNT signal handling
- OneTrust Custom Implementation - Advanced OneTrust API usage
- Common OneTrust Issues - Troubleshooting guide
- OneTrust Best Practices - Best practices for OneTrust