OneTrust Consent Management for Web

Integrate the RudderStack JavaScript SDK with the OneTrust SDK.

The JavaScript SDK seamlessly integrates with the OneTrust SDK. It lets you map the OneTrust cookie/consent groups to RudderStack’s consent purposes. RudderStack, in turn, uses this consent information to enable/disable tracking and sending the data.

How the OneTrust-JavaScript SDK integration works

Whenever a user starts browsing a website, OneTrust pops up a modal to take consent from the user. This modal contains a list of cookie groups representing the GDPR consent purposes that the user needs to decline or accept.

The JavaScript SDK fetches these consented groups and the destination (OneTrust category) mappings specified in the RudderStack dashboard. Depending on these settings, the SDK filters the destinations.

Setting up the integration

The following sections highlight the steps to set up the JavaScript SDK integration with OneTrust.


You must have a OneTrust account with a subscription to their Cookie Consent product.

Step 1: Configuring OneTrust

Follow these steps to configure OneTrust for your website/web app:

  1. Navigate to Websites > Add Websites.
  2. Enter your top-level website URL to scan and click Start Scan.
  3. Go to the Categorizations tab and define the new categories or modify the existing ones, as required.
The categories should be associated with/attached to at least one cookie to be displayed in your RudderStack dashboard’s OneTrust modal.
  1. Go to the Scripts tab, select the domain to be published and click Publish to publish the script.

You need to enable OneTrust for your JavaScript source. To do so, specify the consent category IDs defined in OneTrust (Step 1) for each destination connected to that source.

OneTrust category ID in consent settings

Step 3: Setting up your website

  1. Load the OneTrust script that you published in your web app in Step 1:
<!-- OneTrust Cookies Consent Notice start for -->
        data-domain-script="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" >
<script type="text/javascript">
        // Required OneTrust callback
        function OptanonWrapper() { }
<!-- OneTrust Cookies Consent Notice end for -->
You must first load the OneTrust script and then load the JavaScript SDK only if the user provides their consent. This is because the SDK determines whether to send events to a destination based on the user’s consent. If a user denies consent in OneTrust, then Rudderstack does not load the destination SDKs or send any events to them.
  1. One way to load the JavaScript SDK after the user provides the consent is to modify the OptanonWrapper() callback function provided by OneTrust. You also need to add the consentManagement option in the load() call and set provider as oneTrust:

Replace the write keyThe write key (or source write key) is a unique identifier for your source. RudderStack uses this key to send events from a source to the specified destination. and data plane URLThe data plane URL is the location where events are routed and sent to the RudderStack backend for processing. You can find this URL in the home page of your RudderStack dashboard. in the snippet with their actual values.

For JavaScript SDK v3, the load option for configuring consent management has changed. See Breaking Changes for more information.

If a user updates the consent settings, you must refresh the web page for the changes to take effect in the SDK.

Once completed, RudderStack reads the consented categories and filters the destinations accordingly.

Additional settings for cloud mode

You can specify your OneTrust cookie categories when sending events from your JavaScript source via the cloud mode. Follow these steps:

  1. Set up your JavaScript source in the RudderStack dashboard.
  2. Connect it to a new or existing destination.
  3. In the destination’s connection settings, enter the OneTrust category ID in the Category ID field:
OneTrust category ID in consent settings

When sending events via cloud mode, make sure you enter the category ID corresponding to the OneTrust cookie category. Specifying the category name will not work.

You can find the category IDs in your OneTrust dashboard under Preference & Consent Management > Cookie Compliance > Categorizations > Categories.


What happens if the JavaScript SDK is loaded before the OneTrust modal is closed?

In this case, the JavaScript SDK will not be able to capture the user consent. Hence, it will load all the connected destinations and all the events will flow through to them.

If you are using a consent manager other than OneTrust, you can configure the cookie categories to show on your website whenever a user visits.

Next, you need to create an internal mapping between these cookie categories and the destinations configured in RudderStack. For example:

  • Analytical cookie: Amplitude, Google Analytics
  • Targeting cookie: Bing Ads, Google Ads
  • Marketing cookie: Braze, Mailchimp,

When the user provides consent, you should fetch the consent (via the API or SDK provided by your consent manager) and filter the destinations depending on the consent. Once you have the list of destinations for which the user has provided consent, you can load the JavaScript SDK only for those destinations.

For example, if a user has provided consent for an analytical cookie, then you can load the JavaScript SDK as shown:

   integrations: {
       All: false,
       "Amplitude": true,
       "Google Analytics": true
       // only provide the destinations the user has provide consent for
   // pass other initialization options

Questions? Contact us by email or on Slack