Young man in sleepwear suffering from headache in morning
|

Implementing Consent Mode V2 with OneTrust CookiePro

Here is the official documentation not behind a password wall. https://my.onetrust.com/s/article/UUID-d81787f6-685c-2262-36c3-5f1f3369e2a7?language=en_US&topicId=0TO1Q000000ItVuWAK

The recent introduction of Consent Mode V2 marks a significant step forward in how companies manage user consent and privacy. In this blog post, I will explain what Consent Mode V2 is, why it's important, and how to implement it with OneTrust CookiePro. Most other tutorials I have seen use Cookiebot which is my CMP of choice but you have to work with what your clients have and many have Cookie Pro.

What is Consent Mode V2?

Consent Mode V2 is an update to Google's framework designed to help websites manage user consent for analytics and advertising cookies. This enhanced version provides more granular control over cookie settings, allowing businesses to respect user consent while still gathering valuable insights. Its from the EU but the UK still has adopted it too, so despite Brexit, its all the same. You can read more about the Digital Markets Act Here.

Why is Consent Mode V2 Important?

The importance of Consent Mode V2 lies in its ability to share with Google the consent status of different tags. If you do not have the right permissions, Google cannot use certain signals in Ads, so your campaigns will not be as effective. PMax relies on various signals and will be hampered if this is not implemented.

Google have also confirmed account suspension is a possibility if you do not have the correct consent settings. Its not likely it will affect you though as Google has a team of people who can implement consent mode V2 and if you spend a lot, they'll fix it you for free.

Implementing Consent Mode V2 with OneTrust CookiePro

Implementing Consent Mode V2 with OneTrust CookiePro involves several steps. They are roughly the same for all CMPs.

Step 1: Update Your OneTrust CookiePro Settings

First, ensure your OneTrust CookiePro is displaying the right framework. It has to be the TCF2.2 framework, not the GDPR template. You can view the page here

Thanks to Sandeep in the comments. You can still use the GDPR one if you are only tracking. The IAB TCF 2.2 is for Ad serving.

Step 2: Get the Script – Make sure its not blocking

Get your script and make sure its not set to autoblock everything. You need to let Tag Manager fire and cookiepro sort out the consent with consent mode. Autoblocking everything is bad practice as GTM can be used to place non tracking scripts.

Step 3: Integrate the scripts on your site

There are 3 scripts you need to place on your site. First is the default consent status.

This might be redundant as stated in the comments “When using CMP Template; there is no need to use the ‘set default' script as the template will have a section to set defaults from the view.” I don't see any harm in setting it anyway.

<script> 
  // Define dataLayer and the gtag function. 
  window.dataLayer = window.dataLayer || []; 
  function gtag(){dataLayer.push(arguments);} 
 
  // Default ad_storage to 'denied'. 
  gtag('consent', 'default', { 
        ad_storage: "denied", 
        analytics_storage: "denied", 
        functionality_storage: "denied", 
        personalization_storage: "denied", 
        security_storage: "denied",  
        ad_user_data: “denied”,
        ad_personalization: “denied”, 
'wait_for_update': 500 
 
  }); 
</script> 

This sets everything to denied. Then you place GTM and Cookie Pro in any order after.

If you are using WordPress I would recommend using something like wpcode to manage the tags. If you hardcode the tags in, you are asking for trouble. Its best practice to separate the logic from the presentation. Hardcoding things in to header.php will cause issues if you ever upgrade and forget to update or some plugins rewrite header.php for various reasons.

If you have it in a plugin, everyone knows where it is and if anyone changes the theme, it will still work.

Step 4: Enable options in GTM

You need to install the OneTrust CMP integration. Just look in the community gallery and install it

Fill in your details and get it to fire on consent initialisation. I set the src URL to cookie-cdn-cookiepro.com. Check you have the right one for your site. It didn't work for me when selecting a different source.

You have go to admin –> container settings and enable consent mode.

Step 5: Set up triggers

For Google Tags, they don't need anything special. You can use Page View, DOM Ready, Window Loaded, etc. Thats assuming you want to send cookieless pings. If you want to use basic mode, then you need to fire it like any other tag and require the additional consent. Basic mode is harder to implement than advanced mode!

For other tags, you need to create a custom event called, OneTrustGroupsUpdated and use that to trigger your non-Google tags. You also need to set the required permissions, eg, ads_storage or analytics_storage.

If you have an existing installation, you can get rid of all the checking for C0002 and just use the additional consent needed section.

Step 6: Test and Publish

You can test in preview mode and see the tags firing at the right points. The only tricky thing is on first view in advanced mode. You will see a cookieless ping and then when you accept cookies nothing appears to happen. It took me ages to work out but the CMP just deals with that. You don't need to do anything clever like check for if a cookieless ping has been sent and then send the real tag later.

Conclusion

Implementing Consent Mode V2 with OneTrust CookiePro is tricky. I am almost certain this is correct but I've seen so many people get it wrong, that I can't be sure I am right.

You can check in your GA4 in the stream settings.

This content is probably best as a video, so I will record one. Let me know in the comments if you have any questions or if you think I have it wrong. I also offer a 15 minute free consultation, so you can just ask me any questions about this.

Similar Posts

12 Comments

  1. Hi there!

    Mine said: ”A tag read consent state before a default was set”, I set codes in wordpress and onetrust in TGM. Can you help me to solve this? Thanks!

    1. Try updating the default settings script to not delay. An earlier version of my script had a 500 second delay in it.

  2. Sounds like you didn’t set the default consent on the site. Did you set everything to denied at the top of the page?

    Feel free to book a call and I’ll go through it.

  3. Hi, thanks for the tutorial! I was not able to find any such on the CookiePro website 🙁

    But it seems the tutorial describes just setting up new templates.
    Do you know any way to migrate an existing template based on the GDPR template? Or do I have to discard the old template and create a new one from scratch?

  4. Hi Jan

    I don’t know. I would just set up a new template based on the TCF2.2. You can raise a ticket with cookiepro maybe and ask them.

  5. Hi Ben,

    Just a quick update on the above article,

    1) you can use the GDPR template with the GCM V2.

    2) When using CMP template, we do not need to set the defaults as the template has default setting. Thanks

  6. I can see 2 problem in the above steps:

    – GDPR template can be used normally in this setup.
    – TCF 2.2 template is only concerned with ad serving and for domains which do not serve ads they can use a GDRP template.
    – When using CMP Template; there is no need to use the ‘set default’ script as the template will have a section to set defaults from the view.

  7. If you don’t have autoblocking enabled, how do you stop non-essential cookies being created before consent has been given?

    Without autoblocking there will a ton of cookies being set outside of tag manager on most sites, such as from CMS, third party scripts, social media embedded content etc.

    1. Put everything in gtm. Hard coding scripts on the site is difficult to manage and can slow your site down.

      If you cannot do that, there are tags you can use to tell the tags to wait for consent

  8. If you have the hard coded ‘set default’ script AND CookiePro is doing it, is there a risk it doesn’t switch to ‘granted’ when the user accepts cookies in the cookie bar as we’re setting it twice?

Leave a Reply

Your email address will not be published. Required fields are marked *