Privacy policy clauses for OneTrust
OneTrust is an enterprise consent and privacy management platform that enables websites to collect, manage, and document user consent for cookies and data processing activities. Websites use OneTrust to demonstrate legal compliance with privacy regulations like GDPR and CCPA by providing transparent consent mechanisms and maintaining audit trails of user preferences.
When does OneTrust trigger privacy obligations?
Installation triggers immediate obligations
The moment OneTrust's consent management platform (CMP) is deployed on your site or app, you are collecting and processing consent records—data that itself requires lawful basis and transparent handling. OneTrust typically loads a banner that captures user choices and stores consent state in local storage or cookies; this data collection activity is *itself* subject to GDPR Article 6 (lawful basis) and ePrivacy Directive Article 5(3) (prior consent for non-essential cookies).
Which regulations apply
GDPR (EU/EEA users): Applies if you have any visitor from the EU, UK, or EEA. OneTrust's deployment means you must comply with Articles 6 (lawful basis), 7 (valid consent), 13/14 (transparency), and 12 (plain language).
CCPA (California): If your site is accessible to California residents and you collect personal information, CCPA Section 1798.100 (right to know) and 1798.120 (right to delete) apply. OneTrust consent logs are personal information and must be deletable.
ePrivacy Directive (EU): Article 5(3) explicitly requires prior informed consent for cookies or tracking—the *exact* use case for OneTrust.
First concrete step
Before publishing OneTrust: map every cookie, pixel, and SDK that will fire on your domain and assign each to a consent category (essential, analytics, marketing, etc.). Document the legal basis for each category in plain language. If you cannot justify non-essential collection without consent, do not load those scripts until consent is confirmed.
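The gating step described above, as an added example (not OneTrust's code or this page's own): it reads a consent cookie value, then decides which inventoried scripts may load and which entries were never assigned a category. It assumes a query-string-style cookie value with a `groups=ID:flag,...` field, as OneTrust's `OptanonConsent` cookie uses; the group-ID mapping, tracker names, and URLs are constructed assumptions.

```javascript
// Constructed inventory: every cookie, pixel, and SDK mapped to a consent category.
const INVENTORY = [
  { name: "session", category: "essential" },
  { name: "analytics-sdk", src: "https://analytics.example/sdk.js", category: "analytics" },
  { name: "ads-pixel", src: "https://ads.example/pixel.js", category: "marketing" },
  { name: "chat-widget", src: "https://chat.example/widget.js", category: null }, // never mapped
];

// Assumption: group IDs as they appear in the consent cookie.
// Confirm them against your own CMP configuration before relying on this mapping.
const GROUP_TO_CATEGORY = new Map([
  ["C0001", "essential"],
  ["C0002", "analytics"],
  ["C0004", "marketing"],
]);

// Returns the set of granted categories. Fails closed: a missing cookie,
// a missing "groups" field, or an unknown group ID grants nothing extra.
function parseConsent(cookieValue) {
  const granted = new Set(["essential"]);
  const groups = new URLSearchParams(cookieValue || "").get("groups") || "";
  for (const pair of groups.split(",")) {
    const [id, flag] = pair.split(":");
    const category = GROUP_TO_CATEGORY.get(id);
    if (category && flag === "1") granted.add(category);
  }
  return granted;
}

// Sorts the inventory into what may load now, what must wait for consent,
// and what has no category at all (blocked and reported as an inventory gap).
function planLoad(inventory, granted) {
  const plan = { load: [], blocked: [], unmapped: [] };
  for (const item of inventory) {
    if (!item.category) plan.unmapped.push(item.name);
    else if (granted.has(item.category)) plan.load.push(item.name);
    else plan.blocked.push(item.name);
  }
  return plan;
}

// Constructed cookie value: analytics granted, marketing refused.
const SAMPLE = "datestamp=constructed&groups=C0001%3A1%2CC0002%3A1%2CC0004%3A0";
console.log(planLoad(INVENTORY, parseConsent(SAMPLE)));
```

Anything listed under `unmapped` is a script that would fire without a documented legal basis, so treat a non-empty list as a release blocker.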
