Sitecore – Implementing tracking consent in Sitecore 10+ with OneTrust

Within Sitecore 10+, a lot has changed in regards to tracking consent and being GDPR compliant. Sitecore 10 introduced default functionality out of the box, which you can use to configure explicit consent for tracking as is shown in the documentation.

To make sure a contact isn’t tracked unless he gives his consent, all you have to do is to set the option explicitConsentForTrackingIsRequired to true on your website. You can do this trough a patch file, or when using SXA, you can configure this within your Site Grouping.

As soon as this setting is set to true, a contact isn’t tracked anymore. No analytics data is stored for this contact, unless we tell Sitecore explicitly to do so.

Giving explicit consent

All you have to do to give consent, is to use the GiveConsent method on the IConsentManager service which is configured by default within Sitecore. This will result in a cookie being set which stores the consent for the given website.

To easily integrate this with for example OneTrust, i’ve taken the following route:

  • Create a controller endpoint that uses the IConsentManager to explicity set the consent for the current contact.
  • Call the controller endpoint automatically trough javascript if the proper consent is given trough OneTrust.

The Sitecore part

The code examples below are required to register the controller within Sitecore, to configure the route and of course to implement a controller that uses the IConsentManager interface.

Controller

using System.Web.Mvc;
using Sitecore.Analytics.Tracking.Consent;

namespace Example
{
    public class TrackingConsentController : Controller
    {
        private readonly IConsentManager _consentManager;

        public TrackingConsentController(IConsentManager consentManager)
        {
            _consentManager = consentManager;
        }

        public ActionResult GiveConsent()
        {
            _consentManager.GiveConsent(null);
            return new EmptyResult();
        }
    }
}

Register routes pipeline processor

using System.Web.Mvc;
using System.Web.Routing;
using Sitecore.Pipelines;

namespace Example
{
    public class RegisterRoutes
    {
        public void Process(PipelineArgs args)
        {
            RouteTable.Routes.MapRoute(
                "TrackingConsent",
                "api/TrackingConsent/{action}",
                new { controller = "TrackingConsent" },
                new[] { "Example" }
            );
        }
    }
}

Dependency registration

using Microsoft.Extensions.DependencyInjection;
using Sitecore.DependencyInjection;

namespace Example
{
    public class RegisterDependencies : IServicesConfigurator
    {
        public void Configure(IServiceCollection serviceCollection)
        {
            serviceCollection.AddTransient<TrackingConsentController>();
        }
    }
}

Configuration file

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:set="http://www.sitecore.net/xmlconfig/set/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore>
    <pipelines>
      <initialize>
        <processor type="Example.RegisterRoutes, Example"
                   patch:after="processor[@type='Sitecore.Pipelines.Loader.EnsureAnonymousUsers, Sitecore.Kernel']"/>
      </initialize>
    </pipelines>
    <services>
      <configurator type="Example.RegisterDependencies, Example" />
    </services>
  </sitecore>
</configuration>

The frontend part

When using OneTrust, you can easily configure a script to be only loaded if a visitor has given consent for a specific category. All we have to do is add a script to the page with type text/plain and a specific class to reflect the category we require, for example optanon-category-C0002 which in our case is “Performance cookies”.

<script type="text/plain" class="optanon-category-C0002">
    if(document.cookie.indexOf('SC_TRACKING_CONSENT') == -1)
    {
        fetch("/api/trackingconsent/giveconsent");
    }
</script>

The script above isn’t executed before the user gives consent trough OneTrust. OneTrust then changes the script type from text/plain to text/javascript which then is being executed by your browser. The script then checks if there’s already a cookie named SC_TRACKING_CONSENT, because if that cookie exists, the visitor already gave consent.

If no cookie exists, it calls the newly created controller, which then invokes the IConsentManager to give consent after which the visitor is being tracked.

4 Replies to “Sitecore – Implementing tracking consent in Sitecore 10+ with OneTrust”

  1. Hi,

    Your blog seems helpful but can you please confirm why did you pass null value into _consentManager.GiveConsent(null);

    1. Hi,

      The GiveConsent method has one argument which takes a KnownContactIdentifier. When a identifier is passed into this method, it calls the ContactIdentificationManager.IdentityAs method.
      Because we don’t know who the contact is yet, we pass null to the GiveConsent method.

  2. This works for me but can you please suggest how to revoke consent if the cookie category C0002 is rejected because if the cookie category is rejected, the script is rendered a splain text.

    1. If the consent is revoked, the cookies are automatically being removed by OneTrust (if you’ve categorized them correctly). The script is rendered as text/plain, and isn’t executed by the browser anymore, which means that a new tracking cookie won’t be set.

Leave a Reply

Your email address will not be published. Required fields are marked *