
VENDOR CODE PACKAGE

OneTrust Guide
VMware IT
Table of Contents
INTRODUCTION

WHY THIS CHANGE?

IMPACT ON THIRD PARTY SITES/MICROSITES

ONETRUST UX FOR VMWARE

IMPLEMENTATION INSTRUCTIONS

1. ADD THE FOLLOWING METATAGS IN THE HEAD
2. ADD JQUERY, DEMANDBASE LIB, UTAG.SYNC.JS & DATA LAYER IN THE PAGE SOURCE CODE
3. ADD A COOKIE SETTINGS BUTTON OR LINK IN THE PAGE
4. REMOVE EVIDON SITE NOTICE TAG & REFERENCES
5. ADD ONETRUST LOAD RULES TO TEALIUM TAGS & EXTENSIONS
6. HANDLE THIRD PARTY TRACKERS OUTSIDE THE TEALIUM TAG MANAGER WITH ONETRUSTCALLBACK

FINAL STEP THAT MUST BE DONE TO ACHIEVE FULL COMPLIANCE

SAMPLE URLS WHERE IMPLEMENTATION IS IN PLACE

HOW TO SET UP TESTING TOOLS

METHOD 1: IF THE SITE’S LOWER ENVIRONMENT (DEV, TEST, UAT, ETC.) IS NOT WITHIN THE VMWARE FIREWALL OR WHEN A SITE GOES LIVE WITH ONETRUST CHANGES
METHOD 2: IF THE SITE’S LOWER ENVIRONMENT (DEV, TEST, UAT, ETC.) IS WITHIN THE VMWARE FIREWALL
SCENARIO 1: NON-EU REGION
SCENARIO 2: EU REGION

TOOLS REQUIRED

FAQ AND TROUBLESHOOTING

WALKTHROUGH VIDEOS

DOCUMENT POINTS OF CONTACT

Introduction
VMware is revising cookie notification and consent management capability in order to remain compliant
with changing GDPR, ePrivacy and other relevant regulations that cover the compliance of cookie
processing and management. The new regulations require that we make the consent more granular and
categorized. In order to achieve this, we are moving from our current Cookie Consent Management tool
provided by Evidon to a new Cookie Consent Management tool provided by OneTrust.

Why this change?

• Evidon does not offer any grouping or categorization of cookies (consent must be given as all or nothing)

• We are missing details in the cookie policy describing what kind of cookies are being used and for what purposes

• We rely on an opt-out mechanism as opposed to an explicit opt-in

• We only allow opt-out for third-party cookies when we should have opt-in for every category of cookies

• Some of the cookies for Adobe Technologies are dropped (even for EU users) before consent is given

• We need to have increased governance on cookie-consent expiration

Impact on Third Party Sites/Microsites


All microsite owners must implement the OneTrust Code on their microsites and remove any existing
reference to Evidon code or other existing cookie consent solution.

OneTrust UX for VMware
Once you’ve followed the instructions in this guide, you will see the new OneTrust user experience
rendered on your site.

The experience for a site visitor from a NON-EU country will include only a cookie settings button on the
screen (or a text link in the footer if preferred). From the button, site visitors can get to the cookie
preference center to modify their cookie settings if they wish.

The experience for a site visitor from an EU country will include the full cookie banner on the screen.
From the banner, site visitors can get to the cookie preference center to modify their cookie settings if
they wish.

Implementation Instructions
The instructions below assume your site uses Tealium as its tag manager and Evidon as its cookie compliance manager.

1. Add the following Metatags in the head


Place the following Metatags in the <head> section of your site's HTML Mark Up right at the top:

Lower Environment:

<meta name="microsites-utag" content="https://tags.tiqcdn.com/utag/vmware/<tealium-profile-privacy>/qa/utag.js">

<meta name="microsites-at-utag" content="https://tags.tiqcdn.com/utag/vmware/<tealium-profile-privacy>/qa/utag.js">

<meta name="onetrust-data-domain" content="xxxxxxxxxxxxxxxx-test"> [make sure there are no blank spaces in this value]

Production:

<meta name="microsites-utag" content="https://tags.tiqcdn.com/utag/vmware/<tealium-profile-privacy>/prod/utag.js">

<meta name="microsites-at-utag" content="https://tags.tiqcdn.com/utag/vmware/<tealium-profile-privacy>/prod/utag.js">

<meta name="onetrust-data-domain" content="xxxxxxxxxxxxxxxx"> [make sure there are no blank spaces in this value]

Example:

<meta name="microsites-utag" content="https://tags.tiqcdn.com/utag/vmware/microsites-privacy/prod/utag.js">

<meta name="microsites-at-utag" content="https://tags.tiqcdn.com/utag/vmware/microsites-at-privacy/prod/utag.js">

<meta name="onetrust-data-domain" content="bcb7219b-ac9b-4a71-be52-df3059b378c0">

**How to identify the Tealium profile: the Tealium profile is "microsites" in the following example path:
https://tags.tiqcdn.com/utag/vmware/microsites/prod/utag.js

**Refer to the existing Tealium profile in your page source and append -privacy to it. E.g., if the Tealium profile is microsites, the new Tealium profile becomes microsites-privacy.

**xxxxxxxxxxxxx refers to the data-domain script value of the OneTrust Site Notice Tag. To get this value, please reach out to:

One Trust Help: OneTrustHelp@vmware.com (Internal VMware Users)

(For site owners/vendors outside VMware, you may Email your VMware business contact to ask them to
request this value through the internal DL above.)

2. Add jQuery, Demandbase Lib, utag.sync.js & Data Layer in the page source code
Please make sure the following scripts are the very first JavaScript inclusions on your page, in the <head> tag. Keep the order and priority of the scripts shown below to avoid any race conditions or dependency issues:

Lower Environment:

<script src="/<your-site-path>/jquery.min.js"></script> [ In case you have your own jquery version available ]

OR

<script src="https://www.vmware.com/content/dam/digitalmarketing/onetrust/assets/js/jquery-1.11.0.min.js"></script>

<script type="text/javascript" src="https://api.demandbase.com/api/v2/ip.js?key=e1f90d4a92d08428627aa34a78d58cc3e866c84f&amp;var=db"></script>

<script type="text/javascript" src="https://tags.tiqcdn.com/utag/vmware/<tealium-profile-privacy>/qa/utag.sync.js"></script>

<script src="//www.vmware.com/files/templates/inc/utag_data.js"></script>

Production Environment:

<script src="/<your-site-path>/jquery.min.js"></script> [ In case you have your own jquery version available ]

OR

<script src="https://www.vmware.com/content/dam/digitalmarketing/onetrust/assets/js/jquery-1.11.0.min.js"></script>

<script type="text/javascript" src="https://api.demandbase.com/api/v2/ip.js?key=e1f90d4a92d08428627aa34a78d58cc3e866c84f&amp;var=db"></script>

<script type="text/javascript" src="https://tags.tiqcdn.com/utag/vmware/<tealium-profile-privacy>/prod/utag.sync.js"></script>

<script src="//www.vmware.com/files/templates/inc/utag_data.js"></script>

Example:

<script src="https://www.vmware.com/content/dam/digitalmarketing/onetrust/assets/js/jquery-1.11.0.min.js"></script>

<script type="text/javascript" src="https://api.demandbase.com/api/v2/ip.js?key=e1f90d4a92d08428627aa34a78d58cc3e866c84f&var=db"></script>

<script type="text/javascript" src="https://tags.tiqcdn.com/utag/vmware/microsites-privacy/prod/utag.sync.js"></script>

<script src="//www.vmware.com/files/templates/inc/utag_data.js"></script>

3. Add a Cookie Settings button or link in the page
We have two options for implementing the Cookie Settings feature:

Option 1: If you want the Cookie Settings to appear in the lower right corner as a floating button, place the following code anywhere in the <body> tag (refer to example -> vmworld.com)

<button id="ot-sdk-btn" class="ot-sdk-show-settings"> Cookie Settings</button>

Screenshot:

Option 2: If you want the Cookie Settings to appear in the footer as a link, place the following code in your footer (refer to example -> my.vmware.com)

<a class="ot-sdk-show-settings"> Cookie Settings</a>

Screenshot:

4. Remove Evidon Site Notice Tag & References

Remove the Evidon Site Notice Tag and any references to Evidon from the site. The sample script below shows the most common Evidon code present on most sites. This needs to be taken out.

Search for window.evidon using the search option in the browser's DevTools to find the code below:

(function(id) {
    function append(scriptid, url, async) {
        var d = document,
            sn = 'script',
            f = d.getElementsByTagName(sn)[0];
        if (!f) f = d.head;
        var s = d.createElement(sn);
        s.async = true;
        s.id = scriptid;
        s.src = url;
        f.parentNode.insertBefore(s, f);

        if (url.indexOf("country.js") > -1) {
            s.onload = function() {
                window.isEU = isEU();
            };
        }
    }

    function getRootDomain() {
        var parts = window.location.hostname.split('.');
        if (parts.length === 2) rootDomain = parts[0];
        else if (parts.length > 2) {
            // see if the next to last value is a common tld
            var part = parts[parts.length - 2];
            if (part === 'com' || part === 'co') {
                rootDomain = parts[parts.length - 3]; // go back one more
            } else {
                rootDomain = part;
            }
        }

        return rootDomain;
    }

    window.evidon = {};
    window.evidon.id = id;
    var cdn = '//c.evidon.com/',
        rootDomain = getRootDomain(),
        noticecdn = cdn + 'sitenotice/';
    append('evidon-notice', noticecdn + 'evidon-sitenotice-tag.js', false);
    append('evidon-location', cdn + 'geo/country.js', true);
    append('evidon-themes', noticecdn + id + '/snthemes.js', true);
    if (rootDomain) append('evidon-settings', noticecdn + id + '/' + rootDomain + '/settings.js', true);

    function isEU() {
        var curr;
        var euCountries = ["gb", "uk", "fr", "de", "at", "be", "bg", "hr", "cy", "cz", "dk", "ee", "fi", "lv", "gr", "hu", "ie", "it", "lt", "lu",
            "mt", "nl", "pl", "pt", "ro", "sk", "si", "es", "se"];
        var eu = false;

        if (window.evidon) {
            if (window.evidon.location !== undefined && window.evidon.location) {
                curr = window.evidon.location.code;
            } else if (window.evidon.notice !== undefined && window.evidon.notice.country) {
                curr = window.evidon.notice.country.code;
            }
        }
        for (i = 0; i < euCountries.length; i++) {
            if (curr == euCountries[i]) {
                console.log(("EU country"));
                eu = true;
                break;
            }
        }
        console.log(curr);
        return eu;
    }

    window.evidon.priorConsentCallback = function() {
        // fire thirdparty trackers/ads/integrations/cookie-dropping-code
        // ---> Do not remove this section under the Evidon Callback while removing the Evidon snippet,
        // as it needs to be wrapped in OneTrustCallback. Separate out this section and use it in
        // OneTrustCallback. How to use OneTrustCallback is explained in upcoming section 8. Handle
        // Thirdparty Trackers outside Tealium in OneTrustCallback
    }

})(4478);

**If the above Evidon callback has any methods like loadTealium, or methods that reference files like utag.sync.js, utag_data.js or utag.js, or if these files are called directly in the callback, please remove those references, as they are already handled in Step 1 & Step 2 of this document.

5. Add OneTrust Load Rules to Tealium Tags & Extensions


**This section is only for Sites that have following Tealium profiles:

main
store
magento

**Identify your Tealium profile by typing window.utag.cfg.path in the browser console of the site.

**If the value returned has one of the above values, you can proceed with the instructions below:

Navigate to the -privacy version of your identified Tealium profile by selecting the option in the Profile dropdown.

Create a Data Layer Variable for OptanonConsent Cookie:

Create a Load Rule for every OT Cookie Category:

Open the Tags page, open the tag, then add the load rule to the tag:

Add the following OneTrust Site Notice Tag in utag.sync.js template by following steps shown in
the screenshot:

// Read the OneTrust data-domain value from the meta tag added in Step 1
var datadomain = document.querySelector('meta[name="onetrust-data-domain"]');
var ddscript = datadomain.getAttribute("content");

// Build the OneTrust SDK stub script tag and pass it the data-domain value
var oneTrustScript = document.createElement('script');
oneTrustScript.src = "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js";
oneTrustScript.type = "text/javascript";
oneTrustScript.charset = "UTF-8";
oneTrustScript.setAttribute('data-domain-script', ddscript);
document.head.appendChild(oneTrustScript);

// Empty OneTrust wrapper function
function OptanonWrapper() {}

To add the load rule for Adobe Target, Visitor API and to handle Privacy Messages, please refer to
the below scripts path for reference:

https://tags.tiqcdn.com/utag/vmware/microsites-privacy/qa/utag.sync.js

Please use the Excel file link below for the Tealium Tags Categorization:

https://www.vmware.com/content/dam/digitalmarketing/onetrust/assets/xls/TealiumTagsCategorizationLegal.xlsx

6. Handle third party trackers outside the Tealium Tag Manager with OneTrustCallback
Cookies themselves cannot be directly blocked; however, most cookies that fall under the legislation are
set through inserted scripts or tags, such as JavaScript or HTML iFrames. This includes most analytics
and third-party cookies, such as advertising cookies.

Therefore, to comply with the law, these scripts should be blocked, or substituted for non-cookie
alternatives whenever consent has been withheld or withdrawn. To achieve this, you can use one of
several custom JavaScript helper methods along with a OneTrust wrapper control function.

OneTrust Wrapper Control: There are two ways to do it, explained as Solution 1 and Solution 2 below.

Solution 1:

This is one of the most efficient methods of preventing cookies controlled by script tags from being
dropped before consent is given. This method requires the least amount of change to your site. It is
recommended that you use this approach whenever possible.

Normal script tags look like this:

<script type="text/javascript"> //Cookie Dropping Code</script>

Using script type re-writing, you need to change the scripts to:

<script type="text/plain" class="optanon-category-C000X"> //Cookie Dropping Code</script>

C000X is the ID of the cookie category and can have values like: C0002, C0003, C0004, C0005

When the above code loads, the JavaScript inside the tags will not run, and no cookies will be set. Then, when the Cookie Consent code loads, if cookies for the associated group have consent, it will dynamically change the tag to script type=text/JavaScript, and the code inside the tags will then be recognized and run as normal. However, sometimes there can be race condition issues and cookies may fire even without consent. In such cases you can switch to the foolproof custom approach below.

Solution 2: Alternative Custom Approach

Normal script tags look like this:

<script type="text/javascript"> Cookie Dropping Code</script>

Using the custom OneTrust wrapper, you need to change the scripts to:

<script type="text/javascript">

// Consent cookie already present: run the code only if category C000X is consented
if (document.cookie.indexOf('OptanonConsent') > -1 && document.cookie.indexOf('groups=') > -1) {
    if (decodeURIComponent(document.cookie).indexOf('C000X:1') > -1) {
        //Cookie Dropping Code
    }
}
else { waitForConsentCookie(); }

var waitForConsent;

// Consent cookie not written yet: poll every 250 ms until it appears
function waitForConsentCookie() {
    if (document.cookie.indexOf('OptanonConsent') > -1 && document.cookie.indexOf('groups=') > -1) {
        clearTimeout(waitForConsent);
        if (decodeURIComponent(document.cookie).indexOf('C000X:1') > -1) {
            //Cookie Dropping Code
        }
    }
    else { waitForConsent = setTimeout(waitForConsentCookie, 250); }
}

</script>

C000X is the ID of the cookie category and can have values like: C0002, C0003, C0004, C0005
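
Added example (not part of the original guide, nor OneTrust or VMware code): a stricter form of the Solution 2 check that reads the groups field of the OptanonConsent cookie itself instead of searching the whole cookie string, so a C000X:1 substring in some other cookie cannot count as consent. The sample cookie string, the function names and the readCookie/schedule/maxAttempts options are assumptions made for illustration.

```javascript
// Added example: exact-field parsing of the OptanonConsent cookie.
// SAMPLE_COOKIES is constructed; its "note" cookie contains the text C0004:1,
// which a substring check on the whole cookie string would accept as consent.
const SAMPLE_COOKIES =
  'lang=en; OptanonConsent=isIABGlobal=false&groups=' +
  'C0001%3A1%2CC0002%3A0%2CC0003%3A1%2CC0004%3A0; note=C0004:1';

// Return the raw value of one cookie from a document.cookie-style string.
function getCookieValue(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Map of category ID -> boolean, or null while OptanonConsent or its
// groups field has not been written yet.
function parseConsentGroups(cookieString) {
  const raw = getCookieValue(cookieString, 'OptanonConsent');
  if (raw === null) return null;
  const field = new URLSearchParams(raw).get('groups'); // percent-decodes
  if (field === null) return null;
  const groups = new Map();
  for (const entry of field.split(',')) {
    const [id, flag] = entry.split(':');
    if (id && flag !== undefined) groups.set(id.trim(), flag.trim() === '1');
  }
  return groups;
}

// Fail closed: anything other than an explicit "<category>:1" is no consent.
function hasConsent(cookieString, categoryId) {
  const groups = parseConsentGroups(cookieString);
  return groups !== null && groups.get(categoryId) === true;
}

// Poll until a consent decision exists, then run callback at most once.
// readCookie, schedule and maxAttempts are hypothetical options added so the
// gate can be exercised outside a browser.
function runWhenConsented(categoryId, callback, opts = {}) {
  const readCookie = opts.readCookie || (() => document.cookie);
  const schedule = opts.schedule || ((fn) => setTimeout(fn, 250));
  let attemptsLeft = opts.maxAttempts || 120; // 120 x 250 ms = 30 s
  (function check() {
    const groups = parseConsentGroups(readCookie());
    if (groups !== null) {
      if (groups.get(categoryId) === true) callback();
      return; // decision found: stop polling either way
    }
    attemptsLeft -= 1;
    if (attemptsLeft > 0) schedule(check);
  })();
}
```

In a page, the cookie-dropping code goes in the callback, for example runWhenConsented('C0004', function () { /* Cookie Dropping Code */ }).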

**Refer to the table below to work out the category for the cookie-dropping code/tag.

**However, please note that this will have to be run by Legal for review and final confirmation.

**Please reach out to below point of contacts to know more on the Legal Process:

One Trust Help: OneTrustHelp@vmware.com (Internal VMware Users)

(For site owners/vendors outside VMware, you may Email your VMware business contact to ask them to
request this value through the internal DL above.)

Cookie Categories and Definitions


Columns: Cookie Category | Action: EU Site Visitor | Action: Non-EU Site Visitor | Definition

Strictly Necessary (C0001)
Action, EU site visitor: Will fire immediately. Note: The tool does not allow for disabling this category of cookies.
Action, Non-EU site visitor: Will fire immediately. Note: The tool does not allow for disabling this category of cookies.
Definition: Strictly necessary cookies are always enabled since they are essential for our website to function. They enable core functionality such as security, network management, and website accessibility. You can set your browser to block or alert you about these cookies, but this may affect how the website functions. For more information please visit www.aboutcookies.org or www.allaboutcookies.org. Note: The OneTrust tool does not allow for disabling this category of cookies.

Performance (C0002)
Action, EU site visitor: Will NOT fire until opt-in “Accept All” action has been taken.
Action, Non-EU site visitor: Will fire immediately. Will be blocked once opt-out action has been taken and screen refresh has been done.
Definition: Performance cookies are used to analyze the user experience to improve our website by collecting and reporting information on how you use it. They allow us to know which pages are the most and least popular, see how visitors move around the site, optimize our website and make it easier to navigate.

Functional (C0003)
Action, EU site visitor: Will NOT fire until opt-in “Accept All” action has been taken.
Action, Non-EU site visitor: Will fire immediately. Will be blocked once opt-out action has been taken and screen refresh has been done.
Definition: Functional cookies help us keep track of your past browsing choices so we can improve usability and customize your experience. These cookies enable the website to remember your preferred settings, language preferences, location and other customizable elements such as font or text size.

Advertising (C0004)
Action, EU site visitor: Will NOT fire until opt-in “Accept All” action has been taken.
Action, Non-EU site visitor: Will fire immediately. Will be blocked once opt-out action has been taken and screen refresh has been done.
Definition: Advertising cookies are used to send you relevant advertising and promotional information. They may be set through our site by third parties to build a profile of your interests and show you relevant advertisements on other sites. These cookies do not directly store personal information but their function is based on uniquely identifying your browser and internet device.

Social Media (C0005)
Action, EU site visitor: Will NOT fire until opt-in “Accept All” action has been taken.
Action, Non-EU site visitor: Will fire immediately. Will be blocked once opt-out action has been taken and screen refresh has been done.
Definition: Social media cookies are intended to facilitate the sharing of content and to improve the user experience. We do not control social media cookies and they do not allow us to gain access to your social media accounts. Please refer to the relevant social media platform’s privacy policies for more information.

FINAL STEP that MUST be done to achieve FULL COMPLIANCE
Cookie Tag Mapping of a Sample Profile for reference
• Your site is not completely compliant without creating a mapping between cookies and tags through OneTrust.

• To trigger this activity, please send an email with your site URL and a request to scan to: OneTrustHelp@vmware.com (Internal VMware Users)

(For site owners/vendors outside VMware, you may email your VMware business contact to ask them to kick off this review process through the internal DL above.)

• Your site may include tags or cookies that have not been previously encountered by VMware privacy. In this case, you will be given a list of these “new” items and asked to provide a definition of what they are and how they function, along with your best-guess recommendation as to the category in which they belong (see above). This will then be reviewed/modified/approved by the VMware privacy team.

• Once your site is fully compliant, you will become NON-compliant any time you add a tag or cookie that was not previously reviewed/categorized by VMware privacy. If you plan to make a change to your site that results in new tags/cookies being added, you must kick off this review process again.

• To trigger this activity, please send an email with your site URL and a request to review to: OneTrustHelp@vmware.com (Internal VMware Users)

(For site owners/vendors outside VMware, you may email your VMware business contact to ask them to kick off this review process through the internal DL above.)

Sample URLs where Implementation is in Place


• https://www.vmworld.com/en/index.html
• https://my.vmworld.com/widget/vmware/vmworld2020/catalog?

How to set up Testing Tools


Method 1: If the Site’s lower environment (Dev, Test, UAT, etc.) is not within the
VMware firewall or when a site goes live with OneTrust Changes

**Please clear browser cache & cookies every time you switch between EU and Non-EU regions

Install Free VPN Proxy Unblocker Browser plugin: Hola

Select an EU country from list to test the EU experience

Method 2: If the Site’s lower environment (Dev, Test, UAT, etc.) is within the
VMware firewall

Install Switcheroo Redirector from the Chrome Web Store

Configure Switcheroo to enable functionality in Incognito Mode

Configure Switcheroo with redirection URLs

Redirection Rules (applies to all methods of redirection - using Chrome Switcheroo extension)


Append countryCode=<code> parameter to the page URL before testing

**Please clear browser cache & cookies every time you switch between EU and Non-EU regions

Examples:

EU Region : https://www.vmworld.com/en/index.html?countryCode=DE
Non-EU Region: https://www.vmworld.com/en/index.html?countryCode=US

What scenarios to Test


Scenario 1: Non-EU Region
A user visiting the site from a Non-EU country. For such users, only the Cookie Settings button should be
shown on the website (See Example Below:)

By clicking the Cookie Settings button, the user will be able to turn tracking on or off for Performance
cookies, Advertising cookies, Social media cookies and Functional cookies (See Example Below)

Users should be able to see individual cookies listed under each category (See Example Below ).

By default, implicit consent is assumed for non-EU visitors and all cookies will drop with the initial page load.

If a user turns off consent for a certain cookie, the category tags related to that cookie will not fire from
that point forward. The cookie itself will remain as is.

If a user wants cookies deleted from his/her own device, he/she must go to the browser settings page and
clear cache and cookies from their browsers.

Scenario 2: EU Region
A user visits the site from an EU Country.

For such users the blue OneTrust cookie banner should be visible on the website as shown in the image
below.

No cookies should drop until a user engages with the Cookie Consent banner and makes a category
selection in the cookie preference center or clicks on the Accept All Cookies button.

By clicking the Cookie Settings button the user will be able to turn tracking on or off for Performance
cookies, Advertising cookies, Social media cookies and Functional cookies (see below image).

Users should be able to see individual cookies listed under each category (per below image).

Tools Required
Chrome - Switcheroo, Hola VPN Proxy

FAQ and Troubleshooting


To come

Walkthrough Videos
To come

Document Points of Contact


One Trust Help: OneTrustHelp@vmware.com (Internal VMware Users)

(For site owners/vendors outside VMware, you may Email your VMware business contact to ask them to
make contact through the internal DL above.)
