
OneTrust Consent & Preference Management Expert
Certification Program Handbook

Privacy & Data Governance

DISCLAIMER:

No part of this document may be reproduced in any form without the written permission of the copyright owner.

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of any kind resulting from the use of this document.

OneTrust products, content and materials are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue.
OneTrust Consent & Preference Management Expert Reference Guide

The training environment provided to you is only for use during the OneTrust Certification Training Program

You will only have access to login for the duration of training

Training URL: training.onetrust.com

Please refer to your instructor for the password to your environment

Copyright © 2022 OneTrust LLC. Proprietary & Confidential.


Contents
OneTrust Consent & Preference Management Expert Certification Program Handbook
Introduction
Resources & Support
Sales
Technical Support
Partner Support
My.OneTrust.com
Tenant Support Request
Regulation overview, terms, and concepts
GDPR Article 4 – Definitions
GDPR Article 7 – Conditions for consent
Terms & concepts: consent as a legal basis
Terms & concepts: types of consent
LGPD, articles 5, 7 & 8
CPRA, sections 1798.120 & 1798.125
Consent & Preference Management overview
Consent & Preference Management module overview
Three architecture components of consent
Key terminology
Best practices and implementation considerations
Consent & Preference Management use case
Zentoso use case
Functional overview
Functional execution in OneTrust
What is a data subject?
What is a data element?
Exercise: create a custom data element
What is a purpose?
Exercise: create a purpose
What are custom preferences?
Exercise: create custom preferences
Best practices for purposes vs. custom preferences
Collection point best practices
What is a consent interaction?
What is a collection point?
Exercise: create a collection point
What is a preference center?
Build a preference center
Customize the branding
Integrate the preference center
Manage languages
Manage preference center settings
Exercise: build a preference center
Technical overview
Technical execution steps
Integrating with user interfaces
Exercise: integrate the SDK for collecting consent records through a webform collection point
Integrating with client systems
Exercise: test API consent creation
Bulk import consent transactions
Exercise: bulk import consent transactions
Glossary
A
B
C
D
E
F
G
I
M
P
R
S
U

OneTrust Consent & Preference Management Expert Certification Program Handbook
Prepared for:
OneTrust Consent & Preference Management Expert certification attendees
Version 202209.2.7


Introduction

Welcome to this OneTrust certification program reference handbook, your comprehensive guide to becoming a
certified OneTrust Consent & Preference Management Expert.

OneTrust automates privacy impact assessments and data mapping, identifies privacy risks, and enforces risk
management and control activities in an integrated and agile approach. More specifically, the Consent &
Preference Management module can help your organization automate compliance and enhance customer
experiences by enabling consent and preference collection. The OneTrust platform will serve as a single source
of truth for all consent receipts.

Automate compliance:
▪ Capture consent and preferences
▪ Centralize consent for compliance proof
▪ Educate customers with privacy policies
Empower customers:
▪ Provide choices to your audience
▪ Enable customers to choose communication options
▪ Add touchpoints with a preference center
Build trust:
▪ Communicate values and brand promise
▪ Deliver transparent user experiences
▪ Honor consent and preference choices

The result is the ability to demonstrate accountability and compliance with the EU’s data protection requirements
and globally across privacy jurisdictions and frameworks.


Resources & Support


Sales
▪ Email: Sales@onetrust.com
▪ Phone Numbers:
▪ London: +44 (800) 011-9778
▪ Atlanta: +1 (844) 228-4440
▪ Munich: +49 (175) 371-2983

Technical Support
▪ Email: support@onetrust.com
▪ Phone Number: +1 (844) 900-0472

Partner Support
▪ Email: partnersupport@onetrust.com
This partner support can assist with:
▪ Scheduling Client Demonstrations
▪ Submitting an RFI/RFP with OneTrust
▪ Client Referrals
▪ Account Strategy & Alignment
▪ Additional Resources & Collateral
Other resources include:
▪ Product Demonstration Videos
▪ OneTrust Overview Brochure
▪ How OneTrust Helps with GDPR Whitepaper
▪ SmartPrivacy Workshops Registration
▪ OneTrust Pricing Model

My.OneTrust.com
• Website: my.OneTrust.com
My OneTrust is a platform that can be accessed by all OneTrust customers and partners for additional
resources, which include, but are not limited to:
▪ OneTrust Knowledge
▪ Release Notes
▪ Schedule Maintenance
▪ Live System Status
▪ Submit a Ticket
▪ Developer Portal
▪ Get OneTrust Certified

Tenant Support Request


You can submit a support desk ticket directly to the OneTrust Support Team through your tenant by following
these steps:
▪ Log into OneTrust
▪ Click the Launch Pad in the top left corner
▪ Click “Get Help” in the bottom right of the menu
▪ Use the knowledge portal to search for solutions
▪ If no solutions are found, click the “Contact Us” button
▪ Fill out your inquiry in the message portal that appears
▪ Click “Send”


Regulation overview, terms, and concepts


GDPR Article 4 – Definitions
“(7) | ‘controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data; where the purposes and
means of such processing are determined by Union or Member State law, the controller or the specific criteria
for its nomination may be provided for by Union or Member State law;”
“(8) | ‘processor’ means a natural or legal person, public authority, agency, or other body which processes
personal data on behalf of the controller;”
“(11) | ‘consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of
the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement
to the processing of personal data relating to him or her;”
Summary
Controllers determine the purposes and means of processing
Controllers must adhere to certain requirements for the presentation and collection of consent
Scope
All processing based on consent
Other Requirements
▪ Freely given
▪ Specific
▪ Informed
▪ Unambiguous

GDPR Article 7 – Conditions for consent


“1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject
has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other
matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other
matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a
declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent
shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent,
the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the
performance of a contract, including the provision of a service, is conditional on consent to the processing of
personal data that is not necessary for the performance of that contract.”
Summary
Controllers shall be able to demonstrate that they have obtained valid consent
Scope
All processing based on consent
Other Requirements
▪ Clearly distinguishable from the other matters
▪ Intelligible and easily accessible form
▪ Clear and plain language
▪ Right to withdraw consent
▪ Performance of a contract cannot be conditional on consent, if the processing is not necessary for the contract

Terms & concepts: consent as a legal basis


Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data
subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.
Freely given: “As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled
to consent or will endure negative consequences if they do not consent, then consent will not be valid.”
Reference: EDPB Guidelines on consent
Specific: “…Consent of the data subject must be given in relation to ‘one or more specific’ purposes and that a
data subject has a choice in relation to each of them. The requirement that consent must be ‘specific’ aims to
ensure a degree of user control and transparency for the data subject.”

Reference: EDPB Guidelines on consent


Informed: “Providing information to data subjects prior to obtaining their consent is essential in order to enable
them to make informed decisions, understand what they are agreeing to, and for example exercise their right
to withdraw their consent.”
Reference: EDPB Guidelines on consent
Unambiguous: “…Consent requires a statement from the data subject or a clear affirmative act which means
that it must always be given through an active motion or declaration. It must be obvious that the data subject
has consented to the particular processing.”
Reference: EDPB Guidelines on consent
Affirmative action: “A ’clear affirmative act’ means that the data subject must have taken a deliberate action to
consent to the particular processing ... Consent can be collected through a written or (a recorded) oral statement,
including by electronic means.”
Reference: EDPB Guidelines on consent

Terms & concepts: types of consent


Explicit consent: “The term explicit refers to the way consent is expressed by the data subject. It means that
the data subject must give an express statement of consent. An obvious way to make sure consent is explicit
would be to expressly confirm consent in a written statement.”
Reference: EDPB Guidelines on Consent
Implied consent: “presumed consents that were based on a more implied form of action by the data subject”
Reference: EDPB Guidelines on Consent
Opt-in: an active, affirmative indication of choice; i.e., checking a box to signal a desire to share one's
information
Opt-out: taking an action (such as unchecking a box) to signal a desire not to share one's information

LGPD, articles 5, 7 & 8


Article 5: Definition of consent
“XII – consent: free, informed, and unambiguous manifestation whereby the data subject agrees to her/his
processing of personal data for a given purpose;”
Article 7: Legal bases or circumstances under which data processing may be carried out
Article 8: Conditions for obtaining, re-obtaining and proving receipt of consent, as well as conditions for
revocation of consent


CPRA, sections 1798.120 & 1798.125


Section 1798.120: Right to opt-out of sale of personal information
A consumer shall have the right to direct a business not to sell or share the personal information with a third
party.
Section 1798.125: Right to not be discriminated against; financial incentives
A business shall not discriminate against a consumer because they exercised any of the consumer's rights
under the CPRA. This includes withdrawing consent or opting out of the sale of personal information.
A business may offer financial incentives for the collection of personal information; and may offer a different
price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably
related to the value provided to the business by the consumer's data.


Consent & Preference Management overview


Consent & Preference Management module overview

Three architecture components of consent


Key terminology
▪ Data subject: the individual who consents to their personal data being processed
▪ Data element: additional details related to a data subject that can be updated via the OneTrust preference
center
▪ Purpose of processing: reason why a business is collecting and using personal data
▪ Collection point: systems or in-person sign-ups where a data subject provides information to your business
for processing purposes
▪ Preference center: OneTrust-hosted form that allows a data subject to easily update their profile
information and preferences

Best practices and implementation considerations


▪ Consent management considerations
Before starting to build tools or integrate with existing collection points, we need to identify all purposes of
processing and confirm these purposes with legal and privacy teams.
▪ System requirements
We also need to consider the systems we use to gather and track consent, and which systems
rely on consent being fed back into the tool.
Example: OneTrust tracks and gathers consent and preferences. HubSpot and Salesforce rely on consent to
send emails and segment users.
▪ Data subject and reporting requirements
When capturing consent, you will want to identify your data subject, and that is where data elements come in.
You can create and customize data elements to act as descriptors and potential identifiers for your
collection points. Examples of data elements include first name, last name, address, mobile, and email. Data
elements bring structure to the data being collected across your organization’s collection points.
When you build these data elements, you will also define your main identifier, the data element you will use to
uniquely identify each data subject. Most of the time, it will be the email address or phone number. Some
organizations using third-party services can also choose to use a third-party unique ID as the main identifier.
In terms of reporting, you will have to decide whether you want to capture consent at an individual transaction
level (e.g., consent withdrawn, not given, etc.) or only track when consent is granted for a specific reason or
purpose.


Consent & Preference Management use case


Zentoso use case
Zentoso wants a single source of truth for their consents and preferences. They also want their customers to
be able to easily manage any of their preferences and profile information on a single platform.
Zentoso collects consent for marketing communications and tracks acceptance of terms and conditions at point
of sign-up. They also capture consent for information sharing on upcoming events & activities newsletter and
data analytics via a third-party system.
Zentoso Company is a global corporation and therefore wants to ensure they meet regulatory requirements
across the globe including the CPRA opt-out of sale. Any changes must also be reflected in their marketing
tool as both field teams and automated campaigns will need to check for this consent.

Functional overview
Functional execution in OneTrust

What is a data subject?


GDPR Requirement: purpose of processing
Who is receiving marketing communication from us?

What is a data element?


GDPR Requirement: purpose of processing
Data elements are the related data collected from the data subject.


Data Element Deep Dive:


You can create and customize data elements to act as descriptors and potential identifiers for your collection
points and preference centers.

Text input: provides a field where free text entries can be made without restriction.
Date: provides a calendar where a date can be selected. The required format is MM/DD/YYYY.
Selection: provides a list of options that you predefine from which a data subject can select.
Email: provides a field where a valid formatted email can be entered.
Phone Number: provides a field where a valid phone number that includes the country code and plus (+) sign
can be entered. The required format is a valid country code along with the phone number.
Country: provides a list of countries from which a data subject can select.
State: provides a list of U.S. states from which a data subject can select.
Number: provides a field where any numerical digit can be entered.


What about Zentoso? Zentoso needs to track the following data elements:
▪ Email (to be used as main identifier)
▪ First name
▪ Last name
▪ Customer type

Exercise: create a custom data element


Learn how to create data elements to describe and identify data subjects
Step 1: Click Launchpad, then click the Consent module
Note: You can click the star to the right of the Consent title to add the module to your Favorites, so it stays at the top of your Launchpad menu
Step 2: Click the Data Elements tab under the Setup section on the left
Step 3: Click Add New at the top right
Step 4: Name = Customer Type
Step 5: Data Element Type = Text Input
Note: Organization(s) is optional. Select the organizations to which you want to link the purpose of processing.
If an organization is not selected in this field, the consent will be visible to all users.
Also, you can select the Can be used as an identifier check box to indicate that the data element identifies or
could potentially identify the data subject.
Select the Contains personally identifiable information check box to indicate if sensitive information is present
on the data element. This allows the tracking of PII present on data elements for the purpose of enforcing
retention policies and review procedures.
Step 6: Click the blue Create button


What is a purpose?
GDPR Requirement: Purpose of Processing
Do you consent to receiving marketing communication from us?
Purposes are the reasons why you will be collecting and processing a data subject's consent.
Manage versions of a purpose
If the purpose you want to modify is already published, you will need to create a new version of the purpose to
make additional changes. The new version of the purpose will then be placed in Draft status. If you decide that
you no longer want the draft version of the purpose, you can delete the draft on the Version History pane. Only
Draft purposes can be deleted.
Manage translations for a purpose
When you initially create the purpose, the name and description that you enter will be used internally in the
application to help you identify the purpose of processing. The default language that you selected when creating
the purpose will be automatically added to the Translations table on the Supported Languages tab along with
the content you entered for the name and description.
When purposes are displayed publicly, like in collection points and preference centers, it is the translations that
will be used for both the default language and additional languages in which you want to translate the purpose.
Modifications to the translations can be made on the Supported Languages tab.
To manage several languages in a collection point or preference center, you need to define the various
translations for the purposes you want to display.

What about Zentoso? Zentoso needs to define the following purposes:


▪ Terms & conditions
▪ Marketing communications
▪ Upcoming events & activities newsletter

Exercise: create a purpose


Learn how to create purposes to document why you need to collect consent
1. First purpose: Terms & conditions
Step 1: In the Consent & Preference Management module, click the Purposes tab under the Setup section on the left
Step 2: Click Add New at the top right


Step 3: Purpose Name = Terms & conditions
Step 4: Description = Terms & conditions
Note: Organization(s) is optional. Select the organizations to which you want to link the purpose of processing.
If an organization is not selected in this field, the consent will be visible to all users.
Step 5: Default Language = English
Step 6: Click the blue Create Purpose button
Step 7: Click the title of the purpose you just created; it should be in Draft status
Step 8: Click on Publish
Step 9: In the pop-up modal that appears, click on Publish

2. Second purpose: Marketing communications


Repeat steps 1 to 9

3. Third purpose: Upcoming events & activities newsletter


Repeat steps 1 to 6; leave this purpose in Draft

What are custom preferences?


GDPR Requirement: purpose of processing
You can create different purposes to help data subjects understand why you would like to collect and process
their personal information. You can also associate custom preferences with these purposes of processing
to give data subjects more granular options when granting consent, capturing a wider
range of their preferences.
Examples:
▪ Frequency:
Daily, Weekly, Monthly, Annually
▪ Medium of Communication:
SMS, Phone, Postal, Email
Note: Topics are the legacy version of custom preferences


What about Zentoso? Zentoso needs to create the following groups of custom preferences:
▪ Method of communication
Email
Phone
Post
▪ Types of newsletters
Product Updates
Promotions

Exercise: create custom preferences


Learn how to create custom preferences to allow for preference granularity
First group of Custom Preferences: Methods of communication
Step 1: In the Consent & Preference Management Module,
Click the Custom Preferences tab under the Setup section on the left
Step 2: Click Add New at the top right
Step 3: Name = Method of Communication
Step 4: Selection Type = MultiChoice
Step 5: Display As = Checkboxes
Step 6: Default Language = English
Note: Organization(s) is optional. Select the organization(s) that the custom preference will be visible to. Only
users linked to those organizations will be able to view the custom preference.
Step 7: Description = Method of Communication
Note: Enable the Required setting to make this field required when a data subject is submitting preference
selections
Step 8: Add New Option = Add 3 separate options: Email, Phone, Post
Step 9: Click on the blue Create button


Second group of Custom Preferences: Types of newsletters


Repeat steps 1 to 9,
Step 3: Name = Types of Communications
Step 8: Add New Option = Add 2 separate options: Product Updates, Promotions

Now, add these custom preferences to a purpose by following these steps:


Step 1: Click Purposes on the left side of the screen under Setup
Step 2: Click the Upcoming events & activities newsletter purpose you created earlier
Step 3: Select the Custom Preferences Tab
Step 4: Then click on the blue Select Custom Preferences button
Step 5: Select the 2 custom preferences you created
Step 6: Click Add
Step 7: Click on Publish
Step 8: In the pop-up modal that appears, click on Publish

Best practices for purposes vs. custom preferences


When should you create an additional purpose vs a preference?
Things to consider:
▪ Reporting
When viewing a data subject’s details would you want that to stand out immediately?
Purposes are more easily identifiable and form the backbone of data subject reporting.
▪ User interface
How do you want your forms and preference centers to look?
Preferences typically take the form of things such as Communication medium, Frequency, Types of
Newsletters, etc.


Collection point best practices


Collection points define the points of interaction where consent is initially gathered and recorded, and they can
be set up to reflect digital interactions, such as web forms and website banners, and analog interactions, such
as phone conversations, physical mail, or in-person interactions.
▪ Consent collection considerations
▪ Web/signup form
▪ Marketing/automation system
▪ In person events
▪ CRM

What is a consent interaction?


Actions that unmistakably support the conclusion that consent has been given.
Form Submission Only - The web form includes a standard HTML Submit button that a data subject can click
to give consent

Opt In Checkbox + Form Submission - The web form includes blank check boxes that a data subject can
select to indicate consent for those selections before submitting the form

Uncheck to Opt Out + Form Submission - The web form includes pre-selected options that a data subject will
have to clear before submitting the form, otherwise a consent record will be created for those options

Check to Opt Out + Form Submission - The web form includes blank check boxes that a data subject will have
to select to indicate no consent for those selections before submitting the form

Custom Single Trigger - The web form includes a single action that is not an HTML submit button that a data
subject can use to give consent

Custom Conditional Trigger - The web form includes two (or more) actions or conditions, which are not
standard HTML form actions, that a data subject must complete or meet to give consent


What is a collection point?

Custom API:
Used if you want to integrate with API.
For example, if you collected consent via another system.
Mobile Application:
Used if you’re collecting consent via an iOS or Android Application.
Web Form:
Used if your collection point is a webform and you want to integrate with JavaScript.
Offline / Bulk Import:
Used if you want to import consent by uploading Excel files. Useful if you're collecting consent offline, or on
paper forms.
Cookie Compliance:
Linked to the Cookie Consent module of OneTrust, to capture user interactions with the banner.
NEW: ONETRUST HOSTED COLLECTION POINT
Build and Design Collection Point form within the OneTrust platform. Customize fields, layout, and design
within the platform – no HTML experience required!


Collection points define the points of interaction where consent is initially gathered and recorded, and they can
be set up to reflect digital interactions, such as web forms and website banners, and analog interactions, such
as phone conversations, physical mail, or in-person interactions.

Define a visual representation of a collection point


▪ Processing purposes
Link the collection point to the purposes previously created.
▪ Data subject identifier
Used to indicate the type of unique identifier used for your data subjects. It is usually the e-mail address.
▪ Consent interaction type
Pick among the interaction types previously defined.
▪ Data elements
This field is optional. You can indicate which other data elements you are collecting on this webform / system.
(First Name, Last Name, etc.)

Manage collection point settings:


HOSTED SDK: The Hosted SDK makes it easier to join OneTrust collection points with your webform by not
requiring edits to be made to the scripting within your website form
DOUBLE OPT-IN: This will send a confirmation e-mail to the data subject in order to confirm their identity and
the related consent
COLLECTION POINT EVENTS: This must be enabled to allow 3rd Party Integrations to this collection point via
our OneTrust Integrations

What about Zentoso? Zentoso needs to create the following collection points:
▪ Registration webform
Consent Interaction – Form Submission Only
▪ Custom API
Designed for third party system to write Consent requests to OneTrust


Exercise: create a collection point


Learn how to create records of existing or new collection points to integrate with OneTrust
First collection point: Web Form
Step 1: Click the Collection Points tab on the left side
Step 2: Click the blue Add New button on the top right of the screen
Step 3: Click the blue Select button on the panel Website Web Form
Step 4: Name = Expert Cert Webform
Step 5: Description = Expert Cert Webform
Step 6: Organization = OneTrust
Step 7: Processing Purpose = Marketing Communications
Step 8: Data Subject Identifier = Email
Step 9: Consent Interaction Type = Form Submission Only
Step 10: Data Elements = FirstName, LastName
Step 11: Click the blue Create Collection Point button
Step 12: Go to the Settings tab,
Toggle on the following options:
- Enable Collection Point Events
- Single Data Subject Update Event Type
Step 13: Click on Publish
Step 14: In the pop-up modal that appears, click on Publish

Second collection point: Custom API


Step 1: Click the Collection Points tab on the left side
Step 2: Click the blue Add New button on the top right of the screen
Step 3: Click the blue Select button on the panel Custom API
Step 4: Name = Expert Cert API Integration
Step 5: Description = Expert Cert API Integration
Step 6: Organization = OneTrust


Step 7: Processing Purpose = Marketing Communications


Step 8: Data Subject Identifier = Email
Step 9: Click the blue Create Collection Point button
Step 10: Go to the Settings tab,
Toggle on the following options:
- Enable Collection Point Events
- Single Data Subject Update Event Type
Step 11: Click on Publish
Step 12: In the pop-up modal that appears, click on Publish

What is a preference center?


The preference center provides data subjects with the ability to give, update or withdraw consent as needed
whenever they interact with the preference center.

Build a preference center


Set up the preference center’s purposes
At any time, you can come here to modify the purposes that will be displayed in your Preference Center.
Note: You can decide to give the option to opt out of OneTrust’s automated e-mails.

Customize the branding


You can set up your own labels and custom CSS, if you have a CSS sheet hosted on your side

Integrate the preference center


You can copy the first link onto your website, and data subjects will be able to log in to their preference
center and update their consents
You can provide the second link directly to a specific data subject so that they can access their preference
center without logging in. The tokenid piece is unique to each data subject and is retrievable via API

Manage languages:
You can set up a collection point in several languages
This will allow the Data Subject to switch the translations of the purposes to the desired language


This would only work if you defined translations for the related purposes

Manage preference center settings


At the Preference Center level, you can define additional settings under the Details and Settings tabs
▪ Edit the Name, Organization, and Description
▪ Enable Phone Number Verification when using a mobile device
▪ Enable SSO to allow access to this preference center via an IdP.
▪ Send Preference Center Emails to Data Subject when they save their Preferences
▪ Send an email when the Data Subject updates their profiles
▪ Send an email when the Data Subject Unsubscribes from All Purposes

What about Zentoso? Zentoso wants to build the following preference center:
One preference center with two pages
▪ Page 1 – Update Profile Information
▪ Page 2 – Choose Consent and Preferences

Exercise: build a preference center


Learn how to enable a preference center to allow data subjects to update their preferences
Step 1: Click Preference Centers tab on the left of the screen
Step 2: Click the Add New button at the top right
Step 3: Name = Expert Cert Preference Center
Step 4: Organization = OneTrust
Step 5: Default Language = English
Step 6: Description = Expert Cert Preference Center
Step 7: Click the blue Create button at the bottom right of the screen


Page 1 Profile Info


Step 1: Click the white Add Page button at the top right of the screen
Step 2: Page Name = Profile Information
Please verify that the Enable Section Navigation option is toggled ON
Step 3: Click the blue Create Button
Step 4: Click the (…) button at the top right of New Section,
then click Edit
Step 5: Add the title = Profile Information and then click on the blue Save button
Step 6: Click and drag the Data Elements block from the Individual Elements section under the Profile
Information section
Step 7: Select FirstName, LastName, CompanyName, Country
Step 8: Click on the blue Save Page button on the bottom right corner

Page 2 Preference Choice


Step 1: Click the white Add Page button at the top right of the screen
Step 2: Page Name = Preference Information
Please verify that the Enable Section Navigation option is toggled ON
Step 3: Click the blue Create Button
Step 4: Click the (…) button at the top right of New Section,
then click Edit
Step 5: Add the title = Preference Information and then click on the blue Save button
Step 6: Click and drag the Purposes block from the Individual Elements section
under the Preference Information section
Step 7: Select Marketing Communications, Upcoming Events and Activities Newsletter
Step 8: Click the blue Save Button
Step 9: Click on the blue Save Page button on the bottom right corner

Further customization of the Preference Center


Step 1: Go to the Branding tab at the top next to Builder at the top left of the menu


Feel free to play around with the options and customize the look of the Preference Center
Step 2: Go to the Settings tab,
Toggle on the following options:
- Enable Preference Center Events
- Single Data Subject Update Event Type
Step 3: Click the Save button at the bottom right, then click Publish at the top right
Step 4: Click the Context (…) button then click Preview


Technical overview
Technical execution steps


Integrating with user interfaces


Learn how to integrate the SDK webform for collecting consent records through an existing webform

If you have an existing webform, on your website, that you use to collect consent, this method allows you to
integrate the webform with the OneTrust platform.
This makes it possible to generate consent receipts in OneTrust whenever the webform is used to submit consent.


First step:
Dive into the source code of your webform; you can inspect your webform code from your browser
Then, map the IDs from the SDK (in OneTrust), with your web form’s IDs

Second step:
Go back to the record of the collection point you created, the webform collection point,
Then, map this information in the Form Fields Mapping section of the Integrations tab
This will allow the SDK to correctly capture the contents of the HTML field within your form and submit it as
part of the consent receipt.


Third step:
Once you've finished mapping the fields, you can integrate the SDK by clicking the Copy SDK button and
pasting it into your existing web form source code.

Step four:
Once you’ve integrated the existing webform with the OneTrust application,
It is time to submit consent through the webform and verify the consent receipt in the OneTrust application.


Exercise: integrate the SDK for collecting consent records through a webform collection
point
Part 1: Form Fields Mapping
Step 1: Open https://jsfiddle.net/ in your browser
Step 2: Copy the code from this Activity Document
Note: this is the source code of the webform used to submit consent
Step 3: Paste the copied code in the HTML section pane of the JSFiddle editor
Step 4: Click on Tidy at the top right of the HTML section pane
Step 5: Go back to the OneTrust Training Environment
Step 6: Click Launchpad, then click the Consent module
Step 7: Click the Collection Points tab on the left side
Step 8: Click on the Expert Cert Webform collection point
Step 9: Click on Create New Version
Step 10: Click on the Integrations tab, stay on the SDK section
Step 11: Scroll down to the Form Fields Mapping section and click Edit
Step 12: Edit the following fields:
FirstName = change to lower case f
LastName = change to lower case l
Identifier ID = exampleInputEmail1
Step 13: Click the blue Save button from the Form Fields Mapping section
Step 14: Click the blue Publish button to publish your collection point


Part 2: SDK Integration


Step 1: Scroll up to the SDK Integration section
Step 2: Copy the code from Step 1 by clicking on the white Copy button
Step 3: Go back to the https://jsfiddle.net page you have open, and paste the code you just copied within the
<head> tag of the webpage and before <title>
Step 4: Click Tidy
Step 5: Go back to the OneTrust Training Environment,
and go to Step 2 of the SDK Integration section
Step 6: Copy the code from the Example
It should look like: <form class="ot-form-consent" action="" data-ot-cp-id="xxxxxxxxxxx.-draft" method="post">
Step 7: Paste the code you just copied within the <h1>Expert Cert Webform</h1> tag of the webpage and
remove the existing <form> tag
Change the last part of the code from draft to active
Step 8: Click Tidy and then Run from the top left corner
Step 9: Now it is time to test the webform,
Fill out the form with your email
Step 10: Click on Submit

Part 3: Verify consent receipt in OneTrust Training Environment


Step 1: Go back to the OneTrust Training Environment
Step 2: Click the Data Subjects tab on the left side under Reporting
Step 3: Refresh the page,
The email you submitted through the Webform should now be visible
Click on the email: you should also see the First and Last Name data elements added
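A pre-publication check for the webform edited in Parts 1 and 2, added here as an example (it is not OneTrust code or part of the handbook). It parses the page, confirms that every ID entered in Form Fields Mapping exists inside the `ot-form-consent` form (HTML `id` values are case-sensitive), and flags a collection point ID that still ends in `draft`. The sample HTML and the placeholder collection point ID are constructed.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the exercise. The form class, attribute name and
# field ids come from the handbook; the collection point id is a placeholder.
SAMPLE_HTML = """
<html><head><title>Expert Cert Webform</title></head>
<body>
<h1>Expert Cert Webform</h1>
<form class="ot-form-consent" action="" data-ot-cp-id="PLACEHOLDER-CP-ID-draft" method="post">
  <input type="text" id="firstName">
  <input type="text" id="LastName">
  <input type="email" id="exampleInputEmail1">
  <button type="submit">Submit</button>
</form>
</body></html>
"""

# Form Fields Mapping as entered in Step 12 of Part 1.
MAPPING = {
    "FirstName": "firstName",
    "LastName": "lastName",
    "Identifier": "exampleInputEmail1",
}


class ConsentFormParser(HTMLParser):
    """Collects the element ids found inside each <form class="ot-form-consent">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            classes = (attrs.get("class") or "").split()
            if "ot-form-consent" in classes:
                self._current = {"cp_id": attrs.get("data-ot-cp-id"), "ids": set()}
                self.forms.append(self._current)
            else:
                self._current = None
        elif self._current is not None and attrs.get("id"):
            self._current["ids"].add(attrs["id"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_webform(html, mapping):
    """Return a list of findings; an empty list means the form matches the mapping."""
    parser = ConsentFormParser()
    parser.feed(html)
    if not parser.forms:
        return ["no form with class ot-form-consent found"]

    findings = []
    form = parser.forms[0]
    cp_id = form["cp_id"] or ""
    if not cp_id:
        findings.append("form has no data-ot-cp-id attribute")
    elif cp_id.endswith("draft"):
        findings.append("data-ot-cp-id still ends in draft; change it to active")

    # Exact comparison first, then a case-insensitive lookup to explain near misses.
    lowered = {i.lower(): i for i in form["ids"]}
    for field, html_id in mapping.items():
        if html_id in form["ids"]:
            continue
        near = lowered.get(html_id.lower())
        if near:
            findings.append(
                f"{field}: mapped id '{html_id}' differs only in case from '{near}'"
            )
        else:
            findings.append(f"{field}: mapped id '{html_id}' not found in the form")
    return findings


if __name__ == "__main__":
    for finding in check_webform(SAMPLE_HTML, MAPPING):
        print(finding)
```
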


Integrating with client systems


Learn how to test an API call to connect with 3rd party systems to push a consent record into OneTrust

The Consent Receipts API allows an external application to submit a request to store consent transactions for
individual collection points. Each Collection Point must first be set up in OneTrust to generate a valid request
token. Use the API method when you want to generate a consent receipt in OneTrust from a third-party
application. In this section, we are going to test the API call that enables the integration between that
third-party application and OneTrust.


Exercise: test API consent creation


Step 1: Click Launchpad, then click the Consent module
Step 2: Click the Collection Points tab on the left side
Step 3: Click on the Expert Cert API Integration collection point
Step 4: Click on the Integrations tab
Step 5: Open https://reqbin.com in your browser
Step 6: Change the request call from GET to POST
Step 7: Go back to the OneTrust Training Environment,
Copy the URL of the Collection Point from the Integrations tab
Step 8: Go back to Reqbin,
Paste in the URL in Reqbin
Step 9: Go back to the OneTrust Training Environment,
Copy API Token of the Collection Point
Step 10: Go back to Reqbin,
Navigate to the Headers tab
Step 11: Type ‘apiToken:’
Step 12: Paste OneTrust API Token after colon
Step 13: In Reqbin navigate to Content
Go back to the OneTrust Training Environment,
Click on the white Copy Example Payload
Step 14: Go back to Reqbin,
Then paste the Example Payload into the Content section
Step 15: Click on the blue Send button (next to the URL)
Step 16: Go back to the OneTrust Training Environment,
Step 17: Click the Data Subjects tab on the left side under Reporting
Step 18: Check to see if a Data Subject with the email example@otprivacy.com was created


Bulk import consent transactions


Learn how to bulk import consent records into OneTrust by using an import template (Excel format)

You can import consent records into the OneTrust application in bulk using the templates available on the Import
Templates screen in Global Settings. Once you've downloaded and completed the respective import template,
you can upload it back into the application using either the Import Templates screen or the Bulk Import screen.


Exercise: bulk import consent transactions


Part 1: Download and Edit the Excel File
Step 1: Click on Global Settings (gear icon) at the top right side of the screen,
then scroll down to the Data Import section
Step 2: Click on Import Templates
Step 3: Click on the blue Download button of the Create / Update Data Subject Consent template
Step 4: Open the file from your Downloads
Step 5: Under the DataSubject column,
Type your email address
Step 6: For PurposeName,
Copy and paste a purpose from the Options tab of the file,
Choose Marketing Communications
Step 7: For CollectionPointName,
Copy and paste a collection point from the Options tab of the file,
Choose Expert Cert Webform
Note: The chosen Purpose should already be linked to the chosen Collection Point
Step 8: For TransactionType,
Copy and paste a transaction type from the Options tab of the file,
Choose CONFIRMED
Step 9: Enter a Date in the format YYYY-MM-DDTHH:MM:SS (UTC)
Note: This is a strict format that should be followed to avoid errors
Example: 2022-07-15T00:00:00
Step 10: Save

Part 2: Upload the Excel File


Step 1: Click on Global Settings (gear icon) at the top right side of the screen,
then scroll down to the Data Import section
Step 2: Click on Bulk Import


Step 3: Click on New Import
Step 4: Fill out the required information:
Import Name = Expert Cert Import Test
Import Type = Create Update Data Subject Consent
File = Upload the saved file
Step 5: Click on the blue Submit button
Step 6: You should see the uploaded file and a Success message for the Status
Note: If there is an Error message, download the file and see the error(s) by clicking the notification bell at the
top of the Bulk Import landing page
Fix any error(s) listed at the far right of the file and retry
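A pre-upload check for the rows filled in during Part 1, added here as an example (it is not OneTrust code or part of the handbook). It enforces the strict YYYY-MM-DDTHH:MM:SS format, including cases a lenient date parser would accept, and the rule that the purpose must already be linked to the chosen collection point. The date column's name, the option sets and the sample rows are assumptions constructed for the example; rows are plain dictionaries as they would be read from the sheet.

```python
import re
from datetime import datetime

# Column names DataSubject, PurposeName, CollectionPointName and TransactionType
# are from the handbook; the date column's name is an assumption.
DATE_COLUMN = "Date"
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # basic shape check only

# Constructed stand-in for the template's Options tab: which purposes are
# linked to which collection point, and the allowed transaction types.
LINKS = {
    "Expert Cert Webform": {"Marketing Communications"},
    "Expert Cert API Integration": {"Marketing Communications"},
}
TRANSACTION_TYPES = {"CONFIRMED"}  # the only value the handbook names


def validate_row(row, links=LINKS, transaction_types=TRANSACTION_TYPES):
    """Return a list of problems for one template row (empty list = OK)."""
    errors = []
    subject = (row.get("DataSubject") or "").strip()
    if not EMAIL_RE.fullmatch(subject):
        errors.append("DataSubject: not an email address")

    collection_point = row.get("CollectionPointName")
    if collection_point not in links:
        errors.append("CollectionPointName: not in Options tab")
    elif row.get("PurposeName") not in links[collection_point]:
        errors.append("PurposeName: not linked to this collection point")

    if row.get("TransactionType") not in transaction_types:
        errors.append("TransactionType: not in Options tab")

    date = row.get(DATE_COLUMN)
    # strptime alone accepts "2022-7-15T0:00:00", so check the shape first.
    if not isinstance(date, str) or not DATE_RE.fullmatch(date):
        errors.append("Date: must be YYYY-MM-DDTHH:MM:SS")
    else:
        try:
            datetime.strptime(date, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            errors.append("Date: not a real calendar date/time")
    return errors


def validate_rows(rows, links=LINKS, transaction_types=TRANSACTION_TYPES):
    """Map spreadsheet row number (header is row 1) to that row's problems."""
    report = {}
    for number, row in enumerate(rows, start=2):
        errors = validate_row(row, links, transaction_types)
        if errors:
            report[number] = errors
    return report


def _row(date, purpose="Marketing Communications", ttype="CONFIRMED"):
    """Build one constructed sample row."""
    return {
        "DataSubject": "example@otprivacy.com",
        "PurposeName": purpose,
        "CollectionPointName": "Expert Cert Webform",
        "TransactionType": ttype,
        DATE_COLUMN: date,
    }


# Constructed sample rows (spreadsheet rows 2 to 7).
SAMPLE_ROWS = [
    _row("2022-07-15T00:00:00"),                                # valid
    _row("2022-7-15T0:00:00"),                                  # not zero-padded
    _row("2022-07-15T00:00:00Z"),                               # suffix not in the format
    _row("2022-02-30T10:00:00"),                                # right shape, no such day
    _row("2022-07-15T00:00:00", purpose="Terms & conditions"),  # purpose not linked
    _row("2022-07-15T00:00:00", ttype="confirmed"),             # not an Options value
]

if __name__ == "__main__":
    for number, errors in validate_rows(SAMPLE_ROWS).items():
        print(number, errors)
```
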


Glossary
A
Adequacy Decision – A declaration made by the European Commission that a country outside of the EEU offers
an adequate level of protection, and therefore is acceptable for cross-border data transfers.

Affirmative Act – A clear action taken that indicates consent has been given; it is not passive.

Asset – Anything that can store or process personal data. This can include an application, website, database, or
even physical storage.

Asset Map – A visual map that shows the location of all assets.

Automated Decision Making – Making a decision or creating a profile based completely on technological means
without human involvement

B
Binding Corporate Rules (BCRs) – A set of strict and binding rules put in place by multinational companies and
organizations that describe how personal data must be processed and protected. This allows the transfer of
personal data outside the EEA, without having an Adequacy Decision. Data may be transferred between
countries but must remain within the organization.

Biometric Data – A “special category” of data relating to physical, physiological, or behavioral characteristics of
a person that can identify or confirm the identity of a person.

C
California Privacy Rights Act (CPRA) – The CPRA passed on November 4, 2020 and entered into effect on
January 1, 2023. The CPRA aims to address specific elements of the CCPA that the backers feel come up short.
Changes included new consumer rights, a new category of personal information and use and retention
limitations on personal information


Cookies – A small text file that a website may drop on a user’s device for the sake of tracking certain categories
of information.

Cookies (1st Party) – Cookies dropped by the website the user is visiting.

Cookies (3rd Party) – Cookies dropped by a website or company different than the one the user is visiting. Most
commonly, targeting or social media cookies.

Cookies (Persistent) – Cookies that continue to live on a user’s device after they have left the website from
which the cookie was dropped.

Cookies (Session) – Cookies that are no longer active after a user leaves a website or ends a session with the
website.

Consent – Any freely given, specific, informed and unambiguous indication that the data subject agrees to
specific processing. Consent must be as easy to withdraw as it is to give. Consent must be given through
Affirmative Action.

Controller – The entity that determines the purposes, conditions and means of the processing of personal data.

D
Data Element – Pieces of collected information that together, build a complete look at Data.

Data Erasure – Also known as the Right to be Forgotten, it entitles the data subject to have the data controller
erase their personal data, stop further dissemination of the data, and potentially have third parties stop
processing of the data.

Data Portability – The requirement for controllers to provide the data subject with a copy of the data they’ve
provided to the controller. The data provided must be easy to read and can be given to the data subject directly,
or to another controller upon request.


Data Protection Officer (DPO) – An expert on data privacy who works independently within an organization to
ensure compliance with GDPR policies and procedures.

Data Protection Impact Assessment (DPIA) – An assessment required under GDPR, used to identify, assess,
and mitigate risks within an organization’s data processing policies and activities.

Data Subject – A natural person whose personal data is processed by a controller or processor.

Derogation – An exemption or exception from a law.

Directive – A legislative act that sets out a goal for all EU countries to achieve, but each country can meet this
goal in their own way, with their own national laws.

E
ePrivacy Directive – A directive passed in 2002 and amended in 2009 that addresses privacy regarding digital
communication, digital marketing, and cookies.

Encrypted Data – Personal data that is protected through technological measures to ensure that the data is only
accessible/readable by those with specified access.

European Data Protection Board (EDPB) – Formerly known as Article 29 Working Party (A29 WP), it is an advisory
body made up of DPAs from each EU member state and the European Commission.

F
Freely Given – Consent is considered freely given if the data subject is able to exercise a real choice, and there
is no significant negative consequence if they do not give consent.

G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents of the
European Economic Area. Passed in 2016, in effect in 2018.


Genetic Data – Data pertaining to unique information about the health or physiology of an individual.

I
Informed – Having all necessary information needed to make a conscious decision or give consent.

M
Main Establishment – A location, chosen by the data controller, for a company or organization where it is
headquartered and therefore subject to any local laws or directives.

P
Personal Data – Any information related to a natural person or ‘Data Subject’, that can be used to directly or
indirectly identify the person.

Personal Data Breach – A breach of security leading to the accidental or unlawful access to, destruction, misuse,
etc. of personal data.

Processor – An entity that processes data on behalf of a Data Controller, considered a third party.

Privacy by Design (PbD) – A principle that calls for the inclusion of data protection from the onset of the designing
of systems, rather than as an addition.

Privacy Impact Assessment – A tool used to identify and reduce the privacy risks of organizations by analyzing
the personal data that is processed and the policies that are in place to protect the data.

Processing – Any activity performed on personal data, whether or not by automated means, including collection,
use, recording, etc.

Profiling – Any automated processing of personal data intended to evaluate, analyze, or predict data subject
behavior; it is done without human interference.


Pseudonymisation – Taking key identifiers out of personal data so that, alone, it cannot be attributed to one
single individual. The data is still not completely anonymous but is not identifiable without other pieces of data.

R
Recipient – The entity to which the personal data is disclosed.

Records of Processing Activities – Each data controller must have a detailed record of all processing activities
that are acted upon data that they have collected. Sometimes called an “Article 30 Report.”

Regulation – A binding legislative act that must be applied in specifically spelled out ways, in its entirety, across
the European Union.

Restriction of Processing – A right of a data subject to limit the future processing of their stored personal data.

Right to be Forgotten – Also known as Data Erasure, it entitles the data subject to have the data controller erase
their personal data, cease further dissemination of the data, and potentially have third parties cease processing
of the data.

Right to Access – Also known as Subject Access Right, it entitles the data subject to have access to and
information about the personal data that a controller has concerning them.

S
Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for
specific and clearly spelled out uses and must be consulted if the use changes.

Supervisory Authority (SA) – A public authority which is established by a member state that oversees the
execution of GDPR regulations.

U
Unambiguous – Data subject consent must be given affirmatively and without doubt. The data subject must
have a clear understanding of what their data will be used for, and it must be obvious that the data subject has
consented to the particular processing.
