Consent Handbook - 2023
OneTrust Consent & Preference Management Expert Certification Program Handbook
DISCLAIMER:
No part of this document may be reproduced in any form without the written permission of the copyright owner.
The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of any kind resulting from the use of this document.
OneTrust products, content and materials are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue.
Proprietary/Internal
OneTrust Consent & Preference Management Expert Reference Guide
The training environment provided to you is only for use during the OneTrust Certification Training Program.
You will only be able to log in for the duration of the training.
Contents
OneTrust Consent & Preference Management Expert Certification Program Handbook
  Introduction
  Resources & Support
    Sales
    Technical Support
    Partner Support
    My.OneTrust.com
    Tenant Support Request
  Regulation overview, terms, and concepts
    GDPR Article 4 – Definitions
    GDPR Article 7 – Conditions for consent
    Terms & concepts: consent as a legal basis
    Terms & concepts: types of consent
    LGPD, articles 5, 7 & 8
    CPRA, sections 1798.120 & 1798.125
  Consent & Preference Management overview
    Consent & Preference Management module overview
    Three architecture components of consent
    Key terminology
    Best practices and implementation considerations
  Consent & Preference Management use case
    Zentoso use case
  Functional overview
    Functional execution in OneTrust
    What is a data subject?
    What is a data element?
      Exercise: create a custom data element
    What is a purpose?
      Exercise: create a purpose
    What are custom preferences?
      Exercise: create custom preferences
    Best practices for purposes vs. custom preferences
    Collection point best practices
    What is a consent interaction?
    What is a collection point?
      Exercise: create a collection point
    What is a preference center?
      Build a preference center
      Customize the branding
      Integrate the preference center
      Manage languages
      Manage preference center settings
      Exercise: build a preference center
  Technical overview
    Technical execution steps
    Integrating with user interfaces
      Exercise: integrate the SDK for collecting consent records through a webform collection point
    Integrating with client systems
      Exercise: test API consent creation
    Bulk import consent transactions
      Exercise: bulk import consent transactions
  Glossary
    A, B, C, D, E, F, G, I, M, P, R, S, U
Introduction
Welcome to this OneTrust certification program reference handbook, your comprehensive guide to becoming a
certified OneTrust Consent & Preference Management Expert.
OneTrust automates privacy impact assessments and data mapping, identifies privacy risks, and enforces risk
management and control activities in an integrated and agile approach. More specifically, the Consent &
Preference Management module can help your organization automate compliance and enhance customer
experiences by enabling consent and preference collection. The OneTrust platform will serve as a single source
of truth for all consent receipts.
Automate compliance:
▪ Capture consent and preferences
▪ Centralize consent for compliance proof
▪ Educate customers with privacy policies
Empower customers:
▪ Provide choices to your audience
▪ Enable customers to choose communication options
▪ Add touchpoints with a preference center
Build trust:
▪ Communicate values and brand promise
▪ Deliver transparent user experiences
▪ Honor consent and preference choices
The result is the ability to demonstrate accountability and compliance with the EU's data protection requirements
and, more broadly, across privacy jurisdictions and frameworks worldwide.
Technical Support
▪ Email: support@onetrust.com
▪ Phone Number: +1 (844) 900-0472
Partner Support
▪ Email: partnersupport@onetrust.com
Partner support can assist with:
▪ Scheduling Client Demonstrations
▪ Submitting an RFI/RFP with OneTrust
▪ Client Referrals
▪ Account Strategy & Alignment
▪ Additional Resources & Collateral
Other resources include:
▪ Product Demonstration Videos
▪ OneTrust Overview Brochure
▪ How OneTrust Helps with GDPR Whitepaper
▪ SmartPrivacy Workshops Registration
My.OneTrust.com
• Website: my.OneTrust.com
My OneTrust is a platform that can be accessed by all OneTrust customers and partners for additional
resources, which include, but are not limited to:
▪ OneTrust Knowledge
▪ Release Notes
▪ Scheduled Maintenance
▪ Live System Status
▪ Submit a Ticket
▪ Developer Portal
▪ Get OneTrust Certified
2. If the data subject's consent is given in the context of a written declaration which also concerns other
matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other
matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a
declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent
shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent,
the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the
performance of a contract, including the provision of a service, is conditional on consent to the processing of
personal data that is not necessary for the performance of that contract.”
Summary: Controllers shall be able to demonstrate that they have obtained valid consent
Scope: All processing based on consent
Other requirements:
▪ Clearly distinguishable from the other matters
▪ Intelligible and easily accessible form
▪ Clear and plain language
▪ Right to withdraw consent
▪ Performance of a contract cannot be conditional on consent if the processing is not necessary for the contract
Key terminology
▪ Data subject: the individual who consents to their personal data being processed
▪ Data element: additional details related to a data subject that can be updated via the OneTrust preference
center
▪ Purpose of processing: reason why a business is collecting and using personal data
▪ Collection point: a system or in-person sign-up where a data subject provides information to your business
for processing purposes
▪ Preference center: OneTrust hosted form that allows for a data subject to easily update their profile
information and preferences
Functional overview
Functional execution in OneTrust
Text input: provides a field where free text entries can be made without restriction.
Date: provides a calendar where a date can be selected. The required format is MM/DD/YYYY.
Selection: provides a list of options that you predefine from which a data subject can select.
Email: provides a field where a valid formatted email can be entered.
Phone Number: provides a field where a phone number can be entered. The required format is a plus (+) sign
followed by a valid country code and the number.
Country: provides a list of countries from which a data subject can select.
State: provides a list of U.S. states from which a data subject can select.
Number: provides a field where any numerical digit can be entered.
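A validator for these field types, as an added example rather than OneTrust code: the lower-case type names, the schema shape, the tolerance for spaces and punctuation in phone numbers, and the short country and state lists are this example's own assumptions. It rejects impossible dates such as 02/30/2023 instead of letting the Date constructor roll them over, and refuses a record whose identifier (Email, in the Zentoso use case) is missing or malformed.

```javascript
// Added example, not OneTrust code: validate data element values against the
// field types listed above before they are written into a consent record.
// Type names, the schema shape and the sample data are this example's own.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const E164_RE = /^\+[1-9]\d{6,14}$/;           // "+" then country code and number, 7..15 digits
const DATE_RE = /^(\d{2})\/(\d{2})\/(\d{4})$/;  // MM/DD/YYYY, as the Date type requires
const NUMBER_RE = /^-?\d+(\.\d+)?$/;

// Constructed option lists; a real deployment would use the full country and state tables.
const COUNTRIES = ['DE', 'FR', 'GB', 'US'];
const US_STATES = ['CA', 'GA', 'NY', 'TX'];

// Validate one value. Returns { ok: true, value } with the normalised value,
// or { ok: false, reason } explaining the rejection.
function validateDataElement(type, rawValue, options = []) {
  const value = String(rawValue ?? '').trim();
  switch (type) {
    case 'text':
      return { ok: true, value };
    case 'date': {
      const m = DATE_RE.exec(value);
      if (!m) return { ok: false, reason: 'expected MM/DD/YYYY' };
      const [mm, dd, yyyy] = m.slice(1).map(Number);
      // Round-trip through Date.UTC so 02/30/2023 is rejected instead of rolling over to March.
      const d = new Date(Date.UTC(yyyy, mm - 1, dd));
      const real = d.getUTCFullYear() === yyyy && d.getUTCMonth() === mm - 1 && d.getUTCDate() === dd;
      return real ? { ok: true, value } : { ok: false, reason: 'not a calendar date' };
    }
    case 'selection':
      return options.includes(value) ? { ok: true, value } : { ok: false, reason: 'not a predefined option' };
    case 'email':
      return EMAIL_RE.test(value) ? { ok: true, value: value.toLowerCase() } : { ok: false, reason: 'malformed email' };
    case 'phone': {
      const digits = value.replace(/[\s().-]/g, ''); // tolerate "+1 (404) 555-0100"
      return E164_RE.test(digits) ? { ok: true, value: digits } : { ok: false, reason: 'expected +<country code><number>' };
    }
    case 'country':
      return COUNTRIES.includes(value) ? { ok: true, value } : { ok: false, reason: 'unknown country' };
    case 'state':
      return US_STATES.includes(value) ? { ok: true, value } : { ok: false, reason: 'unknown U.S. state' };
    case 'number':
      return NUMBER_RE.test(value) ? { ok: true, value: Number(value) } : { ok: false, reason: 'not numeric' };
    default:
      return { ok: false, reason: `unknown data element type "${type}"` };
  }
}

// Validate a whole data subject record against a schema. The identifier field
// must be present and valid; other fields are optional unless marked required.
function validateDataSubject(schema, record) {
  const values = {};
  const errors = {};
  for (const field of schema) {
    const raw = record[field.name];
    if (raw === undefined || String(raw).trim() === '') {
      if (field.required || field.identifier) errors[field.name] = 'missing';
      continue;
    }
    const result = validateDataElement(field.type, raw, field.options);
    if (result.ok) values[field.name] = result.value;
    else errors[field.name] = result.reason;
  }
  return { valid: Object.keys(errors).length === 0, values, errors };
}

// Zentoso's data elements from the use case (the customer type options are constructed).
const ZENTOSO_SCHEMA = [
  { name: 'email', type: 'email', identifier: true },
  { name: 'firstName', type: 'text' },
  { name: 'lastName', type: 'text' },
  { name: 'customerType', type: 'selection', options: ['Individual', 'Business'] },
];
```

Run the validation on the client before the SDK or API call and again in any system that feeds bulk imports; a receipt stored with a malformed identifier cannot be matched to the data subject later and therefore cannot be honoured or withdrawn.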
What about Zentoso? Zentoso needs to track the following data elements:
▪ Email (to be used as main identifier)
▪ First name
▪ Last name
▪ Customer type
What is a purpose?
GDPR requirement: purpose of processing
Example: "Do you consent to receiving marketing communication from us?"
Purposes are the reasons for which you collect and process a data subject's personal data; each purpose is what the data subject consents to.
Manage versions of a purpose
If the purpose you want to modify is already published, you will need to create a new version of the purpose to
make additional changes. The new version of the purpose will then be placed in Draft status. If you decide that
you no longer want the draft version of the purpose, you can delete the draft on the Version History pane. Only
Draft purposes can be deleted.
Manage translations for a purpose
When you initially create the purpose, the name and description that you enter will be used internally in the
application to help you identify the purpose of processing. The default language that you selected when creating
the purpose will be automatically added to the Translations table on the Supported Languages tab along with
the content you entered for the name and description.
When purposes are displayed publicly, like in collection points and preference centers, it is the translations that
will be used for both the default language and additional languages in which you want to translate the purpose.
Modifications to the translations can be made on the Supported Languages tab.
To manage several languages in a collection point or preference center, you need to define the various
translations for the purposes you want to display.
What about Zentoso? Zentoso needs to create the following groups of custom preferences:
▪ Method of communication
  - Email
  - Phone
  - Post
▪ Types of newsletters
  - Product Updates
  - Promotions
Opt In Checkbox + Form Submission - The web form includes blank check boxes that a data subject can select to indicate consent for those selections before submitting the form
Uncheck to Opt Out + Form Submission - The web form includes pre-selected options that a data subject will have to clear before submitting the form; otherwise a consent record will be created for those options
Check to Opt Out + Form Submission - The web form includes blank check boxes that a data subject will have to select to indicate no consent for those selections before submitting the form
Custom Single Trigger - The web form includes a single action that is not an HTML submit button that a data subject can use to give consent
Custom Conditional Trigger - The web form includes two (or more) actions or conditions, which are not standard HTML form actions, that a data subject must complete or meet to give consent
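The decision rule behind each checkbox-based interaction type (plus the Form Submission Only interaction used for the Zentoso registration form), as an added example that is not OneTrust SDK code: the interaction names, the CONSENT/NO_CONSENT labels, the `affirmative` flag and the sample purposes are this example's own. The flag marks a consent that would be recorded without the data subject changing anything on the form, which is what the glossary's Affirmative Act requirement is about, so a webform that produces such records for a consent purpose deserves a second look.

```javascript
// Added example, not OneTrust SDK code: derive a per-purpose consent decision
// from the form state at submit time under each consent interaction, and flag
// decisions that did not come from an affirmative act by the data subject.
// Interaction names, decision labels and the sample form are this example's own.

// State of each purpose's control as rendered, before the data subject touches it.
const INITIAL_STATE = Object.freeze({
  OPT_IN_CHECKBOX: false,     // blank box; checking it gives consent
  UNCHECK_TO_OPT_OUT: true,   // pre-selected box; clearing it refuses
  CHECK_TO_OPT_OUT: false,    // blank box; checking it refuses
  FORM_SUBMISSION_ONLY: null, // no per-purpose control; submitting consents to everything
});

// purposes: [{ id, checkboxId }]   form: { [checkboxId]: boolean } read at submit time.
// Returns { [purposeId]: { decision: 'CONSENT' | 'NO_CONSENT', affirmative: boolean } }.
function deriveConsent(interaction, purposes, form) {
  // hasOwnProperty rather than `in`: "constructor" or "toString" must not pass as an interaction.
  if (!Object.prototype.hasOwnProperty.call(INITIAL_STATE, interaction)) {
    throw new Error(`unknown consent interaction: ${interaction}`);
  }
  const initial = INITIAL_STATE[interaction];
  const result = {};
  for (const { id, checkboxId } of purposes) {
    const checked = form[checkboxId] === true;
    let decision;
    if (interaction === 'FORM_SUBMISSION_ONLY') decision = 'CONSENT';
    else if (interaction === 'CHECK_TO_OPT_OUT') decision = checked ? 'NO_CONSENT' : 'CONSENT';
    else decision = checked ? 'CONSENT' : 'NO_CONSENT';
    // Affirmative only if the subject actually changed the control from how it was rendered.
    const affirmative = initial !== null && checked !== initial;
    result[id] = { decision, affirmative };
  }
  return result;
}

// Purposes that would be recorded as consented although the data subject did
// nothing beyond submitting the form. Consent under GDPR requires an affirmative
// act, so a collection point that yields these for a consent purpose needs review.
function consentWithoutAffirmativeAct(results) {
  return Object.entries(results)
    .filter(([, r]) => r.decision === 'CONSENT' && !r.affirmative)
    .map(([id]) => id);
}

// Constructed sample: two purposes on a registration form.
const SAMPLE_PURPOSES = [
  { id: 'marketing-communication', checkboxId: 'chkMarketing' },
  { id: 'customer-surveys', checkboxId: 'chkSurveys' },
];
```

With the same submitted form (`chkMarketing` checked, `chkSurveys` not), Opt In Checkbox yields one affirmative consent and no flags, Uncheck to Opt Out yields the same decisions but flags the marketing consent as inferred from a pre-selected box, and Form Submission Only flags every purpose.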
Custom API:
Used if you want to integrate through the API, for example when consent was collected in another system.
Mobile Application:
Used if you are collecting consent in an iOS or Android application.
Web Form:
Used if your collection point is a web form that you want to integrate with the JavaScript SDK.
Offline / Bulk Import:
Used if you want to import consent from an uploaded Excel file. Useful when consent is collected offline or on
paper forms.
Cookie Compliance:
Linked to the OneTrust Cookie Consent module, to capture user interactions with the banner.
NEW: ONETRUST HOSTED COLLECTION POINT
Build and design the collection point form within the OneTrust platform. Customize fields, layout, and design
within the platform – no HTML experience required!
Collection points define the points of interaction where consent is initially gathered and recorded, and they can
be set up to reflect digital interactions, such as web forms and website banners, and analog interactions, such
as phone conversations, physical mail, or in-person interactions.
What about Zentoso? Zentoso needs to create the following collection points:
▪ Registration webform
  - Consent interaction: Form Submission Only
▪ Custom API
  - Designed for a third-party system to write consent requests to OneTrust
Manage languages:
You can set up a collection point in several languages. This allows the data subject to switch the translations of
the purposes to the wanted language. This only works if you have defined translations for the related purposes.
What about Zentoso? Zentoso wants to build the following preference center:
One preference center with two pages
▪ Page 1 – Update Profile Information
▪ Page 2 – Choose Consent and Preferences
Feel free to play around with the options and customize the look of the preference center.
Step 2: Go to the Settings tab and toggle on the following options:
- Enable Preference Center Events
- Single Data Subject Update Event Type
Step 3: Click the Save button at the bottom right, then click Publish at the top right
Step 4: Click the Context (…) button then click Preview
Technical overview
Technical execution steps
If you have an existing webform on your website that you use to collect consent, this method lets you integrate
the webform with the OneTrust platform. OneTrust then generates a consent receipt whenever the webform is
used to submit consent.
First step:
Inspect the source code of your webform (your browser's developer tools will show it), then map the field IDs
expected by the SDK (shown in OneTrust) to the IDs of the elements in your web form.
Second step:
Go back to the record of the webform collection point you created and enter this mapping in the Form Fields
Mapping section of the Integrations tab. This allows the SDK to read the contents of each mapped HTML field in
your form and submit them as part of the consent receipt.
Third step:
Once you have finished mapping the fields, integrate the SDK by clicking the Copy SDK button and pasting the
snippet into the source code of your existing web form.
Fourth step:
Once the existing webform is integrated with the OneTrust application, submit consent through the webform and
verify that the consent receipt appears in the OneTrust application.
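How a Form Fields Mapping is consumed, as an added example that is not the OneTrust SDK: the mapping keys (identifier, firstName, lastName), the `makeFieldReader` stand-in for `document.getElementById`, and the sample form are this example's own assumptions; the element ids are the ones the exercise below uses. The point it makes is that a mapping entry that does not resolve to an element in the form must fail loudly, because otherwise the receipt is stored without an identifier and cannot be attributed to anyone.

```javascript
// Added example, not the OneTrust SDK: resolve a Form Fields Mapping against a
// web form and assemble the data that goes into the consent receipt, failing
// when a mapped element is missing. Mapping keys and the sample form are this
// example's own.

// SDK field name -> id of the element in the web form's HTML (ids from the exercise form).
const FORM_FIELDS_MAPPING = Object.freeze({
  identifier: 'exampleInputEmail1',
  firstName: 'firstName',
  lastName: 'lastName',
});

// In a browser this would be `id => document.getElementById(id)?.value`; here
// the form is a plain object so the example runs without a DOM.
function makeFieldReader(form) {
  return (id) => (Object.prototype.hasOwnProperty.call(form, id) ? String(form[id]).trim() : undefined);
}

// Resolve every mapped id. An id that is not present in the form is a
// configuration error and is reported, not replaced by an empty string.
function resolveMapping(mapping, readField) {
  const values = {};
  const missing = [];
  for (const [sdkField, elementId] of Object.entries(mapping)) {
    const v = readField(elementId);
    if (v === undefined) missing.push(`${sdkField} -> #${elementId}`);
    else values[sdkField] = v;
  }
  return { values, missing };
}

// Build the data-subject part of the receipt: the identifier is mandatory and
// every other mapped field becomes a data element keyed by the SDK field name.
// Unmapped form controls (such as the consent checkboxes) are never copied in.
function buildReceiptData(mapping, readField) {
  const { values, missing } = resolveMapping(mapping, readField);
  if (missing.length) throw new Error(`unmapped form fields: ${missing.join(', ')}`);
  if (!values.identifier) throw new Error('identifier field is empty; receipt cannot be attributed to a data subject');
  const { identifier, ...dataElements } = values;
  return { identifier, dataElements };
}

// Constructed sample form, as the exercise's HTML looks once the ids match the mapping.
const SAMPLE_FORM = { exampleInputEmail1: 'ana@example.com', firstName: 'Ana', lastName: 'Lima', chkMarketing: 'on' };
```

A mapping that still uses the capitalised `FirstName`/`LastName` ids from before the exercise's Step 12 resolves only the identifier; `buildReceiptData` reports both missing fields instead of producing a receipt with blank name elements.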
Exercise: integrate the SDK for collecting consent records through a webform collection point
Part 1: Form Fields Mapping
Step 1: Open https://jsfiddle.net/ in your browser
Step 2: Copy the code from this Activity Document
Note: this is the source code of the webform used to submit consent
Step 3: Paste the copied code in the HTML section pane of the JSFiddle editor
Step 4: Click on Tidy at the top right of the HTML section pane
Step 5: Go back to the OneTrust Training Environment
Step 6: Click Launchpad, then click the Consent module
Step 7: Click the Collection Points tab on the left side
Step 8: Click on the Expert Cert Webform collection point
Step 9: Click on Create New Version
Step 10: Click on the Integrations tab, stay on the SDK section
Step 11: Scroll down to the Form Fields Mapping section and click Edit
Step 12: Edit the following fields:
FirstName = change to lower case f
LastName = change to lower case l
Identifier ID = exampleInputEmail1
Step 13: Click the blue Save button from the Form Fields Mapping section
Step 14: Click the blue Publish button to publish your collection point
The Consent Receipts API allows an external application to submit a request to store consent transactions for
individual collection points. Each collection point must first be set up in OneTrust so that a valid request token
can be generated for it. Use the API method when a third-party application needs to create consent receipts in
OneTrust. In this section we test the API call that connects that third-party application to OneTrust.
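The request builder and response check a client system would wrap around this call, as an added example that is not OneTrust's client library or API reference: the endpoint URL, the header set and every JSON field name in the body are placeholders to be replaced from the collection point's Integrations tab and the API documentation; only the structure (an identifier, a per-collection-point request token, the purposes consented to, optional data elements) follows the text above. Keeping the request and the response handling as pure functions lets the integration be tested without a network and makes the failure mode explicit: a transaction that was not acknowledged with a receipt must not be treated as recorded.

```javascript
// Added example, not OneTrust's client or API documentation. Field names,
// URL and headers are placeholders; only the structure follows the text.

// Build the HTTP request as plain data so it can be inspected and tested offline.
function buildConsentRequest({ endpoint, requestToken, identifier, purposeIds, dataElements = {}, now = new Date() }) {
  if (!requestToken) throw new Error('collection point request token required');
  if (!identifier) throw new Error('identifier required');
  if (!Array.isArray(purposeIds) || purposeIds.length === 0) throw new Error('at least one purpose required');
  return {
    method: 'POST',
    url: endpoint,
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      requestInformation: requestToken,       // placeholder name; the token is specific to one collection point
      identifier,                             // the data subject's identifier (email for Zentoso)
      purposes: purposeIds.map((id) => ({ id })),
      dsDataElements: dataElements,           // placeholder name for the data elements block
      transactionDate: now.toISOString(),
    }),
  };
}

// Interpret the response. Anything other than a 2xx carrying a receipt id is a
// failure that the caller must surface (retry, alert, or queue), never swallow.
function handleConsentResponse(status, bodyText) {
  if (status < 200 || status >= 300) throw new Error(`consent receipt rejected: HTTP ${status}`);
  let parsed;
  try { parsed = JSON.parse(bodyText); } catch { throw new Error('consent receipt response is not JSON'); }
  if (!parsed.receiptId) throw new Error('consent receipt response has no receipt id'); // placeholder field name
  return { receiptId: parsed.receiptId, status };
}

// Glue for a real client (not run here): const req = buildConsentRequest({...});
// const res = await fetch(req.url, req); handleConsentResponse(res.status, await res.text());
```

The returned receipt id is what step four of the procedure verifies in the OneTrust application; log it next to the identifier and transaction date so the client system's record can be reconciled against OneTrust's.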
You can import consent records into the OneTrust application in bulk using the templates available on the Import
Templates screen in Global Settings. Once you've downloaded and completed the respective import template,
you can upload it back into the application using either the Import Templates screen or the Bulk Import screen.
Glossary
A
Adequacy Decision – A declaration made by the European Commission that a country outside of the EEA offers
an adequate level of protection, and therefore is acceptable for cross-border data transfers.
Affirmative Act – A clear action taken that indicates consent has been given, is not passive.
Asset – Anything that can store or process personal data. This can include an application, website, database, or
even physical storage.
Asset Map – A visual map that shows the location of all assets.
Automated Decision Making – Making a decision or creating a profile based completely on technological means
without human involvement
B
Binding Corporate Rules (BCRs) – A set of strict and binding rules put in place by multinational companies and
organizations that describe how personal data must be processed and protected. This allows the transfer of
personal data outside the EEA, without having an Adequacy Decision. Data may be transferred between
countries but must remain within the organization.
Biometric Data – A “special category” of data relating to physical, physiological, or behavioral characteristics of
a person that can identify or confirm the identity of a person.
C
California Privacy Rights Act (CPRA) – The CPRA was approved by California voters on November 3, 2020 and
entered into effect on January 1, 2023. The CPRA aims to address specific elements of the CCPA that its backers
felt came up short. Changes included new consumer rights, a new category of sensitive personal information, and
use and retention limitations on personal information.
Cookies – A small text file that a website may drop on a user’s device for the sake of tracking certain categories
of information.
Cookies (1st Party) – Cookies dropped by the website the user is visiting.
Cookies (3rd Party) – Cookies dropped by a website or company different than the one the user is visiting. Most
commonly, targeting or social media cookies.
Cookies (Persistent) – Cookies that continue to live on a user’s device after they have left the website from
which the cookie was dropped.
Cookies (Session) – Cookies that are no longer active after a user leaves a website or ends a session with the
website.
Consent – Any freely given, specific, informed and unambiguous indication that the data subject agrees to
specific processing. Consent must be as easy to withdraw as it is to give, and must be given through an
affirmative act.
Controller – The entity that determines the purposes, conditions and means of the processing of personal data.
D
Data Element – A piece of collected information about a data subject (for example first name, last name or customer type); together the data elements build a complete picture of that subject.
Data Erasure – Also known as the Right to be Forgotten, it entitles the data subject to have the data controller
erase their personal data, stop further dissemination of the data, and potentially have third parties stop
processing of the data.
Data Portability – The requirement for controllers to provide the data subject with a copy of the data they’ve
provided to the controller. The data provided must be easy to read and can be given to the data subject directly,
or to another controller upon request.
Data Protection Officer (DPO) – An expert on data privacy who works independently within an organization to
ensure compliance with GDPR policies and procedures.
Data Protection Impact Assessment (DPIA) – An assessment required under GDPR, used to identify, assess,
and mitigate risks within an organization’s data processing policies and activities.
Data Subject – A natural person whose personal data is processed by a controller or processor.
Directive – A legislative act that sets out a goal for all EU countries to achieve, but each country can meet this
goal in their own way, with their own national laws.
E
ePrivacy Directive – A directive passed in 2002 and amended in 2009 that addresses privacy regarding digital
communication, digital marketing, and cookies.
Encrypted Data – Personal data that is protected through technological measures to ensure that the data is only
accessible/readable by those with specified access.
European Data Protection Board (EDPB) – The independent EU body that replaced the Article 29 Working Party
(A29 WP); it is made up of the supervisory authorities of the EU/EEA member states and the European Data
Protection Supervisor, and issues guidance on the consistent application of the GDPR.
F
Freely Given – Consent is considered freely given if the data subject is able to exercise a real choice, and there
is no significant negative consequence if they do not give consent.
G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents of the
European Economic Area. Passed in 2016, in effect in 2018.
Genetic Data – Data pertaining to unique information about the health or physiology of an individual.
I
Informed – Having all necessary information needed to make a conscious decision or giving consent.
M
Main Establishment – For a controller, the place of its central administration in the EU (or, if decisions on the
purposes and means of processing are taken at another establishment, that establishment); it determines which
supervisory authority acts as lead authority.
P
Personal Data – Any information related to a natural person or ‘Data Subject’, that can be used to directly or
indirectly identify the person.
Personal Data Breach – A breach of security leading to the accidental or unlawful access to, destruction, misuse,
etc. of personal data.
Processor – An entity that processes personal data on behalf of, and on the instructions of, a Data Controller.
Privacy by Design (PbD) – A principle that calls for the inclusion of data protection from the onset of the designing
of systems, rather than as an addition.
Privacy Impact Assessment – A tool used to identify and reduce the privacy risks of organizations by analyzing
the personal data that is processed and the policies that are in place to protect the data.
Processing – Any activity performed on personal data, whether or not by automated means, including collection,
use, recording, etc.
Profiling – Any form of automated processing of personal data used to evaluate, analyze, or predict aspects of a
data subject, such as their behavior, preferences, or interests.
Pseudonymisation – Removing the key identifiers from personal data so that, on its own, it cannot be attributed to a
single individual. The data is not anonymous, but it is not identifiable without additional information that is kept separately.
R
Recipient – The entity to which the personal data is disclosed.
Records of Processing Activities – Each data controller must have a detailed record of all processing activities
that are acted upon data that they have collected. Sometimes called an “Article 30 Report.”
Regulation – A binding legislative act that must be applied in specifically spelled out ways, in its entirety, across
the European Union.
Restriction of Processing – A right of a data subject to limit the future processing of their stored personal data.
Right to be Forgotten – Also known as Data Erasure, it entitles the data subject to have the data controller erase
their personal data, cease further dissemination of the data, and potentially have third parties cease processing
of the data.
Right to Access – Also known as Subject Access Right, it entitles the data subject to have access to and
information about the personal data that a controller has concerning them.
S
Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for
specific and clearly spelled out uses and must be consulted if the use changes.
Supervisory Authority (SA) – An independent public authority established by a member state that oversees the
application of the GDPR.
U
Unambiguous – Data subject consent must be given affirmatively and without doubt. The data subject must
have a clear understanding of what their data will be used for, and it must be obvious that the data subject has
consented to the particular processing.