OneTrust: Consent tool with major pitfalls


OneTrust is a so-called consent solution for websites. The provider is based in the USA, or in the UK; it is not really clear which. The tool has other pitfalls besides the location issue. CookieLaw and Optanon are offshoots of OneTrust.

Introduction

A consent tool, often also called a cookie consent tool, is embedded in a website to comply with data protection law. That is the theory. In practice things look different, and this applies especially to OneTrust, because the provider seems to have a flexible location.

OneTrust has even more weaknesses, though. To anticipate the conclusion: using this tool all but guarantees a website that is already unlawful. I'll explain what is meant by that right away.

OneTrust apparently took over the providers Optanon and Cookie Law some time ago. All three former providers are now united under OneTrust in my opinion. This can be seen, for example, in the files used by the consent tool.

I recently conducted an investigation of all the popular consent tools I'm familiar with and dubbed it Cookiegeddon, because the result was so disastrous.

Flexible consent request

Similar to the Google Corporation, it is not entirely clear which companies process the data that one entrusts to them. As mentioned above, OneTrust lists two locations, but does not directly name a primary responsible party. The US location is highly problematic for well-known reasons (unsafe third country, cf. Article 44 GDPR). The UK location is also no longer the best since Brexit when it comes to data protection rights. Currently, a transition period has been set. Update: The United Kingdom received an adequacy decision from the EU. However

More flexible than the provider's location is the consent query itself. OneTrust uses so-called geolocation to find out which country the current visitor of the website probably comes from. To do this, one variant of OneTrust calls the address https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location. The data determined by geolocation and transmitted to the website currently being visited are in particular:

Location information about the user stored in a OneTrust cookie.

This alone looks anything but privacy-friendly and does not exactly inspire confidence in a consent tool. The location was quite precise in my test, although not very accurate. The location determined was around 12 kilometers away from my actual location as the crow flies.

On January 20, 2021 at least, the European Commission imposed a fine of €7.8 million for unlawful geo-blocking practices.

If the user is from Germany, he receives a full consent request. A full consent request here means that OneTrust does everything the tool is capable of. Unfortunately, that is not much.

If the user appears to come from certain other countries, a consent query may not appear at all. This would be unlawful in itself and create serious data protection problems, as can easily be shown. I was unable to reproduce the country-dependent display; I can only assume it. In any case, the quite detailed geolocation of a user by a consent tool is highly questionable in itself.

If one opens a website equipped with OneTrust in the privacy-friendly Tor Browser, the consent request does not appear. Perhaps it is not even about the country that the Tor Browser appears to come from, but rather about a security setting in the browser:

Problems loading OneTrust in a secure browser like Tor (as of 21.09.2021).

A consent solution must of course be designed in such a way that even if the "solution" does not function, the website remains GDPR-compliant. In the worst case, no tool at all should be loaded. With OneTrust, however, the worst case is that the consent tool is not loaded, with the result that all tools requiring consent are loaded directly. The so-called cookie blocker ultimately exists to reload problematic tools, not to reduce existing problems.

The reason is that OneTrust sets itself "on top". Instead of adapting the website's own loading instructions for the embedded tools, as should be standard practice, an attempt is made to suppress the loading of those tools artificially. If the suppressor (the consent tool) is then missing, nothing is suppressed either.

There are no excuses for this. Every website must be designed in such a way that unauthorized data transfers are excluded from the outset until further notice.
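The two loading strategies just described, as an added example (not OneTrust's code and not the author's): a "suppressor on top" gate and a fail-closed gate, modelled as pure functions over a constructed list of page scripts so the difference can be checked when the consent tool never loads (`consent === null`). The script list, hostnames and attribute names are assumptions.

```javascript
// A "script" is a descriptor for one <script> tag on the page. `category` is the
// consent category it needs, or null for first-party code that needs none.
// `consent` is the consent tool's decision per category, or null when the
// consent tool itself never loaded (blocked browser, network error).

// Constructed sample page: two consent-requiring third-party scripts and one
// first-party script.
const PAGE_SCRIPTS = [
  { src: "https://analytics.example/ga.js",  category: "analytics" },
  { src: "https://video.example/player.js", category: "marketing" },
  { src: "/static/site.js",                 category: null },
];

// Pattern 1, the "on top" approach: every tool is written as an ordinary
// <script>, and a blocker shipped by the consent tool is expected to strip the
// ones whose category was refused. With the blocker absent, nothing is stripped.
function loadFailOpen(scripts, consent) {
  if (consent === null) return scripts.map(s => s.src); // no suppressor: all load
  return scripts
    .filter(s => s.category === null || consent[s.category] === true)
    .map(s => s.src);
}

// Pattern 2, fail-closed: consent-requiring tools are emitted inert (no `src`,
// non-executable type) and are only activated by the site's own code after an
// explicit positive decision. A missing consent tool loads nothing extra.
function loadFailClosed(scripts, consent) {
  return scripts
    .filter(s => s.category === null ||
                 (consent !== null && consent[s.category] === true))
    .map(s => s.src);
}

// Markup the site would emit for pattern 2: the browser ignores
// type="text/plain", so the tool cannot run until the page swaps it in.
function inertTag(script) {
  if (script.category === null) return `<script src="${script.src}"></script>`;
  return `<script type="text/plain" data-consent="${script.category}" ` +
         `data-src="${script.src}"></script>`;
}
```

The assertion-worthy case is `consent === null`: the first pattern loads every script, the second loads only the first-party one.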

Data retrieval from an unsafe third country?

Compounding this is that in order to build the consent window, the domain onetrust.com is queried. This seems to vary depending on the implementation or installed version of OneTrust and likely has to do with the ambiguity of the tool (see above: Optanon, Cookie Law).

According to WHOIS search, the domain onetrust.com is registered by a company based in Panama:

See https://www.namecheap.com/domains/whois/result?domain=onetrust.com

A so-called WhoisGuard is used for the domain, which conceals the actual identity of the domain owner. In case of doubt, the operator of the website that uses OneTrust is responsible for this. See Article 12 GDPR (transparent information). Good luck finding out who the owner of onetrust.com is if someone ever asks and requests information.

In any case, according to https://www.onetrust.com/, the domain is assigned to the company OneTrust, LLC (see footer of the website). The legal form indicates that it is an American company.

Data transfers to the US are unlawful without consent. See Article 44 GDPR as well as the ECJ ruling on Privacy Shield.

When the onetrust.de website is accessed, the Google Tag Manager is loaded without consent (as of March 2022). This seems inappropriate to me in view of Google's excessive data processing.

Cookie Law

Cookie Law is an offshoot of OneTrust. The tool was apparently taken over by OneTrust and is technically largely identical to it. In my test retrieval of a website that uses Cookie Law, the IP address 104.16.148.64 was contacted to load the Cookie Law scripts. An IP location service locates this network address as follows:

Network address from which files are retrieved by Cookie Law

Apparently a data retrieval is taking place, which is related to the USA, an insecure third country. This is problematic without consent according to Art. 44 GDPR.

If the consent request itself requires consent, the benefit of the service that makes the request is close to zero.

The consent window of OneTrust

The appearance and content of OneTrust can certainly be customized. I have picked a random example that looks like this:

Consent query on euronics.de, as at: 25.01.2021

In my practical test of popular consent tools, there are two more examples of OneTrust.

Revocation notice

As you can see, the font size is quite small and the amount of text on the first image is quite large. This could be viewed critically (if you are ever in court or have a supervisory authority on your back). In any case, it is written:

"With the help of the toggle buttons next to it, you can set your cookie preferences, which you can change at any time when visiting our website."

This is not a legally secure revocation notice:

  1. The "adjacent buttons" are no longer there after consent has been given, because the window closes
  2. For me, changing and revoking are two different things
  3. Where a revocation can be made is not stated, although Art. 7 GDPR requires this

Reject instead of consent

As can be seen in the consent popup, a rejection is not directly possible. I already consider this to be legally wrong on its own. See Article 4 No. 11 GDPR and Recital 42: "It should only be assumed that she has given her consent voluntarily if she has a real or free choice and is therefore able to refuse or withdraw consent without suffering any disadvantages".

Insufficient information

There are so many false statements and misrepresentations that only a selection can follow here. Example one:

Who might be the Provider of __cfduid? As far as I know, onetrust.com is not a company reference.

Is __cfduid actually a cookie, a service or a thing? To be fair, one has to say that the specification only appears after clicking on "Show cookies". So they are probably cookies. But what then is the service (the tool) to which the cookie presumably belongs?

What does "4 years" mean? I understand it, but a German citizen does not have to be able to speak English.

The description is also in English and is therefore effectively unavailable to a German reader.

Only someone who deals with data protection knows what 3rd Party means. ([1])

Example number two:

I'm not sure if the name S is correct. I haven't seen a Google cookie with this name yet. Contact me if it officially exists.

Provider and purpose descriptions are missing again. Instead of writing Sitzung, the English term Session is used.

Information on whether data is transferred to unsafe third countries is also missing, as is information on the associated service.

In this way, almost any explanation by OneTrust can be criticized. I am being strict here, as I believe a court would be too.

Loading tools without consent

The crowning failure for a consent tool: the supposedly secured website loads a tool that requires consent without consent. It gets even worse when the consent tool itself asks for consent for another tool and that tool is still loaded without consent. An example of this is a YouTube video script that is loaded, cookies included. The part with the cookies could easily have been prevented…

Conclusion

OneTrust sucks and does more harm than good, that's my opinion. I'm also willing to write this because the provider itself can't get it right with their own tool. Here's proof on the website onetrust.de, which after language selection calls up onetrust.com:

Consent popup on onetrust.de, as at: 25.01.2021

The screenshot shows at least the following defects:

  • The cookie _ga is classified as a first-party cookie. That is correct only from a technical point of view and is of interest to nobody except me and a few others. From a data protection law perspective, the cookie is used by Google Analytics.
  • We are on the German-speaking website. Nevertheless, the descriptions are predominantly in English.
  • The service name is missing again
  • The description is missing, because it's in English and thus appears as unintelligible for a German reader
  • The information is unclear: 1 year, 1st Party

There is hardly much more you can do wrong in a consent request.

Offshoot of OneTrust

Optanon and Cookie Law were apparently taken over by OneTrust and are technically almost identical to OneTrust.

According to my observations, the only difference is in the technical details for the initial call of the Consent Tool. Each of the three offshoots uses its own identification number and its own type of technical implementation to define this identification.

Here are two examples. First, the definition of the cookie ID from Cookie Law, as it is often called:

consent2.setAttribute('data-domain-script', 'xxxxxxxx-xxxx-xxxx-xb97-xxxxxxxxxxxx');

Instead of the x-signs, hexadecimal numbers are coded in the actual identification.

For Optanon, however, the technical implementation of the ID looks like this:

<script type="text/javascript" src="https://cdn.cookielaw.org/consent/xxxxxxxx-xxxx-xxxx-x752-xxxxxxxxxxxx-test/OtAutoBlock.js"></script>

For Cookie First there is also a certain similarity, even though the main data seem to be structured differently than at OneTrust. The ID has the same structure nonetheless.

<script src="https://consent.cookiefirst.com/banner.js" data-cookiefirst-key="xxxxxxxx-xxxx-xxxx-x225-xxxxxxxxxxxx"></script>

After the ID has been set once, however it was done, data is retrieved for displaying the consent popup. This seems to happen in the same way every time. The return contents and structure of the result were at least always the same in my tests for the branches of OneTrust.

Everything that applies to OneTrust is also true for Optanon and Cookie Law in my experience. The logic of my tool, which can automatically read consent queries on a website, is at least the same for these two variants once the Cookie-ID has been determined.
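The first step of the kind of automatic reading described above, as an added example (not the author's tool): a detector that recognises which of the three bootstrap patterns shown above a page uses and extracts the site ID from it. The hostnames and attribute names are the ones quoted above; the sample HTML and its IDs are constructed, and the result shape is an assumption.

```javascript
// An ID in all three variants has the 8-4-4-4-12 hexadecimal shape shown
// (masked with x's) above.
const UUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";

// One pattern per bootstrap style. The Cookie Law pattern accepts both an
// HTML attribute (data-domain-script="...") and the setAttribute() form
// quoted above ('data-domain-script', '...').
const PATTERNS = [
  { vendor: "Cookie Law (OneTrust)",
    re: new RegExp(`data-domain-script["']?\\s*[=,]\\s*["'](${UUID})(-test)?["']`, "i") },
  { vendor: "Optanon (OneTrust)",
    re: new RegExp(`cdn\\.cookielaw\\.org/consent/(${UUID})(-test)?/OtAutoBlock\\.js`, "i") },
  { vendor: "Cookie First",
    re: new RegExp(`data-cookiefirst-key=["'](${UUID})["']`, "i") },
];

// Scan page source and return [{ vendor, id, test }] for every variant found;
// `test` records whether the "-test" suffix (a staging configuration) is in use.
function detectConsentTools(html) {
  const found = [];
  for (const { vendor, re } of PATTERNS) {
    const m = re.exec(html);
    if (m) found.push({ vendor, id: m[1].toLowerCase(), test: m[2] === "-test" });
  }
  return found;
}

// Constructed page fragment containing all three bootstrap styles with
// obviously fake IDs (not real customer IDs).
const SAMPLE_HTML = `
<script>
  var s = document.createElement('script');
  s.setAttribute('data-domain-script', '00000000-0000-4000-8000-000000000003');
</script>
<script type="text/javascript" src="https://cdn.cookielaw.org/consent/00000000-0000-4000-8000-000000000001-test/OtAutoBlock.js"></script>
<script src="https://consent.cookiefirst.com/banner.js" data-cookiefirst-key="00000000-0000-4000-8000-000000000002"></script>
`;
```

Once an ID is known, the consent-popup data can be fetched and parsed; that second step is the same for all OneTrust branches, as stated above, and is not shown here.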

Conclusion

If someone uses OneTrust on their website, they were misadvised or had bad luck with the search. Luckily, almost any mistake can be corrected. It's best to adjust the website right away and remove OneTrust.

After that it's worth thinking about which tools are still really needed. ([1])

Would you like to investigate whether your consent tool could be legally compliant? Then take a look at my checklist for consent requests on websites.

If you want to save yourself some work, read the article five reasons why cookie popups can't be reliable. There you'll find facts and evidence for this statement.

There will soon be a tool that can be used to generate an affected person request for websites with consent tools. This request will contain any defects found as well as questionable texts. For popular consent solutions, the tool will provide a well-founded data subject request, including the necessary legal basis, virtually at the touch of a button.

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
