Consent Expert Handbook v20230814
OneTrust Consent & Preference Management Expert Certification Program Handbook
Privacy & Data Governance
DISCLAIMER:
No part of this document may be reproduced in any form without the written permission of the copyright owner.
The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of any kind resulting from the use of this document.
OneTrust products, content and materials are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue.
Proprietary/Internal
OneTrust Consent & Preference Management Expert
The training environment assigned to you is provided for training and certification purposes only.
You will have login access for the duration of the training and for approximately 5 days after the training.
URL: training.onetrust.com
Please refer to your instructor for the username and password of your assigned environment.
Contents
OneTrust Consent & Preference Management Expert Certification Program Handbook (p. 6)
Introduction (p. 7)
Resources & Support (p. 8)
  Sales (p. 8)
  Technical Support (p. 8)
  Partner Support (p. 8)
  My.OneTrust.com (p. 9)
  Tenant Support Request (p. 9)
Regulation overview, terms, and concepts (p. 10)
  GDPR Article 4 – Definitions (p. 10)
  GDPR Article 7 – Conditions for consent (p. 11)
  LGPD, articles 5, 7 & 8 (p. 12)
  CCPA, sections 1798.120 & 1798.125 (p. 13)
  Terms & concepts: consent as a legal basis (p. 14)
  Terms & concepts: types of consent (p. 15)
Consent & Preference Management overview (p. 16)
  Consent & Preference Management module overview (p. 16)
  Three architecture components of consent (p. 16)
  Key terminology (p. 17)
  Best practices and implementation considerations (p. 17)
Consent & Preference Management use case (p. 18)
  Zentoso use case (p. 18)
Functional overview (p. 18)
  Functional execution in OneTrust (p. 18)
  What is a data subject? (p. 19)
  What is a data element? (p. 19)
    Exercise 1: create a custom data element (p. 21)
  What is a purpose? (p. 22)
    Exercise 2: create a purpose (p. 23)
  What are custom preferences? (p. 24)
    Exercise 3: create custom preferences (p. 25)
  Best practices for purposes vs. custom preferences (p. 26)
  Collection point best practices (p. 27)
  What is a consent interaction? (p. 27)
  What is a collection point? (p. 28)
    Exercise 4: create a collection point (p. 30)
  What is a preference center? (p. 32)
    Build a preference center (p. 32)
    Customize the branding (p. 32)
    Integrate the preference center (p. 32)
    Manage languages (p. 32)
    Manage preference center settings (p. 32)
    Exercise 5: build a preference center (p. 33)
Technical overview (p. 36)
  Technical execution steps (p. 36)
  Integrating with user interfaces (p. 37)
    Exercise 6: integrate the SDK for collecting consent records through a webform collection point (p. 40)
  Integrating with client systems (p. 42)
    Exercise 7: test API consent creation (p. 45)
  Bulk import consent transactions (p. 46)
    Exercise 8: bulk import consent transactions (p. 47)
Glossary (p. 49)
  A (p. 49)
  B (p. 49)
  C (p. 49)
  D (p. 50)
  E (p. 51)
  F (p. 51)
  G (p. 51)
  I (p. 52)
  M (p. 52)
  P (p. 52)
  R (p. 53)
  S (p. 53)
  U (p. 53)
Introduction
Welcome to this OneTrust certification program reference handbook, your comprehensive guide to becoming a
certified OneTrust Consent & Preference Management Expert.
OneTrust automates privacy impact assessments and data mapping, identifies privacy risks, and enforces risk
management and control activities in an integrated and agile approach. More specifically, the Consent &
Preference Management module can help your organization automate compliance and enhance customer
experiences by enabling consent and preference collection. The OneTrust platform will serve as a single source
of truth for all consent receipts.
Automate compliance:
▪ Capture consent and preferences
▪ Centralize consent for compliance proof
▪ Educate customers with privacy policies
Empower customers:
▪ Provide choices to your audience
▪ Enable customers to choose communication options
▪ Add touchpoints with a preference center
Build trust:
▪ Communicate values and brand promise
▪ Deliver transparent user experiences
▪ Honor consent and preference choices
The result is the ability to demonstrate accountability and compliance with the EU’s data protection requirements and, more broadly, with privacy jurisdictions and frameworks worldwide.
Technical Support
▪ Email: support@onetrust.com
▪ Phone Number: +1 (844) 900-0472
Partner Support
▪ Email: partnersupport@onetrust.com
This partner support can assist with:
▪ Scheduling Client Demonstrations
▪ Submitting an RFI/RFP with OneTrust
▪ Client Referrals
▪ Account Strategy & Alignment
▪ Additional Resources & Collateral
Other resources include:
▪ Product Demonstration Videos
▪ OneTrust Overview Brochure
▪ How OneTrust Helps with GDPR Whitepaper
▪ SmartPrivacy Workshops Registration
▪ OneTrust Pricing Model
My.OneTrust.com
• Website: my.OneTrust.com
My OneTrust is a platform that all OneTrust customers and partners can access for additional resources, which include, but are not limited to:
▪ OneTrust Knowledge
▪ Release Notes
▪ Schedule Maintenance
▪ Live System Status
▪ Submit a Ticket
▪ Developer Portal
▪ Get OneTrust Certified
Regulation overview, terms, and concepts
GDPR Article 4 – Definitions
“(7) ‘controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
“(8) ‘processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;”
“(11) ‘consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
Summary
Controllers determine the purposes and means of processing.
Controllers must follow certain requirements for how consent is presented and collected.
Scope
All processing based on consent
Other Requirements
▪ Freely given
▪ Specific
▪ Informed
▪ Unambiguous
GDPR Article 7 – Conditions for consent
Summary
Controllers shall be able to demonstrate that they have obtained valid consent.
Scope
All processing based on consent
Other Requirements
▪ Clearly distinguishable from the other matters
▪ Intelligible and easily accessible form
▪ Clear and plain language
▪ Right to withdraw consent
▪ Performance of a contract cannot be conditional on consent if the processing is not necessary for the contract
LGPD, articles 5, 7 & 8
Article 7: Legal bases or circumstances under which data processing may be carried out.
Article 8: Conditions for obtaining, re-obtaining and proving receipt of consent, as well as conditions for revocation of consent.
CCPA, sections 1798.120 & 1798.125
Section 1798.125: Price discrimination based upon the exercise of the opt-out right
A business shall not discriminate against a consumer because they exercised any of the consumer's rights under the CCPA. This includes withdrawing consent or opting out of the sale of personal information.
A business may offer financial incentives for the collection of personal information, and may offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer's data.
Terms & concepts: consent as a legal basis
Freely given: “As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.”
Reference: EDPB Guidelines on consent
Specific: “…Consent of the data subject must be given in relation to ‘one or more specific’ purposes and that a data subject has a choice in relation to each of them. The requirement that consent must be ‘specific’ aims to ensure a degree of user control and transparency for the data subject.”
Reference: EDPB Guidelines on consent
Informed: “Providing information to data subjects prior to obtaining their consent is essential in order to enable them to make informed decisions, understand what they are agreeing to, and for example exercise their right to withdraw their consent.”
Reference: EDPB Guidelines on consent
Unambiguous: “…Consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.”
Reference: EDPB Guidelines on consent
Affirmative action: “A ‘clear affirmative act’ means that the data subject must have taken a deliberate action to consent to the particular processing ... Consent can be collected through a written or (a recorded) oral statement, including by electronic means.”
Reference: EDPB Guidelines on consent
Terms & concepts: types of consent
Explicit consent: “The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement.”
Reference: EDPB Guidelines on Consent
Implied consent: “presumed consents that were based on a more implied form of action by the data subject”
Reference: EDPB Guidelines on Consent
Consent & Preference Management overview
Key terminology
▪ Data subject: the individual who consents to their personal data being processed
▪ Data element: additional details related to a data subject that can be updated via the OneTrust preference center
▪ Purpose of processing: the reason why a business is collecting and using personal data
▪ Collection point: a system or in-person sign-up where a data subject provides information to your business for processing purposes
▪ Preference center: a OneTrust-hosted form that allows a data subject to easily update their profile information and preferences
Functional overview
Functional execution in OneTrust
What is a data element?
Text input: provides a field where free text entries can be made without restriction.
Date: provides a calendar where a date can be selected. The required format is MM/DD/YYYY.
Selection: provides a list of options that you predefine from which a data subject can select.
Email: provides a field where a validly formatted email can be entered.
Phone Number: provides a field where a valid phone number that includes the country code and plus (+) sign can be entered. The required format is a valid country code along with the phone number.
Country: provides a list of countries from which a data subject can select.
State: provides a list of U.S. states from which a data subject can select.
Number: provides a field where any numerical digit can be entered.
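The format rules above are what an integrator has to enforce on the client side before a record reaches the platform. The following validators are an added example written for this handbook, not OneTrust SDK code: the MM/DD/YYYY and "+country code" rules come from the text, while the e-mail shape, the 15-digit E.164 length cap, the two-letter U.S. state list and the "Customer type" options for Zentoso are this example's own assumptions.

```javascript
// Added example (not OneTrust's SDK code): validators for the data element
// types listed above. Date and phone rules follow the handbook; the e-mail
// shape, E.164 length limit and U.S. state list are ordinary assumptions.

// Two-letter USPS codes for the 50 U.S. states, for the "State" type.
const US_STATES = new Set((
  "AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS " +
  "MO MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI WY"
).split(" "));

// Date: MM/DD/YYYY and a real calendar date (02/30/2023 is rejected).
function isValidDate(value) {
  const m = /^(\d{2})\/(\d{2})\/(\d{4})$/.exec(value);
  if (!m) return false;
  const [month, day, year] = m.slice(1).map(Number);
  const d = new Date(Date.UTC(year, month - 1, day));
  return d.getUTCFullYear() === year &&
         d.getUTCMonth() === month - 1 &&
         d.getUTCDate() === day;
}

// Email: one "@", a dot in the domain part, no whitespace. A shape check,
// deliberately not a full RFC 5322 parser.
function isValidEmail(value) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Phone Number: "+", then country code and subscriber number as digits only,
// 8 to 15 digits in total (the E.164 maximum is 15); separators are rejected.
function isValidPhone(value) {
  return /^\+[1-9]\d{7,14}$/.test(value);
}

// Number: numerical digits only, per the handbook's definition.
function isValidNumber(value) {
  return /^\d+$/.test(value);
}

// Validate one value against a definition { name, type, options?, required? }.
// Text accepts any string; Selection and Country check membership in the
// options you predefine (the platform's country list is assumed to be passed
// in as "options" here).
function isValidDataElement(def, value) {
  if (value === undefined || value === "") return !def.required;
  if (typeof value !== "string") return false;
  switch (def.type) {
    case "Text":      return true;
    case "Date":      return isValidDate(value);
    case "Selection":
    case "Country":   return def.options.includes(value);
    case "Email":     return isValidEmail(value);
    case "Phone":     return isValidPhone(value);
    case "State":     return US_STATES.has(value);
    case "Number":    return isValidNumber(value);
    default:          throw new Error("unknown data element type: " + def.type);
  }
}

// Check a whole record; returns the names of the elements that failed.
function validateRecord(definitions, record) {
  return definitions
    .filter((def) => !isValidDataElement(def, record[def.name]))
    .map((def) => def.name);
}

// Zentoso's four data elements from the text; the "Customer type" options
// are constructed for this example.
const ZENTOSO_ELEMENTS = [
  { name: "Email", type: "Email", required: true },  // main identifier
  { name: "First name", type: "Text" },
  { name: "Last name", type: "Text" },
  { name: "Customer type", type: "Selection", options: ["Retail", "Business"] },
];

// Constructed sample submission.
const SAMPLE_RECORD = {
  "Email": "ana.silva@example.com",
  "First name": "Ana",
  "Last name": "Silva",
  "Customer type": "Retail",
};
```

`validateRecord(ZENTOSO_ELEMENTS, SAMPLE_RECORD)` returns an empty list for a clean submission and the offending element names otherwise; a missing identifier is the one failure that should stop the submission outright, since nothing can be matched to a data subject without it.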
What about Zentoso? Zentoso needs to track the following data elements:
▪ Email (to be used as main identifier)
▪ First name
▪ Last name
▪ Customer type
What is a purpose?
GDPR Requirement: Purpose of Processing
Do you consent to receiving marketing communication from us?
Purposes are the reasons why you will be collecting and processing a data subject's consent.
What are custom preferences?
What about Zentoso? Zentoso needs to create the following groups of custom preferences:
▪ Method of communication
  Email
  Phone
  Post
▪ Types of newsletters
  Product Updates
  Promotions
What is a consent interaction?
Opt In Checkbox + Form Submission – The web form includes blank check boxes that a data subject can select to indicate consent for those selections before submitting the form.
Uncheck to Opt Out + Form Submission – The web form includes pre-selected options that a data subject will have to clear before submitting the form; otherwise a consent record will be created for those options.
Check to Opt Out + Form Submission – The web form includes blank check boxes that a data subject will have to select to indicate no consent for those selections before submitting the form.
Custom Single Trigger – The web form includes a single action that is not an HTML submit button that a data subject can use to give consent.
Custom Conditional Trigger – The web form includes two (or more) actions or conditions, which are not standard HTML form actions, that a data subject must complete or meet to give consent.
What is a collection point?
▪ Data elements: this field is optional. You can indicate which other data elements you are collecting on this webform or system (First Name, Last Name, etc.).
What about Zentoso? Zentoso needs to create the following collection points:
▪ Registration webform
  Consent Interaction – Form Submission Only
▪ Custom API
  Designed for a third-party system to write consent requests to OneTrust
What is a preference center?
Manage languages:
You can set up a collection point in several languages. This allows the data subject to switch the translations of the purposes to the wanted language, which only works if you have defined translations for the related purposes.
What about Zentoso? Zentoso wants to build the following preference center:
One preference center with two pages
▪ Page 1 – Update Profile Information
▪ Page 2 – Choose Consent and Preferences
Technical overview
Technical execution steps
Integrating with user interfaces
If you have an existing webform on your website that you use to collect consent, this method allows you to integrate the webform with the OneTrust platform. This enables OneTrust to generate a consent receipt whenever the webform is used to submit consent.
First step:
Dive into the source code of your webform; you can inspect your webform code from your browser. Then, map the IDs from the SDK (in OneTrust) to your web form’s IDs.
Second step:
Go back to the record of the collection point you created (the webform collection point). Then, map this information in the Form Fields Mapping section of the Integrations tab. This will allow the SDK to correctly capture the contents of the HTML fields within your form and submit them as part of the consent receipt.
Third step:
Once you’ve finished mapping the fields, you can integrate the SDK by clicking the Copy SDK button and pasting it into your existing web form source code.
Step four:
Once you’ve integrated the existing webform with the OneTrust application, it is time to submit consent through the webform and verify the consent receipt in the OneTrust application.
Exercise 6: integrate the SDK for collecting consent records through a webform collection point
Part 1: Form Fields Mapping
Step 1: Open https://jsfiddle.net/ in your browser
Step 2: Copy the code from this Activity Document
Note: this is the source code of the webform used to submit consent
Step 3: Paste the copied code in the HTML section pane of the JSFiddle editor
Step 4: Click on Tidy at the top right of the HTML section pane
Step 5: Go back to the OneTrust Training Environment
Step 6: Click Launchpad, then click the Consent module
Step 7: Click the Collection Points tab on the left side
Step 8: Click on the Zentoso Webform collection point
Step 9: Click on Create New Version
Step 10: Click on the Integrations tab, stay on the SDK section
Step 11: Scroll down to the Form Fields Mapping section and click Edit
Step 12: Edit the following fields:
FirstName = change to lower case f
LastName = change to lower case l
Identifier ID = exampleInputEmail1
Step 13: Click the blue Save button from the Form Fields Mapping section
Step 14: Click the blue Publish button to publish your collection point
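Why the mapping in Step 12 is worth getting exactly right is easiest to see in code. The block below is an added example, not the OneTrust SDK: it simulates what the Form Fields Mapping step has to achieve by reading the mapped element ids from a form and reporting any id that does not exist. The element ids (`exampleInputEmail1`, `firstName`, `lastName`) are the ones from Exercise 6; the mapping keys, the lookup callback and the sample form values are constructed for this example.

```javascript
// Added example, not OneTrust's SDK: reading a consent receipt's fields
// through a Form Fields Mapping and surfacing mapping mistakes.

// Mapping as configured at the end of Exercise 6 (receipt field -> element id).
const FORM_FIELDS_MAPPING = {
  identifier: "exampleInputEmail1",   // Identifier ID
  firstName: "firstName",             // lower-case f (Step 12)
  lastName: "lastName",               // lower-case l (Step 12)
};

// Constructed stand-in for the page's DOM: element id -> current value.
const SAMPLE_FORM = {
  exampleInputEmail1: "ana.silva@example.com",
  firstName: "Ana",
  lastName: "Silva",
};

// In a browser the lookup would be backed by the real document, e.g.
//   const domLookup = (id) => document.getElementById(id)?.value;
const sampleLookup = (id) => SAMPLE_FORM[id];

// Read every mapped field. Returns the values found plus the mapping entries
// whose element id is not in the form. Ids are case-sensitive, so a mapping
// of "FirstName" against an element "firstName" is reported here instead of
// silently producing a receipt with a blank name.
function collectMappedFields(mapping, lookup) {
  const values = {};
  const unmapped = [];
  for (const [field, elementId] of Object.entries(mapping)) {
    const value = lookup(elementId);
    if (value === undefined) {
      unmapped.push({ field, elementId });
    } else {
      values[field] = value;
    }
  }
  return { values, unmapped };
}

// Build the data-element part of a receipt. The identifier is the one field
// a receipt cannot do without, so its absence is an error; other unmapped
// fields are returned for the integrator to fix in Form Fields Mapping.
function buildReceiptFields(mapping, lookup) {
  const { values, unmapped } = collectMappedFields(mapping, lookup);
  if (values.identifier === undefined) {
    throw new Error("identifier field not found in form: " + mapping.identifier);
  }
  const { identifier, ...dataElements } = values;
  return { identifier, dataElements, unmapped };
}
```

Running `buildReceiptFields(FORM_FIELDS_MAPPING, sampleLookup)` against the sample form yields the identifier and both names with nothing unmapped; changing the mapping back to `FirstName` (the value Step 12 tells you to lower-case) makes `unmapped` non-empty, which is exactly the check worth running before Step 14 publishes the collection point. The identifier case is stricter on purpose: a receipt with no identifier cannot be tied to a data subject, so it is better to fail the submission than to store it.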
Integrating with client systems
The Consent Receipts API allows an external application to submit a request to store consent transactions for individual collection points. Each collection point must first be set up in OneTrust to generate a valid request token. For this use case, then, the API method is the one to use when you want to generate a consent receipt in OneTrust from a third-party application. In this section, we are going to test the API call that allows the integration between that third-party application and OneTrust.
Bulk import consent transactions
You can import consent records into the OneTrust application in bulk using the templates available on the Import Templates screen in Global Settings. Once you've downloaded and completed the respective import template, you can upload it back into the application using either the Import Templates screen or the Bulk Import screen.
Glossary
A
Adequacy Decision – A declaration made by the European Commission that a country outside of the EU offers
an adequate level of protection, and therefore is acceptable for cross-border data transfers.
Affirmative Act – A clear action taken that indicates consent has been given; it is not passive.
Asset – Anything that can store or process personal data. This can include an application, website, database, or
even physical storage.
Asset Map – A visual map that shows the location of all assets.
Automated Decision Making – Making a decision or creating a profile based completely on technological means without human involvement.
B
Binding Corporate Rules (BCRs) – A set of strict and binding rules put in place by multinational companies and
organizations that describe how personal data must be processed and protected. This allows the transfer of
personal data outside the EEA, without having an Adequacy Decision. Data may be transferred between
countries but must remain within the organization.
Biometric Data – A “special category” of data relating to physical, physiological, or behavioral characteristics of
a person that can identify or confirm the identity of a person.
C
California Consumer Privacy Act (CCPA) – Signed into law in 2018, to be effective in 2020, this act introduces new privacy rights for individuals living within the state of California. It was the first sweeping privacy law in the United States. In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new privacy protections that began on January 1, 2023.
Cookies – A small text file that a website may drop on a user’s device for the sake of tracking certain categories
of information.
Cookies (1st Party) – Cookies dropped by the website the user is visiting.
Cookies (3rd Party) – Cookies dropped by a website or company different than the one the user is visiting. Most
commonly, targeting or social media cookies.
Cookies (Persistent) – Cookies that continue to live on a user’s device after they have left the website from
which the cookie was dropped.
Cookies (Session) – Cookies that are no longer active after a user leaves a website or ends a session with the
website.
Consent – Any freely given, specific, informed and unambiguous indication that the data subject agrees to
specific processing. Consent must be as easy to withdraw as it is to give. Consent must be given through
Affirmative Action.
Controller – The entity that determines the purposes, conditions and means of the processing of personal data.
D
Data Element – Pieces of collected information that, together, build a complete picture of the data.
Data Erasure – Also known as the Right to be Forgotten, it entitles the data subject to have the data controller
erase their personal data, stop further dissemination of the data, and potentially have third parties stop
processing of the data.
Data Portability – The requirement for controllers to provide the data subject with a copy of the data they’ve
provided to the controller. The data provided must be easy to read and can be given to the data subject directly,
or to another controller upon request.
Data Protection Officer (DPO) – An expert on data privacy who works independently within an organization to
ensure compliance with GDPR policies and procedures.
Data Protection Impact Assessment (DPIA) – An assessment required under GDPR, used to identify, assess,
and mitigate risks within an organization’s data processing policies and activities.
Data Subject – A natural person whose personal data is processed by a controller or processor.
Directive – A legislative act that sets out a goal for all EU countries to achieve, but each country can meet this
goal in their own way, with their own national laws.
E
ePrivacy Directive – A directive passed in 2002 and amended in 2009 that addresses privacy regarding digital
communication, digital marketing, and cookies.
Encrypted Data – Personal data that is protected through technological measures to ensure that the data is only
accessible/readable by those with specified access.
European Data Protection Board (EDPB) – Formerly known as Article 29 Working Party (A29 WP), it is an advisory
body made up of DPAs from each EU member state and the European Commission.
F
Freely Given – Consent is considered freely given if the data subject is able to exercise a real choice, and there
is no significant negative consequence if they do not give consent.
G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents of the European Economic Area. Passed in 2016, in effect in 2018.
Genetic Data – Data pertaining to unique information about the health or physiology of an individual.
I
Informed – Having all the necessary information needed to make a conscious decision or give consent.
M
Main Establishment – A location, chosen by the data controller, for a company or organization where it is
headquartered and therefore subject to any local laws or directives.
P
Personal Data – Any information related to a natural person or ‘Data Subject’, that can be used to directly or
indirectly identify the person.
Personal Data Breach – A breach of security leading to the accidental or unlawful access to, destruction, misuse,
etc. of personal data.
Processor – An entity that processes data on behalf of a Data Controller, considered a third party.
Privacy by Design (PbD) – A principle that calls for the inclusion of data protection from the onset of the designing
of systems, rather than as an addition.
Privacy Impact Assessment – A tool used to identify and reduce the privacy risks of organizations by analyzing
the personal data that is processed and the policies that are in place to protect the data.
Processing – Any activity performed on personal data, whether or not by automated means, including collection,
use, recording, etc.
Profiling – Any automated processing of personal data intended to evaluate, analyze, or predict data subject behavior, done without human interference.
Pseudonymisation – Removing key identifiers from personal data so that, on its own, it cannot be attributed to one single individual. The data is still not completely anonymous, but it is not identifiable without other pieces of data.
R
Recipient – The entity to which the personal data is disclosed.
Records of Processing Activities – Each data controller must have a detailed record of all processing activities
that are acted upon data that they have collected. Sometimes called an “Article 30 Report.”
Regulation – A binding legislative act that must be applied in specifically spelled out ways, in its entirety, across
the European Union.
Restriction of Processing – A right of a data subject to limit the future processing of their stored personal data.
Right to be Forgotten – Also known as Data Erasure, it entitles the data subject to have the data controller erase
their personal data, cease further dissemination of the data, and potentially have third parties cease processing
of the data.
Right to Access – Also known as Subject Access Right, it entitles the data subject to have access to and
information about the personal data that a controller has concerning them.
S
Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for
specific and clearly spelled out uses and must be consulted if the use changes.
Supervisory Authority (SA) – A public authority which is established by a member state that oversees the
execution of GDPR regulations.
U
Unambiguous – Data subject consent must be given affirmatively and without doubt. The data subject must
have a clear understanding of what their data will be used for, and it must be obvious that the data subject has
consented to the particular processing.