OneTrust
OneTrust is a cloud-based data privacy management compliance platform.
Websites Using OneTrust
What Is OneTrust?
OneTrust is the market-leading consent-management and privacy platform that helps organizations collect, store, and honor visitor choices about cookies, tracking, and personal data. When you land on a website and see a cookie banner asking you to accept, reject, or customize tracking, there is a strong chance OneTrust is the software powering that experience behind the scenes.
OneTrust is widely regarded as one of the most adopted consent and privacy platforms in the enterprise market, particularly among large companies that must comply with regulations such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and its successor the CPRA, and a growing patchwork of regional privacy laws. Its consent banner, originally known as the Cookie Consent product and historically associated with the CookiePro brand, is one of the most recognizable on the public web.
The platform is far broader than a cookie banner alone. OneTrust packages consent and preference management alongside data-mapping, vendor risk, data-subject-request handling, and broader governance, risk, and compliance tooling. For the purposes of website technology detection, however, the component you encounter is almost always the consent-management interface: the banner, the preference center, and the JavaScript that enforces a visitor's choices by controlling which scripts and cookies are allowed to run.
OneTrust is a hosted, server-side and script-delivered service rather than a browser extension or a plugin you install into a single CMS. A website embeds a small OneTrust script, and the banner, rules, and category definitions are managed in OneTrust's cloud console and delivered from OneTrust's content delivery network. Because that script and its supporting assets load from recognizable OneTrust domains, the platform is comparatively straightforward to detect from the outside, which is exactly why a server-side analyzer like StackOptic can flag it reliably.
It helps to understand who OneTrust is built for. The platform deliberately targets mid-market and enterprise organizations, multinational brands, and any business whose data-handling footprint is large enough that manual compliance is no longer realistic. A small personal blog rarely needs OneTrust; a global retailer juggling dozens of marketing tags across multiple legal jurisdictions almost always does. That positioning explains the depth of OneTrust's configuration options, its emphasis on auditability, and its support for the technical frameworks that programmatic advertising relies on.
How OneTrust Works
At its core, OneTrust intercepts the tracking technologies on a page and gates them behind the visitor's recorded consent. A site owner first runs OneTrust's cookie scanner, which crawls the website and catalogs the cookies and tags it finds. Those cookies are then sorted into categories, typically Strictly Necessary, Performance, Functional, and Targeting or Advertising, so the platform knows which ones require permission and which are exempt.
On the front end, the website loads the OneTrust SDK. The flagship script is usually otSDKStub.js, a small loader that pulls in the full consent logic and the rules configured for that specific site, identified by a data attribute called the data-domain-script. When a visitor arrives, OneTrust displays the banner and, until a choice is made, blocks scripts in the non-essential categories. Developers integrate this by either tagging script elements with a category class or by routing tags through a tag manager that reads OneTrust's consent signal.
Once the visitor interacts with the banner, OneTrust records the decision and writes it to cookies, most notably the OptanonConsent and OptanonAlertBoxClosed cookies, which together encode which categories were accepted and when. On subsequent page loads, the SDK reads those cookies and allows or suppresses each category accordingly. A persistent preference center, reachable from a small "cookie settings" link or floating icon, lets visitors change their mind at any time, and OneTrust updates the stored consent in response.
For programmatic advertising, OneTrust can operate as a registered Consent Management Platform under the IAB Transparency and Consent Framework (TCF). In that mode it generates a standardized TC string that downstream ad-tech vendors read to determine what processing the user has permitted, and it exposes the framework's __tcfapi JavaScript function so other scripts can query consent in a vendor-neutral way. OneTrust also supports the IAB's Global Privacy Platform and US-state signals, which is part of why large publishers and advertisers gravitate to it.
A useful way to picture the workflow is to follow a single visit end to end. A first-time visitor loads the page; the OneTrust stub script fires before marketing tags do; the banner appears and non-essential scripts are held back. The visitor clicks "Accept All," OneTrust writes the OptanonConsent cookie, releases the targeting and analytics scripts, and updates the TC string for any TCF vendors. A returning visitor who previously rejected tracking loads the same page, OneTrust reads their stored choice, and the marketing tags simply never execute. All of this is configured in OneTrust's console and enforced by the embedded script, with no per-page coding once the integration is in place.
How to Tell if a Website Uses OneTrust
OneTrust leaves several reliable fingerprints. Because StackOptic analyzes a URL from the server side, it inspects the same signals you can check manually with browser tools, View Source, or a detection extension.
The loader script and CDN domains. The single strongest signal is a request for otSDKStub.js or the fuller otBannerSdk.js, typically served from OneTrust's CDN at cdn.cookielaw.org (and sometimes cdn.onetrust.com or geolocation.onetrust.com). Seeing a script tag pointing at cookielaw.org is close to definitive.
The data-domain-script attribute. The OneTrust script tag carries a data-domain-script attribute whose value is a long identifier (often ending in -test on staging). This attribute is how OneTrust knows which configuration to load and is a clear tell in the page source.
Optanon cookies. After interaction, OneTrust sets cookies named OptanonConsent and OptanonAlertBoxClosed. The "Optanon" prefix is unmistakable; finding these in DevTools' Application tab confirms OneTrust.
Banner DOM markup. The consent banner and preference center use container elements with IDs and classes such as #onetrust-banner-sdk, #onetrust-consent-sdk, and the optanon class family. Inspecting the banner element reveals this structure.
The TCF API. On sites running OneTrust as an IAB TCF CMP, the window.__tcfapi function is present and OneTrust-specific globals appear in the console.
Here is how to check each signal yourself:
| Method | What to do | What OneTrust reveals |
|---|---|---|
| View Source | Open the page, right-click, "View Page Source" | The otSDKStub.js script tag and its data-domain-script attribute |
| Browser DevTools (Network) | Open DevTools, reload, filter the Network tab | Requests to cdn.cookielaw.org and OneTrust SDK files |
| Browser DevTools (Application) | Inspect Cookies under Application/Storage | OptanonConsent and OptanonAlertBoxClosed cookies |
| DevTools Console | Type window.__tcfapi or inspect #onetrust-banner-sdk | TCF API presence and OneTrust banner DOM |
| Wappalyzer | Run the extension on the live page | Identifies "OneTrust" under cookie compliance |
A quick command-line check is curl -s https://example.com | grep -i "cookielaw.org". If that returns a match, you are almost certainly looking at OneTrust. For a broader walkthrough of stack detection, see our guides on how to find out what technology a website uses and how to check what JavaScript libraries a website uses.
It is worth noting how these signals behave on production sites. Some organizations proxy the OneTrust script through their own domain or rename assets to reduce third-party requests, which can hide the cookielaw.org hostname. Even then, the Optanon cookie names and the #onetrust-banner-sdk DOM container are deeply tied to how the SDK operates and are rarely changed. Combining several signals, a script reference, a cookie name, and a banner element ID, yields a confident verdict even on heavily customized deployments. Server-side analysis is especially valuable here because it fetches the unmodified HTML directly, without the noise a browser introduces by executing scripts and rewriting the DOM.
Key Features
- Cookie consent banner and preference center. Configurable, multilingual banner with granular category controls and a persistent settings panel.
- Automatic cookie scanning. A crawler that discovers and categorizes cookies and tags so nothing tracks without classification.
- Script blocking and tag governance. Holds non-essential scripts until consent is granted, integrating with major tag managers.
- IAB TCF and GPP support. Operates as a registered CMP, generating standardized consent strings for programmatic advertising.
- Geolocation-aware rules. Shows different banner behavior by region to match GDPR, CCPA/CPRA, and other local requirements.
- Consent record-keeping. Stores auditable proof of when and how each visitor consented, useful for regulatory accountability.
- Broader privacy suite. Connects consent to data mapping, vendor risk, and data-subject-request workflows in the wider OneTrust platform.
Pros and Cons
Pros
- The most widely recognized enterprise consent platform, with deep coverage of global privacy regulations.
- Strong auditability and record-keeping that satisfy strict compliance and legal requirements.
- Native IAB TCF and GPP support that publishers and ad-tech partners expect.
- Granular, geolocation-aware configuration that adapts behavior by jurisdiction.
Cons
- Enterprise-oriented pricing and complexity that can be excessive for small sites.
- The SDK adds front-end weight and an additional render-blocking dependency if misconfigured.
- Initial setup, categorization, and tag tagging require real effort to get right.
- Some advanced governance modules are separate products beyond the consent banner.
OneTrust vs Alternatives
OneTrust sits at the enterprise end of the consent-management market. The table below compares it with common alternatives.
| Platform | Positioning | TCF support | Best for |
|---|---|---|---|
| OneTrust | Enterprise privacy and consent suite | Yes (registered CMP) | Large, regulated, multinational organizations |
| Osano | Approachable consent and data-privacy platform | Yes | SMBs and mid-market wanting simpler setup |
| Cookiebot (Usercentrics) | Consent management with strong cookie scanning | Yes | Sites prioritizing automated cookie discovery |
| Quantcast Choice | Publisher-focused, advertising-centric CMP | Yes | Ad-supported publishers in the IAB ecosystem |
| Custom/open-source banner | Self-built consent script | Usually no | Simple sites with minimal compliance needs |
If a site turns out to use a different consent tool, the same detection techniques apply; you can compare OneTrust directly with Osano to see how an enterprise suite differs from a more approachable platform.
Use Cases
OneTrust is most at home in large, regulated organizations that operate across multiple jurisdictions. Multinational retailers, financial institutions, healthcare companies, and media publishers use it to present compliant cookie banners, enforce consent, and keep auditable records that stand up to regulatory scrutiny.
It also suits ad-supported publishers that must participate in the IAB TCF to monetize programmatic inventory, enterprises consolidating consent with broader data-governance and vendor-risk programs, and any business expanding into new regions where local privacy laws demand region-specific banner behavior. For competitive and market research, detecting OneTrust on a prospect's site signals an organization mature enough to invest in enterprise privacy tooling, which is meaningful context for vendors selling compliance, security, or martech products.
Consider a few concrete scenarios. A global ecommerce brand might deploy OneTrust so that European visitors see a GDPR-compliant reject-all option while US visitors see a CCPA-style "do not sell or share" link, all from one configuration. A digital publisher might run OneTrust as its IAB CMP so that every ad-tech vendor receives a valid TC string and the publisher can prove consent for programmatic demand. A multinational enterprise might tie its website banner into the same OneTrust platform that powers its internal data-mapping and data-subject-request processes, creating a single source of truth for consent.
From a sales-intelligence perspective, OneTrust detection is a strong qualifying signal in its own right. As explained in our overview of what technographics are and how to use tech-stack data to qualify leads, the presence of an enterprise consent platform indicates budget, regulatory exposure, and a sophisticated marketing operation, exactly the profile many B2B vendors want to prioritize.
Frequently Asked Questions
Is OneTrust a cookie banner or a full privacy platform?
Both. The component most visitors encounter is the cookie consent banner and preference center, but that is one module within a broader privacy, governance, and risk platform. Many organizations adopt OneTrust first for consent management and later expand into its data-mapping, vendor-risk, and data-subject-request tooling. For website detection purposes, the consent script and banner are what you will see.
How can I tell if a website uses OneTrust for free?
Yes, you can confirm it at no cost. View the page source and look for a script referencing otSDKStub.js on cdn.cookielaw.org, along with a data-domain-script attribute. Check DevTools' Application tab for OptanonConsent and OptanonAlertBoxClosed cookies, and inspect the banner for the #onetrust-banner-sdk element. Free tools like Wappalyzer also identify OneTrust automatically.
Does OneTrust support IAB TCF and GDPR or CCPA compliance?
OneTrust supports the IAB Transparency and Consent Framework as a registered Consent Management Platform, generating the standardized TC string that programmatic ad-tech vendors require, and it also supports the IAB Global Privacy Platform. It provides configurable banner behavior designed to help organizations meet GDPR, CCPA/CPRA, and other regional requirements, including geolocation-based rules. Compliance ultimately depends on correct configuration and broader organizational practices, not the tool alone.
What are the OptanonConsent and OptanonAlertBoxClosed cookies?
These are the cookies OneTrust writes to remember a visitor's consent choices. OptanonConsent encodes which cookie categories the visitor accepted or rejected, and OptanonAlertBoxClosed records that the banner was dismissed and when. On return visits, the SDK reads these cookies to decide which scripts and tags are allowed to run. Their distinctive "Optanon" naming makes them a clear OneTrust fingerprint.
Can OneTrust slow down a website?
Like any third-party consent script, OneTrust adds a network request and some JavaScript execution, and if it is configured to load synchronously before other content it can affect perceived performance. Properly implemented, with the loader placed thoughtfully and tags gated rather than duplicated, the impact is usually modest. Teams concerned about speed can review our guide on how to make your website load faster for general optimization techniques.
Want to detect OneTrust and the rest of a site's stack automatically? Run any URL through StackOptic at https://stackoptic.com.
Alternatives to OneTrust
Compare OneTrust
Analyze a Website
Check if any website uses OneTrust and discover its full technology stack.
Analyze Now