OneTrust

Consent Management Platform Operates Comprehensive Behavioral Surveillance Under Privacy Compliance Theater

36 IOCs · 130 detections · 54% pre-consent · 81 sites
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what OneTrust discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

130 detections across 81 sites · 54% pre-consent activity
CRITICAL

Pre-Consent Activity

OneTrust was observed loading and executing before user consent was obtained on 54% of sites where it was detected.

GDPR · ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap · pending · UNKNOWN

They Claim: Unknown

Observed Behavior: Requires claims extraction via CDT

Customer Impact

What This Means For You

Privacy teams operate under a compliance-theater illusion: OneTrust consent banners provide audit optics while the platform itself violates the privacy principles it purports to enforce. Legal teams inherit massive regulatory exposure, because OneTrust's comprehensive surveillance triggers GDPR/CPRA obligations that privacy policies fail to disclose. Security teams confront an expanded attack surface, because OneTrust's tag management creates a single point of failure across the third-party vendor ecosystem. Users experience a profound privacy betrayal where rejecting consent still results in tracking, and privacy preference centers become behavioral surveillance honeypots. The platform creates permanent regulatory risk: the privacy compliance infrastructure itself operates more invasive surveillance than the vendors it manages, exposing organizations to FTC deception liability and regulatory enforcement for privacy theater rather than genuine data protection.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use OneTrust

  • Conduct an independent privacy audit: verify that OneTrust consent enforcement actually prevents tracking for users who reject cookies, measuring any consent-bypass (C09) behavior
  • Review the OneTrust DPA: confirm whether user consent choices, privacy preferences, and banner interaction data are contractually prohibited from inclusion in benchmarking or privacy intelligence products
  • Query OneTrust for a complete list of data cooperative participants, privacy intelligence services, and compliance benchmarking products that consume user consent behavioral data
  • Model surveillance scope: compare OneTrust's tracking footprint against the vendors being managed to quantify whether the CMP operates more invasive surveillance than the vendors it controls
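
One way to carry out the first audit step above, as an added example that is not BLACKOUT's or OneTrust's code: it reads a HAR capture, takes the timestamp and outcome of the tester's consent click, and reports which requests to this report's tracking hosts fired before the decision (the pre-consent pattern) and which fired after an explicit rejection (the consent-bypass pattern, C09). The HAR entries, the consent event and the shop.example.test site are constructed sample data; the host list is taken from the IOC manifest on this page.

```javascript
// Added example, not BLACKOUT's or OneTrust's code: audit a HAR capture for
// tracking requests that fire before the user's consent decision, and for
// requests to tracking hosts that continue after an explicit "Reject All".
// The host names are taken from this report's IOC manifest; the HAR entries
// and the consent event are constructed sample data.

const TRACKING_HOSTS = new Set([
  'cdn.cookielaw.org',
  'atl-onetrust-wrapper.atlassian.com',
  'www.onetrust.com',
  'explore.onetrust.com',
]);

// Constructed HAR fragment: only the fields the audit reads are present.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: '2024-01-01T10:00:00.100Z', request: { url: 'https://shop.example.test/' } },
      { startedDateTime: '2024-01-01T10:00:00.400Z', request: { url: 'https://cdn.cookielaw.org/scripttemplates/202301.2.0/otBannerSdk.js' } },
      { startedDateTime: '2024-01-01T10:00:00.900Z', request: { url: 'https://cdn.cookielaw.org/consent/ce18e40b-0e99-4ce0-807c-f5ac5ec70518/otSDKStub.js' } },
      { startedDateTime: '2024-01-01T10:00:01.200Z', request: { url: 'https://shop.example.test/app.js' } },
      { startedDateTime: '2024-01-01T10:00:05.000Z', request: { url: 'https://www.onetrust.com/.rum/@adobe/helix-rum-js@%5E2/dist/rum-standalone.js' } },
      { startedDateTime: '2024-01-01T10:00:06.000Z', request: { url: 'https://shop.example.test/api/data' } },
    ],
  },
};

// Constructed consent event: the tester clicked "Reject All" at this instant.
const SAMPLE_CONSENT = { decidedAt: '2024-01-01T10:00:03.000Z', choice: 'reject' };

// Hostname of a URL, or null if the string is not a URL.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Classify every HAR entry against the consent decision. Returns counts plus
// the offending URLs so they can be attached to an audit finding.
function auditConsent(har, consent, trackingHosts = TRACKING_HOSTS) {
  const decidedAt = Date.parse(consent.decidedAt);
  const result = { total: 0, tracking: 0, preConsent: [], postReject: [] };
  for (const entry of har.log.entries) {
    result.total += 1;
    const host = hostOf(entry.request.url);
    if (!host || !trackingHosts.has(host)) continue;
    result.tracking += 1;
    const startedAt = Date.parse(entry.startedDateTime);
    if (startedAt < decidedAt) {
      // Loaded before any choice was made: the "pre-consent activity" pattern.
      result.preConsent.push(entry.request.url);
    } else if (consent.choice === 'reject') {
      // Fired after the user rejected: the consent-bypass (C09) pattern.
      result.postReject.push(entry.request.url);
    }
  }
  // Share of this capture's tracking requests that ran before the decision
  // (a per-capture analogue of the report's site-level pre-consent figure).
  result.preConsentRatio = result.tracking ? result.preConsent.length / result.tracking : 0;
  return result;
}

// Human-readable summary line for the audit write-up.
function summarize(result) {
  return `${result.tracking}/${result.total} requests went to tracking hosts; ` +
    `${result.preConsent.length} pre-consent, ${result.postReject.length} after rejection`;
}

console.log(summarize(auditConsent(SAMPLE_HAR, SAMPLE_CONSENT)));
```

Feed it a HAR exported from the browser's network panel together with the consent timestamp from the same session. A non-empty postReject list is the concrete evidence the DPA review asks about: requests to the CMP's own hosts after the user rejected, independent of what the banner displayed.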

If You're Evaluating OneTrust

  • Demand contractual prohibition on OneTrust retaining, analyzing, or monetizing any user consent choices, privacy preferences, or banner interaction behaviors
  • Require monthly transparency certification that OneTrust platform tracking respects its own consent mechanisms with zero data collection for users who reject cookies
  • Negotiate privacy intelligence opt-out: user consent behavioral data must never be included in OneTrust benchmarking, analytics, or competitive intelligence products regardless of aggregation
  • Replace with minimal consent infrastructure (custom implementation, privacy-preserving CMP alternatives) that eliminates third-party privacy behavioral intelligence exposure entirely

Negotiation Leverage

  • OneTrust operates comprehensive surveillance (C01, C06, C07, C08, C09, C10, C13, C15) requiring a GDPR DPIA and triggering the same privacy protections as the vendors it manages. Privacy policies disclose consent management, not behavioral surveillance. Legal exposure: Our counsel requires an independent technical audit demonstrating that OneTrust platform tracking fully respects user consent rejections, with zero data collection for opted-out users, including by OneTrust's own analytics.
  • The fundamental regulatory irony: OneTrust's consent bypass (C09) and persistent tracking (C13) violate the privacy principles the platform purports to enforce. Users who reject cookies still get tracked by the CMP itself. Quantify hypocrisy: Provide technical documentation proving that OneTrust platform tracking ceases completely for users who reject all cookies, or admit consent management is privacy theater.
  • Monetizing user consent choices through privacy intelligence products creates a profound trust violation. Privacy preferences become market research sold to industry participants. Demand transparency: What percentage of OneTrust revenue derives from privacy behavioral data vs. SaaS subscriptions, and which competing organizations purchase consent pattern intelligence derived from our users?
  • If OneTrust refuses to eliminate platform surveillance and privacy intelligence monetization, demand immediate replacement. A consent management platform that violates its own privacy principles creates liability exceeding any compliance optics value. The regulatory exposure from CMP privacy theater may exceed the risk of having no consent management at all.

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

Impact: Modifies user consent choices and privacy preferences before downstream enforcement, systematically biasing toward data collection permissiveness rather than user intent

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures user interaction patterns with consent banners and preference centers to optimize conversion rates for data collection acceptance

BTI-C07 Session Recording

Full session replay

Impact: Records user interactions with privacy controls including consent banner engagement, preference selections, and opt-out attempts for UX optimization intelligence

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Synchronizes user consent preferences and privacy choices across multiple organizational domains, creating unified tracking that persists across properties

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Operates tracking infrastructure that captures user behavioral data regardless of consent choices, including users who explicitly reject cookies and tracking

BTI-C10 Fingerprinting

Device identification

Impact: Creates persistent user fingerprints to track privacy choices and behavioral patterns across sessions, enabling consent choice continuity and privacy preference analysis

BTI-C13 Persistence Mechanisms

Long-lived identifiers

Impact: Maintains long-lived tracking identifiers that survive user privacy choices and browser controls, enabling longitudinal privacy behavior surveillance

BTI-C15 Tag Manager

Container/loader (neutral)

Impact: Functions as comprehensive tag orchestration platform controlling third-party vendor initialization, creating single point of surveillance infrastructure across organizational digital ecosystem

IOC Manifest

36 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • [TRACK] cdn.cookielaw.org (Tracking script)
  • [TRACK] https://cdn.cookielaw.org/scripttemplates/202301.2.0/otBannerSdk.js (Tracking script)
  • [TRACK] https://cdn.cookielaw.org/consent/ce18e40b-0e99-4ce0-807c-f5ac5ec70518/otSDKStub.js (Tracking script)
  • [TRACK] *atl-onetrust-wrapper.atlassian.com/assets/atl-onetrust-wrapper.js* (Tracking script)
  • [TRACK] www.onetrust.com/.rum/@adobe/helix-rum-js@%5E2/dist/rum-standalone.js (Auto-extracted from scan)
  • [TRACK] www.onetrust.com/etc.clientlibs/onetrust/clientlibs/clientlib-jquery.lc-76a92234952929ebefaa60dd43afeddb-lc.min.js (Auto-extracted from scan)
  • [TRACK] www.onetrust.com/etc.clientlibs/onetrust/clientlibs/clientlib-slick.lc-cfa1c7e0057b97fcfa12873b8cfd7209-lc.min.js (Auto-extracted from scan)
  • [TRACK] www.onetrust.com/etc.clientlibs/onetrust/clientlibs/clientlib-dependencies.lc-d41d8cd98f00b204e9800998ecf8427e-lc.min.js (Auto-extracted from scan)
  • [TRACK] explore.onetrust.com/js/forms2/js/forms2.js (Auto-extracted from scan)
  • [TRACK] www.onetrust.com/etc.clientlibs/onetrust/clientlibs/clientlib-site.lc-d41d8cd98f00b204e9800998ecf8427e-lc.min.js (Auto-extracted from scan)
  • [TRACK] www.onetrust.com/etc.clientlibs/core/wcm/components/commons/site/clientlibs/container.lc-0a6aff292f5cc42142779cde92054524-lc.min.js (Auto-extracted from scan)
  • [TRACK] www.onetrust.com/etc.clientlibs/onetrust/clientlibs/clientlib-base.lc-9b0fb62a0530de16318bd5589a20f1f1-lc.min.js (Auto-extracted from scan)
  • [TRACK] explore.onetrust.com/index.php/form/getForm (Auto-extracted from scan)
  • [TRACK] explore.onetrust.com/js/forms2/js/forms2.min.js (Auto-extracted from scan)

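
The indicators above put to the three uses the manifest suggests, as an added example that is not BLACKOUT's or OneTrust's code: a one-host-per-line blocklist of the kind Pi-hole consumes, a URL matcher for detection rules that honours the manifest's `*` wildcards, and a check of which IOC hosts a site's CSP `script-src` would still allow. The indicator strings are copied from the visible TRACK entries; the CSP header, the example.test hosts and the function names are constructed for illustration.

```javascript
// Added example, not BLACKOUT's or OneTrust's code: turn the IOC manifest
// above into (a) a one-host-per-line blocklist of the kind Pi-hole consumes,
// (b) a URL matcher that honours the manifest's '*' wildcards, and
// (c) a check of which IOC hosts a site's CSP script-src would still allow.
// The indicators are copied from the manifest; the CSP header is constructed.

const IOC_MANIFEST = [
  'cdn.cookielaw.org',
  'https://cdn.cookielaw.org/scripttemplates/202301.2.0/otBannerSdk.js',
  'https://cdn.cookielaw.org/consent/ce18e40b-0e99-4ce0-807c-f5ac5ec70518/otSDKStub.js',
  '*atl-onetrust-wrapper.atlassian.com/assets/atl-onetrust-wrapper.js*',
  'www.onetrust.com/.rum/@adobe/helix-rum-js@%5E2/dist/rum-standalone.js',
  'explore.onetrust.com/js/forms2/js/forms2.js',
  'explore.onetrust.com/index.php/form/getForm',
];

// Host part of an indicator, whether it is a bare host, a full URL,
// a scheme-less path, or a wildcard pattern.
function iocHost(indicator) {
  return indicator.replace(/^\*+/, '').replace(/^[a-z]+:\/\//i, '').split('/')[0].toLowerCase();
}

// Sorted, de-duplicated host list: paste into a Pi-hole adlist or a DNS RPZ.
function blocklist(manifest) {
  return [...new Set(manifest.map(iocHost))].sort();
}

// Compile an indicator into an anchored RegExp. '*' becomes '.*', every other
// character is literal, and scheme-less entries match both http and https.
function iocRegex(indicator) {
  const escaped = indicator.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  const hasScheme = /^[a-z]+:\/\//i.test(indicator);
  const prefix = hasScheme || indicator.startsWith('*') ? '' : 'https?://';
  return new RegExp('^' + prefix + escaped + '$', 'i');
}

// True if the URL is covered by the indicator. A bare host (no path, no
// wildcard) matches every URL on that host; anything else is pattern-matched.
function matchIoc(url, indicator) {
  if (!indicator.includes('/') && !indicator.includes('*')) {
    try { return new URL(url).hostname.toLowerCase() === indicator.toLowerCase(); } catch { return false; }
  }
  return iocRegex(indicator).test(url);
}

// First indicator that covers the URL, or null: the core of a detection rule.
function matchesAny(url, manifest = IOC_MANIFEST) {
  return manifest.find(ioc => matchIoc(url, ioc)) ?? null;
}

// Would this CSP let a script load from `host`? Reads script-src, falls back
// to default-src as browsers do, and treats a missing policy as "allowed".
// Simplified: ports and paths in source expressions are ignored, and quoted
// keywords ('self', nonces, hashes) never match a third-party host.
function cspAllowsScriptHost(cspHeader, host) {
  const directives = new Map(
    cspHeader.split(';').map(d => d.trim()).filter(Boolean).map(d => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), sources];
    }),
  );
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (!sources) return true;
  const target = host.toLowerCase();
  return sources.some(src => {
    const s = src.toLowerCase();
    if (s.startsWith("'")) return false;
    if (s === '*' || s === 'https:' || s === 'http:') return true;
    const hostPart = s.replace(/^[a-z]+:\/\//, '').split('/')[0].replace(/:\d+$/, '');
    if (hostPart.startsWith('*.')) {
      const suffix = hostPart.slice(2);
      return target === suffix || target.endsWith('.' + suffix);
    }
    return target === hostPart;
  });
}

// IOC hosts a given policy would still allow as script origins.
function cspGaps(cspHeader, manifest = IOC_MANIFEST) {
  return blocklist(manifest).filter(host => cspAllowsScriptHost(cspHeader, host));
}

// Constructed policy for a site that allow-listed the whole cookielaw.org zone.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://*.cookielaw.org https://static.example.test";

console.log(blocklist(IOC_MANIFEST).join('\n'));
console.log('CSP still allows:', cspGaps(SAMPLE_CSP));
```

cspGaps is the part to run during a policy review: a script-src that allow-lists the whole https://*.cookielaw.org zone still admits cdn.cookielaw.org, so the policy on its own does not stop the banner SDK from loading, which is why the blocklist output belongs at the DNS layer as well.
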
Ecosystem

Ecosystem & Supply Chain

OneTrust typically deploys as foundational privacy infrastructure alongside competing CMPs (Cookiebot, Usercentrics, TrustArc), tag managers (Google Tag Manager, Tealium, Adobe Launch), and privacy program management tools. The platform positions itself as a privacy compliance solution while functioning as a comprehensive behavioral surveillance system. Common co-deployments include privacy policy generators, data mapping tools, and vendor risk assessment platforms that create OneTrust ecosystem lock-in. The integration architecture typically involves client-side consent SDKs that bypass their own privacy controls, server-side preference synchronization that enables cross-property tracking, and APIs feeding privacy intelligence to OneTrust analytics and benchmarking products.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

36 detection signatures across scripts, domains, cookies, and network endpoints

HAR Forensics

Identity Leaks (8)
Destination | Data Type