Passing Consent to WebView
Overview
iOS supports this feature.
tvOS not supported because tvOS UIs don't support opening WebViews.
Passing consent into SFSafariViewController is not supported as you cannot execute JavaScript.
Many mobile applications use webviews to display content to end users. In many cases, the website being displayed will also have the Cookies CMP implemented. This can result in scenarios where a user will save their consent settings on the native app and then be prompted by a CMP banner again in the webview.
To prevent this negative user experience, the SDK provides a way for consent gathered on the native app to be passed into the webview and ingested by the Cookies CMP.
How It Works
- The SDK saves user consent locally on the app.
- The app retrieves the consent in the form of a formatted JavaScript from the SDK.
- The app injects/passes the consent payload into webview.
- When the website is loaded, the OneTrust Cookies CMP reads the consent payload.
- The Cookies CMP updates user consent on the site and suppresses the banner, if any.
Setup
- Make sure the OneTrust SDK is successfully initialized at least once.
- Create a frame for your webview, including a
WKUserContentController
instance. Do not launch it just yet. - Call
getOTConsentJSForWebView()
to retrieve the consent JS variable (var OTExternalConsent
) needed. - Create a custom
WKUserScript
instance and pass the JS variable as thesource
parameter. - Pass the
WKUserScript
instance with JS variable added to yourWKUserContentController
by calling theaddUserScript()
method. - Open the WebView and the OTExternalConsent variable should be set on the web page.
// Create WebView controller
var userContent = WKUserContentController()
// Call OT SDK method to retrieve the JS variable
if let js = OTPublishersHeadlessSDK.shared.getOTConsentJSForWebView() {
print("Consent from sdk : \(js)")
// Pass JS from SDK method to a custom WebView script
let script = WKUserScript(source: js, injectionTime: .atDocumentStart, forMainFrameOnly: false)
// Add the custom WebView script to WebView controller
userContent.addUserScript(script)
}
Example Output
var OTExternalConsent = {
"USPrivacy": "1---",
"addtlString": "",
"consentedDate": "Tue, 6 Apr 2021 16:13:41 +0100",
"groups": "C0002:1,C0003:1,C0005:0,C0004:0,C0001:1",
"tcString":"CPEPMp6PEPMp6AcABBFRBUCgAAAAAAAAAChQHrAA...",
"gppString":"DBABzw~1YNY~BVQqAA...."
}
Values Passed to Cookies CMP
Key | Type | Description |
---|---|---|
consentedDate | Date | Timestamp for the last consent update by the user. |
groups | string | The category id and the corresponding consent status. 0 is opted out, 1 is opted in. |
USPrivacy | string | The IAB US Privacy string for CCPA use cases. |
tcString | string | The IAB TCF string for GDPR use cases using TCF framework. |
addtlString | string | The Google Additional Consent string for GDPR use cases using TCF framework. |
gppString | string | The IAB GPP string for US State privacy laws |
TC Strings support up to 4096 characters.
FAQs
Are there timing considerations?
Yes, the JavaScript must be evaluated before the OneTrust Cookies CMP loads on the page.
Is there anything I need to do on the Cookies CMP (web side)?
No configuration required. The only requirement is for the Cookies CMP to be published to at least version 6.14.0.
What happens if the categories in Mobile differ from those on Web?
For this feature to work, you need to be using the same/nearly the same categories on Web as you do on Mobile. If the Mobile SDK does not capture consent for a category that Cookies CMP is expecting, then the Cookies CMP banner will display as not all consents have been collected.
In some situations, this may require creating “dummy SDKs” to present additional categories in the Mobile SDK that the web solution is expecting.
What if the user changes the consent on the WebView?
This consent will not feed back into the native app. It is recommended that the application prevent access to the preference center from within the webview.
What consent categories and purposes are able to be sent down?
- Regular OneTrust categories
- IAB CCPA US Privacy String
- IAB TCF Encoded TC String
- User's last consented timestamp
- Google Additional Consent string
Updated 6 months ago