Persisting Consent
This page describes how consent persists from one instance to the next.
The APIs utilized by the Server-Side CMP API solution are stateless in nature so every request received will be considered new. Because of this, a new object called OTConsentObject
was introduced in order to maintain the user's consent data from one instance/session to the next.
Here's a sample of the OTConsentObject. The application is not responsible for creating or manipulating the object, the API will handle the logic.
OTConsentObject:
{
'lastLaunchDate': 'date number timestamp',
'shouldShowBanner’: 0/1,
'dsid': "String",
'appId': "String",
'cdn': "String",
'isAnonymous': 0/1,
'expiryDate': 'date number timestanp';
'lastConsentedDate': 'date number timestamp',
'lastInteractionType': "String" ,
'groupConsents': {‘C0001’: 0, 'C0002': 1},
'sdkConsents': {‘S001’: 0, 'S002': 1},
}
As the application calls any of the 4 APIs in scope, the CMP API will convert the object into a Base64 format and return it in the response under otConsentString
.
Here's a sample of the otConsentString
:
eyJsYXN0TGF1bmNoRGF0ZSI6MTcxMzIxMTQyNjI4Nywic2hvdWxkU2hvd0Jhbm5lciI6MSwiZHNJZCI6ImI4NzViMzgyLTBhYzctNDlhOC1iZTI3LTM5MDg3OWNkNDAyYSIsImFwcElkIjoiM2UxODg1NjEtNTBmNi00NTMwLWJiNDktYWExNzgzNDM4MWM3LXRlc3QiLCJjZG4iOiJjZG4uY29va2llbGF3Lm9yZyIsImlzQW5vbnltb3VzIjoxLCJleHBpcnlEYXRlIjoxNzQ0NzQ3NDI2NTMxLCJsYXN0Q29uc2VudERhdGUiOjE3MTMyMTE0MjY1MzEsImxhc3RJbnRlcmFjdGlvblR5cGUiOiJQcmVmZXJlbmNlIENlbnRlciAtIENvbmZpcm0iLCJncm91cENvbnNlbnRzIjp7IkMwMDAxIjoxLCJDMDAwMyI6MSwiQzAwMDIiOjAsIkMwMDA0IjoxfSwic2RrQ29uc2VudHMiOnsiYWJkZmE0NjgtMmY4Ny00YzAzLWFlOWItOGZjMzFkMzQxYzZjIjoxLCIyMjUzZWM1Mi0xOGI0LTQ4NjgtOTAyZi0wMmY5YTE5ZTc5ODQiOjEsImIzNjgzMDc3LThkZjYtNDI2My05NjcyLTE0NmZjZmRlYmE4OCI6MCwiODhjZGQ5ZGYtNjNhZS00YmI3LThiZmMtNGFmNDg4MmNmZmI1IjoxfX0=
otConsentString
decoded:
{
"lastLaunchDate": 1713211426287,
"shouldShowBanner": 1,
"dsId": "b875b382-0ac7-49a8-be27-390879cd402a",
"appId": "3e188561-50f6-4530-bb49-aa17834381c7-test",
"cdn": "cdn.cookielaw.org",
"isAnonymous": 1,
"expiryDate": 1744747426531,
"lastConsentDate": 1713211426531,
"lastInteractionType": "Preference Center - Confirm",
"groupConsents": {
"C0001": 1,
"C0003": 1,
"C0002": 0,
"C0004": 1
},
"sdkConsents": {
"abdfa468-2f87-4c03-ae9b-8fc31d341c6c": 1,
"2253ec52-18b4-4868-902f-02f9a19e7984": 1,
"b3683077-8df6-4263-9672-146fcfdeba88": 0,
"88cdd9df-63ae-4bb7-8bfc-4af4882cffb5": 1
}
}
It will then be the application's responsibility to store the otConsentString
in local storage and send it in subsequent calls for any of the APIs used. The consent string should be updated once a new one from the latest API used is received. The next page/section goes into more detail about how to send it in the API call.
Example workflow:
- ☃️ First time user, banner in scope ☃️
App launched ➡️ Banner API called, nootConsentString
is passed in the header ➡️ Store theotConsentString
returned from the banner response ➡️ User taps 'Allow All' on the banner ➡️
Save and Log consent API called withotConsentString
passed in the header along with preferences set in the payload ➡️
Update theotConsentString
stored with the latest one from the save consent API
- ☃️ Returning user, preferences changed ☃️
App launched ➡️ Banner API called with last savedotConsentString
to check if a banner should be shown ➡️ Store newotConsentString
from the banner API response ➡️ Call preference center API withotConsentString
passed in the header ➡️ Store newotConsentString
from preferences API response ➡️ User rejects all ➡️ Save consent API called withotConsentString
passed in the header along with preferences set in the payload ➡️ Replace previousotConsentString
with the new one from save consent API
IMPORTANT
Ensure the string is not modified or corrupted or the OneTrust API worker may not be able to ingest and decode it as expected.
FAQ
- Is there a size limit of the
otConsentString
?
The string should not exceed a typical size of 8 - 16kb. The request header itself has a size limit of 32kb.
Updated 6 months ago