U-M Cookie Disclosure

Example of the Cookie Consent Banner

About the Cookie Consent and Disclosure Banner

The consent banner and preference manager are powered by OneTrust. This banner assists in the display and tracking of a user’s cookie preference. It is up to you to ensure tracking cookies are not set. When a user chooses to allow or decline the use of cookies, a cookie called “OptanonConsent” is set to save the user’s cookie preferences. This cookie is designed to be universally accessible to all umich.edu websites. If no selection has been made, it should be treated as if the user has declined cookies.

When to use Cookie Consent and Disclosure Banner

We currently support geolocation, so only users in the EU will see the banner. The Cookie Consent and Disclosure Banner will give your users the option to opt in to analytics and advertising cookies.

For More Information

If you have technical questions about the plugins or banner message code, please email the OVPC Digital team at umdigital@umich.edu.

For more information about GDPR at the University of Michigan, visit the General Data Protection Regulation (GDPR) Compliance program website. For questions regarding university GDPR compliance policy, you can email gdpr-program@umich.edu.

For more general information about privacy, please email the U-M Privacy team at privacy@umich.edu.


Banner Integration

Below are the current integration methods that this banner officially supports.

WordPress Integration

If you are running WordPress, you can simply install and activate the U-M Cookie Consent plugin. This plugin also integrates with the Site Kit by Google Analytics plugin so that it does not use Google Analytics tracking cookies. This plugin contains two action hooks that can be used to set or delete cookies based on user preference.

Non-WordPress Integration

To add the cookie consent banner to non-WordPress websites, you can simply include the following JavaScript on your site. This script automatically loads the styles and scripts required to display the message.

<script src="https://cdn.cookielaw.org/consent/03e0096b-3569-4b70-8a31-918e55aa20da/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="03e0096b-3569-4b70-8a31-918e55aa20da" ></script>

Review the 3rd Party System Compliance documentation for additional information on how to bring common services into compliance.


Privacy Policy URL

The privacy policy URL for the banner and preference manager is hard coded to /privacy/. For example, if your site is “president.umich.edu” the link will go to president.umich.edu/privacy/. You may need to set up a redirect for that path to your actual privacy policy. The WordPress plugin is designed so that if a page does not resolve at /privacy/, a redirect will occur, defaulting the user to umich.edu/about/privacy/.

The U-M Privacy Office maintains a template for privacy notices for U-M websites and services, and offers support for the development of privacy notices. You can contact the U-M Privacy Office at privacy@umich.edu.

Preference Manager

In order to show the preference manager after a user has made a selection, you can do one of the following:

HTML

You may desire to override the default look of the button:

<button id="ot-sdk-btn" class="ot-sdk-show-settings">Cookie Settings</button>

An example of this can be found on the Gateway privacy notice under the “Manage Cookies” heading.

Example of the Cookie Consent Preference Button.

JavaScript

Execute the following in JavaScript as desired:

OneTrust.ToggleInfoDisplay();

Banner Testing

For development sites you can use the following script:

<script src="https://cdn.cookielaw.org/consent/03e0096b-3569-4b70-8a31-918e55aa20da-test/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="03e0096b-3569-4b70-8a31-918e55aa20da-test" ></script>

The banner can be forced to display by using a VPN and selecting an EU country OR by adding a couple of URL parameters to your site:

https://MYDOMAIN.TLD/?otreset=true&otgeo=de

OneTrust Categories

OneTrust has a default set of categories that we have grouped into two user-displayed categories. These are defined as follows:

Strictly Necessary Cookies
  • C0001 (Strictly Necessary)
  • C0003 (Functional)
Analytics & Advertising Cookies
  • C0002 (Performance)
  • C0004 (Targeting)
  • C0005 (Social Media)

Google Consent Mode Integration

This is enabled by default, which means that when a user explicitly accepts or rejects cookies, OneTrust will issue the consent update automatically. However, this does require that the OneTrust script be placed after the GTAG/GTM script and that the default consent be configured. For non-EU users you will need to either set a default consent for EU and non-EU users or add the additional bit of code as shown in the Google Analytics (gtag.js) / GA4 information below.

Google Storage Categories to OneTrust category assignments
  • Ad Storage: C0004 (Targeting)
  • Analytics Storage: C0002 (Performance)
  • Functionality Storage: C0003 (Functional)
  • Personalization Storage: C0004 (Targeting)
  • Ad User Data: C0004 (Targeting)
  • Ad Personalization: C0004 (Targeting)

3rd Party System Compliance

After the OneTrust Consent system loads it will execute a global function named OptanonWrapper.  In this you can add necessary code to maintain cookie compliance.

function OptanonWrapper(){
    if( OnetrustActiveGroups.includes("C0004") ) {
        // ALLOW TRACKING
    }
    else {
        // DISALLOW TRACKING
    }
}

As an alternative, you can use the following, which will trigger automatically upon preference change:

window.addEventListener('OneTrustGroupsUpdated',event =>{
    if( event.detail.includes( 'C0004' ) ) {
        // ALLOW TRACKING
    }
    else {
        // DISALLOW TRACKING
    }
});

We have a simple PHP class available that decodes the OneTrust cookie and can be used to easily determine a user's cookie preference.

if( UMOneTrust::get('targeting') ) {
    echo 'COOKIES ALLOWED';
}

OneTrust is configured to automatically integrate consent preferences with GA4, however it does require a specific implementation in order to work correctly.  First you will want to add the OneTrust implementation script after the GA4 code.  In addition you will need to configure the default consent preferences by adding a little bit of code to your GA4 script.

<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000000"></script>
<script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}

    // START: CODE TO ADD
    gtag("consent", "default", {
        ad_storage             : "denied", 
        analytics_storage      : "denied", 
        functionality_storage  : "denied", 
        personalization_storage: "denied", 
        ad_user_data           : "denied",
        ad_personalization     : "denied", 
        wait_for_update        : 500 
    });
    // END: CODE TO ADD

    gtag('js', new Date());
    gtag('config', 'G-0000000000');
</script>

After the OneTrust script you will want to add the following code.  This code will make sure the consent preferences are updated correctly:

<script type="text/javascript">
function OptanonWrapper(){
    // performance
    if( OnetrustActiveGroups.includes("C0002") ) {
        gtag( "consent", "update", {
            analytics_storage: "granted"
        });
    }
    // functional
    if( OnetrustActiveGroups.includes("C0003") ) { 
        gtag( "consent", "update", {
            functionality_storage: "granted"
        });
    }
    // targeting
    if( OnetrustActiveGroups.includes("C0004") ) {
        gtag( "consent", "update", {
            ad_storage : "granted",
            ad_user_data : "granted",
            ad_personalization : "granted",
            personalization_storage: "granted"
        });
    }
    else {
        // remove google _ga* cookies as google doesn't remove them when tracking is declined
        document.cookie.split(';').forEach( (cookie) => {
            const [ name ] = cookie.split('=');
            if( name.trim().match( /^_ga(_.+)?$/ ) ) {
                document.cookie = name + '=;path=/;domain=.'+ window.location.hostname.replace(/^(.*\.)?(.+\..+)$/,'$2') +';expires=Thu, 01 Jan 1970 00:00:01 GMT';
            }
        });
    }
};
</script>

If you are using Google Tag Manager to manage your GA4 analytics, you will need to make changes to your configuration in order to be compliant. OneTrust has some documentation surrounding these changes (NOTE: login required, can create account):

Alternatively you can simply add the following before your GTM script:

<script type="text/javascript">
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

// Default ad_storage to "denied". 
gtag("consent", "default", { 
    ad_storage             : "denied", 
    analytics_storage      : "denied", 
    functionality_storage  : "denied", 
    personalization_storage: "denied", 
    ad_user_data           : "denied",
    ad_personalization     : "denied", 
    wait_for_update        : 500 
});
</script>

For Matomo, you will need to add the following:

AFTER:

var _paq = window._paq = window._paq || [];

ADD:

_paq.push(['requireConsent']);
_paq.push(['requireCookieConsent']);

Then add the following after the Matomo script:

<script type="text/javascript">
    window.addEventListener('OneTrustGroupsUpdated',event =>{
        if( event.detail.includes( 'C0002' ) ) {
            _paq.push(['setConsentGiven']);
        }
        else {
            _paq.push(['forgetConsentGiven']);
        }
        if( event.detail.includes( 'C0004' ) ) {
            _paq.push(['setCookieConsentGiven']);
        }
        else {
            _paq.push(['forgetCookieConsentGiven']);
        }
    });
</script>

For other integrations where you cannot use the above methods, you will need to decode the cookie value. The value is a URL query parameter string. Within it is a parameter called groups whose value is a comma-delimited string of group codes and values, e.g. (groups=C0001:1,C0003:0,C0004:0,C0002:0). The primary one to be concerned about here is the value for C0004, which is the code for Targeting cookies. The value for each code is either a “1” or a “0” for allow or deny.
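
One way to decode the cookie as described above, treating a missing cookie, a missing groups parameter or a malformed entry as declined. This is an added example, not U-M's or OneTrust's code; the function names, KNOWN_GROUPS and the sample cookie string are assumptions made for illustration.

```javascript
// Added example: decode an OptanonConsent value into per-group consent.
// Group codes and deny-by-default come from this page; the function names
// and the sample cookie string are constructed for illustration.
const KNOWN_GROUPS = ['C0001', 'C0002', 'C0003', 'C0004', 'C0005'];

// Pull one cookie's raw value out of a Cookie header or document.cookie.
function readCookie(cookieString, name) {
    for (const part of String(cookieString || '').split(';')) {
        const eq = part.indexOf('=');
        // Split on the first "=" only: the value itself contains "=".
        if (eq !== -1 && part.slice(0, eq).trim() === name) {
            return part.slice(eq + 1).trim();
        }
    }
    return null;
}

// Returns { C0001: bool, ... }. Anything missing, malformed or not exactly
// "1" stays false, matching the "no selection means declined" rule.
function parseOptanonGroups(rawValue) {
    const consent = Object.fromEntries(KNOWN_GROUPS.map((g) => [g, false]));
    if (!rawValue) return consent;
    // The value is a query string; URLSearchParams also percent-decodes it,
    // so an encoded "C0004%3A1" parses the same as "C0004:1".
    const groups = new URLSearchParams(rawValue).get('groups');
    if (!groups) return consent;
    for (const entry of groups.split(',')) {
        const [code, flag] = entry.split(':').map((s) => s.trim());
        if (KNOWN_GROUPS.includes(code)) consent[code] = flag === '1';
    }
    return consent;
}

// Convenience check for the Targeting group (C0004).
function targetingAllowed(cookieString) {
    return parseOptanonGroups(readCookie(cookieString, 'OptanonConsent')).C0004;
}

// Constructed sample cookie string, not captured from a real site.
const SAMPLE = 'theme=dark; OptanonConsent=other=x&groups=C0001%3A1%2CC0003%3A1%2CC0004%3A0%2CC0002%3A1';
console.log(parseOptanonGroups(readCookie(SAMPLE, 'OptanonConsent')));
```

In the browser, pass document.cookie to targetingAllowed; on a Node server, pass the request's Cookie header.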

Screen capture showing the President’s site as viewed for the first time from an EU member state (in this example, Germany).
