U-M Cookie Disclosure

Example of the Cookie Consent Banner

About the Cookie Consent and Disclosure Banner

The consent banner and preference manager are powered by OneTrust. The banner displays and tracks a user’s cookie preference. It is up to you to ensure tracking cookies are not set. When a user chooses to allow or decline the use of cookies, a cookie called “OptanonConsent” is set to save the user’s cookie preferences. This cookie is designed to be universally accessible to all umich.edu websites. If no selection has been made, it should be treated as if the user has declined cookies.

When to use Cookie Consent and Disclosure Banner

We currently support geolocation, where only users in the EU will see the banner. The Cookie Consent and Disclosure Banner gives your users the option to opt in to analytics and advertising cookies.

For More Information

If you have technical questions about the plugins or banner message code, please email the OVPC Digital team at umdigital@umich.edu.

For more information about GDPR at the University of Michigan, visit the General Data Protection Regulation (GDPR) Compliance program website. For questions regarding university GDPR compliance policy, you can email gdpr-program@umich.edu.

For more general information about privacy, please email the U-M Privacy team at privacy@umich.edu.


Banner Integration

The banner is only supported on the following domains:

  • umich.edu
  • umflint.edu
  • umdearborn.edu

Below are the current integration methods that this banner officially supports.

WordPress Integration

If you are running WordPress, you can simply install and activate the U-M Cookie Consent plugin. This plugin also integrates with the Site Kit by Google Analytics plugin so that Google Analytics tracking cookies are not used. The plugin contains two action hooks that can be used to set or delete cookies based on user preference.

Non-WordPress Integration

To add the cookie consent banner to non-WordPress websites, you can simply include the following JavaScript on your site. This script automatically loads the styles and scripts required to display the message. Use the script associated with the domain of your site.

umich.edu
<script src="https://cdn.cookielaw.org/consent/03e0096b-3569-4b70-8a31-918e55aa20da/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="03e0096b-3569-4b70-8a31-918e55aa20da" ></script>
umflint.edu
<script src="https://cdn.cookielaw.org/consent/018f776d-a3b7-74f3-8fec-065496d9a96f/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="018f776d-a3b7-74f3-8fec-065496d9a96f" ></script>
umdearborn.edu
<script src="https://cdn.cookielaw.org/consent/018f779a-dc12-7048-a377-bb381a930bf2/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="018f779a-dc12-7048-a377-bb381a930bf2" ></script>

Review the 3rd Party System Compliance documentation for additional information on how to bring common services into compliance.


Privacy Policy URL

The privacy policy URL for the banner and preference manager is hard coded to /privacy/. For example, if your site is “president.umich.edu” the link will go to president.umich.edu/privacy/. You may need to set up a redirect from that path to your actual privacy policy. The WordPress plugin is designed so that if a page does not resolve at /privacy/, a redirect sends the user to their domain’s privacy statement.

The U-M Privacy Office maintains a template for privacy notices for U-M websites and services, and offers support for the development of privacy notices. You can contact the U-M Privacy Office at privacy@umich.edu.

Preference Manager

In order to show the preference manager after a user has made a selection, you can do one of the following:

HTML

You may desire to override the default look of the button:

<button id="ot-sdk-btn" class="ot-sdk-show-settings">Cookie Settings</button>

An example of this can be found on the Gateway privacy notice under the “Manage Cookies” heading.

Example of the Cookie Consent Preference Button.

JavaScript

Execute the following in JavaScript as desired:

OneTrust.ToggleInfoDisplay();

Banner Testing

For development sites you can use the following script:

umich.edu
<script src="https://cdn.cookielaw.org/consent/03e0096b-3569-4b70-8a31-918e55aa20da-test/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="03e0096b-3569-4b70-8a31-918e55aa20da-test" ></script>
umflint.edu
<script src="https://cdn.cookielaw.org/consent/018f776d-a3b7-74f3-8fec-065496d9a96f-test/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="018f776d-a3b7-74f3-8fec-065496d9a96f-test" ></script>
umdearborn.edu
<script src="https://cdn.cookielaw.org/consent/018f779a-dc12-7048-a377-bb381a930bf2-test/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="018f779a-dc12-7048-a377-bb381a930bf2-test" ></script>

The banner can be forced to display by using a VPN and selecting an EU country, or by adding a couple of URL parameters to your site:

https://MYDOMAIN.TLD/?otreset=true&otgeo=de

OneTrust Categories

OneTrust has a default set of categories that we have grouped into two user-displayed categories. These are defined as follows:

Strictly Necessary Cookies
  • C0001 (Strictly Necessary)
  • C0003 (Functional)
Analytics & Advertising Cookies
  • C0002 (Performance)
  • C0004 (Targeting)
  • C0005 (Social Media)

Google Consent Mode Integration

This is enabled by default, which means that when a user explicitly accepts or rejects cookies, OneTrust will issue the consent update automatically. However, this does require that the OneTrust script be placed after the GTAG/GTM script and that the default consent be configured. For non-EU users you will need to either set a default consent for EU and non-EU users or add the additional bit of code as shown in the Google Analytics (gtag.js) / GA4 information below.

Google Storage Categories to OneTrust category assignments
  • Ad Storage: C0004 (Targeting)
  • Analytics Storage: C0002 (Performance)
  • Functionality Storage: C0003 (Functional)
  • Personalization Storage: C0004 (Targeting)
  • Ad User Data: C0004 (Targeting)
  • Ad Personalization: C0004 (Targeting)

3rd Party System Compliance

OneTrust is configured to automatically integrate consent preferences with GA4; however, it requires a specific implementation in order to work correctly. The recommended approach is as follows:

Add the OneTrust implementation script after the GA4 code. In addition, configure the default consent preferences by adding a little bit of code to your GA4 script.

1) Add default consent preferences to your site first:

<script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag("consent", "default", {
        ad_storage             : "denied", 
        analytics_storage      : "denied", 
        functionality_storage  : "denied", 
        personalization_storage: "denied", 
        ad_user_data           : "denied",
        ad_personalization     : "denied", 
        wait_for_update        : 500 
    });
</script>

2) Add your Google Analytics (gtag.js) or Tag Manager (gtm.js) provided code:

<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000000"></script>
<script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-0000000000');
</script>

3) Add the OneTrust consent script:

<script src="https://cdn.cookielaw.org/consent/03e0096b-3569-4b70-8a31-918e55aa20da/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="03e0096b-3569-4b70-8a31-918e55aa20da" ></script>

4) Finally add the following code.  This code will make sure the consent preferences are updated correctly:

<script type="text/javascript">
function OptanonWrapper(){
    // performance
    if( OnetrustActiveGroups.includes("C0002") ) {
        gtag( "consent", "update", {
            analytics_storage: "granted"
        });
    }
    // functional
    if( OnetrustActiveGroups.includes("C0003") ) { 
        gtag( "consent", "update", {
            functionality_storage: "granted"
        });
    }
    // targeting
    if( OnetrustActiveGroups.includes("C0004") ) {
        gtag( "consent", "update", {
            ad_storage : "granted",
            ad_user_data : "granted",
            ad_personalization : "granted",
            personalization_storage: "granted"
        });
    }
    else {
        // remove google _ga* cookies as google doesn't remove them when tracking is declined
        document.cookie.split(';').forEach( (cookie) => {
            const [ name ] = cookie.split('=');
            if( name.trim().match( /^_ga(_.+)?$/ ) ) {
                document.cookie = name + '=;path=/;domain=.'+ window.location.host.replace(/^(.*\.)?(.+\..+)$/,'$2') +';expires=Thu, 01 Jan 1970 00:00:01 GMT';
            }
        });
    }

    // trigger event for use in Tag Manager
    window.dataLayer.push({ event: 'um_consent_updated' });
};
</script>

Google Tag Manager Notes

If you need to trigger tags based on a user's consent, you can create a trigger and attach it to your tag (this requires the code example in step 4 in order to work):

Type: Custom Event
Name: um_consent_updated

OneTrust has some integration documentation that might be of help (NOTE: login required, can create account).  The documentation has instructions for using Tag Manager to load the OneTrust consent banner using a Tag Template.  If you use this method it will ask for a “Data Domain Script” and the value you are looking for is “03e0096b-3569-4b70-8a31-918e55aa20da”.

For Matomo, you will need to add the following to your tracking code:

AFTER:

var _paq = window._paq = window._paq || [];

ADD:

_paq.push(['requireConsent']);
_paq.push(['requireCookieConsent']);

Then add the following after the Matomo script:

<script type="text/javascript">
    window.addEventListener('OneTrustGroupsUpdated',event =>{
        if( event.detail.includes( 'C0002' ) ) {
            _paq.push(['setConsentGiven']);
        }
        else {
            _paq.push(['forgetConsentGiven']);
        }
        if( event.detail.includes( 'C0004' ) ) {
            _paq.push(['setCookieConsentGiven']);
        }
        else {
            _paq.push(['forgetCookieConsentGiven']);
        }
    });
</script>

After the OneTrust Consent system loads it will execute a global function named OptanonWrapper.  In this you can add necessary code to maintain cookie compliance.

function OptanonWrapper(){
    if( OnetrustActiveGroups.includes("C0004") ) {
        // ALLOW TRACKING
    }
    else {
        // DISALLOW TRACKING
    }
}

As an alternative, you can use the following, which will trigger automatically upon preference change:

window.addEventListener('OneTrustGroupsUpdated',event =>{
    if( event.detail.includes( 'C0004' ) ) {
        // ALLOW TRACKING
    }
    else {
        // DISALLOW TRACKING
    }
});

We have a simple PHP class available that decodes the OneTrust cookie and can be used to easily determine a user's cookie preference.

if( UMOneTrust::get('targeting') ) {
    echo 'COOKIES ALLOWED';
}

For other integrations where you cannot use the above methods, you will need to decode the cookie value. The value is a URL query parameter string. Within it is a parameter called groups whose value is a comma-delimited string of group codes and values, e.g. (groups=C0001:1,C0003:0,C0004:0,C0002:0). The primary one to be concerned about here is the value for C0004, which is the code for Targeting cookies. The value for each code is either a “1” or a “0” for allow or deny.
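
A fail-closed decoder for the cookie format described above, as an added example that is not U-M's or OneTrust's own code. It takes a document.cookie or Cookie header string; the function names and sample cookie strings are constructed for illustration, and any group that is missing, malformed or not exactly "1" is treated as declined.

```javascript
// Added example: fail-closed decoding of the OptanonConsent cookie.
// Function names and sample strings are illustrative, not U-M or OneTrust code.
const KNOWN_GROUPS = ['C0001', 'C0002', 'C0003', 'C0004', 'C0005'];

// Return one cookie's raw value from an "a=1; b=2" string
// (document.cookie in the browser, or a Cookie request header on a server).
function getCookieValue(cookieString, name) {
  if (typeof cookieString !== 'string') return null;
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Decode the "groups" parameter into { C0001: bool, ..., C0005: bool }.
// Every known group starts as declined; only an exact "1" grants it.
function parseConsentGroups(cookieString) {
  const consent = Object.fromEntries(KNOWN_GROUPS.map((code) => [code, false]));
  const raw = getCookieValue(cookieString, 'OptanonConsent');
  if (raw === null) return consent; // no selection made: treat as declined

  // The value is a URL query string; URLSearchParams also decodes %3A and %2C
  // when the group list arrives percent-encoded.
  const groups = new URLSearchParams(raw).get('groups');
  if (!groups) return consent;

  for (const entry of groups.split(',')) {
    const [code, flag, ...extra] = entry.trim().split(':');
    if (extra.length === 0 && KNOWN_GROUPS.includes(code)) {
      consent[code] = flag === '1';
    }
  }
  return consent;
}

// Constructed sample inputs (not captured from a real site).
const SAMPLE_ACCEPTED =
  'theme=dark; OptanonConsent=version=1&groups=C0001%3A1%2CC0003%3A1%2CC0002%3A1%2CC0004%3A1';
const SAMPLE_DECLINED = 'OptanonConsent=groups=C0001:1,C0003:0,C0004:0,C0002:0';
const SAMPLE_MALFORMED = 'OptanonConsent=groups=C0004:yes,C0002,C9999:1';

for (const sample of [SAMPLE_ACCEPTED, SAMPLE_DECLINED, SAMPLE_MALFORMED, '']) {
  console.log(parseConsentGroups(sample));
}
```

Gate any tracking code on `parseConsentGroups(...).C0004 === true` rather than on the absence of a "0", so that an unset or damaged cookie never enables tracking.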

Screen capture showing the President’s site as viewed for the first time from an EU member state (in this example, Germany).
