
OneTrust Cookie Consent Not Working? Common Issues and Fixes
OneTrust is the enterprise standard for consent management. It powers thousands of high-traffic websites, including many Fortune 500 companies. But enterprise-grade features come with enterprise-grade complexity. If your OneTrust implementation is showing the banner yet still leaking cookies, you are not alone. This guide covers the most common root causes and gives you a practical debugging workflow.
How OneTrust blocking actually works
OneTrust uses a combination of geolocation rules, category-based script suppression and template configuration. Unlike simpler CMPs, it does not rely on a single global script. Instead, it evaluates the user's location, the domain, the page path and the active template before deciding which scripts to block.
| Component | Purpose | What breaks |
|---|---|---|
| Geolocation rules | Determine which banner template to show based on IP | Wrong region mapping shows a non-blocking template |
| Categorization | Classify each cookie/script into necessary, functional, analytics, advertising | Missing or wrong category lets scripts through |
| Script suppression | Replace blocked scripts with placeholders | Inline scripts, dynamically injected tags, or non-standard loaders bypass suppression |
| Cookie classification | Identify cookies found during scans | New cookies added between scans are unclassified |
Issue 1: Geolocation rules show the wrong template
OneTrust can be configured to show a strict "Opt-in" banner for EU visitors and a relaxed "Opt-out" banner for US visitors. If your geolocation database is outdated or your CDN masks the real IP, EU users might see the US template. That template often allows analytics cookies by default.
How to check geolocation configuration
- Log in to the OneTrust admin panel.
- Navigate to Geolocation Rules under your domain configuration.
- Verify that your country is mapped to a template with Opt-in behavior.
- Check the IP detection method. If you use a CDN (Cloudflare, Akamai, Fastly), ensure the `X-Forwarded-For` header is trusted.
- Test from a VPN endpoint in Germany, France and Poland.
Issue 2: Scripts load before the OneTrust library
This is the same classic race condition we see with Cookiebot, but OneTrust makes it harder to spot because the library is often loaded via a complex tag manager setup. If GTM, Tealium or Adobe Launch loads before OneTrust initializes, those tags fire unimpeded.
The fix is conceptually simple: load OneTrust first. In practice, this means moving the OneTrust loader above your tag manager container in the HTML. If your CMS injects scripts automatically (WordPress plugins, Shopify apps, Wix), you may need to customize the theme template or use a priority hook.
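An added example (not part of the original article and not OneTrust code) of checking load order statically: it walks a page's `<script>` tags in document order and reports any tag manager that appears before the OneTrust loader, or when no loader is present. The loader file name `otSDKStub.js`, the tag manager hosts and the `type="text/plain"` plus `optanon-category-*` placeholder convention are assumptions about a typical deployment; the sample HTML is constructed.

```javascript
// Added example, not OneTrust code. Host patterns are assumptions; extend for your stack.
const ONETRUST_LOADER = /otSDKStub\.js/i;
const TAG_MANAGERS = [
  { name: "Google Tag Manager", pattern: /googletagmanager\.com/i },
  { name: "Tealium", pattern: /tags\.tiqcdn\.com/i },
  { name: "Adobe Launch", pattern: /assets\.adobedtm\.com/i },
];

// Read one quoted attribute value out of a <script ...> attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i").exec(attrs);
  return m ? m[1] || m[2] || "" : "";
}

// Walk <script> tags in document order; report tag managers not gated by OneTrust.
function auditScriptOrder(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    scripts.push({
      position: scripts.length,
      text: attr(m[1], "src") + " " + m[2], // external URL plus inline body
      // A text/plain script with an optanon-category-* class stays inert until consent.
      suppressed: attr(m[1], "type").toLowerCase() === "text/plain" &&
        /(?:^|\s)optanon-category-/i.test(attr(m[1], "class")),
    });
  }
  const loader = scripts.find((s) => ONETRUST_LOADER.test(s.text));
  const findings = [];
  for (const s of scripts) {
    const tm = TAG_MANAGERS.find((t) => t.pattern.test(s.text));
    if (!tm || s.suppressed) continue;
    if (!loader) findings.push({ tagManager: tm.name, position: s.position, reason: "no OneTrust loader found" });
    else if (s.position < loader.position) findings.push({ tagManager: tm.name, position: s.position, reason: "loads before OneTrust" });
  }
  return { loaderPosition: loader ? loader.position : -1, findings };
}

// Constructed sample: inline GTM bootstrap placed above the OneTrust loader.
const SAMPLE_HEAD = `
<script>(function(w,d,s,l,i){var j=d.createElement(s);j.src='https://www.googletagmanager.com/gtm.js?id='+i;})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" data-domain-script="EXAMPLE-ID"></script>
<script type="text/plain" class="optanon-category-C0002" src="https://tags.tiqcdn.com/utag/example/main/prod/utag.js"></script>`;

console.log(auditScriptOrder(SAMPLE_HEAD));
```

This only sees markup present in the served HTML; tags injected later by a CMS plugin or another script still need a runtime check in DevTools.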
Issue 3: Unclassified cookies slip through
OneTrust relies on periodic scans to build its cookie database. If a developer adds a new marketing pixel or A/B testing tool between scans, OneTrust does not recognize it. Unclassified cookies are treated differently depending on your admin settings. In many default configurations, they are allowed until manually categorized.
Set a safe default for unclassified cookies
In the OneTrust admin panel, find the setting for unclassified cookies and change it to "Block until classified". This is the safest GDPR-compliant default. Yes, it might accidentally block a legitimate cookie until you categorize it, but that is better than leaking a tracking pixel.
Issue 4: Custom banners bypass script suppression
OneTrust lets you design fully custom banners with CSS and JavaScript. If your custom banner does not properly integrate with the OneTrust consent API, the user might click "Accept" without the library registering the choice. Or worse, the banner might auto-dismiss without recording any consent at all.
- Use the official OneTrust JavaScript API: `OptanonActiveGroups` and `OneTrust.OnConsentChanged`.
- Do not create your own "Accept" button that simply hides the banner. It must call the official consent-granted method.
- Test the custom banner on staging with DevTools open. Confirm that `OptanonActiveGroups` updates after every interaction.
OneTrust debug workflow for developers
- Open Chrome DevTools and go to the Console.
- Type `OptanonActiveGroups` and press Enter. You should see a comma-separated list of active consent groups. Before consent, it should be empty or only contain "C0001" (strictly necessary).
- Reload the page. Check Application > Cookies immediately. No non-essential cookies should appear.
- Interact with the banner (accept all, reject all, customize). Re-check `OptanonActiveGroups`. It should now reflect your choice.
- Check Network tab for requests to known tracking domains. They should only appear after consent.
- If cookies appear early, find the responsible script in the Elements tab and check whether it is wrapped in a OneTrust placeholder.
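The comparison this workflow performs by hand, as an added example that is not part of the original article: it parses `OptanonActiveGroups` and flags cookies whose category has no consent, plus cookies with no category at all. `CATEGORY_RULES`, the sample cookie string and the category IDs other than C0001 are assumptions; build the rules from your own scan results.

```javascript
// Added example: compare the cookies present against OptanonActiveGroups.
// CATEGORY_RULES is a constructed mapping; C0002 and C0004 assume default category IDs.
const CATEGORY_RULES = [
  { pattern: /^Optanon(Consent|AlertBoxClosed)$/, category: "C0001" },
  { pattern: /^_ga/, category: "C0002" },
  { pattern: /^_fbp$/, category: "C0004" },
];

// OptanonActiveGroups looks like ",C0001,C0002,": split and drop empty entries.
function parseActiveGroups(raw) {
  return new Set(String(raw || "").split(",").map((g) => g.trim()).filter(Boolean));
}

// cookieString uses the document.cookie format: "name=value; name2=value2".
function findConsentLeaks(cookieString, rawActiveGroups, rules = CATEGORY_RULES) {
  const active = parseActiveGroups(rawActiveGroups);
  const leaks = [];
  for (const pair of String(cookieString || "").split(";")) {
    const name = pair.split("=")[0].trim();
    if (!name) continue;
    const rule = rules.find((r) => r.pattern.test(name));
    if (!rule) {
      // Unclassified: report it, in line with a "Block until classified" default.
      leaks.push({ name, category: null, reason: "unclassified" });
    } else if (!active.has(rule.category)) {
      leaks.push({ name, category: rule.category, reason: "category not consented" });
    }
  }
  return leaks;
}

// Constructed sample: state captured right after page load, before any banner click.
const SAMPLE_COOKIES = "OptanonConsent=isGpcEnabled=0; _ga=GA1.2.1; ab_bucket=B";
const SAMPLE_GROUPS = ",C0001,";
console.log(findConsentLeaks(SAMPLE_COOKIES, SAMPLE_GROUPS));

// In a browser console, re-run the audit whenever the visitor changes consent.
if (typeof window !== "undefined" && window.OneTrust) {
  window.OneTrust.OnConsentChanged(() =>
    console.table(findConsentLeaks(document.cookie, window.OptanonActiveGroups)));
}
```

`document.cookie` does not expose HttpOnly cookies, so keep checking Application > Cookies for those.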
Detect OneTrust leaks automatically
Stop manual console debugging. ConsentScope tracks cookies, storage and scripts in real time and tells you exactly what fires before consent on your OneTrust-powered site.
FAQ
Why does OneTrust show different banners for the same user?
Check your geolocation rule priority, CDN headers and any A/B tests running on the banner template. Also verify that the user is not switching between mobile and desktop, which may use separate configurations.
How often does OneTrust scan for new cookies?
Depending on your plan, scans run monthly or quarterly. For active development environments, run a manual scan after every release.
Can I block cookies server-side with OneTrust?
OneTrust is primarily a client-side solution. Server-side blocking requires custom integration with their API or a separate server-side consent module. Most websites rely on client-side suppression.
ConsentScope Team
Verified author
Privacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.