SuperGeekery: A blog probably of interest only to nerds by John F Morton.

A blog prob­a­bly of inter­est only to nerds by John Morton.

01Feb2022

OneTrust block­ing video play­back due to pri­va­cy setting

I always feel like somebodys watching me
This image is from the film "It Follows". A good and creepy movie.

I have sev­er­al clients that use OneTrust for cook­ie con­sent. Each orga­ni­za­tion has dif­fer­ent con­fig­u­ra­tions for its OneTrust implementation.

Today we encoun­tered a tricky sit­u­a­tion that I want­ed to share. This par­tic­u­lar orga­ni­za­tion’s OneTrust con­fig­u­ra­tion is set to auto” which means OneTrust will active­ly enforce the user’s cook­ie pref­er­ences with­out much con­fig­u­ra­tion. The auto” set­ting makes imple­ment­ing OneTrust much eas­i­er, but we hit a road­block when it came to allow­ing video play­back for users who choose not to have track­ing enabled. 

We have a page with a play but­ton that, when clicked, inserts an iframe with the Vimeo play­er with Javascript. When the iframe is pro­gram­mat­i­cal­ly cre­at­ed, we first check the OneTrust cook­ie pref­er­ences, and only if the user has active­ly accept­ed track­ing cook­ies, do we track the video. We use Vimeo’s dnt attribute (see the docs here) which allows us to tell Vimeo whether do not track” is true or false for this video. In the fol­low­ing iframe we set dnt equal to 1 which means do not track” is turned on, which pre­vents tracking.

<iframe src="https://player.vimeo.com/video/12345?autoplay=1&muted=0&dnt=1"></iframe>
Vimeo dnt parameter 01 FEB2022

Screenshot of Vimeo player parameters for `dnt` parameter, 01FEB2022

This means we are han­dling the user’s track­ing pref­er­ences. But OneTrust’s auto fea­ture does not detect the dnt=1 in the iframe and still pre­vents this video from playing. 

OneTrust rewrites the iframe after it is insert­ed into the page, replac­ing the src with a data-src attribute. It also adds the class optanon-category-C0004. The iframe basi­cal­ly ends up like this.

<iframe src="https://player.vimeo.com/video/12345?autoplay=1&muted=0&dnt=1" class='optanon-category-C0004'></iframe>

Obvi­ous­ly, with­out an src attribute, the video would not play.

A solu­tion

If you are con­fi­dent you are han­dling the OneTrust set­tings a user has set, you can over­ride the auto set­ting on a tag-lev­el basis. There is a page on Cook­iePro by OneTrust that men­tions the data-ot-ignore attribute to tell OneTrust to skip this tag. The exam­ple shown on that page uses a script tag, but it will also work on an iframe with an src attribute. Here’s how the iframe I men­tioned at the begin­ning looks after adding that attribute. 

<iframe src="https://player.vimeo.com/video/12345?autoplay=1&muted=0&dnt=1" data-ot-ignore></iframe>

You’ll see we are not track­ing by set­ting dnt=1 and we’re telling OneTrust to leave this tag alone with data-ot-ignore since we’re hand­ing the track­ing. Now the videos will play on our page and not track a user.

Ser­vices are rewrit­ten by OneTrust auto

Vimeo is not the only tag that will be inter­cept­ed by OneTrust. The list from their site is long. If you’ve found your way to this post, you might be using any of the fol­low­ing ser­vices that are being auto­mat­i­cal­ly rewrit­ten by OneTrust. If you’re con­fi­dent that you are respect­ing the user’s wish­es, the data-ot-ignore attribute might work for you too.

  • addthis​.com
  • addtoany​.com
  • adsrvr​.org
  • ama​zon​-adsys​tem​.com
  • bing​.com
  • bounce​ex​change​.com
  • bouncex​.net
  • criteo​.com
  • criteo​.net
  • dai​ly​mo​tion​.com
  • dou​bleclick​.net
  • everettech​.net
  • face​book​.com
  • face​book​.net
  • goog​lead​ser​vices​.com
  • googlesyn​di​ca​tion​.com
  • krxd​.net
  • liadm​.com
  • linkedin​.com
  • out​brain​.com
  • rubi​con​pro​ject​.com
  • sharethis​.com
  • Taboola​.com
  • twit​ter​.com
  • vimeo​.com
  • yahoo​.com
  • youtube​.com

Good luck. Respect pri­va­cy and don’t track peo­ple that don’t want to be tracked.