CMP Comparison

Does OneTrust Make You CCPA Compliant? An Audit View

OneTrustis a consent management platform, not a network-layer auditor. Here’s what it does well, and what it structurally can’t see.

What OneTrust does well

OneTrust is one of the most widely deployed consent management platforms, and for good reason: it gives legal and privacy teams a real interface for configuring cookie categories, publishing a compliant banner, and blocking the specific scripts you tell it to block. In our audit of 50 live sites, OneTrust reliably enforced the rules it was configured with.

What OneTruststructurally can’t see

A CMP manages consent intent— the rules it’s configured with. It doesn’t verify what actually fires on the wire. These gaps aren’t unique to OneTrust; they’re structural to client-side consent management as a category, based on our audit of 50 live sites.

Shadow pixels bypass the configured rule set

A CMP blocks what it knows about at configuration time. When a vendor's pixel starts sharing data with additional third-party networks after installation — a "shadow pixel" — the CMP's rule set doesn't update automatically. Our audit found this on 78% of the sites reviewed, regardless of which CMP was in place.

Pixel piggybacking loads scripts the CMP never sees

An authorized script (a chat widget, an embed) can load additional third-party scripts of its own — trackers that were never registered in the CMP and so were never categorized or blocked. This showed up on 65% of audited sites.

Server-side tracking is invisible to client-side consent tools

OneTrust operates in the browser. It cannot see traffic that a server-side tag manager or server-side analytics pipeline sends directly, outside the page the CMP is running on. The dashboard can report "blocked" while the server continues forwarding data.

No independent verification that GPC opt-outs actually stop network traffic

A CMP can be configured to recognize the Global Privacy Control signal, but recognizing the signal and actually halting every downstream request are different things. Verifying that outcome requires inspecting real network traffic after the signal is sent — something outside what a consent-management dashboard reports on itself.

Frequently asked questions

Does OneTrust make my site CCPA compliant on its own?

OneTrust helps you configure and publish the consent mechanisms CCPA/CPRA requires, such as opt-out links and cookie categorization. It does not independently verify that every tracker on your site actually stops firing after a consumer opts out — that requires network-layer inspection, which is a different function than consent management.

Can OneTrust detect shadow pixels or piggybacked tags?

OneTrust scans and categorizes the scripts it's told about at setup and during periodic re-scans. Shadow pixels — trackers a vendor adds after the initial install — and piggybacked tags loaded inside another script are not part of that configured rule set, so they can go undetected until a fresh scan or an independent network-level audit catches them.

Does OneTrust catch server-side tracking?

No consent management platform that operates client-side, including OneTrust, can see traffic sent directly from your servers or a server-side tag manager. That traffic bypasses the browser entirely, so it falls outside what any CMP dashboard reports.

Should I replace OneTrust with an audit tool like Privisy?

No — they solve different problems. OneTrust manages consent collection and banner configuration. Privisy is an independent audit layer that verifies what's actually happening at the network level, including whether OneTrust's own blocking rules are taking effect in practice. Most teams run both.

Verify your OneTrust setup with an independent audit

Run a free, instant network-layer scan to see exactly what fires on your site, before or after consent.

Run a Free Scan