What is OneTrust

OneTrust is a consent management platform (CMP) that is supported in our Pugpig Bolt apps. It provides a way for users to have control over their personal data and how it is used by other services in the app, such as analytics, push notification or ads.

OneTrust can appear in the app as two separate screens: the Consent Banner and Preferences. You can use any user-facing names you'd like within the app for these screens. In a future version of Bolt we'll be revising this down to just the Consent Banner, as the Preferences are directly accessible from that banner.

OneTrust is fully supported as of Bolt iOS and Android 3.23, though a lighter-touch implementation has been available to customers since Bolt iOS and Android 3.12. Full support for Bolt Web will be added in the coming month, but we do have the ability to show the banner via Google Tag Manager on any version of Bolt Web.

The choices are then stored as per the IAB's CMP API specifications. For example, for Europe the TCF 2.2 specification would be used. Other SDKs in your app that are compliant with the IAB's standards are expected to pick up these choices and alter their functionality accordingly. The exact way they do this is dependent on the provider themselves, and cannot be altered by Pugpig.

If the user has not seen the consent dialogue and made their choices, the SDKs will not have information to access and will follow the default behaviour described in their documentation. In most cases this means the user will be opted-in. This will no longer apply if the app is on Bolt 3.23+, existing users who update the app to get on this version will see the consent modal.

Additionally, as of Bolt 3.22, these choices are passed to our webviews, such as timelines and the content, so that they can be included in our Google Ad Manager requests, more information on why this is important can be found in the specific documentation on this.

As always, your consent and privacy policies are entirely your choice. Pugpig Bolt aims to give you the tools necessary to implement this policy in your app, but we can't guide you on what you should or should not be doing, this is better left to your legal teams!

Screens

Settings	Consent banner	Preferences

Geolocation rules

OneTrust allows you to set different behaviours by region. This is particularly important for customers with audiences in both GDPR regions and outside of them. In these cases we can enforce interacting with the consent modal on start up where necessary, while for other regions it will only accessible from the settings tab. This is controlled with the “Show banner” flag on the individual Geolocation rules

What is required for OneTrust set up

For us to add OneTrust to your app, we will require the following:

• Mobile App ID
• CDN Location
• Language Code.

These can all be found in your OneTrust account. Under SDK's in the left-hand menu of Mobile App Consent select the app in question, the “Instructions” tab will then display the necessary data. You should provide us the Mobile App ID and CDN Location for the production environment, unless you explicitly want to use the test environment during pre-release. 

We currently support one language of the SDK, if your app is predominantly in English this will be EN, otherwise let us know which language code you'd prefer.

You're then free to submit your ipa and apk/aab to OneTrust for scanning, this will identify the different third-parties being used in your app and use those to automatically populate the modal.

For your side of the integration, you'll need to configure everything in the OneTrust console, such as the styling, copy and options.

It's crucial that the version of OneTrust that you have published aligns with the version which is baked into the Bolt/app version you are using! The OneTrust screens will not be displayed if this is not the case (for example, if a different version is subsequently published in the OneTrust dashboard).

On 3.17.5 we baked in OneTrust version 202309.1.0[.0].

In 3.21 we've added the ability to support per-build OneTrust versioning. Where possible we recommend being on the most up-to-date version of the SDK.