Unified Consent Configuration Guide

A quick-start guide for implementing unified consent across multiple domains and devices.

Summary

This guide describes how to implement the TrustArc Unified Consent system so that a single authenticated user's consent preferences are shared seamlessly across all your grouped domains and devices.

Backend
Generate an HMAC-SHA256 signature server-side using TrustArc credentials.
Frontend
Inject the user context into the page template before loading the CCM script.
Sync
Consent syncs immediately on first visit; updates propagate within 24 hours.
Implementation Steps
1
Backend: Generate Signature Server-Side

On every page render that requires unified consent, generate an HMAC-SHA256 signature using your TrustArc secret key and the authenticated user's stable identifier. The secret key must never leave the server.

ⓘ Prerequisites
You will need the following values from TrustArc:
CCM_SECRET_KEY — base64-encoded secret key
CCM_KEY_ID — key identifier

Store these in your secret manager or environment variables. Never commit them to source control.
constcrypto=require('crypto');
 
functiongenerateAuthMac(secretKey, userId) {
  consthmac = crypto.createHmac('sha256', Buffer.from(secretKey,'base64'));
  hmac.update(userId);
  returnhmac.digest('base64');
}
 
// In your page rendering logic
app.get('/', (req, res) => {
  constuserId = req.user.uuid;   // your authenticated user identifier
 
  // CCM_SECRET_KEY and CCM_KEY_ID are provided by TrustArc
  constauthMac =generateAuthMac(CCM_SECRET_KEY, userId);
 
  res.render('index', {
    ccmUserId:  userId,
    ccmAuthMac: authMac,
    ccmKeyId:   CCM_KEY_ID
  });
});

▸ Adapt the pattern above to your backend technology or framework.

2
Frontend: Add User Context

In your page template, inject the user context object before the CCM script loads. The order is critical — window.truste.eu.user must exist when the consent script initializes.

⚠ Order matters
Always place the user context script above the CCM notice script tag. Reversing the order will break consent synchronization.
<!-- Step 1: Inject user context generated server-side -->
<scripttype="text/javascript">
  window.truste      = window.truste      || {};
  window.truste.eu  = window.truste.eu  || {};
  window.truste.eu.user = {
    id:           '<%= ccmUserId %>',   // From your server
    authMac:      '<%= ccmAuthMac %>',  // Generated server-side
    authSecretId: '<%= ccmKeyId %>'    // From environment config
  };
</script>
 
<!-- Step 2: Load CCM script as usual -->
<scriptsrc="https://consent.trustarc.com/notice?domain=yourdomain.com&js=bb&noticeType=bb"
       type="text/javascript"></script>
3
Testing

Use the following end-to-end test with the same authenticated user across two grouped domains:

①  Consent on Site A
While authenticated as user X, accept or customize consent preferences on domain A.
②  Visit Site B
Still authenticated as user X, navigate to the second grouped domain.
③  Verify sync
Confirm no banner appears and that preferences from Site A are applied automatically.
Frequently Asked Questions
👥  General Questions
Do users need to log in for this to work?
Yes. You must identify the user with a consistent user_id (such as their email or internal user ID). Anonymous users will still see consent banners on each domain and device.
What user identifier should I use?
Use any consistent, privacy-compliant identifier:
  Internal user ID
  Hashed username
  Do not use: IP addresses, session IDs, or temporary identifiers
Can I use this with unauthenticated users?
No. The feature requires a user identifier to link consent across domains and devices. For unauthenticated users, consent remains instance-specific.
⚙  Instance Configuration
What if my instances have different categories?
All grouped instances must have matching categories. If categories do not match, consent cannot be synchronised.
What happens if I change categories on one instance after grouping?
Consent synchronisation may fail or produce unexpected results. Ensure category changes are applied across all grouped instances simultaneously.
↻  Consent Synchronization
How fast is consent synchronized?
Immediate — when a user first visits a new domain or device (if consent already exists).
Within 24 hours — for updates to existing consent preferences.
What if a user changes their preferences?
The change is stored immediately. Other devices and domains will see the update within 24 hours. You can trigger a manual sync by clearing the consent_sync cookie.
Does the banner show on every device?
Possibly on the first visit per device. However, if the user has already consented on another device and the same user_id is provided, the banner will not appear on subsequent visits.
How long is consent stored?
Based on your CCM configuration — between 1 and 13 months.
🔒  Security & Privacy
Can someone forge a signature?
Not without access to your secret key. The signature must be generated server-side, and the secret key must never be exposed to the client or committed to version control.
Do I need to update my consent banner or privacy policy?
Yes. TrustArc recommends updating your banner copy and/or privacy policy to include details about the Unified Consent feature — specifically that consent preferences are shared across your browsers, apps, and websites.
Are there countries or regions where this functionality is not recommended?
This feature is primarily designed to improve user experience and reduce repeated consent requests, in compliance with regulations such as CCPA/CPRA. Consult your legal team regarding any country- or region-specific restrictions before enabling it.