A quick-start guide for implementing unified consent across multiple domains and devices.
Summary This guide describes how to implement the TrustArc Unified Consent system so that a single authenticated user's consent preferences are shared seamlessly across all your grouped domains and devices.
|
1 | Backend: Generate Signature Server-Side |
On every page render that requires unified consent, generate an HMAC-SHA256 signature using your TrustArc secret key and the authenticated user's stable identifier. The secret key must never leave the server.
ⓘ Prerequisites You will need the following values from TrustArc: • CCM_SECRET_KEY — base64-encoded secret key • CCM_KEY_ID — key identifier Store these in your secret manager or environment variables. Never commit them to source control. |
constcrypto=require('crypto');
functiongenerateAuthMac(secretKey, userId) {
consthmac = crypto.createHmac('sha256', Buffer.from(secretKey,'base64'));
hmac.update(userId);
returnhmac.digest('base64');
}
// In your page rendering logic
app.get('/', (req, res) => {
constuserId = req.user.uuid; // your authenticated user identifier
// CCM_SECRET_KEY and CCM_KEY_ID are provided by TrustArc
constauthMac =generateAuthMac(CCM_SECRET_KEY, userId);
res.render('index', {
ccmUserId: userId,
ccmAuthMac: authMac,
ccmKeyId: CCM_KEY_ID
});
});
|
▸ Adapt the pattern above to your backend technology or framework.
2 | Frontend: Add User Context |
In your page template, inject the user context object before the CCM script loads. The order is critical — window.truste.eu.user must exist when the consent script initializes.
⚠ Order matters Always place the user context script above the CCM notice script tag. Reversing the order will break consent synchronization. |
<!-- Step 1: Inject user context generated server-side -->
<scripttype="text/javascript">
window.truste = window.truste || {};
window.truste.eu = window.truste.eu || {};
window.truste.eu.user = {
id: '<%= ccmUserId %>', // From your server
authMac: '<%= ccmAuthMac %>', // Generated server-side
authSecretId: '<%= ccmKeyId %>' // From environment config
};
</script>
<!-- Step 2: Load CCM script as usual -->
<scriptsrc="https://consent.trustarc.com/notice?domain=yourdomain.com&js=bb¬iceType=bb"
type="text/javascript"></script>
|
3 | Testing |
Use the following end-to-end test with the same authenticated user across two grouped domains:
① Consent on Site A While authenticated as user X, accept or customize consent preferences on domain A. | → | ② Visit Site B Still authenticated as user X, navigate to the second grouped domain. | → | ③ Verify sync Confirm no banner appears and that preferences from Site A are applied automatically. |
user_id (such as their email or internal user ID). Anonymous users will still see consent banners on each domain and device.✓ Internal user ID
✓ Hashed username
✗ Do not use: IP addresses, session IDs, or temporary identifiers
Within 24 hours — for updates to existing consent preferences.
consent_sync cookie.user_id is provided, the banner will not appear on subsequent visits.