Case Study
Jan 26 | 5 min read

Global Privacy Control Compliance: From Fragmented Opt-Outs to Unified, Cross-Channel Consent

"Nothing could've gone better. Great experience working with FLLR."

A national quick-service restaurant brand with a rapidly growing digital footprint found itself at a familiar crossroads. Like many consumer brands operating across web, mobile, and customer support channels, their privacy program had evolved in pieces. Cookie consent lived on the website. Mobile app permissions followed a different logic. Call center opt-outs were handled manually. None of it was fully connected.

What caught our eye was the timing. Global Privacy Control (GPC) opt-out requirements were no longer theoretical. Regulators were actively enforcing them, and the gap between stated compliance and operational reality was becoming harder to ignore. For this brand, the question was simple and uncomfortable. If a customer opts out anywhere, does it actually propagate everywhere?

The Challenge

On paper, the company had the right tools. They were already using OneTrust for consent management and mParticle as their customer data platform. In practice, those systems were not speaking the same language.

Several issues surfaced quickly:

  • GPC signals detected on the website were not consistently enforced across downstream systems.
  • Call center opt-outs lived outside the digital consent stack entirely. An agent could record a preference, but it did not automatically disable cookies or tracking technologies.
  • Web and mobile consent were treated as separate experiences, with no reliable way to sync user choices across devices.
  • Re-consent events triggered in one channel were not flowing back into OneTrust, creating drift over time.

The bottom line was risk. A user could explicitly opt out via GPC or a customer service call and still be tracked elsewhere. That is exactly the kind of inconsistency regulators focus on, and it undermines customer trust just as quickly.

Our Approach

We started with a reality check. This was not a OneTrust problem or an mParticle problem. It was an implementation problem.

Our team was brought in to design an end-to-end consent architecture that treated user choice as a first-class data signal, not a UI event. That meant a few non-negotiables:

  • One system of record for consent.
  • Authenticated consent where identity was known.
  • Real-time propagation of opt-outs and re-consents across all channels.
  • Enforcement that actually turned technologies off, not just logged preferences.

We performed a quick audit of the existing OneTrust configuration, mParticle event flows, and call center processes. From there, we designed a consent model that could support GPC signals, authenticated users, and cross-device synchronization without creating operational drag for marketing or support teams.

Implementation

Authenticated Consent Flow

The implementation rolled out in tightly coordinated phases. First, we re-architected the consent flow in OneTrust to support authenticated users. This allowed consent decisions to be tied to a known identity when available, rather than relying solely on anonymous cookies that break down across devices.

CDP Integration

Next came the integration with the CDP. We connected OneTrust consent states directly into mParticle so that every downstream destination received a consistent, enforceable signal. When a user opted out, data stopped flowing. When a user re-consented, that state was reflected upstream and downstream automatically.

Call Center Workflow

A critical piece was the call center workflow. We designed and implemented logic so that when a customer opted out through an agent, that choice immediately disabled cookies and tracking technologies tied to that user. No waiting. No manual reconciliation. This closed a gap we are seeing across many consumer brands.

Mobile App Alignment

Mobile required special attention. Our team wrote and deployed the necessary mobile app code changes to align app consent behavior with the web experience. Consent collected in the app synced back to OneTrust. Web consent synced to mobile. The result was a single, shared consent state that traveled with the user, not the device.

Architecture and Validation

Throughout the project, we handled the full architecture and design work. That included data mapping, event design, enforcement rules, and validation testing to ensure GPC signals were honored consistently.
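
A minimal model of the consent flow described above, added here as an illustration (not code from FLLR, OneTrust, or mParticle): one consent record per identity, fed by web GPC signals, the mobile app, and the call center, with a gate checked before any event is forwarded downstream. The class, method, channel, and id names are hypothetical; the default-allowed behaviour and the rule that an opt-out wins when anonymous and authenticated states are merged are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ConsentStore:
    """One tracking-consent record per subject (user id, else device id)."""
    default_allowed: bool = True                 # assumption: opt-out model
    state: dict = field(default_factory=dict)    # subject -> (allowed, channel, ts)
    links: dict = field(default_factory=dict)    # device_id -> user_id

    def _subject(self, device_id=None, user_id=None):
        # Prefer the known identity; fall back to the anonymous device.
        return user_id or self.links.get(device_id) or device_id

    def record(self, channel, allowed, ts, device_id=None, user_id=None):
        subject = self._subject(device_id, user_id)
        current = self.state.get(subject)
        if current is None or ts >= current[2]:  # newest decision wins
            self.state[subject] = (allowed, channel, ts)

    def observe_web_request(self, headers, ts, device_id, user_id=None):
        # Sec-GPC: 1 is the opt-out request header from the GPC specification.
        lowered = {k.lower(): v.strip() for k, v in headers.items()}
        if lowered.get("sec-gpc") == "1":
            self.record("web-gpc", False, ts, device_id, user_id)

    def link(self, device_id, user_id):
        """On login, fold the device's anonymous state into the user record."""
        anon = self.state.pop(device_id, None)
        known = self.state.get(user_id)
        self.links[device_id] = user_id
        # Assumption: when the two sides disagree, the opt-out wins the merge.
        if anon and (known is None or (known[0] and not anon[0])):
            ts = anon[2] if known is None else max(anon[2], known[2])
            self.state[user_id] = (anon[0], anon[1], ts)

    def may_forward(self, device_id=None, user_id=None):
        """Enforcement gate: call before sending an event downstream."""
        rec = self.state.get(self._subject(device_id, user_id))
        return self.default_allowed if rec is None else rec[0]

def run_scenario():
    """Constructed sample events; returns the gate decision after each step."""
    s, out = ConsentStore(), []
    s.observe_web_request({"Sec-GPC": "1"}, ts=1, device_id="web-1")
    s.link("web-1", "u42"); s.link("app-9", "u42")        # same user, two devices
    out.append(s.may_forward(device_id="app-9"))          # GPC on web reaches mobile
    s.record("mobile-app", True, ts=5, device_id="app-9") # re-consent in the app
    out.append(s.may_forward(device_id="web-1"))
    s.record("call-center", False, ts=9, user_id="u42")   # agent records opt-out
    s.record("web", True, ts=3, device_id="web-1")        # late, stale event
    out.append(s.may_forward(device_id="web-1"))
    return out
```

The same scenario doubles as a validation test: each channel boundary named in the case study (web to mobile, app re-consent back to web, call center to every device) is a gate decision that can be asserted on.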

Results

GPC Signal Enforcement

  • Before: Not consistently enforced across downstream systems
  • After: Enforced across web, mobile, and downstream marketing systems

Call Center Opt-Outs

  • Before: Administrative notes only; no technical enforcement
  • After: Immediate, automatic disabling of cookies and tracking technologies

Cross-Device Consent

  • Before: Web and mobile treated separately with no sync
  • After: Single shared consent state that travels with the user

Consent Drift

  • Before: Re-consent events not flowing back to OneTrust
  • After: Consent states stay in sync across devices and platforms

Data Usability

  • Before: Risk of tracking users who had opted out
  • After: Marketing and analytics retain usable data only where consent allows

Just as importantly, the internal teams gained confidence. They could answer regulator or consumer questions with clarity, because the system behavior was provable.

Looking Ahead

What actually works in GPC compliance is not buying another platform. It is designing consent as infrastructure. This engagement reinforced a pattern we are seeing across consumer brands. The tools are powerful, but only if they are wired together correctly and enforced end to end. When consent flows break at channel boundaries, risk accumulates quietly.

By treating consent as a shared, authenticated signal and aligning OneTrust, the CDP, mobile apps, and call center workflows, this team moved from fragmented compliance to operational control.

If you’re facing similar questions about GPC enforcement, cross-device consent, or call center opt-outs, the decision point is straightforward. You can keep patching workflows, or you can design it once and make it stick. We can help with that.
