A national weather and local news media company operating across web, mobile, and connected TV platforms found itself managing privacy consent in too many places at once. With streaming apps on Roku, Fire TV, Apple TV, Android, and iOS, plus multiple web properties, the organization had outgrown its original consent implementation. User choices made on one device were not recognized on another. Opt-out signals were handled inconsistently across platforms. No single team had visibility into whether consent was actually being enforced at the SDK level.
For a media company with millions of daily users across its streaming platforms, this created real exposure. State privacy laws now require companies to honor Global Privacy Control (GPC) signals and ensure opt-out preferences propagate across all touchpoints. The company had already invested in OneTrust but recognized that the platform was not configured to handle the complexity of its environment. It engaged FLLR to audit the existing implementation, close the gaps, and build a consent architecture that could scale.
The Challenge
The organization faced interconnected problems across every layer of its consent infrastructure.
Fragmented Consent Across Platforms
- Each app (Roku, Fire TV, tvOS, Android Mobile, Android TV) had been deployed with its own OneTrust configuration, with no centralized governance
- User opt-out preferences on one platform were invisible to other platforms
- There was no mechanism to synchronize consent state for authenticated users moving between devices
Inconsistent SDK Enforcement
- Third-party SDKs (including Google IMA for advertising) were not consistently respecting consent signals
- Some apps were missing entire consent categories, causing downstream compliance gaps in GPP string generation
- Enforcement logic for "Selling or Sharing" varied by platform, creating regulatory exposure
Cookie Consent Drift
- Web properties had accumulated new tags, scripts, and pixels since the initial deployment
- Cookie categorization was out of date, with unclassified cookies firing before consent was collected
- GPC signal handling was inconsistent across domains
No Cross-Device Identity Resolution
- The organization wanted authenticated users to carry consent preferences across devices, but had no working implementation
- An earlier attempt at cross-device consent had stalled due to integration complexity with its authentication layer
The Bottom Line
- The company could not demonstrate that a user's opt-out on their phone would be honored when that same user opened the app on their smart TV
- This gap represented both regulatory risk and a breakdown in the privacy promise they were making to users
Our Approach
We started with a comprehensive audit of the existing OneTrust environment, but our focus extended beyond configuration. The real question was whether consent decisions were actually being enforced where data collection happens: the SDK.
Our guiding principle was simple. Consent is only meaningful if it changes system behavior. A banner that collects preferences but does not block data collection is worse than useless.
We worked with the client's engineering and product teams to map every SDK in every app to its corresponding consent category in OneTrust. Where SDKs were missing from configurations, we added them. Where enforcement logic was absent, we designed it. We also established a governance framework so that new SDK integrations would be properly categorized before deployment.
For cross-device consent, we took a phased approach. Rather than solving everything at once, we prioritized getting each platform's native consent implementation working correctly first. Only then did we move to the harder problem of synchronizing consent across authenticated sessions.
Implementation
Cookie Consent Audit and Remediation
We conducted fresh scans of all web properties and reconciled results against the existing cookie inventory. New tags and pixels were categorized. Google Tag Manager configurations were audited to ensure proper consent gating. We validated GPC signal handling and ensured banner language accurately reflected how opt-out signals would be processed.
Mobile and CTV SDK Configuration
This was the most technically demanding workstream. We audited each app (Roku, Fire TV, tvOS, Android Mobile, Android TV) to ensure OneTrust SDK configurations matched the actual third-party SDKs present in each build. For apps using Google's Interactive Media Ads (IMA) SDK, we implemented enforcement logic so that opting out of "Selling or Sharing" would trigger Limited Ads mode. We also resolved issues with GPP string generation, which required adding missing consent categories to several app configurations.
Privacy Rights Automation
We reviewed the existing web intake forms and fulfillment workflows for access and deletion requests. The workflows were functional but needed refinement: routing rules were updated, ID validation logic was tightened, and automated response templates were aligned with current requirements.
Universal Consent and Preference Management
We configured OneTrust's Universal Consent module to serve as the system of record for consent across all collection points. This included defining data subject groups, mapping consent purposes to collection points, and deploying a global preference center for authenticated users.
Cross-Device Consent Foundation
We configured the Consent Rate Optimization module to enable consent synchronization for authenticated users. This involved working with the client's engineering team on JWT integration and deploying updated script tags across web and app environments. While full cross-device sync required additional client-side work, we established the OneTrust configuration and validated profile syncing in test environments.
Governance and Enablement
We delivered operational playbooks for both cookie consent and mobile/CTV consent management, covering ongoing governance tasks: scanning and categorizing new cookies, managing mobile app SDK updates, publishing configuration changes, and validating enforcement. We conducted training sessions to ensure the client's team could operate independently.
Results
Platform Coverage
- Before: Consent configurations varied by app with no central governance
- After: Standardized OneTrust implementation across Roku, Fire TV, tvOS, Android Mobile, Android TV, and web
SDK Enforcement
- Before: Third-party SDKs not consistently respecting consent signals
- After: Enforcement logic implemented for advertising SDKs including Google IMA; consent categories aligned across all apps
GPP String Generation
- Before: Missing consent categories caused incomplete privacy strings
- After: All platforms generating valid GPP strings with complete US Privacy signals
Cross-Device Consent
- Before: No mechanism to sync preferences for authenticated users
- After: Consent Rate Optimization configured with JWT integration; foundation in place for cross-device sync
Cookie Compliance
- Before: Stale cookie inventory with unclassified tags
- After: Updated scans, current categorization, and validated GPC signal handling
Operational Readiness
- Before: Ad hoc troubleshooting with no documented processes
- After: Governance playbooks and trained internal team for ongoing management
The Bigger Picture
This engagement illustrates a challenge we see often in streaming media: the gap between having a consent management platform and having consent management that actually works. OneTrust could do what this client needed, but out-of-the-box configurations do not account for the complexity of multi-platform streaming environments where consent must propagate from banner to SDK to ad server across a dozen different app builds.
By auditing enforcement at the SDK level, standardizing configurations across platforms, and building a foundation for cross-device consent, we helped this organization move from fragmented compliance to unified privacy operations. User choices are now not just collected but honored, across every screen.
If your organization operates across web, mobile, and CTV and you are not confident that consent preferences are being enforced consistently, that is the gap worth closing. Our team is ready to help.

