Consent Management Platform (CMP) explained
A Consent Management Platform (CMP) helps websites collect, manage, and communicate user consent for cookies and personal data processing under regulations such as GDPR and the ePrivacy Directive.
Consent Management Platform (CMP)
**What Is a Consent Management Platform (CMP)?**
A Consent Management Platform (CMP) is software that collects, stores, and communicates user consent for cookies and personal data before any tracking begins. Under GDPR, ePrivacy, and CCPA, websites using analytics, advertising, or personalisation tools must obtain valid consent. A CMP is the technical system that makes this legally operational.
A Consent Management Platform (CMP) is a software solution that helps websites collect, manage, store, and communicate user consent for cookies and personal data processing under regulations including the GDPR, ePrivacy Directive, CCPA, and the Digital Markets Act (DMA).
A CMP enables websites to present consent choices to users, record their preferences, prevent non-essential data collection until consent is given, and send consent signals to analytics, advertising, and marketing technologies integrated with the site.
Why is a consent management platform important?
Modern privacy laws require websites to obtain valid, informed, and freely given consent before placing non-essential cookies or processing personal data for purposes such as analytics, advertising, or personalisation. The consequences of non-compliance are significant:
Regulation | Maximum penalty |
|---|---|
GDPR (EU/EEA) | €20 million or 4% of global annual turnover (whichever is higher) |
CCPA / CPRA (California) | $7,500 per intentional violation |
Up to £17.5 million or 4% of global turnover | |
Up to 10% of global annual turnover |
A CMP helps organisations manage this exposure by:
- Displaying compliant cookie and consent notices before non-essential tracking begins
- Offering granular consent choices: analytics, marketing, and functional separately
- Blocking or adjusting tags and scripts until consent is granted
- Storing auditable proof of consent decisions with timestamps and categories
- Communicating consent signals to tools like Google Analytics 4 and Google Ads
- Enabling users to withdraw or modify consent at any time
How does a consent management platform work?
A CMP typically operates in five stages when a user visits a website:
1. Consent notice display
When a user arrives on a website, the CMP detects the user's region and applicable regulatory requirements. It then displays a consent banner or modal interface that explains what data is collected, by whom, and for what purposes (e.g., analytics, advertising, personalisation).
2. User choice collection
The user selects one of the available options: accept all, reject all, or customise their preferences by consent category. The CMP must present these options with equal prominence; pre-ticked boxes or dark patterns are not permitted under GDPR.
3. Consent storage
The CMP securely records the user's decision, storing:
- The categories of consent granted or denied
- The timestamp of the consent event
- The user's geographic region
- The version of the consent notice presented
This creates an auditable consent record that organisations can produce in the event of a regulatory investigation.
4. Signal communication
Based on the consent decision, the CMP instructs integrated tools and scripts to activate or remain inactive. Signals are sent to:
- Google Consent Mode (ad_storage, analytics_storage, ad_user_data, ad_personalization)
- Google Tag Manager controls which tags fire
- Advertising pixels (Meta, LinkedIn, TikTok, etc.)
- Third-party analytics and personalisation tools
5. Ongoing preference management
Users can revisit and modify their consent choices at any time through a preference centre, typically accessible via a floating button or footer link. The CMP updates its stored record and re-signals integrated tools accordingly.
CMP vs cookie banner vs Google Consent Mode: what is the difference?
These three terms are frequently confused. They serve different and complementary roles in a privacy-compliant website architecture.
Feature | Cookie banner | CMP | Google Consent Mode |
|---|---|---|---|
Displays consent notice to user | ✅ | ✅ | ❌ |
Stores user consent decision | ❌ | ✅ | ❌ |
Blocks non-consented scripts | Sometimes | ✅ | ❌ |
Sends structured consent signals | ❌ | ✅ | ✅ (receives them) |
Enables regulatory consent record | ❌ | ✅ | ❌ |
Adapts Google tag behaviour | ❌ | Via integration | ✅ |
In plain terms, a cookie banner is a visible notice. A CMP is the system that manages the full consent lifecycle. Google Consent Mode is a Google framework that adapts tag behaviour based on the signals a CMP sends. You need all three working together for a compliant, measurement-functional setup.
Is a consent management platform required under GDPR?
The GDPR does not mandate a specific technical tool. However, Article 7 of the GDPR requires organisations to demonstrate that valid consent has been obtained, including what was consented to, when, and under what conditions. In practice, this requires a structured consent management process that a CMP provides.
Specifically, under GDPR, a CMP helps organisations:
- Manage granular consent categories that align with processing purposes
- Provide proof of consent with audit-ready records
- Enable withdrawal of consent as easily as it was given
- Prevent data collection before consent is obtained
- Adapt consent flows by geography (EEA, UK, US states, etc.)
For websites using Google Analytics 4, Google Ads, the Meta Pixel, or any third-party advertising or analytics technology, implementing a CMP is effectively required to remain both legally compliant and operationally functional within Google's measurement framework.
How does a CMP work with Google Consent Mode v2?
Google Consent Mode v2 became mandatory for all Google Ads and GA4 users in the EEA and UK from March 2024. Websites that do not implement GCM v2 via a certified CMP risk losing access to audience-based advertising features and receiving incomplete Analytics measurement.
The four consent signals
Google Consent Mode v2 requires CMPs to communicate four consent parameters to Google tags:
Signal | What it controls | Affected tools |
|---|---|---|
ad_storage | Storage of cookies for advertising purposes | Google Ads, Floodlight |
analytics_storage | Storage of cookies for analytics measurement | Google Analytics 4 |
ad_user_data | Sending user data to Google for advertising | Google Ads audiences |
ad_personalization | Personalised advertising and remarketing | Remarketing lists |
Basic vs advanced Consent Mode
Google Consent Mode operates in two modes:
- Basic mode: Google tags do not fire at all until consent is granted. No data is collected from users who decline.
- Advanced mode: Google tags fire in a cookieless state before consent. Behavioural modelling fills measurement gaps using aggregate signals. Full measurement resumes once consent is granted.
A properly configured CMP communicates the correct signal state to Google's infrastructure in real time, regardless of which mode is used.
What happens when a user denies consent?
When a user denies consent for one or more categories, a correctly implemented CMP helps prevent the related cookies and tracking technologies from loading:
Category denied | Expected behaviour | Technical outcome |
|---|---|---|
Analytics | Analytics scripts do not fire or operate in cookieless mode | analytics_storage = denied; GA4 operates in modelled mode |
Marketing / Advertising | Ad pixels do not load; remarketing lists are not updated | ad_storage, ad_user_data, ad_personalization = denied |
Functional | Non-essential features (e.g., chatbots, video players) may not activate | Relevant scripts remain blocked by tag manager |
All categories | Only strictly necessary cookies and scripts run | All non-essential tags blocked; no personal data collected |
Key features of a modern consent management platform
When evaluating a CMP, look for the following capabilities:
- Granular consent categories: Separate consent toggles for analytics, marketing, functional, and strictly necessary cookies
- Region-based consent logic: Different consent flows for EU, UK, US states, and other jurisdictions based on detected location
- Google Tag Manager integration: Native GTM support for controlling tag firing based on consent signals
- Google Consent Mode v2 support: Implementation of all four GCM v2 parameters (ad_storage, analytics_storage, ad_user_data, ad_personalization)
- IAB TCF 2.3 certification: For websites monetising through programmatic advertising, IAB Transparency and Consent Framework support is required
- Consent logging and audit records: Timestamped, categorised records of every consent event for regulatory evidence
- Preference centre: A user-accessible interface for modifying consent choices at any time
- Multi-language and multi-jurisdiction support: Localised consent notices and legal text for operating across markets
- Prior blocking / script blocking: Automatic prevention of non-consented tags from loading before consent is given
- API and headless CMP support: For custom implementations on apps, SPAs, or non-standard environments
CMP as part of a broader digital compliance strategy
For most organisations, consent management is one component of a broader digital compliance framework. A CMP addresses the data collection and consent layer, but compliance across a website typically requires addressing additional areas:
Compliance area | What it covers | Relationship to CMP |
|---|---|---|
Cookie consent, data collection signals, consent records | Core, the subject of this article | |
Web accessibility (WCAG / ADA / Section 508) | Accessible consent banners, keyboard navigation, screen reader support | CMP UI must itself be accessible |
Right to access, deletion, and portability requests from users | Often managed in same platform as CMP | |
Restricting access to age-inappropriate content for minors | Separate from consent, but often co-deployed | |
Privacy policy, cookie policy, terms of service | Policies must align with CMP consent categories | |
Confidential reporting for EU Whistleblowing Directive compliance | Separate tool, often the same vendor, for unified compliance |
Frequently asked questions about consent management platforms
A consent management platform (CMP) is software that collects, stores, and communicates user consent for cookies and personal data processing before any tracking or non-essential scripts begin. CMPs are used to comply with privacy regulations such as GDPR, ePrivacy Directive, and CCPA.
CMP stands for Consent Management Platform, a software that manages user consent for cookies and personal data processing on websites and apps.
A cookie banner is the visible notice displayed to users. A CMP is the underlying system managing the full consent lifecycle: displaying the notice, recording the user's choice, blocking scripts until consent is given, and sending consent signals to integrated tools. A cookie banner is one component of a CMP.
The best consent management platform depends on your organisation's size, regulatory exposure, and tech stack. Enterprise teams often choose OneTrust or Usercentrics for deep integrations. Mid-market and SMB organisations frequently use Clym, Osano, or Cookiebot for their balance of compliance coverage, ease of implementation, and pricing. All leading CMPs should support GDPR, CCPA, Google Consent Mode v2, and IAB TCF 2.3.
GDPR requires valid, informed, freely given consent before placing non-essential cookies or processing personal data for analytics, advertising, or personalisation. A CMP is the standard technical mechanism used to meet this requirement, though the regulation does not mandate a specific tool. For websites using Google Analytics 4 or Google Ads, a CMP integrated with Google Consent Mode v2 is effectively required.
Google Consent Mode v2 is a framework required by Google for all advertisers using Google Ads or GA4 in the EEA and UK. It requires websites to send four consent signals, ad_storage, analytics_storage, ad_user_data, and ad_personalization to Google tags based on the user's consent choice. A CMP communicates these signals automatically when integrated with Google Tag Manager or the gtag.js API.
Yes. When properly configured, a CMP can prevent non-essential scripts, cookies, and tracking pixels from loading until a user has actively provided consent. This is known as prior blocking or tag blocking and is handled through integration with Google Tag Manager or a native script-blocking mechanism.
Even websites that only use analytics tools may need a structured consent management process. Google Analytics 4 relies on cookies and device identifiers that qualify as personal data under GDPR and CCPA. A CMP enables your site to display consent options before GA4 scripts execute, record user preferences, and transmit consent signals, including the analytics_storage parameter for Google Consent Mode v2.
Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.