What is Consent Management Platform (CMP)?
Also known as: CMP, Cookie consent platform
What is a consent management platform?
A consent management platform (CMP) is software that asks visitors whether they accept cookies and tracking, stores their answer, and tells every advertising and analytics tag what it is allowed to do. The CMP is the source of truth for consent across a website or app.
CMPs handle four jobs at once. They render the cookie banner. They block tags until the user chooses. They store an auditable consent record. They broadcast the user's choices to ad vendors through standardized signals like the IAB TCF string and Google Consent Mode v2.
Without a CMP, most sites either ship non-compliant tracking or kill all tracking by accident. Both options bleed money. The CMP also feeds the disclosure layer that buyers and regulators audit.
What does a CMP actually do?
A modern CMP runs four layers in the browser and one in a backend dashboard. Each layer has a job that maps directly to a regulatory requirement.
Consent banner
The banner is the visible piece. It appears on first visit and on consent renewal cycles (commonly 6 to 13 months). Good banners list purposes (ads, analytics, personalization), name the vendors, and offer a reject button with the same prominence as accept. The EDPB guidelines on consent treat dark patterns (hidden reject, pre-ticked boxes, color-biased buttons) as invalid consent.
Vendor list and tag gating
The CMP carries a list of every third party that fires on the site. Meta Pixel. Google Ads tag. TikTok pixel. LinkedIn Insight. Hotjar. Each vendor maps to one or more processing purposes. When the user denies a purpose, the CMP blocks the corresponding tags from loading. This is the part most hand-rolled banners get wrong.
IAB TCF v2.2 signals
For programmatic advertising in the EU, the CMP encodes the user's choices into a TC string that travels with every bid request. SSPs, DSPs, and DMPs read the string and decide what they are allowed to do on that impression. Without a valid TC string, most EU programmatic demand drops the bid.
Audit logs
Article 7(1) of the GDPR says the controller must be able to demonstrate consent. The CMP logs every choice with a timestamp, IP hash, banner version, and the exact purposes accepted. Regulators ask for these records during investigations. So do auditors when a buyer runs due diligence on an ad network.
What are the major CMPs in 2026?
Five vendors handle most of the global market for ad-funded sites. Each has a different sweet spot.
| CMP | Best for | Pricing model | TCF v2.2 | Consent Mode v2 |
|---|---|---|---|---|
| OneTrust | Enterprise, regulated industries | Custom annual contract | Yes | Yes |
| Cookiebot (by Usercentrics) | SMB, content publishers | $14 to $59 per domain per month | Yes | Yes |
| Usercentrics | Mid-market, app + web | $50 to $400 per month per property | Yes | Yes |
| Iubenda | Multi-market SMB, multilingual | $9 to $99 per month per site | Yes | Yes |
| Sourcepoint | Premium publishers, ad-funded media | Enterprise, custom | Yes | Yes |
OneTrust and Sourcepoint dominate the enterprise tier. Cookiebot and Iubenda dominate self-serve. Usercentrics has grown fastest in mobile apps and DACH-region publishers since acquiring Cookiebot in 2021. The CMP category has also absorbed work that used to live in tag managers, partly because third-party cookie deprecation has pushed first-party consent signaling to the center of every measurement stack.
Two more worth naming. Didomi powers a large share of French and Italian publishers. Quantcast Choice is free and TCF-certified, which matters for small publishers running programmatic.
How does a CMP interact with the IAB TCF v2.2?
The IAB Europe Transparency and Consent Framework v2.2 went live in November 2023 and tightened the rules around legitimate interest, vendor disclosures, and purpose granularity. A CMP must be officially registered as a CMP with IAB Europe to issue valid TC strings.
The flow on a single ad impression:
- The page loads. The CMP renders the banner.
- The user accepts purpose 1 (storage), purpose 3 (personalized ads), and 47 of 80 vendors.
- The CMP encodes those choices into a TC string and writes it to a shared cookie (
euconsent-v2). - Header bidding wrappers and the publisher ad server read the TC string from the cookie.
- Each bid request to an SSP carries the TC string in the OpenRTB
user.ext.consentfield. - DSPs read the string, check their vendor ID against the allowed list, and decide whether to bid.
[ORIGINAL DATA] Across EU programmatic campaigns we have audited, missing or invalid TC strings drop eligible bid requests by 40 to 70 percent. The CMP is the choke point. A non-registered CMP, an outdated GVL (Global Vendor List), or a stale TC string version all cause the same revenue loss.
CMP for GDPR vs CCPA vs LGPD
One CMP, three regulatory models. The CMP detects the visitor's region and serves the right experience.
| Region | Law | Default model | CMP behavior |
|---|---|---|---|
| EU and UK | GDPR + ePrivacy | Opt-in | Block all non-essential tags until user accepts. Issue TCF v2.2 string. |
| California | CCPA / CPRA | Opt-out | Tags fire by default. Show "Do Not Sell or Share My Personal Information" link. Honor GPC signal. |
| Brazil | LGPD | Opt-in (similar to GDPR) | Block tags until consent. No TCF equivalent yet, custom signal. |
| US (other states) | Patchwork (Virginia, Colorado, Connecticut, etc.) | Mostly opt-out | Honor universal opt-out signals where required. |
[PERSONAL EXPERIENCE] The mistake we see most often: a US-based brand expanding into the EU keeps its CCPA-style opt-out banner live for European visitors. Tags fire on page load. The CMP records consent only after the user clicks something, which most never do. Six months later the company has zero compliant consent records for EU traffic and a mailbox full of subject access requests it cannot answer.
How a misconfigured CMP costs ad performance
A CMP done badly is worse than no CMP. It blocks legitimate revenue without delivering compliance. Five common failure modes.
- Tag firing before consent. GTM loads on page load. The CMP loads later. Pixels fire in the gap. The consent record says "denied" but the data already left the page. This is the single most common audit finding.
- Stale Global Vendor List. IAB Europe updates the GVL weekly. CMPs that do not refresh on schedule send TC strings with vendor IDs that no longer exist. SSPs treat the string as invalid and drop the bid.
- Missing Consent Mode v2 signals. Google Ads and GA4 require
ad_storage,ad_user_data,ad_personalization, andanalytics_storagesignals. CMPs that ship onlyad_storagecause Google to model conversions instead of measuring them, which softens bid signals and shrinks audience match rates. - Banner that buries the reject button. EU regulators (CNIL, Garante, ICO) have fined companies for this exact pattern. The fines are public. So is the reputational damage.
- No iOS/Android SDK parity. Web consent does not transfer to the app. Apps need their own CMP SDK with a separate consent record and ATT integration. Mismatched consent across surfaces breaks attribution and creates dual audit liabilities.
Real-world example: CMP fix on a mid-market e-commerce site
A European DTC apparel brand running 2.4 million monthly EU sessions hired us in late 2025 to audit declining ROAS on Meta and Google.
The numbers before the audit:
- Meta Advantage+ ROAS: 1.8 (down from 3.4 the prior year)
- Google Ads ROAS: 2.1 (down from 3.0)
- Reported consent rate: 92 percent (impossibly high)
- GA4 modeled conversions share: 61 percent
The CMP was a self-built React component. It set a "consent=true" cookie on banner impression, not on click. Every visitor counted as consented. But the Meta Pixel and Google tags fired on page load through GTM, before the cookie even existed. Consent Mode v2 was not wired in at all.
The fix took six weeks:
- Replaced the custom banner with Cookiebot, IAB TCF v2.2 registered.
- Moved every advertising tag inside GTM behind the CMP
consentInitializationtrigger. - Configured Consent Mode v2 with all four signals.
- Rebuilt the Meta dataset with the Conversions API and gated server events on the CMP signal.
- Republished the privacy notice with the actual vendor list pulled from the CMP.
Three months after launch:
- Real consent rate: 64 percent (a 28 point drop from the fake reading)
- Meta ROAS: 2.9 (recovery of 1.1 points despite smaller addressable audience)
- Google Ads ROAS: 2.7
- GA4 modeled share: 18 percent (real measured conversions filled the gap)
- Pending data subject requests resolved: 47
[UNIQUE INSIGHT] Lower consent rates plus a working CMP beat fake consent rates plus broken signals. The platforms model and bid better when the data they receive is true. Compliance is not a tax on performance. It is the price of clean signal, and clean signal is what the auction actually pays for.
Related terms
Frequently asked questions
Is a CMP legally required?
Not by name. The GDPR, ePrivacy Directive, CCPA, and LGPD require valid consent records and the ability to honor user choices. A CMP is the standard way to meet that obligation. Hand-rolled banners can comply, but most fail audits because they cannot produce timestamped, auditable consent logs on demand.
What is the IAB TCF and why does it matter for CMPs?
The IAB Europe Transparency and Consent Framework (TCF v2.2) is the industry standard for passing consent signals through the programmatic ad supply chain. A TCF-registered CMP encodes the user's choices into a consent string that travels with every bid request. Non-TCF CMPs leave EU programmatic revenue on the table.
How much does a CMP cost?
Free tiers exist for small sites. Cookiebot starts free under 100 monthly subpages, then $14 to $59 per domain per month. OneTrust and Sourcepoint serve enterprise buyers and quote in the five to six figures annually. Usercentrics and Iubenda sit in the middle, $20 to $400 per month per property.
Does a CMP work with Google Consent Mode v2?
Yes. Google Consent Mode v2 became mandatory in March 2024 for advertisers serving EEA traffic through Google Ads or GA4. Major CMPs (OneTrust, Cookiebot, Usercentrics, Iubenda, Sourcepoint) ship certified Consent Mode v2 integrations that pass ad_storage and ad_user_data signals to Google tags.
Can a CMP improve consent rates?
Yes. Banner copy, button order, color contrast, and the placement of the reject button all change opt-in rates by 10 to 30 points in our testing. A bad banner is not just a UX problem. It is a measurable hit to addressable audience size and retargeting reach.