
Consent Management Platform

User consent management is a core requirement for modern web analytics. How you implement it shapes legal compliance and the quality of the data you collect.

What a CMP Does

A Consent Management Platform automates how you collect, manage, and document user consent.

Key Functions

Cookie Scanning

CMPs scan sites regularly to detect every cookie and tracker in use. Inventories stay current.

Categorization and Blocking

Cookies are categorized by purpose. Loading is blocked until consent arrives.

Consent Management

Granular controls let users pick which categories they accept.

Categories vs Vendors

Two Models

Category-based:

  • Easier to implement and maintain
  • Standard buckets (necessary, analytics, marketing, personalization)
  • Adding or removing trackers is simple
  • Fewer update errors

Vendor-based:

  • More detailed control
  • Harder to maintain
  • Updates needed every time vendor lists change
  • Better transparency

Selection Criteria

| Criterion | Importance | Notes |
|---|---|---|
| Compliance coverage | Critical | GDPR, CCPA/CPRA, other jurisdictions |
| Integrations | High | Google Consent Mode, IAB TCF, Tag Manager |
| Performance | High | Load speed, Core Web Vitals impact |
| Customization | Medium | Design, languages, positioning |
| Price | Medium | Traffic, domain, feature limits |

Implementation Flow

```mermaid
graph TD
    A[User enters site] --> B{CMP checks consent}
    B -->|No consent| C[Show banner]
    B -->|Has consent| D[Load allowed scripts]
    C --> E{User selected}
    E -->|Accept all| F[Save all categories]
    E -->|Customize| G[Show details]
    E -->|Reject| H[Necessary only]
    G --> I[Save choice]
    F --> J[Set cookies]
    I --> J
    H --> K[Block tracking]
    J --> L[Document consent]
    K --> L
```

The cookie banner is the visible part of a CMP. It captures user preferences.

GDPR Requirements

Information

The banner must explain:

  • What data is collected
  • Why
  • Who else gets access
  • Retention period

Free Choice

  • Rejection must be as easy as consent
  • No pre-checked boxes
  • Site access cannot depend on consent (cookie walls are prohibited)

Granularity

Users pick specific purposes, not just "all or nothing."

Design Approaches

Pros:

  • Less distraction
  • Faster loading
  • Mobile-friendly

Cons:

  • May lack required information
  • Risk of failing transparency tests

Pros:

  • Full transparency
  • Stronger compliance position
  • More user trust

Cons:

  • May deter users
  • Takes more screen space

Localization

Multilingual Best Practices

  • Auto-detect via geolocation or browser
  • Manual language switch
  • Professional translation of legal terms
  • Adapt to local rules

Global Privacy Control (GPC)

GPC is a browser-level signal that automatically tells sites the user opts out of selling or sharing personal data.

How It Works

Transmission:

  • HTTP header: Sec-GPC: 1
  • JavaScript API: navigator.globalPrivacyControl

Processing:

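```javascript
// Check for GPC signal presence.
// disableDataSaleAndSharing, updateConsentStatus and showStandardConsentBanner
// are placeholders for functions supplied by the site's own CMP integration.
if (navigator.globalPrivacyControl === true) {
    // User activated GPC
    disableDataSaleAndSharing();
    updateConsentStatus('opt-out');
} else {
    // GPC not activated or not supported (the property is undefined in that case)
    showStandardConsentBanner();
}
```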

California (CCPA/CPRA)

GPC has been recognized as a valid opt-out mechanism since 2020. Sites must treat the signal as a request to opt out of data sale.

Colorado (CPA)

Universal opt-out compliance, including GPC, has been mandatory since July 1, 2024.

Other US States

Connecticut, Virginia, Utah, and others are rolling out GPC support requirements.

European Union (GDPR)

GPC could be read as an objection under Articles 7 and 21 of GDPR. No clear regulatory guidance yet.

Implementation

GPC Steps

  1. Add .well-known/gpc.json:

    {
      "gpc": true,
      "version": 1,
      "lastUpdate": "2024-01-01"
    }
    

  2. Update CMP logic to process the signal

  3. Sync with US Privacy API

  4. Document in privacy policy

  5. Test across browsers and extensions

Conflict Resolution

| Scenario | Action |
|---|---|
| GPC on, no prior consent | Auto opt-out |
| GPC on, explicit consent exists | GPC wins (per CCPA) |
| GPC turned off after opt-out | Keep opt-out status |
| User changes manually after GPC | Manual choice wins |
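
The conflict table above as request-time logic, together with server-side parsing of the Sec-GPC header. This is an added example, not code from the original page; the record fields (optedOut, source, gpcSeenAt, manualAt) and function names are assumptions, and rows 2 and 4 are told apart by comparing when the manual choice was made with when the signal was first seen.

```javascript
// Server side: the signal arrives as the request header "Sec-GPC: 1".
// Any other value (absent, "0", "true") is treated as no signal.
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'sec-gpc');
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// Hypothetical stored consent record; times are milliseconds since the epoch.
const EMPTY_RECORD = Object.freeze({
  optedOut: false, source: null, gpcSeenAt: null, manualAt: null,
});

// Apply the conflict table on every request and return the record to store.
function applyGpc(stored, gpcOn, now) {
  const rec = { ...EMPTY_RECORD, ...stored };
  if (!gpcOn) return rec;                              // row 3: signal gone, keep stored status
  if (rec.gpcSeenAt === null) rec.gpcSeenAt = now;     // remember when GPC was first observed
  const manualAfterGpc = rec.manualAt !== null && rec.manualAt > rec.gpcSeenAt;
  if (manualAfterGpc) return rec;                      // row 4: later manual choice wins
  return { ...rec, optedOut: true, source: 'gpc' };    // rows 1 and 2: GPC opts the user out
}

// Record a choice the user makes in the preference UI.
function applyManualChoice(stored, optedOut, now) {
  return { ...EMPTY_RECORD, ...stored, optedOut, source: 'manual', manualAt: now };
}
```

Persisting gpcSeenAt with the record is what lets an earlier opt-in lose to the signal while a later one survives it.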

IAB TCF

The IAB Transparency and Consent Framework is the industry standard for consent in programmatic advertising.

TCF Version 2.2

Changes:

  • Improved purpose granularity
  • Stricter UI/UX rules
  • Extended legitimate interests
  • Mandatory for Google Ad products since January 2024

Structure

Purposes

TCF defines 11 standard processing purposes:

  1. Store and/or access information on a device
  2. Select basic ads
  3. Create a personalized ads profile
  4. Select personalized ads
  5. Create a personalized content profile
  6. Select personalized content
  7. Measure ad performance
  8. Measure content performance
  9. Apply market research to generate audience insights
  10. Develop and improve products
  11. Use limited data to select advertising

Special Features:

  • Use precise geolocation data
  • Actively scan device characteristics

TC String

TC String Contents

Encodes:

  • TCF version
  • Consent timestamps
  • CMP ID
  • Consent for purposes and special features
  • Consent for vendors
  • Publisher restrictions
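
A decoder for the leading fields listed above, added here as an illustration rather than code from the original page or from IAB. The field widths follow the TCF v2 core-segment layout; the sample string is constructed, and treating purposes 1 and 8 as the gate for analytics is an assumption.

```javascript
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
// Decode the header and purpose fields of a TCF v2 TC String core segment.
function decodeTcCore(tcString) {
  const core = String(tcString).split('.')[0]; // segments are dot-separated
  const bits = [...core].map((ch) => {
    const v = B64URL.indexOf(ch); // each base64url character carries 6 bits
    if (v < 0) throw new Error('invalid base64url character in TC String');
    return v.toString(2).padStart(6, '0');
  }).join('');
  if (bits.length < 213) throw new Error('TC String core segment too short');
  let pos = 0;
  const take = (width) => bits.slice(pos, (pos += width));
  const int = (width) => parseInt(take(width), 2);
  const ids = (width) => [...take(width)].flatMap((b, i) => (b === '1' ? [i + 1] : []));
  const letter = () => String.fromCharCode(65 + int(6)); // 0 maps to 'A'
  const version = int(6);
  if (version !== 2) throw new Error('unsupported TC String version ' + version);
  return { // property initializers run top to bottom, so reads stay in field order
    version,
    created: new Date(int(36) * 100), // deciseconds since the Unix epoch
    lastUpdated: new Date(int(36) * 100),
    cmpId: int(12), cmpVersion: int(12), consentScreen: int(6),
    consentLanguage: letter() + letter(),
    vendorListVersion: int(12), tcfPolicyVersion: int(6),
    isServiceSpecific: int(1) === 1, useNonStandardTexts: int(1) === 1,
    specialFeatureOptIns: ids(12),
    purposeConsents: ids(24),
    purposeLegitimateInterests: ids(24),
  };
}

// Assumption: this site gates analytics on purposes 1 and 8. Fail closed on bad input.
function allowsAnalytics(tcString) {
  try {
    const { purposeConsents } = decodeTcCore(tcString);
    return [1, 8].every((p) => purposeConsents.includes(p));
  } catch { return false; }
}

// Constructed sample: header fields only; a real string continues with vendor sections.
function buildSampleTcString() {
  const bin = (v, w) => v.toString(2).padStart(w, '0');
  const ts = Date.UTC(2024, 0, 15) / 100;
  const bits = bin(2, 6) + bin(ts, 36) + bin(ts, 36) + bin(300, 12) + bin(1, 12) + bin(0, 6)
    + bin(4, 6) + bin(13, 6) + bin(48, 12) + bin(4, 6) + '10' // "EN", list 48, policy 4, flags
    + '1' + '0'.repeat(11) + '10000011' + '0'.repeat(16) // special feature 1; purposes 1, 7, 8
    + '0'.repeat(37); // legitimate interests, purpose-one treatment, publisher country
  return bits.padEnd(216, '0').match(/.{6}/g).map((g) => B64URL[parseInt(g, 2)]).join('');
}
```

Decoding on the server before a tag fires means a malformed or truncated string is treated as no consent rather than passed through.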

Analytics Integration

```mermaid
graph LR
    A[CMP collects consent] --> B[Generates TC String]
    B --> C[Passes to __tcfapi]
    C --> D[Tag Manager reads]
    D --> E[Conditional tag loading]
    E --> F[Analytics receives data]
```

Global Privacy Platform

GPP evolves TCF to cover multiple jurisdictions in one framework.

Architecture

Sections per jurisdiction:

  • EU TCF (Europe)
  • USP (US national)
  • USCA (California)
  • USVA (Virginia)
  • USCO (Colorado)
  • USCT (Connecticut)

GPP String

A single string carrying consent for every applicable jurisdiction.

GPP vs TCF

| Aspect | TCF | GPP |
|---|---|---|
| Jurisdictions | EU only | Global |
| Flexibility | Fixed | Modular |
| Updates | New version | Add sections |
| Complexity | Medium | High |

Implementation

Step by Step

Stage 1: Audit and Plan

  • Inventory cookies and trackers
  • Identify applicable jurisdictions
  • Pick TCF, GPP, or proprietary

Stage 2: Pick Tech

  • Evaluate CMPs
  • Decide on GPC support
  • Plan integrations (Google Consent Mode, Tag Manager)

Stage 3: Build

```javascript
// Basic integration example
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

// Set default consent state
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'functionality_storage': 'granted',
  'personalization_storage': 'denied',
  'security_storage': 'granted'
});

// Update after obtaining consent
function updateConsent(consentChoices) {
  gtag('consent', 'update', consentChoices);
}
```

Stage 4: Test

  • Verify cookie blocking
  • Validate consent storage
  • Test withdrawal
  • Check GPC handling

Stage 5: Document

  • Update Privacy Policy
  • Create Cookie Policy
  • Document processes for audit

Complex Cases

Challenges:

  • Sync consent across domains
  • Different requirements per domain
  • SSO and shared consent

Solutions:

  • Centralized consent service
  • Cross-domain sync
  • Group banners

Challenges:

  • Dynamic content loading
  • No page reloads
  • Async scripts

Solutions:

  • Event-driven consent updates
  • Dynamic script injection
  • Virtual pageview tracking

Challenges:

  • No cookies
  • App Tracking Transparency (iOS)
  • Different SDK requirements

Solutions:

  • Native consent dialogs
  • SDK-specific implementations
  • Unified consent across platforms

Metrics

KPIs

Consent Rate

Percentage of users who gave at least partial consent.

Consent Categories

Distribution across analytics, marketing, personalization.

GPC Adoption

Percentage with GPC active.

Bounce Impact

Effect of the banner on bounce rate.

Optimization

Improving Consent Rate

UX:

  • A/B test the banner
  • Refine wording
  • Tune display timing

Tech:

  • Minimize performance impact
  • Async CMP loading
  • Cache choices

Comms:

  • Explain the value
  • Be transparent
  • Offer incentives where allowed

Consent management is now critical infrastructure. CMP, GPC, and TCF compliance shape both legal standing and analytical signal quality.

Statable plans a flexible consent management system supporting all major standards. It will adapt to jurisdictions automatically and balance compliance with data quality.


About AI participation in writing articles

This article, like many others on our site, was created, written and proofread by a team of developers. Of course, not without the participation of AI assistants. We don't hide this and believe that modern systems are already quite good at handling simple tasks and, relatively speaking, writing an article about Viewport yourself is quite strange. It won't come out significantly better and will take a lot of time. But providing basic understanding to beginner webmasters is necessary. Of course, after the article is written by assistants, there is always proofreading, in which more than one or two people participate, and only after that is the article published.
