Consent Management Platforms: Cookie Banners and Compliance
Consent management platforms (CMPs) help websites comply with privacy laws by managing cookie consent, tracking preferences, and documenting user choices. If you operate a website that uses cookies or tracking technologies, a CMP is essential for GDPR, ePrivacy Directive, and increasingly CCPA compliance. For users, understanding how consent works helps you make informed choices about the data websites collect.
Why Consent Management Exists
The EU’s ePrivacy Directive (the “Cookie Law”) requires websites to obtain informed consent before setting non-essential cookies. GDPR strengthened this by requiring specific, informed, and freely given consent that can be withdrawn at any time. Simply using a website does not constitute consent. Pre-checked boxes do not constitute consent. Consent must be an affirmative action by the user.
Cookie banners are the visible interface of this requirement. The CMP behind the banner manages which cookies are loaded based on the user’s choices, stores consent records for compliance documentation, and updates cookie behavior when preferences change.
What Good Consent Looks Like
Equal choice. The “Accept” and “Reject” buttons should be equally prominent. Dark patterns that make rejection difficult (hiding the reject option, using confusing language, requiring multiple clicks to reject versus one to accept) violate GDPR’s requirement for freely given consent. The French data protection authority (CNIL) has fined Google and Facebook for making rejection harder than acceptance.
Granular categories. Users should be able to accept or reject specific categories of cookies: strictly necessary (always allowed), functional, analytics, advertising, and social media. “Accept all or leave” is not compliant consent.
No cookie walls. Denying access to content unless the user accepts all cookies is generally considered non-compliant, as it makes consent a condition of service rather than a free choice.
Easy withdrawal. Users must be able to change or withdraw consent as easily as they gave it. A persistent settings link in the footer allows users to modify their preferences at any time.
Popular CMP Platforms
Cookiebot (by Usercentrics) automatically scans your website, identifies all cookies, categorizes them, and generates a compliant consent banner. It provides consent documentation for regulatory inquiries.
OneTrust is the enterprise leader, supporting GDPR, CCPA, LGPD, and other frameworks with granular consent management, preference centers, and integration with marketing technology.
Osano provides a simplified CMP focused on ease of use for small and mid-sized websites, with automatic regulatory monitoring that alerts you to compliance changes.
For Website Visitors
When you see a cookie banner, take two seconds to click “Manage Preferences” and disable advertising and analytics cookies. Only accept strictly necessary and functional cookies. Use browser settings and extensions to automatically reject non-essential cookies across all sites.
For the technical tracking these consent systems control, see our cookies and tracking guide. For the legal frameworks driving consent requirements, explore our GDPR compliance guide.
The CMP Implementation Process
Implementing a CMP involves several steps: scanning your website to identify all cookies and tracking technologies, categorizing each cookie by purpose (necessary, functional, analytics, advertising), configuring the consent banner with compliant options, integrating the CMP with your tag management system (Google Tag Manager, Adobe Launch) to conditionally load scripts based on consent, and establishing a process for maintaining accurate cookie inventories as your site evolves.
Test thoroughly after implementation. Verify that non-essential cookies are actually blocked when a user rejects them. Many CMP implementations display a consent banner but fail to actually prevent cookie setting on rejection, creating a compliance illusion rather than real consent management. Regular auditing with tools like Cookie Scanner or Blacklight ensures ongoing compliance.
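One way to script the rejection check described above, as an added example that is not part of the original article or of any CMP product: it compares the cookies present after a consent choice against a categorized inventory and reports anything set without consent or missing from the inventory. The inventory entries, cookie names and function names are constructed for illustration.

```javascript
// Cookie inventory: name pattern -> purpose category (constructed sample data).
const INVENTORY = [
  { pattern: /^session_id$/, category: "necessary" },
  { pattern: /^consent_state$/, category: "necessary" },
  { pattern: /^ui_lang$/, category: "functional" },
  { pattern: /^an_visitor(_\w+)?$/, category: "analytics" },
  { pattern: /^ad_click_id$/, category: "advertising" },
  { pattern: /^share_widget$/, category: "social" },
];

// Parse a document.cookie / Cookie-header style string into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? pair : pair.slice(0, eq); // values may contain "="
    });
}

function categorize(name) {
  const hit = INVENTORY.find((entry) => entry.pattern.test(name));
  return hit ? hit.category : "unknown";
}

// consent: { functional, analytics, advertising, social } booleans.
// "necessary" is always allowed; every other category needs an explicit true.
function auditConsent(cookieString, consent) {
  const findings = [];
  for (const name of parseCookieNames(cookieString)) {
    const category = categorize(name);
    if (category === "necessary") continue;
    if (category === "unknown") {
      // Inventory drift: a cookie nobody has categorized yet.
      findings.push({ name, category, reason: "not in inventory" });
    } else if (consent[category] !== true) {
      findings.push({ name, category, reason: "set without consent" });
    }
  }
  return findings;
}

// Constructed capture: cookies present after the visitor clicked "Reject".
const afterReject = "session_id=abc; consent_state=v=1&all=0; an_visitor_2=x9; new_pixel=1";
const rejected = { functional: false, analytics: false, advertising: false, social: false };
console.log(auditConsent(afterReject, rejected));
```

In a real audit the cookie string would come from a fresh browser profile after each consent choice; HttpOnly cookies do not appear in `document.cookie`, so capture response headers or the browser's cookie store as well.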
Beyond Cookie Consent
Consent management is expanding beyond cookies. The same principles apply to mobile app tracking consent (Apple’s ATT framework), email marketing consent, and data sharing consent across connected services. Organizations that build consent management into their architecture now will be better positioned as consent requirements extend to new data processing contexts.