Consent Management Platforms (CMPs) and Technical Requirements
Consent Management Platforms implement the technical infrastructure for collecting, storing, and propagating user consent signals across complex digital advertising and analytics ecosystems.
Consent Management Platforms (CMPs) are the technical infrastructure through which websites and apps collect, record, and propagate user consent for cookies, tracking technologies, and data processing under GDPR Article 6(1)(a), ePrivacy Directive, CCPA/CPRA, and state privacy laws. The IAB Europe Transparency and Consent Framework (TCF) v2.2 — the dominant industry standard for online advertising — defines a standardized signal format (TC String) encoding consent and legitimate interest decisions for hundreds of vendors registered in the IAB Global Vendor List. CMPs implementing TCF v2.2 must be certified by IAB Europe, display consent UIs meeting prescribed specification requirements, store consent signals with timestamps in browser storage (localStorage), and propagate TC Strings to all downstream ad tech vendors in the bidstream.
GDPR-compliant CMPs must meet requirements far stricter than those originally implemented at GDPR's 2018 effective date. Regulatory guidance from CNIL (France), the Belgian DPA, ICO (UK), and the EDPB Opinion 05/2020 has collectively established that consent must be granular (per purpose and per vendor, not global), freely given (no consent walls, no bundling with service access), specific (prior to loading tracking technologies), unambiguous (active opt-in, not pre-ticked boxes), and as easy to withdraw as to give. The Belgian DPA's May 2022 IAB TCF decision found the TCF's legitimate interest mechanism for ad tech non-compliant and required TCF to be rebuilt, leading to TCF v2.2 with significant restrictions on legitimate interest use for personalized advertising. Dark patterns in consent UIs are prohibited under EDPB Guidelines 3/2022.
Technical implementation of compliant CMPs requires: (1) pre-consent blocking of all non-essential scripts (implemented via tag manager consent mode or server-side rendering controls), (2) consent signal persistence with timestamp and version in durable storage, with re-consent triggers when purposes change, (3) recognition of GPC/UOOM (Global Privacy Control / universal opt-out mechanism) signals and automatic opt-out state mapping for jurisdictions requiring it (Colorado, Connecticut, Texas as of 2024–2025), (4) consent signal propagation to all third-party tags, SDKs, and server-side systems, and (5) documented deletion of data collected before a valid consent withdrawal, per GDPR Article 7(3) retroactivity requirements. Server-side consent architectures are increasingly used to prevent client-side bypass via browser extensions.
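The following is an added illustration, not code from any CMP vendor or from the TCF specification, of how requirements (1) through (3) fit together in a client-side consent store: default deny before any decision is recorded, a versioned record with a timestamp that forces re-consent when the purpose set changes, and a GPC signal that overrides stored consent for opt-out purposes. The purpose ids, tag names and the in-memory storage stand-in are constructed for the example.

```javascript
// Added example: minimal consent store enforcing default-deny, versioned persistence
// with timestamps, re-consent on purpose changes, and GPC mapped to an opt-out state.
// Purpose ids and tag names are constructed for illustration, not TCF purpose numbers.
const PURPOSES_VERSION = 3;                                   // bump when purposes/vendors change
const GPC_OPT_OUT_PURPOSES = ["targeted_ads", "sale_share"];  // purposes a GPC signal overrides

class ConsentStore {
  // storage: any object with getItem/setItem (window.localStorage in a browser);
  // gpc: boolean taken from navigator.globalPrivacyControl or the Sec-GPC request header.
  constructor(storage, gpc, now = () => Date.now()) {
    this.storage = storage; this.gpc = gpc; this.now = now;
  }
  load() {
    const raw = this.storage.getItem("consent");
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }    // corrupt record => no consent
    if (rec.version !== PURPOSES_VERSION) return null;       // stale purposes => re-consent trigger
    return rec;
  }
  // Record an explicit per-purpose decision; anything not listed is denied (no pre-ticked defaults).
  save(grantedPurposes) {
    const rec = { version: PURPOSES_VERSION, timestamp: this.now(),
                  purposes: Object.fromEntries(grantedPurposes.map(p => [p, true])) };
    this.storage.setItem("consent", JSON.stringify(rec));
    return rec;
  }
  withdraw() { return this.save([]); }   // withdrawal is one call, same record shape as granting
  allowed(purpose) {
    if (purpose === "essential") return true;                 // strictly necessary, no consent needed
    if (this.gpc && GPC_OPT_OUT_PURPOSES.includes(purpose)) return false; // GPC wins over stored consent
    const rec = this.load();
    return rec !== null && rec.purposes[purpose] === true;    // default deny
  }
  // Pre-consent gating: only tags whose purpose is currently allowed may be loaded.
  tagsToLoad(tags) { return tags.filter(t => this.allowed(t.purpose)).map(t => t.name); }
}

// Constructed stand-in for localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
}

// Constructed tag inventory: each tag declares the purpose it depends on.
const TAGS = [ { name: "session", purpose: "essential" }, { name: "analytics", purpose: "analytics" },
               { name: "adsdk", purpose: "targeted_ads" } ];
```

In a real deployment the stored record would also be propagated to downstream tags and server-side systems (requirement 4); this block only decides what may load.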
We implement and audit CMPs against EDPB and national DPA guidance, covering pre-consent blocking architecture, granular purpose/vendor layering, GPC signal integration, and server-side consent verification for high-compliance clients. Our CMP audit methodology checks for dark patterns against the EDPB Guidelines 3/2022 taxonomy and validates TC String propagation accuracy through bidstream sampling.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.