What a CMP does
When a user lands on your site, the CMP is responsible for:
- Displaying the cookie banner with clear, granular consent options
- Recording the user’s choices in a verifiable, auditable record
- Broadcasting consent state to every tracking script, pixel, and Tag Manager configuration on the page
- Honouring revocation, making it easy for users to change their mind later
Until the user consents, no tracking pixels load, no marketing cookies get set, no personal data flows to ad platforms. After consent, the relevant subset of tracking activates based on what was approved.
CMP and Consent Mode V2
Google’s Consent Mode V2 (mandatory in the EU since March 2024) is the bridge between the CMP and Google’s tracking products. The CMP captures user choices. Consent Mode V2 translates those choices into signals Google Tag Manager and gtag understand.
The flow:
- CMP shows the banner. User makes choices
- CMP pushes the consent state into the
dataLayer - Consent Mode V2 reads the dataLayer state
- Google tags adjust their behavior: full tracking if granted, modeled-conversion pings if denied
Similar bridges exist for Meta (Conversions API consent fields), TikTok, and other platforms.
Major CMPs in 2026
The Tag Management ecosystem matured around a handful of options:
- OneTrust, enterprise-focused, deep audit and DPO workflow tooling
- Cookiebot, mid-market, strong out-of-the-box GDPR coverage
- Usercentrics, popular in DACH region. Tight Consent Mode V2 integration
- Iubenda, SMB-focused, lower price point
- Didomi, French-headquartered, strong in EU markets
Most share the same core capabilities. The choice usually comes down to existing vendor relationships, pricing, and how much custom workflow you need.
Why “just block all cookies” doesn’t work
A common temptation: skip the CMP, block all cookies until consent, just show a “yes I consent” button. Why this is wrong:
- Bundled consent is invalid under GDPR. “Yes to everything” doesn’t count.
- Granular choice is required. Users must be able to consent to analytics without consenting to advertising, etc.
- Record-keeping matters. Regulators expect you to prove WHO consented to WHAT and WHEN.
- Withdrawal must be as easy as giving. A “manage preferences” entry point is required.
The CMP exists because doing this correctly is non-trivial.
Common mistakes
- Treating the CMP as a banner only. It’s also a consent record, a propagation system, and a withdrawal mechanism.
- Loading tracking scripts before consent. Defeats the purpose. Violates GDPR.
- Skipping Consent Mode V2 integration. Without it, denied-consent users contribute zero data to ad-platform models, hurting performance.
FAQ about CMP (Consent Management Platform)
What is a CMP (Consent Management Platform)?
A CMP captures, stores, and broadcasts users’ privacy consent decisions. It shows the cookie banner, records the user’s choices, and propagates them to all tracking tags. Required for GDPR-compliant marketing tracking in the EU.
Which CMP should I use?
Major options include OneTrust (enterprise), Cookiebot and Iubenda (mid-market), Usercentrics (DACH-focused), and Didomi (EU-focused). Core capabilities are similar. Choice usually comes down to existing vendor relationships and pricing.
Do I need a CMP if I am outside the EU?
If you have any EU visitors, yes. GDPR applies extraterritorially. Even outside the EU, similar laws (CCPA in California, LGPD in Brazil, PIPL in China) make CMPs the de-facto standard for any global marketing site.