Consent Management Platforms: The Definitive Guide for 2021

Chris Shuptrine
Chris Shuptrine
Consent Management Platforms: The Definitive Guide for 2021

The General Data Protection Regulation (GDPR) has given the world much since its enforcement date in May 2018, including headaches for publishers, memes, overflowing inboxes, horror stories, and even soothing lullabies.

It's also given us Consent Management Platforms (CMPs), an advertising tech tool for collecting user consent and passing that data to downstream ad partners.

Click here to jump to our visual comparison of the Top 10 CMPs

consent management platform example

These CMPs simplify a huge pain point for publishers: if you work with 10-20+ ad partners - from exchanges to DSPs to data providers - how do you get the consent you need to legally enable user-level ad targeting (with its higher eCPMs)?

Not asking for consent - but still collecting data - is a non-starter, as GDPR fines can be €20M or 4% of your yearly revenue (whichever is higher).

While publishers could spend time building their own solution, given the necessity of having a CMP, it makes sense to instead integrate with a third-party tool, of which there are many.

Also - as a small terminology clarification, technically the IAB's acronym of CMP stands for 'Consent Management Provider'. That said, the industry is more apt to use 'Platform'. For example, a Google search for "consent management platform" returns 34K results, while "consent management provider" returns 2.5K. Regardless, the exact word doesn't change the meaning of the phrase.

Wait - haven’t consent tools been around for a while?

Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop-up, including WordPress plug-ins and the leading tool from Silktide.

insites consent management platform

These tools are still around, and many sites continue to use them under the GDPR.

However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.

What is a Consent Management Platform?

A consent management platform (CMP) is a tool that enables a website or app to be GDPR-compliant. It does this by prompting users for consent, collecting and managing that information, and passing the data to downstream ad partners.

Often the phrase goes hand-in-hand with IAB Europe's Transparency & Consent Framework and the CMPs registered with them. Technically, though, 'Consent Management Platform' is a broader phrase that doesn't necessitate IAB integration.

The IAB Framework connects registered CMPs with a centralized list of ad tech vendors. Using this, first-parties can get consent to process user data by vendor and send that data to all third-parties. This brings transparency and accountability to the entire advertising supply chain, as the publisher can feel confident they are working with a GDPR-compliant ad partner and vice-versa.

iab consent management platform

For CMPs not registered with the IAB, they can acheive the same result by using a custom vendor list. In either scenario, there's transparent consent tracking between the publisher and downstream partners.

True CMPs, therefore, are more complex than cookie notification banners, as they not only collect consent but then pass that information to other vendors.

Another value-add of CMP tech is that it can sniff the user's location and show the prompt just to EU residents. This helps to comply with the law while not intruding on non-EU user experiences.

How prevalent are CMPs?

Below are the May 2020 numbers from our Ad Tech Insight's Consent Management Platform tracker, which looks at the Top 10K sites in both the UK and US.

We found that 39.7% of UK publisher and 35.2% of US publishers use third-party CMPs (with 'publishers' defined as sites that do programmatic advertising). Overall, 23.4% of UK sites (top 10K) use a CMP, and 20.7% of US sites do.

Are Consent Management Platforms GDPR-compliant?

What's ultimately "compliant" will be decided in the courts and from new guidance form the EU.

As of right now, there's no clear-cut guidance that certain CMP formats will get you fined or not.

For instance, a strict interpretation of the law would require publishers to get opt-in consent by individual vendor, rather than an 'Accept All' or 'Deny All' pop-up prompt. But currently that's not the way CMPs are structured.

The approach that publishers and ad tech vendor are taking is that a mass opt-in button - with an option to dive deeper and toggle consent by vendor - follows the "spirit of the law". This stance is increasingly coming under fire, though, especially as seen by a new study by researchers at UCL, MIT, and Aarhus University.

Are CMPs effective?

Early reports are promising for the efficacy of CMPs.

According to Mediavine, CPMs were 52% higher for sites that implemented a CMP, and fill rates were 39% higher.

mediavine consent management platform

On top of that, Quantcast claims to see a 90% opt-in rate, while Purch's is still high at 70%, indicating the intrusiveness of the prompt isn't deterring people from engaging with content.

quantcast consent management platform

What CMPs are most commonly-used?

The below stats also come from Kevel’s monthly Consent Management Platform tracker and tracks how many times we found the vendor's CMP across the Top 10K UK and Top 10K US sites (16K unique sites). They were last updated May, 2020.

Company # of Sites Industry
OneTrust 639 Privacy compliance management
Quantcast 425 Marketing analytics and audience insights
TrustArc 199 Privacy compliance management
Cookiebot 191 Pure-play CMP
Crownpeak 105 Marketing analytics
Sourcepoint 102 Content compensation platform
Tealium 75 Data hub and tag management
AdThrive/CafeMedia 74 Ad monetization platform
CivicUK 69 Digital agency
Ensighten 40 Security and performance managmeent
Iubenda 34 Legal compliance tools & software
Verizon Media 31 Media conglomerate
Venatus Media 31 Entertainment advertising platform

What's also interesting is the hodgepodge of companies that comprise this list: there are many privacy management services, but also ad platforms, digital agencies, and data/analytics tools.

The Best Consent Management Platforms

Here are the top consent management platforms platforms, with comparisons around look, feel, and functionality.

1. Iubenda

Iubenda's CMP does a great job not being an obtrusive pop-up banner, but instead defaults to a small noticeable black banner at the top of the page. The banner, like everything else in their Cookie Solution, is fully-customizable.

The instructions are clear, and users have the option to accept or get more information — a practice that most CMPs also employ — however, with iubenda's solution, you can set multiple options (like scrolling, clicking accept, etc.) for registering consent.

iubenda consent management platform

When you do click on the "learn more" button, you are taken to the (legally required) cookie policy which contains very well-designed, descriptive summary of how your data is being used.

iubenda consent management platform

If users decide that they want to further customize their preferences, they can click on the “customize preferences” button, which takes them to this preferences area where they can toggle consent preferences by data purpose and by individual vendor:

iubenda consent management platform

The great thing about this solution (and what makes it easily number 1 for us) are the plugins. iubenda's available plugins make it pretty easy to auto-block several popular cookie scripts right out of the box until the user gives consent. Since blocking the scripts is legally mandatory but pretty tricky to set up if you don't know what you're doing, this feature saves tones of time and effort.

2. OneTrust

onetrust consent management platform

OneTrust’s CMP allows you to choose from various professionally-designed templates to meet all user interface requirements, and customize language and branding.

onetrust consent management platform

Using out-of-the-box templates to support GDPR, CCPA, IAB TCF v2 as well as native apps, the banner will show buttons to “accept”, “reject”, “choose preferences” or “show purposes”.

The banner links to a clean preference center that allows users to easily toggle consent by purpose and clicking check boxes for individual vendor consent.

onetrust consent management platform

OneTrust also offers a tool that allows you to build a custom CMP for free in just a few steps; choose from out-of-the-box templates, customize preference center content for purposes and stacks, set the scope of notice to a global or EU audience, then simply install by copying and pasting the code snippet onto a website.

3. Sourcepoint

Sourcepoint’s Dialogue CMP is fully customizable to match the look and feel of your website. Buttons, links, message text, and user controls are all configurable from the user interface. You can build your own custom design or start from a selection of templates to support GDPR, CCPA, & IAB TCF v2.

sourcepoint consent management platform

The Dialogue platform provides a wide range of consent metrics so you can see which messages make for the best user experience and result in higher consent rates. Whether that’s a modal or a bottom banner, with buttons on the left or right, A/B testing reveals the best strategy for you.

sourcepoint consent management platform

For mitigating compliance risk from third parties, Sourcepoint’s CMP comes integrated with vendor scanning technology that automatically assesses vendors operating on your properties. You can review risk assessments and update your vendor list all from the same interface so you won’t be asking your users to consent to any third parties you don’t trust.

sourcepoint consent management platform

Sourcepoint is a great choice especially if you’re looking to monetize beyond web environments. They have robust SDKs for collecting consent on Google AMP, iOS/Android, and they have the best CMP compatibility across OTT devices such as Samsung, Roku, and AppleTV.

4. AppNexus

Like they did with Prebid - their open-source header bidding wrapper - AppNexus released an open-source CMP for others to build off of. In our analysis, about 60 sites had built their own CMP based on AppNexus's tool. In addition, many of the third-party CMPs are based on AppNexus's code.

Most AppNexus-based CMPs have a similar look and feel:

appnexus consent management platform

The prompt generally appears on the page's bottom with just an 'Accept' option. You can then dive deeper and toggle consent by use case and vendor.

appnexus consent management platform

5. Quantcast

quantcast consent management platform

Like most CMPs on this list, Quantcast's employs a full-page prompt that requires the user to interact before accessing content. Many of the Quantcast examples involve an easy 'Deny All' option alongside 'Accept All'. Most other CMPs, on the other hand, have only an 'Accept' button, preventing easy opt-outs.

Additionally, like other CMPs, Quantcast has a link that takes users to a screen where they can toggle consent by data purpose and by individual vendor.

quantcast consent management platform

Quantcast’s navigation, layout, vendor breakdown, and easy opt-out options make it, in our opinion, a very user-friendly solution.

6. TrustArc

trustarc consent management platform

TrustArc's CMP looked similar across most sites, indicating it may have minimal customization options.

In the 'More Information' link, most sites used a sliding knob to grant consent by three types of cookies: 'required', 'functional', and 'advertising'. Beyond seeming out-of-place, the knob format means you can't grant access to 'advertising' cookies without also granting it to 'functional'.

trustarc consent management platform

That said, you can toggle these use cases individually by diving even deeper via the "Advanced Settings" link (though not all TrustArc CMP examples had this option). It makes one wonder why 'More Information' doesn't just go directly to this page.

7. CivicUK

Cookie Control originally started out as a simple cookie notification bar, but recently made the upgrade to a full-fledged CMP.

civicuk consent management platform

The layout is clean, with options to opt-out by cookie purpose. Their website indicates there are vendor-level breakdown capabilities too, but we couldn't find any site that showed individual vendors.

civicuk consent management platform

8. Verizon

oath consent management platform

Verizon Media - the parent company of AOL, Yahoo!, and others - has a CMP that's both a first-party and third-party tool. You may also hear it by the name 'Oath', which is Verizon's ad tech / media branch that it recently rebranded to Verizon Media.

Verizon's CMP suffers from too much simplicity. There is no vendor breakdown, let alone a way to toggle consent by vendor. They do provide the ability to easily accept/reject different use cases, but the overly-simple visuals, the abundance of white space, the lack of vendor breakdowns, and the use of small hover text to explain each purpose is a bit disappointing for such a large company.

oath consent management platform

9. Tealium

Customers who use Tealium's tag management solution can now use it to collect consent as well. Implementation includes a non-intrusive banner at the top or bottom of the page.

tealium consent management platform

There appears to be many customization options as well, with few sites having the same look and feel.

tealium consent management platform

Clicking further brings up an interface to toggle by use case:

tealium consent management platform

Like others, Tealium's CMP suffers from the lack of vendor-level information and consent toggling, making it not as robust as other options.

10. Insites

Given that the Insites code is on 585 sites in our tracker, we wanted to highlight what their solution looks like. While Cookie Consent enables sites to record whether users consented to cookie tracking, there is no consent toggling beyond a high-level 'accept or not', nor does it integrate with downstream ad tech partners.

cookie consent insite consent management platform

While the bar's CSS differs by site, they all appear as notification boxes on the top or bottom of the page.

The prompt itself is simple, letting users know the site uses cookies. Some sites have just an 'Accept' button, others have both 'Deny' and 'Accept', and some just say that continued use of the site equates to consent (likely not GDPR-compliant).

Clicking 'Learn More' takes users to the site's privacy page.

Insite's Cookie Consent tool may be fine for a site that doesn't show programmatic ads, but it's not a viable solution for a publisher looking for a Consent Management Platform that integrates with ad partners and allows for vendor-level consent.

11. Piwik PRO

Piwik PRO’s integrated consent management system allows website and app analytics to be fully compliant with the strictest privacy laws in the world, such as EU’s GDPR, California’s CCPA and Brazil’s LGPD. Users of Piwik PRO’s consent manager can collect and process consent forms as well as manage visitor (data subject) requests.

An integration with Piwik PRO’s Tag Manager fires only those tags consistent with the consent choices of a website visitor. This allows for a zero-cookie load function, preventing tags from firing before there is legal consent.

piwik pro

Piwik PRO Consent Manager provides a selection of pop-up and bottom-bar templates. A built-in consent-form editor and JavaScript API integration also allow for full customization of all consent forms and widgets.

piwik pro

Visitors (data subjects) can send their data requests via a customizable widget. Consent Manager collects requests in one place where users can gather, process and resolve requests. A full history of visitor consents and data requests is also recorded, which can serve as a proof of compliance in case of an audit by data protection authorities.

piwik pro

Piwik PRO Consent Manager provides users aggregated data about the rate of opt-ins, broken down by the forms of data processing visitors consented to. It's important to keep a close eye on this data when optimizing forms and messaging for better rates of opt-in.

piwik pro

12. Crownpeak

The CMP built by Evidon (now Crownpeak) comes in many forms, with some being small banners and others full-screen prompts.

evidon consent management platform

Their deeper "More Options" screen isn't as intuitive as other CMPs's and is text-heavy, but they do provide good insight into how each vendor is being used.

evidon consent management platform

One nice touch is that Evidon links to the opt-out pages for many vendors, so if you wanted to do a mass opt-out for that ad tech company, you have an easy path to. This was the only CMP we found that did this (others just drove to the vendor's privacy page).

Where does Google - the ad tech king - fit into all of this?

According to our research, Google’s CMP (known as Funding Choices) is in 12 sites across the Top 10K US and UK sites (as of May 2020), making it the 35th most-common CMP. Not only that, but that's down from its peak of 30 sites in April 2019.

Given that Google’s ad tech products are nearly always #1 in market share, this position is no doubt disappointing to them. Google’s rank is even more surprising given that their publisher-side ad server (Google Ad Manager, previously DFP) is by far the #1 ad server in the US and UK, and it would be logical to use a CMP that’s already integrated with one’s ad server.

Google had a number of missteps with their roll-out, though, including limiting publishers to 12 vendor partners before reversing that stance about a month later. Funding Choices was still in beta for over four months after the GDPR enforcement date (May 2018), so they missed the opportunity to mass-release a product before others could gain market share.

Their CMP is also one of the weakest available:

google funding choices consent management platform

One would expect a CMP with more functionality and a better UI from Google, but it's basically just a list of ad partners, with no insight into what data the individual vendors collect and no way to opt-out by vendor or by use case.

The prompt looked nearly identical on all sites, indicating customization is limited too.

This doesn’t mean Google won’t find a way to improve their offering and convince publishers to use them instead. If there’s anything we know about ad tech, it’s that you can’t rule Google out to provide a good product, make it free, and see mass adoption.

What’s the future of CMPs?

Since the GDPR isn't going away, we expect CMPs to stick around, and we'll likely see many more digital agencies and networks/exchanges registering CMPs with the IAB in the coming year.

As mentioned above, we also expect that Google will improve their Funding Choices CMP and offer a seamless integration with Google Ad Manager (previously DFP) and other downstream ad partners. Given that OneTrust is in 524 sites to their 13, though, Google has an uphill climb to win this market.

Ultimately, publishers with any amount of European traffic would benefit from implementing a CMP, particularly if the promising results from Mediavine, Quantcast, and Purch hold true for the industry. Moreover, using a CMP is a proactive step to show that you are mindful of the GDPR and are trying to stay above board, thus mitigating the risk that you'll be slapped with a major fine.

Chris Shuptrine
Chris Shuptrine

Chris has worked in ad tech for over fourteen years in a variety of roles - giving him customer support, PM, and marketing perspectives from both the advertiser and publisher sides. He's the VP of Marketing at Kevel.