The General Data Protection Regulation (GDPR) has given the world much since its enforcement date in May 2018, including headaches for publishers, memes, overflowing inboxes, horror stories, and even soothing lullabies.
It's also given us Consent Management Platforms (CMPs), an advertising tech tool for collecting user consent and passing that data to downstream ad partners.
These CMPs simplify a huge pain point for publishers: if you work with 10-20+ ad partners - from exchanges to DSPs to data providers - how do you get the consent you need to legally enable user-level ad targeting (with its higher eCPMs)?
Not asking for consent - but still collecting data - is a non-starter, as GDPR fines can be €20M or 4% of your yearly revenue (whichever is higher).
Also - as a small terminology clarification, technically the IAB's acronym of CMP stands for 'Consent Management Provider'. That said, the industry is more apt to use 'Platform'. For example, a Google search for "consent management platform" returns 34K results, while "consent management provider" returns 2.5K. Regardless, the exact word doesn't change the meaning of the phrase.
Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop-up, including WordPress plug-ins and the leading tool from Silktide.
These tools are still around, and many sites continue to use them under the GDPR.
However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.
A consent management platform (CMP) is a tool that enables a website or app to be GDPR-compliant. It does this by prompting users for consent, collecting and managing that information, and passing the data to downstream ad partners.
Often the phrase goes hand-in-hand with IAB Europe's Transparency & Consent Framework and the CMPs registered with them. Technically, though, 'Consent Management Platform' is a broader phrase that doesn't necessitate IAB integration.
The IAB Framework connects registered CMPs with a centralized list of ad tech vendors. Using this, first-parties can get consent to process user data by vendor and send that data to all third-parties. This brings transparency and accountability to the entire advertising supply chain, as the publisher can feel confident they are working with a GDPR-compliant ad partner and vice-versa.
For CMPs not registered with the IAB, they can acheive the same result by using a custom vendor list. In either scenario, there's transparent consent tracking between the publisher and downstream partners.
Another value-add of CMP tech is that it can sniff the user's location and show the prompt just to EU residents. This helps to comply with the law while not intruding on non-EU user experiences.
Below are the May 2020 numbers from our Ad Tech Insight's Consent Management Platform tracker, which looks at the Top 10K sites in both the UK and US.
We found that 39.7% of UK publisher and 35.2% of US publishers use third-party CMPs (with 'publishers' defined as sites that do programmatic advertising). Overall, 23.4% of UK sites (top 10K) use a CMP, and 20.7% of US sites do.
What's ultimately "compliant" will be decided in the courts and from new guidance form the EU.
For instance, a strict interpretation of the law would require publishers to get opt-in consent by individual vendor, rather than an 'Accept All' or 'Deny All' pop-up prompt. But currently that's not the way CMPs are structured.
The approach that publishers and ad tech vendor are taking is that a mass opt-in button - with an option to dive deeper and toggle consent by vendor - follows the "spirit of the law". This stance is increasingly coming under fire, though, especially as seen by a new study by researchers at UCL, MIT, and Aarhus University.
Early reports are promising for the efficacy of CMPs.
According to Mediavine, CPMs were 52% higher for sites that implemented a CMP, and fill rates were 39% higher.
The below stats also come from Kevel’s monthly Consent Management Platform tracker and tracks how many times we found the vendor's CMP across the Top 10K UK and Top 10K US sites (16K unique sites). They were last updated May, 2020.
|Company||# of Sites||Industry|
|OneTrust||639||Privacy compliance management|
|Quantcast||425||Marketing analytics and audience insights|
|TrustArc||199||Privacy compliance management|
|Sourcepoint||102||Content compensation platform|
|Tealium||75||Data hub and tag management|
|AdThrive/CafeMedia||74||Ad monetization platform|
|Ensighten||40||Security and performance managmeent|
|Iubenda||34||Legal compliance tools & software|
|Verizon Media||31||Media conglomerate|
|Venatus Media||31||Entertainment advertising platform|
What's also interesting is the hodgepodge of companies that comprise this list: there are many privacy management services, but also ad platforms, digital agencies, and data/analytics tools.
Here are the top consent management platforms platforms, with comparisons around look, feel, and functionality.
Iubenda's CMP does a great job not being an obtrusive pop-up banner, but instead defaults to a small noticeable black banner at the top of the page. The banner, like everything else in their Cookie Solution, is fully-customizable.
The instructions are clear, and users have the option to accept or get more information — a practice that most CMPs also employ — however, with iubenda's solution, you can set multiple options (like scrolling, clicking accept, etc.) for registering consent.
If users decide that they want to further customize their preferences, they can click on the “customize preferences” button, which takes them to this preferences area where they can toggle consent preferences by data purpose and by individual vendor:
The great thing about this solution (and what makes it easily number 1 for us) are the plugins. iubenda's available plugins make it pretty easy to auto-block several popular cookie scripts right out of the box until the user gives consent. Since blocking the scripts is legally mandatory but pretty tricky to set up if you don't know what you're doing, this feature saves tones of time and effort.
OneTrust’s CMP allows you to choose from various professionally-designed templates to meet all user interface requirements, and customize language and branding.
Using out-of-the-box templates to support GDPR, CCPA, IAB TCF v2 as well as native apps, the banner will show buttons to “accept”, “reject”, “choose preferences” or “show purposes”.
The banner links to a clean preference center that allows users to easily toggle consent by purpose and clicking check boxes for individual vendor consent.
OneTrust also offers a tool that allows you to build a custom CMP for free in just a few steps; choose from out-of-the-box templates, customize preference center content for purposes and stacks, set the scope of notice to a global or EU audience, then simply install by copying and pasting the code snippet onto a website.
The CMP built by Evidon (now Crownpeak) comes in many forms, with some being small banners and others full-screen prompts.
Their deeper "More Options" screen isn't as intuitive as other CMPs's and is text-heavy, but they do provide good insight into how each vendor is being used.
One nice touch is that Evidon links to the opt-out pages for many vendors, so if you wanted to do a mass opt-out for that ad tech company, you have an easy path to. This was the only CMP we found that did this (others just drove to the vendor's privacy page).
Like they did with Prebid - their open-source header bidding wrapper - AppNexus released an open-source CMP for others to build off of. In our analysis, about 60 sites had built their own CMP based on AppNexus's tool. In addition, many of the third-party CMPs are based on AppNexus's code.
Most AppNexus-based CMPs have a similar look and feel:
The prompt generally appears on the page's bottom with just an 'Accept' option. You can then dive deeper and toggle consent by use case and vendor.
Like most CMPs on this list, Quantcast's employs a full-page prompt that requires the user to interact before accessing content. Many of the Quantcast examples involve an easy 'Deny All' option alongside 'Accept All'. Most other CMPs, on the other hand, have only an 'Accept' button, preventing easy opt-outs.
Additionally, like other CMPs, Quantcast has a link that takes users to a screen where they can toggle consent by data purpose and by individual vendor.
Quantcast’s navigation, layout, vendor breakdown, and easy opt-out options make it, in our opinion, a very user-friendly solution.
TrustArc's CMP looked similar across most sites, indicating it may have minimal customization options.
In the 'More Information' link, most sites used a sliding knob to grant consent by three types of cookies: 'required', 'functional', and 'advertising'. Beyond seeming out-of-place, the knob format means you can't grant access to 'advertising' cookies without also granting it to 'functional'.
That said, you can toggle these use cases individually by diving even deeper via the "Advanced Settings" link (though not all TrustArc CMP examples had this option). It makes one wonder why 'More Information' doesn't just go directly to this page.
Cookie Control originally started out as a simple cookie notification bar, but recently made the upgrade to a full-fledged CMP.
The layout is clean, with options to opt-out by cookie purpose. Their website indicates there are vendor-level breakdown capabilities too, but we couldn't find any site that showed individual vendors.
Verizon Media - the parent company of AOL, Yahoo!, and others - has a CMP that's both a first-party and third-party tool. You may also hear it by the name 'Oath', which is Verizon's ad tech / media branch that it recently rebranded to Verizon Media.
Verizon's CMP suffers from too much simplicity. There is no vendor breakdown, let alone a way to toggle consent by vendor. They do provide the ability to easily accept/reject different use cases, but the overly-simple visuals, the abundance of white space, the lack of vendor breakdowns, and the use of small hover text to explain each purpose is a bit disappointing for such a large company.
Customers who use Tealium's tag management solution can now use it to collect consent as well. Implementation includes a non-intrusive banner at the top or bottom of the page.
There appears to be many customization options as well, with few sites having the same look and feel.
Clicking further brings up an interface to toggle by use case:
Like others, Tealium's CMP suffers from the lack of vendor-level information and consent toggling, making it not as robust as other options.
Given that the Insites code is on 585 sites in our tracker, we wanted to highlight what their solution looks like. While Cookie Consent enables sites to record whether users consented to cookie tracking, there is no consent toggling beyond a high-level 'accept or not', nor does it integrate with downstream ad tech partners.
While the bar's CSS differs by site, they all appear as notification boxes on the top or bottom of the page.
Clicking 'Learn More' takes users to the site's privacy page.
Insite's Cookie Consent tool may be fine for a site that doesn't show programmatic ads, but it's not a viable solution for a publisher looking for a Consent Management Platform that integrates with ad partners and allows for vendor-level consent.
Piwik PRO’s integrated consent management system allows website and app analytics to be fully compliant with the strictest privacy laws in the world, such as EU’s GDPR, California’s CCPA and Brazil’s LGPD. Users of Piwik PRO’s consent manager can collect and process consent forms as well as manage visitor (data subject) requests.
An integration with Piwik PRO’s Tag Manager fires only those tags consistent with the consent choices of a website visitor. This allows for a zero-cookie load function, preventing tags from firing before there is legal consent.
Visitors (data subjects) can send their data requests via a customizable widget. Consent Manager collects requests in one place where users can gather, process and resolve requests. A full history of visitor consents and data requests is also recorded, which can serve as a proof of compliance in case of an audit by data protection authorities.
Piwik PRO Consent Manager provides users aggregated data about the rate of opt-ins, broken down by the forms of data processing visitors consented to. It's important to keep a close eye on this data when optimizing forms and messaging for better rates of opt-in.
According to our research, Google’s CMP (known as Funding Choices) is in 12 sites across the Top 10K US and UK sites (as of May 2020), making it the 35th most-common CMP. Not only that, but that's down from its peak of 30 sites in April 2019.
Given that Google’s ad tech products are nearly always #1 in market share, this position is no doubt disappointing to them. Google’s rank is even more surprising given that their publisher-side ad server (Google Ad Manager, previously DFP) is by far the #1 ad server in the US and UK, and it would be logical to use a CMP that’s already integrated with one’s ad server.
Google had a number of missteps with their roll-out, though, including limiting publishers to 12 vendor partners before reversing that stance about a month later. Funding Choices was still in beta for over four months after the GDPR enforcement date (May 2018), so they missed the opportunity to mass-release a product before others could gain market share.
Their CMP is also one of the weakest available:
One would expect a CMP with more functionality and a better UI from Google, but it's basically just a list of ad partners, with no insight into what data the individual vendors collect and no way to opt-out by vendor or by use case.
The prompt looked nearly identical on all sites, indicating customization is limited too.
This doesn’t mean Google won’t find a way to improve their offering and convince publishers to use them instead. If there’s anything we know about ad tech, it’s that you can’t rule Google out to provide a good product, make it free, and see mass adoption.
Since the GDPR isn't going away, we expect CMPs to stick around, and we'll likely see many more digital agencies and networks/exchanges registering CMPs with the IAB in the coming year.
As mentioned above, we also expect that Google will improve their Funding Choices CMP and offer a seamless integration with Google Ad Manager (previously DFP) and other downstream ad partners. Given that OneTrust is in 524 sites to their 13, though, Google has an uphill climb to win this market.
Ultimately, publishers with any amount of European traffic would benefit from implementing a CMP, particularly if the promising results from Mediavine, Quantcast, and Purch hold true for the industry. Moreover, using a CMP is a proactive step to show that you are mindful of the GDPR and are trying to stay above board, thus mitigating the risk that you'll be slapped with a major fine.
Chris has worked in ad tech for over twelve years in a variety of roles - giving him customer support, PM, and marketing perspectives from both the advertiser and publisher sides. He's the VP of Marketing at Kevel.