The Consent Management Platform - CMP - has become one of the most important pieces of technology on any publisher’s site, and also one of the most misunderstood. In the years since GDPR, the CMP market has grown dramatically, and with it, a set of common misconceptions about what a CMP is supposed to do and how it should be configured.
This guide is for publishers who want to understand their obligations clearly and implement consent management that is both genuinely compliant and, where possible, commercially optimal.
What a CMP is - and isn’t
A CMP is a system that manages the collection, storage, and communication of users’ consent choices regarding the processing of their personal data, particularly in the context of online advertising and analytics. It is responsible for:
- Presenting users with clear, accurate information about what data will be collected and how it will be used
- Collecting and recording users’ consent choices (or legitimate interest objections)
- Communicating those choices to every technology vendor on the site that processes personal data
- Providing users with the ability to change or withdraw their consent at any time
What a CMP is not is a tool for maximising consent rates at any cost. The entire purpose of GDPR consent requirements is to give users genuine control over their data. A CMP designed primarily to nudge users towards acceptance, through confusing language, buried rejection options, or dark patterns, is not fulfilling its legal function - regardless of whether it is technically certified by the IAB’s TCF programme.
The IAB TCF and why it matters
IAB Europe’s Transparency and Consent Framework (TCF) is the industry standard for communicating consent signals through the programmatic advertising ecosystem. When a user makes consent choices on a TCF-compliant CMP, those choices are encoded into a TC String that is passed to every demand-side platform, supply-side platform, and data vendor that participates in the framework - allowing them to process data only for the purposes and vendors that the user has consented to.
TCF 2.2, the current version, is more robust than its predecessors in terms of how it handles purposes and special features. It requires more granular transparency about how data is used, and it closes some of the loopholes that earlier versions allowed.
However, the TCF is a communication mechanism, not a compliance guarantee. A CMP can be TCF-certified and still use dark patterns. The certification means that the technical consent signal handling is correct - not that the user experience of collecting consent is compliant with GDPR requirements.
The dark pattern problem
Dark patterns in consent management are user interface designs that manipulate users into accepting data collection they might otherwise decline. Common examples include:
Asymmetric presentation: The “Accept All” button is prominent, colourful, and immediately visible. The “Manage Preferences” or “Reject All” option is smaller, greyer, harder to find, and requires additional clicks.
Purpose conflation: Consent for advertising cookies is bundled with consent for functional cookies that are genuinely needed for the site to work, creating the impression that rejecting advertising consent means the site won’t function properly.
Pre-ticked checkboxes: Individual vendor or purpose checkboxes are ticked by default in the detailed consent view, requiring users to actively untick each one rather than actively opting in.
Withdrawal friction: Accepting consent is one click; withdrawing it requires navigating several menus and confirming a decision multiple times.
These patterns are specifically addressed in ICO guidance and EDPB guidelines on consent. They are not compliant, regardless of whether they generate high consent rates. Publishers using CMPs that default to these approaches are operating on borrowed time.
Choosing a CMP
The CMP market includes dozens of vendors, ranging from enterprise platforms used by large media groups to more accessible options suitable for independent publishers. When evaluating options, the key questions are:
Does it support TCF 2.2? Any CMP being newly implemented should support the current version of the TCF as a minimum.
How does it handle the reject path? The consent experience should be symmetrical: rejecting all non-essential cookies should be as easy as accepting them. If a CMP makes this difficult by design, look elsewhere.
How does it communicate with your ad tech stack? A CMP that doesn’t correctly pass consent signals to your ad server, header bidding wrapper, and analytics platform is creating compliance exposure regardless of how compliant the banner itself looks.
Does it support server-side consent storage? Browser-based consent storage is vulnerable to being cleared along with other cookie data. Server-side storage provides a more durable record of consent choices.
What does your analytics look like with it? A good CMP implementation should give you clear visibility of your consent rates by purpose, by geography, and over time. If you can’t see this data, you can’t manage compliance proactively.
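One way to check the ad tech stack question above in practice is to gate each vendor tag on the TCF signal the CMP exposes through the `__tcfapi` function. The sketch below is an added example, not code from any CMP vendor; it assumes the vendor relies on consent (not legitimate interest) for the listed purposes, and the vendor ID, purpose list and the `onGrant`/`onWithdraw` callbacks are hypothetical.

```javascript
// Added example. Vendor ID 42 and purposes [1, 2] used in the usage line are
// constructed sample values, not taken from any real vendor list.

// Classify a TCData object as 'allow', 'deny' or 'pending' for one vendor.
function consentDecision(tcData, vendorId, purposes) {
  if (!tcData) return 'deny';                          // no signal: fail closed
  if (tcData.gdprApplies === false) return 'allow';    // CMP reports GDPR not applicable
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return 'pending';                      // banner still open: wait
  const vendorOk = tcData.vendor?.consents?.[vendorId] === true;
  const purposesOk = purposes.every((p) => tcData.purpose?.consents?.[p] === true);
  return vendorOk && purposesOk ? 'allow' : 'deny';
}

// Subscribe to the CMP and start or stop a vendor as the signal changes.
// onGrant and onWithdraw are hypothetical callbacks supplied by the site.
function gateVendor(win, vendorId, purposes, onGrant, onWithdraw) {
  if (typeof win.__tcfapi !== 'function') return false; // no CMP present: load nothing
  let active = false;
  win.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success) return;
    const decision = consentDecision(tcData, vendorId, purposes);
    if (decision === 'allow' && !active) { active = true; onGrant(); }
    if (decision === 'deny' && active) { active = false; onWithdraw(); }
  });
  return true;
}

// Browser usage (commented out so the block also runs under Node):
// gateVendor(window, 42, [1, 2], loadAdTag, stopAdTag);
```

A tag that fires before the decision is 'allow', or keeps running after a withdrawal, is the kind of compliance exposure described above even when the banner itself looks correct.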
The commercial reality
The most persistent objection we hear to properly compliant CMP implementation is that it will reduce consent rates and therefore reduce advertising revenue. This is true in the short term, in the narrow sense that a fully compliant banner will typically generate lower consent rates than a dark-pattern-laden one.
But the calculation is more complex than that. Publishers running non-compliant consent flows face regulatory risk that could result in fines, public enforcement action, and reputational damage that dwarfs any short-term revenue gain from elevated consent rates. They also face the risk that major advertising partners - increasingly sophisticated about compliance - refuse to work with them.
More importantly, the value of non-consented inventory has changed. With the deprecation of third-party cookies, contextual advertising - which does not require consent - has improved dramatically in both quality and price. A publisher who cannot monetise non-consented impressions at all is leaving money on the table through poor advertising strategy, not through proper consent management.
Getting consent management right is a business decision as much as a legal one. The publishers who treat it seriously end up with more sustainable, more valuable, and more resilient advertising operations.