What is a CMP and how does it work?


CMP stands for Consent Management Platform or Consent Management Provider. A CMP is integrated into a website and asks the user for consent on data protection and privacy related topics (mostly referring to cookies and tracking). The difference between a “Cookie Banner” and a CMP is, that a Cookie Banner does not have an impact on which cookies or trackers are used — it has just informative purpose.

A CMP is an interactive tool, which allows the user to give consent to a selected range of vendors. A vendor is a 3rd party on the website which might collect user data for tracking, personalization, marketing, advertising or performance metrics. To allow a vendor figure which consent was given, the CMP offers an API (Transparence and Consent Framework API, TCF). For proper consent management, the vendors need to fully support TCF.

Technically, the CMP is the first JavaScript to be loaded on the website. Very likely this JavaScript is loaded from a host name which ends with consensus.org. TCF compliant vendor scripts will be loaded after the CMP and register a Listener with the CMP to get notified, as soon as the user gave consent (or not). As long no explicit consent by the users was given, the vendor must not drop a cookie unless it is a functional requirement for the website (eg: for Load Balancing, Login or a Shopping Cart or the CMP Cookie with the TC String).

The CMP collects user consent thru a UI on the website and stores the information in a cookie, but also very likely in the backend of the CMP as recommended by the IAB. As cookies become less and less popular also local storage is a valid option for the user content. Technically speaking the CMP acts as an API to the consent storage on the client. Whatever technology is used and will be used, there has to be standardized JavaScript API for vendors to obtain the consent information (encoded in a so called TC String in the cookie/local storage).

To test if a CMP is available for a vendor, simple copy and paste

this.__cmp(“ping”, 2, function(pingResult, success){alert(JSON.stringify(pingResult));});

in the JavaScript Console of the Browser and a Pop-up will show, if the CMP is able to differentiate between GDRP and non-GDPR users.

But, neither the CMPs nor the IAB is intended to facilitate the lawful processing of special categories of personal data (Paragraph IV). Also an interesting site note: Google currently is not yet listed as a vendor, but shows commitment to be compliant “when the IAB has completely migrated to TCF 2.0”.


Comments are closed.