What Is Cookie Consent?
Cookie consent is the practice of asking for a user's informed, affirmative permission before storing or reading non-essential cookies on their device. It is a legal requirement under the EU's ePrivacy Directive and GDPR, and similar rules now exist in other parts of the world. On most sites, you see it as the cookie banner that pops up on your first visit, run by a piece of software called a consent management platform (CMP).
Why cookie consent exists
The legal basis for cookie consent comes primarily from the ePrivacy Directive (2002/58/EC, amended in 2009), which requires informed consent before storing information on a user's device. GDPR reinforced this by raising the standard for what counts as valid consent: it must be freely given, specific, informed, and unambiguous.
Similar requirements now exist in Brazil (LGPD), California (CCPA/CPRA), South Africa (POPIA) and other jurisdictions, although the specific mechanisms vary.
Which cookies require consent?
Under the ePrivacy Directive, only "strictly necessary" cookies are exempt. These include:
- Session cookies for maintaining login state
- Shopping cart cookies in e-commerce
- Security cookies (CSRF tokens, authentication)
- Load-balancing and CDN cookies
Everything else needs consent before it can be set: analytics, advertising, third-party cookies, social media widgets, tracking pixels, and personalisation cookies.
How consent banners work
A consent management platform (CMP) displays a banner or modal when a user first visits the site. The banner must:
- Identify the categories of cookies being used and their purposes
- Allow the user to accept or reject each category individually
- Block non-essential cookies until consent is given (opt-in, not opt-out)
- Record the user's choice and honor it on subsequent visits
Common CMPs include OneTrust, Cookiebot, TrustArc, and Quantcast Choice. Each one implements the IAB Transparency & Consent Framework (TCF) so it can pass consent signals to ad tech vendors in a standard format.
The gap between consent and reality
Having a consent banner does not guarantee compliance. Common issues include:
- Scripts and cookies fire before the user interacts with the banner. Tracking pixels can set cookies via HTTP headers the moment they load, before any consent logic runs.
- Tracking cookies get classified as "necessary" to slip past consent.
- Cookies still get set after the user declines.
- Third-party pixels and scripts set cookies that nobody declared in the consent banner at all.
This gap is why auditing matters. Tagmaps does consent-aware scanning. It interacts with your CMP and captures what fires before consent, after acceptance, and after rejection, so you can see how the site actually behaves in each state.
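The four issues listed above can be checked mechanically once you have the banner's declared cookie list and the cookies seen in each consent state. The following is an added example, not Tagmaps code or any CMP's API; the cookie inventory, the observations and the short tracker-name list are constructed assumptions.

```javascript
// Added example. Cookie names, categories and observations are constructed.
const NECESSARY = "necessary";

// Small illustrative list of cookie names commonly set by analytics/ad tags.
const KNOWN_TRACKERS = new Set(["_ga", "_gid", "_fbp", "_gcl_au"]);

// What the banner declares: cookie name -> category.
const declared = new Map([
  ["sessionid", "necessary"],
  ["csrftoken", "necessary"],
  ["_ga", "analytics"],
  ["_gcl_au", "necessary"], // tracker declared as necessary
]);

// Cookie names captured in each consent state (constructed).
const observed = {
  preConsent: ["sessionid", "csrftoken", "_fbp", "_gcl_au"],
  afterAccept: ["sessionid", "csrftoken", "_ga", "_fbp", "_gcl_au"],
  afterReject: ["sessionid", "csrftoken", "_ga", "_gcl_au"],
};

function auditConsent(declared, observed) {
  const findings = [];
  const add = (issue, cookie, state) => findings.push({ issue, cookie, state });
  // A "necessary" label is not trusted when the name is a known tracker.
  const isExempt = (name) =>
    declared.get(name) === NECESSARY && !KNOWN_TRACKERS.has(name);

  for (const [name, category] of declared) {
    if (category === NECESSARY && KNOWN_TRACKERS.has(name)) {
      add("tracker-classified-necessary", name, "declaration");
    }
  }
  for (const [state, names] of Object.entries(observed)) {
    for (const name of new Set(names)) {
      if (!declared.has(name)) add("undeclared", name, state);
      if (state === "afterAccept" || isExempt(name)) continue;
      add(state === "preConsent" ? "set-before-consent" : "set-after-reject",
          name, state);
    }
  }
  return findings;
}

for (const f of auditConsent(declared, observed)) {
  console.log(`${f.issue}: ${f.cookie} (${f.state})`);
}
```

A name-based tracker list only catches well-known cookies, so a real audit would also look at which domain or script set each cookie.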