Best Practices

The Definitive Guide to Consent Management

Ben Werner
February 26, 2025

In today's digital landscape, proper handling of user consent and personal data isn't just good practice—it's a legal requirement in most countries around the world.

In response to privacy laws in Europe and California going into effect in 2018 and 2020 respectively, nearly all websites in the US and Europe now display consent banners. Billions of dollars in privacy fines later, we have seen that banners alone are not enough.

Personal data has leaked to advertising third parties even after users opted out. Sensitive data not disclosed in privacy policies has leaked as well. Consent banners have been flagged for misleading users.

For privacy teams to ensure their websites, mobile apps, and other user-facing applications are managing consent properly, they need centralized controls and continuous monitoring. 

With consumer expectations rising, privacy fines increasing, and software updates accelerating, privacy teams cannot simply trust other teams to manage consent properly. They need privacy solutions based on evidence.

This comprehensive guide explores everything businesses need to know about consent management, including requirements, solutions, and best practices.

What Is Consent Management?

Consent management is the process of obtaining, storing, and managing user permissions for personal data processing: collection, usage, and sharing. It encompasses the systems and practices organizations use to ensure they have proper authorization before processing an individual's personal data. These include privacy policy disclosure, consent collection, data processing controls, consent record keeping, and permission update management.

Modern consent management goes beyond a simple cookie banner on a website. Consent management is critical anywhere personal data is collected, including mobile apps, connected TV apps, and websites. It requires creating transparent, user-friendly interfaces to collect and act on users' consent choices.

What Is a Consent Management Platform?

A consent management platform (CMP) is a software solution that collects, acts on, and records user consent for websites, mobile apps, and/or connected TV apps. CMPs must be able to operate across digital properties; web-only cookie consent managers are no longer sufficient. 

On the surface, these tools offer customizable cookie banners that allow users to opt in or out of data processing. On the backend, consent management tools act on user preferences by limiting data sent to third parties and internal systems.

To comply with the complex web of privacy regulations in the US, Europe, and countries around the world, CMPs are important for any company collecting personal data on their digital properties. CMPs are a must-have for any company running digital advertising campaigns, because sending personal data to advertising third parties without proper consent can result in highly damaging privacy violations, particularly in the US and Europe. 

To help maintain compliance, consent management platforms should include the following key features. 

Consent collection

  1. Customizable, user-friendly consent/cookie banners and preference centers for websites, mobile apps, and connected TV apps
  2. User experiences responsive to regulations in user’s location and device/channel
  3. Consent settings based on regulations and policies by location

Data flow configuration

  1. Catalog of all cookies, pixels/tags/trackers, tag managers, and SDKs on websites, mobile apps, and connected TV apps via the CMP’s cookie scan, web SDK / script tag, and SDK
  2. Consent handling workflows by geography that limit data sharing according to user consent choices by destination and based on sharing purpose; this should include sharing from backend systems via integrations and APIs 

Consent reporting 

  1. Centralized storage of consent records with auditable logs
  2. Consent analytics and reporting for compliance documentation

Why Is Consent Management Needed?

The short answer is privacy fines. Regulators have increased scrutiny, and the rate of privacy fines is increasing. Regulators are responding to increasing concerns from consumers over the handling of their personal data. Transparent and responsible consent management also builds trust with consumers and increases loyalty. 

US Consent Requirements: CPRA, CIPA, & Other State Laws

The United States has entered a new era of privacy regulation, with the California Consumer Privacy Act (CCPA) and its 2024 amendment, the California Privacy Rights Act (CPRA), leading the way. These regulations fundamentally change how businesses must handle personal data, introducing strict requirements for consent management and data processing.

Under these laws, businesses must provide clear notice before collecting personal data and obtain explicit consent for certain data processing activities. The requirements include:

  • Prominent "Do Not Sell or Share My Personal Information" links on websites and apps
  • Detailed privacy notices explaining data collection and use practices
  • Right to opt out of selling personal data to any third parties
  • Right to opt out of sharing personal data with advertising third parties
  • Specific opt-in requirements for processing minors' personal information
  • Maintenance of detailed consent records for at least 24 months

In addition to giving users the option to opt out on a website or app, CPRA also requires companies to honor users' Global Privacy Control (GPC) setting in their browser. GPC allows users to universally opt out of personal data selling and sharing for all websites. Sephora was fined by California in 2022 because it ignored opt-out requests from GPC signals and continued to sell those users' data.

Although CPRA is the new standard for privacy regulation in the US, privacy leaders are currently most worried about lawsuits for violating another California privacy law, the California Invasion of Privacy Act (CIPA). 

CIPA was enacted all the way back in 1967 to prevent wiretapping or eavesdropping on telephones. Even though CIPA was not designed to regulate online privacy, lawyers have argued that the use of web and app tracking technologies without consent is equivalent to the wiretapping that CIPA prohibits. 

This decades-old law is now responsible for at least 1,641 online privacy lawsuits since 2022. Since many of these claims are being filed in private arbitration and are resolved without any publicly filed lawsuits, the law firm Fisher Phillips estimates that the number of businesses affected since 2022 is closer to 5,000. You might be wondering: why are lawyers suing under the obscure CIPA law instead of the new CPRA? 

CPRA does not provide a private right of action for privacy violations. Only the California Attorney General’s Office can take action against companies violating CPRA’s “Do Not Sell or Share” rule.  

CIPA, on the other hand, does provide a private right of action, and lawyers are currently looking to get as many quick CIPA settlements as possible. To build a claim, Fisher Phillips reports that law firms often pay a "tester" to use websites and apps and document the personal data shared with third parties when the user opts out, opts in, or takes no action. With this information, law firms threaten companies with large class action lawsuits, often in an effort to reach a quick settlement.

For the nearly 1,700 CIPA online privacy lawsuits that have been filed publicly since 2022, the courts are still litigating how CIPA should be applied to online privacy. Regardless, more US companies than ever are now at risk of expensive privacy lawsuits. 

Outside of California, the complexity has continued to increase as nearly 20 other states have enacted their own privacy laws since 2021. Each state's law brings unique requirements, creating a complex patchwork of consent obligations that businesses must navigate.

The Texas privacy law has already led to lawsuits less than a year after enforcement began. In January 2025, the Texas Attorney General filed a landmark lawsuit against Allstate, a leading US insurance company, for collecting sensitive personal data from 45 million drivers through various mobile apps without consent.

Europe Consent Requirements: GDPR

The General Data Protection Regulation (GDPR) remains the global benchmark for privacy protection and consent management. As the first privacy law of its kind to go into effect in 2018, GDPR’s requirements have influenced privacy regulations worldwide and set the standard for how organizations should approach consent management.

GDPR's consent requirements are particularly stringent, demanding that consent be:

  • Freely given, with no detriment if consent is refused
  • Specific to each processing purpose
  • Informed, with clear explanation of data use
  • Unambiguous, requiring clear affirmative action
  • As easy to withdraw as to give
  • Demonstrable, with detailed records maintained
  • Separate from other terms and conditions
  • Written in clear, plain language accessible to all users

The TL;DR: GDPR requires opt-in consent to collect, use, or share any personal data.

As a result, users must opt in before companies can place first or third party cookies on their web browser, collect device IDs in apps, or send any personal data to third parties. 

Because user identifiers like cookies and device IDs cannot be collected without consent, that means personalized ads cannot be displayed unless the user gives consent. For websites and apps that run live ad auctions based on user data, ad auctions should not receive user identifiers by default, and the auction should be delayed long enough for the user to opt in.  

To provide the digital advertising industry with a standardized approach to comply with GDPR, the IAB (Interactive Advertising Bureau) introduced the Transparency and Consent Framework (TCF) in 2018. TCF has been widely adopted by advertisers, publishers, marketing partners, and consent management platforms (CMPs) in Europe. 

To comply with TCF, websites and apps must create a user preference center that gives users the option to opt into data usage and sharing by purpose and by third party. Most companies implement this by using CMPs to categorize data use and third parties and limit data flows based on user preferences. 

GDPR also requires organizations to maintain detailed records of when, how, and what users consented to, creating an audit trail that can demonstrate compliance to regulatory authorities.

Failing to comply with GDPR consent requirements can be extremely costly, financially and reputationally. In 2021, Amazon was fined $888M, the second-largest GDPR fine to date, for targeting users with ads without proper consent. Smaller, less prominent companies are also at risk: Criteo was fined $44M in 2023 for the same reason as Amazon. In 2021, the Italian telecom company Wind Tre SpA was fined $18M for marketing to customers after it required customers to provide consent in order to use its mobile apps.

Consent Management Builds Consumer Trust

Beyond regulatory compliance, effective consent management has become a crucial element in building and maintaining consumer trust. In an era where data breaches and privacy scandals regularly make headlines, organizations that demonstrate respect for user privacy often gain a competitive advantage.

Strong consent management practices build trust by:

  • Demonstrating transparency about data collection and use
  • Giving users genuine control over their personal information
  • Showing respect for privacy preferences through consistent enforcement
  • Providing clear, accessible information about data practices
  • Maintaining open communication about privacy policies and changes

This trust translates into tangible business benefits, including increased customer loyalty, higher engagement rates, and improved brand reputation. Research shows that consumers are more likely to share data and engage with brands they trust to handle their information responsibly.

Use Cases for Consent Management Platforms

Websites

Website consent management represents the most common and visible implementation of privacy compliance. Modern websites often integrate with dozens of third-party services, from analytics to advertising partners, each requiring specific consent management approaches.

Effective website consent management requires sophisticated solutions that can:

  • Present user-friendly consent banners that clearly communicate data collection practices
  • Integrate seamlessly with tag management systems to control script loading
  • Maintain consent preferences across multiple user sessions and domains
  • Adapt consent requirements based on user geography and applicable regulations
  • Verify consent status server-side before processing personal data
  • Handle complex scenarios like A/B testing and personalization

Organizations must carefully balance user experience with compliance requirements, ensuring consent interfaces don't disrupt the user journey while still meeting legal obligations. This often involves sophisticated consent UI design, including progressive disclosure of information and contextual privacy controls.

Mobile Apps

Mobile applications present unique consent management challenges due to their distinct technical architecture and user interaction patterns. Unlike websites, mobile apps must handle both app-specific consent and device-level permissions, creating a more complex consent landscape.

Mobile consent management solutions must address:

  • Native consent UI that aligns with platform design guidelines
  • Permission management for device features like location and notifications
  • Consent orchestration across multiple third-party SDKs
  • Cross-app consent synchronization within the same organization
  • Offline consent storage and synchronization
  • Push notification permission optimization

The mobile environment also requires careful consideration of user context and timing. For example, requesting location permission at app launch may lead to lower opt-in rates compared to requesting it when the user accesses a location-based feature.

Connected TV Apps

Connected TV (CTV) applications represent a rapidly growing channel that brings its own set of consent management challenges. The unique viewing environment and input limitations of CTV platforms require specially adapted consent solutions.

CTV consent management must address:

  • Remote control-friendly interface design that maintains usability
  • Household-level consent management for shared devices
  • Cross-device consent synchronization with mobile and web platforms
  • Platform-specific implementation requirements across different CTV ecosystems
  • Efficient use of limited screen real estate for consent interfaces
  • Integration with ad delivery systems and content personalization

The growing importance of CTV in the advertising ecosystem makes effective consent management crucial for maintaining compliance while delivering personalized viewing experiences.

Why Consent Management Platforms Don't Ensure Compliance

While Consent Management Platforms provide essential tools for privacy compliance, they aren't a complete solution. Organizations often mistake implementing a CMP for achieving compliance, but the reality is more complicated. 

Although CMPs are critical for configuring consent banners and data flows across websites and apps in each region, CMPs can’t sufficiently monitor privacy compliance on their own.

Key CMP Limitations

  • CMPs lack full visibility into data collection and sharing: CMPs can only provide a surface-level view of what pixels, cookies, tag managers, or SDKs are deployed on a website or app. Without looking at the website's or app's code and backend data pipelines, it is not possible to see every personal data element that is actually sent to each third party. This is particularly true for data shared on the backend. Privacy teams would need to regularly review all workflows set up in the CMP and request engineering support in situations of doubt.
  • CMPs rely on continual manual configuration to maintain compliance: CMP misconfigurations and website/app changes regularly lead to privacy violations such as ignored consent signals or sensitive data sharing. If consent policies or data flows are not configured correctly for every device/channel, location, type of data, or third party, there are no alerts or safeguards to prevent privacy violations. Additionally, non-compliance can occur if the CMP is not updated when changes are made to the website or app by the engineering or marketing team. 
  • CMPs may lack functionality to comply with latest requirements by geography: Regional compliance requirements continue to change, and they may exceed CMP capabilities. New tracking technologies may also emerge that CMPs don't detect or manage.
  • Reactive issue resolution: Non-compliant cookies, pixels, tag managers or SDKs can only be discovered after they are live; the same goes for non-compliant data flows. These solutions cannot proactively prevent issues in the software development process. 

We are operating in an evolving regulatory landscape. What constitutes compliant consent management today may not meet tomorrow's requirements. Organizations must maintain active oversight of their consent management practices rather than relying on teams to properly maintain their CMP. 

Why Continuous Consent Monitoring Is Needed

The dynamic nature of software and privacy regulations makes continuous consent monitoring on websites and apps essential for maintaining privacy compliance. 

Even though most companies leverage consent management platforms (CMPs) to centrally manage consent banners and data flows, privacy teams do not have a way to reliably audit their CMP and generate evidence of compliance. Someone must manually check the configuration of each banner, pixel, tag manager, and SDK for every website and app in every region.

With most websites and apps getting updated on a weekly basis, automated and regular monitoring is required to prevent violations and prove compliance. Without it, companies open themselves up to privacy fines and reputational damage. 

Consent monitoring solutions help organizations automatically identify privacy risks before they become violations and generate the evidence privacy teams need to prove compliance. Additional benefits include:

  • Real-time detection of consent violations across digital properties
  • Verification of CMP implementation and effectiveness
  • Identification of unauthorized data collection activities
  • Documentation of consent compliance for audit purposes
  • Early warning of potential privacy risks and compliance gaps
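The following is an added illustration, not Privado's code, of what the "tester" replay described in the CIPA section and the continuous monitoring described here actually check: a captured session is replayed under a given region and consent state (with a browser Sec-GPC header treated as a CPRA opt-out, as in the GPC passage above), and every third-party request that still carries a user identifier is flagged. The hosts, identifier names, and captured requests are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed classification for a hypothetical site shop.example.com:
# its own hosts, the advertising partners it "shares" data with under CPRA,
# and the query parameters treated as user identifiers.
FIRST_PARTY = {"shop.example.com"}
AD_PARTNERS = {"px.example-pixel.com", "ads.example-dsp.net"}
ID_PARAMS = {"uid", "email", "idfa", "gaid", "fbp"}


@dataclass(frozen=True)
class Request:
    url: str
    cookies: tuple = ()  # names of cookies the browser attached


@dataclass(frozen=True)
class Finding:
    url: str
    reason: str


def effective_consent(stored_choice, headers):
    """CPRA treats a browser 'Sec-GPC: 1' header as a valid opt-out of
    sale/sharing, even if the banner was never answered ('none')."""
    if headers.get("Sec-GPC") == "1":
        return "opt_out"
    return stored_choice


def identifiers_in(req):
    """Return the user identifiers a request would hand to its destination."""
    found = sorted(set(parse_qs(urlparse(req.url).query)) & ID_PARAMS)
    found += ["cookie:" + c for c in req.cookies]
    return found


def audit(requests, region, consent):
    """Replay a captured session and flag flows that contradict consent.
    region: 'EU' (GDPR, opt-in required) or 'CA' (CPRA, opt-out of sale/sharing).
    consent: 'opt_in', 'opt_out' or 'none' (user ignored the banner)."""
    findings = []
    for req in requests:
        host = urlparse(req.url).hostname
        if host in FIRST_PARTY:
            continue
        ids = identifiers_in(req)
        if not ids:
            continue  # third-party call with no identifier: not a leak
        if region == "EU" and consent != "opt_in":
            findings.append(Finding(req.url, f"GDPR: {ids} sent to {host} without opt-in"))
        elif region == "CA" and consent == "opt_out" and host in AD_PARTNERS:
            findings.append(Finding(req.url, f"CPRA: {ids} shared with ad partner {host} after opt-out"))
    return findings


# Constructed capture of one page view after the user clicked "opt out".
OPT_OUT_SESSION = [
    Request("https://shop.example.com/api/cart?uid=123", ("session",)),
    Request("https://px.example-pixel.com/t?ev=view&fbp=fb.1.99", ()),
    Request("https://cdn.example-fonts.org/font.woff", ()),
]

if __name__ == "__main__":
    state = effective_consent("none", {"Sec-GPC": "1"})  # GPC signal -> opt_out
    for f in audit(OPT_OUT_SESSION, "CA", state):
        print(f.reason)
```

Running the same capture as an EU session with no banner action flags the same pixel request, since GDPR requires opt-in before any identifier leaves the site; a fonts CDN request with no identifier is not flagged in either region.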

Monitor Consent & Risks with Privado for Web & App

Privado offers comprehensive consent monitoring for websites and apps to help ensure compliance with each regulation in each location. No technical implementation is required. Privado simulates user interactions on live websites and apps and analyzes data flow activity against all privacy requirements.   

With the following key capabilities, our web and app auditing solutions can ensure CMPs and consent banners properly collect and act on user consent.

Privado Consent Monitoring Capabilities

  • Complete privacy risk monitoring coverage for websites, mobile apps (iOS & Android), and marketing platforms
  • Recurring scans and custom frequency
  • Consent banner and regulatory link visibility checks
  • 40+ preset checks for CPRA, GDPR, and other laws to prevent non-compliant cookies, pixels, SDKs, and data flows across jurisdictions and consent actions
  • Data element and flow discovery to prevent sensitive data leaks
  • Tag manager and CDP integrations to map all third-party data flows
  • OneTrust integration to sync third parties, data flows, and risks identified

Get Started Today

  1. No technical implementation required for websites or apps: simply input the necessary web domains or upload app store files (IPA for iOS or APK/AAB for Android)
  2. Request a free website scan
  3. Take App Auditor product tour
  4. Learn more at our consent monitoring product page

Ben leads product marketing at Privado.ai
