Consent Management Platforms: The Definitive Guide
The General Data Protection Regulation (GDPR) has given the world much since its enforcement date in May 2018, including headaches for publishers, memes, overflowing inboxes, horror stories, and even soothing lullabies.
It's also given us Consent Management Platforms (CMPs), an advertising tech tool for collecting user consent and passing that data to downstream ad partners.
These CMPs simplify a huge pain point for publishers: if you work with 10-20+ ad partners - from exchanges to DSPs to data providers - how do you get the consent you need to legally enable user-level ad targeting (with its higher eCPMs)?
Not asking for consent - but still collecting data - is a non-starter, as GDPR fines can be €20M or 4% of your yearly revenue (whichever is higher).
While publishers could spend time building their own solution, given the necessity of having a CMP, it makes sense to instead integrate with a third-party tool, of which there are many.
Also - as a small terminology clarification, technically the IAB's acronym of CMP stands for 'Consent Management Provider'. That said, the industry is more apt to use 'Platform'. For example, a Google search for "consent management platform" returns 34K results, while "consent management provider" returns 2.5K. Regardless, the exact word doesn't change the meaning of the phrase.
Wait - haven’t consent tools been around for a while?
Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop-up, including WordPress plug-ins and the leading tool from Silktide.
These tools are still around, and many sites continue to use them under the GDPR.
However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.
How do you define a Consent Management Platform?
To quote Digiday’s article on CMPs:
"It’s the technical infrastructure a business uses to collect and store what data customers have consented to be used and for what. The CMP then feeds that information to other selected partners in the digital ad supply chain. The idea is that everyone in a publisher’s supply chain understands what data they may use and for what."
Often the phrase goes hand-in-hand with IAB Europe's Transparency & Consent Framework and the CMPs registered with them. Technically, though, 'Consent Management Platform' is a broader phrase that doesn't necessitate IAB integration.
The IAB Framework connects registered CMPs with a centralized list of ad tech vendors. Using this, first-parties can get consent to process user data by vendor and send that data to all third-parties. This brings transparency and accountability to the entire advertising supply chain, as the publisher can feel confident they are working with a GDPR-compliant ad partner and vice-versa.
For CMPs not registered with the IAB, they can acheive the same result by using a custom vendor list. In either scenario, there's transparent consent tracking between the publisher and downstream partners.
True CMPs, therefore, are more complex than cookie notification banners, as they not only collect consent but then pass that information to other vendors.
Another value-add of CMP tech is that it can sniff the user's location and show the prompt just to EU residents. This helps to comply with the law while not intruding on non-EU user experiences.
How prevalent are CMPs?
Below are the September 2018 numbers from our Ad Tech Insight's Consent Management Platform tracker.
We found that 31% of UK publishers and 27% of US publishers use CMPs (with 'publishers' defined as sites that do programmatic advertising).
Are Consent Management Platforms GDPR-compliant?
What's ultimately "compliant" will be decided in the courts. As of right now, there's no clear-cut guidance that certain actions are 100% compliant or not. For instance, a strict interpretation of the law would require publishers to get opt-in consent by individual vendor, rather than an 'Accept All' pop-up prompt.
The approach that publishers and ad tech vendor are taking is that a mass opt-in button - with an option to dive deeper and toggle consent by vendor - follows the "spirit of the law". Indeed, it would be difficult to say that a publisher using an IAB-registered, top-tier CMP is being negligent or duplicitous (though that doesn't mean it won't be deemed illegal).
Are CMPs effective?
Early reports are promising for the efficacy of CMPs.
According to Mediavine, CPMs were 52% higher for sites that implemented a CMP, and fill rates were 39% higher.
What are the top CMPs?
The below stats also come from Adzerk’s monthly Consent Management Platform tracker and tracks how many times we found the vendor's CMP across the Top 10K UK and Top 10K US sites (~16K unique sites).
|Company||# of Sites||Industry|
|Quantcast||252||Marketing analytics and audience insights|
|OneTrust||163||Privacy compliance management|
|TrustArc||142||Privacy compliance management|
|Curse Digital Media||42||Digital agency|
|Venatus Media||41||Digital agency|
|AdThrive/CafeMedia||39||Ad monetization platform|
|Oath||38||Media conglomerate and ad tech platform|
|Tealium Consent Manager||32||Data hub and tag management|
|Sourcepoint||31||Content compensation platform|
|Google Funding Choices||30||Media conglomerate and ad tech platform|
Please note: this list excludes the popular cookie notification tools built by Insites (on 585 sites), Catapult (44), and dFactory (32), as they don't integrate with downstream partners.
Quantcast’s CMP is the most widely-adopted one in both the US and UK, not too surprising since they were part of the IAB Steering Committee and helped oversee the IAB’s framework. It's still anyone's game, though, given that Quantcast accounts for just 19% of all CMPs.
What's also interesting is the hodgepodge of companies that comprise this list. Only Cookiebot (by Cybot) is a pure-play CMP. The others include a diverse set of industries, each of whom likely view their CMP as an opportunity to upsell their core product.
How do the CMPs compare to each other?
This comparison analyzes the look, feel, and functionality of the top CMPs.
One thing to note is that most of these services provide customization tools, so while CMPs from the same vendor will share many traits, they won’t necessarily look identical site to site.
Like most CMPs on this list, Quantcast's employs a full-page prompt that requires the user to interact before accessing content. Many of the Quantcast examples involve an easy 'Deny All' option alongside 'Accept All'. Most other CMPs, on the other hand, have only an 'Accept' button, preventing easy opt-outs.
Additionally, like other CMPs, Quantcast has a link that takes users to a screen where they can toggle consent by data purpose and by individual vendor.
Quantcast’s navigation, layout, vendor breakdown, and easy opt-out options make it, in our opinion, the most user-friendly solution.
The CMP built by Evidon (now Crownpeak) comes in many forms, with some being small banners and others full-screen prompts.
Their deeper "More Options" screen isn't as intuitive as Quantcast's and is text-heavy, but they do provide good insight into how each vendor is being used.
One nice touch is that Evidon links to the opt-out pages for many vendors, so if you wanted to do a mass opt-out for that ad tech company, you have an easy path to. This was the only CMP we found that did this (others just drove to the vendor's privacy page).
Like they did with Prebid - their open-source header bidding wrapper - AppNexus released an open-source CMP for others to build off of. In our analysis, 60 sites had built their own CMP based on AppNexus's tool. In addition, many of the third-party CMPs (including Curse Digital Media, AdThrive/CafeMedia, and Venatus) are based on AppNexus's code.
Most AppNexus-based CMPs have a similar look and feel:
The prompt generally appears on the page's bottom with just an 'Accept' option. You can then dive deeper and toggle consent by use case and vendor.
OneTrust's CMP is generally integrated as a notification bar on the bottom of the page. The 'Cookie Settings' option takes users to an interface where one can toggle by cookie use case.
While the interface is clean and intuitive, we couldn't find a way to opt-out by individual vendor, and almost no publisher even listed vendors being used, making this one of the more opaque CMPs.
TrustArc's CMP looked similar across most sites, indicating it may have minimal customization options.
In the 'More Information' link, most sites used a sliding knob to grant consent by three types of cookies: 'required', 'functional', and 'advertising'. Beyond seeming out-of-place, the knob format means you can't grant access to 'advertising' cookies without also granting it to 'functional'.
That said, you can toggle these use cases individually by diving even deeper via the "Advanced Settings" link (though not all TrustArc CMP examples had this option). It makes one wonder why 'More Information' doesn't just go directly to this page.
There are many things to admire about Cookiebot's CMP. For one, you can toggle by data purpose straight from the notification bar. Plus, the 'Show Details' button extends the bar, rather than it loading a separate UI.
Additionally, they provide an in-depth breakdown of each cookie, why it's used, how long it stays on your computer (expiry), and the type of cookie.
What's not to like, though, is the inability to toggle consent by individual vendor. Moreover, the cookie breakdown section is a little confusing, with the left column being the filename of the cookie, rather than the company's name.
Also, in the example above, there are 301 cookies in 'Marketing', but they aren't grouped by purpose, so one couldn't turn off consent for, say, ad personalization but leave it on for geo-targeting.
Cookie Control originally started out as a simple cookie notification bar, but recently made the upgrade to a full-fledged CMP.
The layout is clean, with options to opt-out by cookie purpose. Their website indicates there are vendor-level breakdown capabilities too, but we couldn't find any site that showed individual vendors.
Oath - the parent company of AOL, Yahoo!, and others - has a CMP that's both a first-party and third-party tool.
Oath's CMP suffers from too much simplicity. There is no vendor breakdown, let alone a way to toggle consent by vendor. They do provide the ability to easily accept/reject different use cases, but the overly-simple visuals, the abundance of white space, the lack of vendor breakdowns, and the use of small hover text to explain each purpose is a bit disappointing for such a large company.
Customers who use Tealium's tag management solution can now use it to collect consent as well. Implementation includes a non-intrusive banner at the top or bottom of the page.
There appears to be many customization options as well, with few sites having the same look and feel.
Clicking further brings up an interface to toggle by use case:
Like others, Tealium's CMP suffers from the lack of vendor-level information and consent toggling, making it not as robust as other options.
Nothing particular to point out about Sourcepoint's CMP. It checks all the boxes of a robust, intuitive CMP.
Given that the Insites code is on 585 sites in our tracker, we wanted to highlight what their solution looks like. While Cookie Consent enables sites to record whether users consented to cookie tracking, there is no consent toggling beyond a high-level 'accept or not', nor does it integrate with downstream ad tech partners.
While the bar's CSS differs by site, they all appear as notification boxes on the top or bottom of the page.
Clicking 'Learn More' takes users to the site's privacy page.
Insite's Cookie Consent tool may be fine for a site that doesn't show programmatic ads, but it's not a viable solution for a publisher looking for a Consent Management Platform that integrates with ad partners and allows for vendor-level consent.
Where does Google - the ad tech king - fit into all of this?
According to our research, Google’s CMP (known as Funding Choices) is in 30 sites across the Top 10K US and UK sites, making it the 16th most-common CMP. Given that Google’s ad tech products are nearly always #1 in market share, this position is likely disappointing to them. Google’s rank is even more surprising given that their publisher-side ad server (Google Ad Manager, previously DFP) is by far the #1 ad server in the US and UK, and it would be logical to use a CMP that’s already integrated with one’s ad server.
Google had a number of missteps with their roll-out, though, including limiting publishers to 12 vendor partners before reversing that stance about a month later. In addition, Funding Choices is still in beta almost four months after the enforcement date of the GDPR, so they missed the opportunity to mass-release a product before others could gain market share. Plus, they missed their own self-imposed deadline to implement the IAB Consent Framework as of August.
Their CMP is also one of the weakest available:
One would expect a CMP with more functionality and a better UI from Google, but what's in beta is basically just a list of ad partners, with no insight into what data the individual vendors collect and no way to opt-out by vendor or by use case.
The prompt looked nearly identical on all sites, indicating customization is limited too.
This doesn’t mean Google won’t find a way to improve their offering and convince publishers to use them instead. If there’s anything we know about ad tech, it’s that you can’t rule Google out to provide a good product, make it free, and see mass adoption.
What’s the future of CMPs?
Since the GDPR isn't going away, we expect CMPs to stick around, and we'll likely see many more digital agencies and networks/exchanges registering CMPs with the IAB in the coming year.
As mentioned above, we also expect that Google will improve their Funding Choices CMP and offer a seamless integration with Google Ad Manager (previously DFP) and other downstream ad partners. It would not be surprising if Google is the number one CMP by late 2019.
Ultimately, publishers with any amount of European traffic would benefit from implementing a CMP, particularly if the promising early results from Mediavine, Quantcast, and Purch hold true for the industry. Moreover, using a CMP is a proactive step to show that you are mindful of the GDPR and are trying to stay above board, thus mitigating the risk that you'll be slapped with a major fine.