In the lead-up to the implementation of the GDPR on 25th May 2018, you might have noticed a new piece of technology cropping up in the adtech ecosystem: the consent management platform (CMP).

Under the much more stringent requirements of the GDPR, companies are proactively obtaining consent from EU-based users to have their data processed by advertisers and marketers if they are to be, for example, shown targeted advertising on a website.

They are also required to be transparent about any third-parties who rely on that consent in order to process data, to obtain separate consent for separate purposes, and to make it easy for people to withdraw their consent if they so choose.

All of this suddenly makes things a lot more complicated for, say, a publisher who works with a dozen different adtech partners and now needs to individually obtain user consent for each one.

Enter the consent management platform. Typically built on top of the IAB’s GDPR Transparency & Consent Framework, consent management platforms offer publishers a tool for more easily obtaining and managing user consent for data processing. Some are also designed to help publishers monetise users even when they don’t opt in to sharing their data.

To get a better understanding of how CMPs work and allow companies to comply with the GDPR, I spoke to two companies who offer consent management solutions about how their tools work. I also quizzed an adtech expert, BrainLabs CEO Daniel Gilbert, about whether the addition of CMPs to the adtech ecosystem is a good thing for the industry.

The workings of a consent management platform

Audience insights, targeting and measurement specialist Quantcast was the first company to implement a consent management solution using the IAB’s framework. Somer Simpson, product lead at Quantcast, explained to me how Quantcast Choice, Quantcast’s CMP, works in practice, and why the company decided to create a consent management solution.

“Quantcast Choice is built on top of the IAB’s transparency and consent framework, so it’s fully compliant with the GDPR,” said Simpson. “Quantcast was actually part of the IAB working group which developed the framework, and so by being the first to implement it, we had the opportunity to test that implementation in the real world.”

Simpson explained to me that the IAB framework sets a baseline standard for transparency and compliance across the industry, as well as establishing consistency in what consent means. “Part of the IAB framework is a set of policies that participants have to follow – CMPs have to conform to a minimum level, and so do vendors,” she said.

Quantcast Choice works by presenting the user with a modal pop-up that prompts them to opt in to data sharing with a publisher’s advertising partners. This is customisable, so publishers can choose how it presented to the user – Simpson noted that a banner format has typically performed the best.

From there, users have the ability to dig down into the purposes that their data is being processed for, and opt into and out of different types of data processing. If they choose, users can also access a full list of third-party vendors and their purposes for processing data, and again, can opt in and out of each one individually.

quantcast content management platform

consent management platform

How does offering a consent management platform benefit Quantcast, and what made the company set out to develop a consent management solution?

“Quantcast has always been ‘privacy first’,” notes Simpson, “but GDPR changed the playing field around what is considered personally identifying information.”

By creating a CMP, Quantcast wanted to make it easier to gain consumers’ consent for its own purposes while maintaining its strong privacy-first ethos; but the company also wanted to do its bit to improve the user experience of consent across the industry. “In the early days, Quantcast feared a fragmented ecosystem, with every vendor capturing consent in their own way - which results in a horrible user experience," said Simpson.

The IAB’s framework, and consent management platforms, aim to harmonise that experience. In theory, any publisher can build their own CMP on top of the IAB’s framework, but for those without the time or resources to create an in-house platform, the IAB recognises close to 100 different CMPs that are available for publishers to use.

Monetising unconsented users

Marketing and advertising company UnveilMedia offers another one of these solutions, which is geared towards small and medium-sized digital publishers. What’s most notable about UnveilMedia’s consent management platform, named ConsentForAds, is that it offers an option for monetising users even when they don’t opt in to sharing their data.

Damian Routley, an advisor at UnveilMedia, broke down how this works, and why the company hopes that its CMP will level the playing field for smaller publishers.

“UnveilMedia’s consent management platform is intended for mid-tier and long-tail publishers, and is available to be implemented as a WordPress plugin or JavaScript tag,” said Routley. “Users can consent to sharing their data by partner, or consent to data processing for a specific purpose – all based on the IAB’s Transparency & Consent Framework.

“Users who don’t consent to data sharing are shown a video ad before they continue to the publisher’s website; this is funded by advertisers who buy contextually-targeted ads. The publisher can choose a 6, 10 or 15-second video ad – or they can turn it off altogether, but then they won’t receive any revenue from unconsented users.”

The ConsentForAds WordPress plugin in action

Routley explained that by launching a consent management solution, UnveilMedia wanted to help out smaller publishers who might otherwise struggle to comply with GDPR due to a lack of available resources.

“As a whole, regulation tends to benefit the big guys, and it’s much harder for smaller companies to comply. We thought that GDPR would play into the hands of the bigger platforms, especially because users are more likely to not consent to data sharing with these kinds of [small] publishers.

“Regulation like GDPR is a big risk for publishers who don’t have these resources at their disposal. We wanted to look at what we could do, after the choice is made, to help the publisher capture their fair share of revenue.”

Does the advertising industry need CMPs?

In the midst of the panic and hype surrounding a regulation like GDPR, it can be easy to lose sight of the bigger picture, with companies going to unnecessary lengths to comply out of fear of being fined, and adtech ‘solutions’ popping up which in reality might not be needed.

I spoke to Daniel Gilbert, CEO of BrainLabs, to get his thoughts on whether consent management platforms are a good thing for brands and consumers, and whether the industry really needs another piece of adtech.

“There’s a lot of cynicism about both the GDPR and consent management platforms, but both are serious attempts, albeit imperfect ones, to improve transparency about data collection and support data privacy rights,” said Gilbert.

“The issue is that there is no standard CMP, so of course some publishers and data holders are going to push the boundaries. There are advantages to making it difficult for consumers to manage their consent: fewer opt-outs means more data. From what I’ve seen so far, some of the biggest publishers and brands are really testing the water in this respect, and may get found out when enforcement of the GDPR begins – which needs to happen if consumers are truly to benefit from these changes.”

Do CMPs make it clear enough to users what they’re opting into? “That really depends on each case, and the underlying motivations of the author of the platform.

“CMPs can make it perfectly clear to consumers – take Yahoo’s CMP as a case in point. Users are given a clear, detailed list of all the companies that might handle their data, and the option to toggle their approval on or off for each one. Whereas makes it pretty obscure.

“Once again, it’s in the hands of the platform owner.”

As for whether the adtech world really needs another piece of technology, Gilbert believes that CMPs are an important addition to the industry – “but there are bundles of other bits of adtech that we could happily substitute!”

The Consent Management platform created by Oath, Yahoo's parent company. Source: Oath

The future of CMPs beyond 25th May 2018

Unsurprisingly, most companies launched their consent management solutions in the run-up to 25th May 2018, the date on which the GDPR officially came into force – or as the rest of the world dubbed it, “GDPR Day”.

This begs the question of whether we’re likely to see any further adoption of consent management platforms now that the regulation is already in effect. Surely any publisher which needs a consent management platform will have either implemented one, or found another way to be compliant? Do CMPs have a future beyond GDPR Day?

Somer Simpson believes that demand for consent management platforms is still on the rise, even now that we’ve passed the official ‘GDPR deadline’. “People still have a “wait and see” attitude towards GDPR – they’re waiting for more guidance to emerge on the law, on the framework – then they might decide to implement a consent management solution.

“We’re expecting to see another uptick in installs when that happens.”

Damian Routley agreed that consent management platforms would continue to have a shelf life beyond 25th May. “People will switch their CMP as time goes on – and the issue of privacy is not just confined to the EU. We’re already starting to see other countries adopting similar privacy regulations.

“Choice and transparency are important, and the industry needs to embrace these kinds of moves. Going forward, consent management platforms will be an essential part of programmatic strategy, if publishers want to benefit from revenue.”

The Festival of Marketing 2018 includes stages (of 10 in total) dedicated to the topics of personalisation and customer experience. Don't miss it.

Rebecca Sentance

Published 25 June, 2018 by Rebecca Sentance @ Econsultancy

22 more posts from this author

You might be interested in

Comments (5)

Nick Wood

Nick Wood, Partnership Operations Director at

We've seen an explosion in demand for CMPs, but a key challenge has been solving this from an omnichannel perspective. We also still see too many CMPs with options on by default and let's be honest, how many people really want to read, understand and choose from literally hundreds of Ad tech and other choices?

23 days ago

Rebecca Sentance

Rebecca Sentance, Deputy Editor at EconsultancyStaff

@Nick Wood

Very true - I've come across several CMPs with all providers selected by default. Also, although Daniel praises Yahoo's CMP, their consent management for Tumblr had a notoriously horrible UX ( until Tumblr/Oath finally gave into demands to implement a "deselect all" option.

And even when there is an option to deselect all, when visiting a website for the first and probably only time just to read a one-off article, how many people are going to bother going through two or three different interface layers to opt out of data sharing? Most CMPs don't offer the chance to either "opt in" or "opt out" in the first instance - they offer a choice between "opt in" or "manage permissions". They make users work hard to opt out of data sharing, which is the exact opposite of what GDPR compliance should look like.

In other words, the CMP technology itself is worthwhile, but it's still being implemented poorly in many places.

23 days ago


Joel Coppersmith, Head of Marketing at Databoxer

@Rebecca Sentance - Have to agree with you and Daniel Gilbert that many of the implementations are frankly horrible. Some are effectively forcing consent by making the opt-out process out so onerous that no-one will go through it. That's the type of behaviour that I hope the regulators will look at ASAP and act to deter.

It's particularly galling because:

a) So many of these companies claim they care about customer experience/user choice/user privacy but then effectively stick two fingers up at their visitors

b) The system of online media selling as it currently exists has consistently devalued publisher's inventory while enriching the ad tech industry and contributed to the introduction of the GDPR in the first place. Publishers scrabbling for consents in this manner to try and maintain a status quo that has been so damaging for them just seems crazy.

c) They're completely devaluing the consents they are getting. Why not seize the opportunity to make genuinely informed, freely given and legally secure consents a way to increase the value of their audience? It's possible there'll be fewer opt-ins but those that do are self-identifying as more open to advertising messages on a publisher's property. Might that not be an opportunity for charging a premium? That opportunity is gone when the only reason people have consented is because it takes 5 minutes, 4 screens and 3 wishes to do anything else.

22 days ago

Pete Austin

Pete Austin, Founder and Author at Fresh Relevance

@Rebecca. Totally agree. The whole system of GDPR Consent for Advertising is becoming like "Cookie Banners #2" where everyone just clicks "opt in" without thinking, to make the consent banner go away, because anything else takes too long. I personally don't think it's compliant in the slightest, because clicking in less than a second is hardly "informed" consent, but it's down to the regulators now and ICO is starting out with a very light touch.

Somewhat related - here's my new blog post that tackles the whole issue of what marketing needs consent as thoroughly as I could manage, because a lot of marketers don't know.

22 days ago


Matt Lovell, Head of Customer Data, Insight & Analytics at Eurostar International Ltd.

It's a really tough one isn't it - the biggest problem with all these things is the inconsistency with their application thanks to a somewhat ambiguous set of governance that is left open to interpretation. Couple that with limited customer understanding (most have now seen the immortal GDPR mentioned more times than they'd care to imagine but outside of those whose job it impacts, how many really understand the details).

Similarly, interesting article @Pete but I'd also debate some of the elements in it around not needing consent for on site personalisation and to an extent data collection (based on the fact that inevitably that data will be processed). A customer may expect to see marketing by opening a marketing website but they aren't consenting to you personalising it specifically based on their behaviours which is why so many companies are now enabling consumers to opt out of this. Similarly, from a data collection process, most companies will look to process that data in ways the customer wouldn't expect (lawful and decent or otherwise) so to me, it's a grey line as to whether you need to provide a simple mechanism for consent there too...

8 days ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.