What is a Consent Management Platform (CMP)?

A Consent Management Platform (CMP) is a system that collects, manages and passes on consent for cookies, tracking and external services on websites. It is therefore more than a visible cookie notice: it controls which services may load and when.

What tasks does a CMP handle?

A CMP shows users information about services and categories, enables consent or refusal, stores the selected status and passes this information to the website, tag manager, analytics tools or advertising systems. Good systems support granular choices, logging and subsequent changes to the selection.

In practice, this involves services such as web analytics, marketing tags, embedded media, maps, chat tools or external font and script sources. A cookie notice alone is not enough if tracking or external services are already active before valid consent.

A CMP must therefore be connected to the technical delivery of the website. It should not only display a decision, but actually control scripts, tags and external embeds. Otherwise, there is a gap between visible consent and real data flow.

Which legal requirements are relevant?

For Germany, GDPR and TDDDG are particularly relevant; TDDDG replaced the earlier TTDSG framework. Technically non-essential access to end devices and many tracking operations usually require prior consent. Companies should still check which services they use and on which legal basis they operate them.

A CMP does not replace legal review. It is a technical tool that has to implement a legally defined decision. If service categories are maintained incorrectly or scripts start despite refusal, even a visually polished banner does not solve the issue.

What makes a good CMP technically?

Important features include clear categories, understandable descriptions, no preselected optional consent, reliable blocking before consent, logging, versioning of texts and interfaces to Consent Mode or tag management systems.

For online marketing, it is also important that measurement is neither blindly switched off nor unlawfully forced. A good setup distinguishes necessary technical functions, analytics, marketing and external content in a traceable way.

Depending on the setup, interfaces such as Google Consent Mode, a tag manager or the IAB Transparency and Consent Framework may be involved. These interfaces have to be configured correctly so consent status is not only stored, but also respected by connected systems.

Common mistakes in practice

Many consent setups fail not because of the banner, but because of the technical integration. Tracking scripts load immediately, external media send requests before consent, services are categorized incorrectly or changes in marketing tags bypass the CMP.

WordPress websites add plugin conflicts. A privacy plugin can only control what it knows or what has been integrated correctly. Consent management therefore belongs to WordPress GDPR and data protection implementation, not only to plugin selection.

The German Data Protection Conference and the BfDI information on cookies and tracking technologies provide orientation. For companies, the practical order remains: inventory services first, then check legal basis and technical triggering.

After major website changes, the CMP should be tested again. New plugins, embedded media, campaign tags or form providers can create additional data flows that need to be reflected in the consent setup.