A Consent Management Platform (CMP) helps websites collect and manage user consent for cookies and similar technologies. A CMP presents a banner or preference center, blocks non-essential tags until consent is given, and records consent for auditing.
What a CMP Typically Does
Displays a banner with clear choices
Accept, reject/manage, customize options
Defers non-essential scripts
Until consent is captured
Stores and updates consent preferences
Provides a way to change them later
Integrates with tools like GTM
Works with Google Tag Manager and Consent Mode v2
Keeps consent logs
To support compliance audits
CookieBeam provides these capabilities with a focus on simple installation and accurate Consent Mode v2 signaling.
About CookieBeam
CookieBeam is a Cookie Consent Solution, not an IAB-certified CMP. We provide comprehensive consent management functionality and help you collect and manage consent in compliance with GDPR, CCPA, and other privacy regulations. However, we are not officially registered with IAB Europe as a certified CMP and do not currently implement the IAB Transparency & Consent Framework (TCF).
How a CMP Works: Step by Step
A Consent Management Platform operates by intercepting the normal page-load sequence and inserting a consent gate before any non-essential scripts are allowed to execute. Understanding this flow helps you evaluate whether a CMP is implemented correctly on your site and what a user's experience will look like.
When a visitor lands on your website for the first time, the browser downloads your HTML and begins parsing it. The very first script that runs should be your CMP's initialisation snippet, a small piece of JavaScript typically placed in the <head> element. At this point, the CMP checks whether a valid consent record already exists in the visitor's browser (stored in a first-party cookie or localStorage). If no record is found, the CMP immediately blocks all non-essential tags from firing and displays the consent banner.
The user is then presented with their choices: accept all, reject all, or configure their preferences by category. Once the user makes a selection, the CMP records the decision, including a timestamp, the version of the banner displayed, and the exact choices made, and releases (or continues to block) tags accordingly. If the user accepted analytics cookies, for example, your analytics tag is now permitted to fire. If they declined advertising cookies, those tags remain suppressed for the duration of the session and all future sessions until the user changes their preference.
Finally, the consent record is written to the user's device and, in platforms like CookieBeam, also logged server-side so you have a tamper-proof audit trail. This audit log is invaluable if a data protection authority (DPA) ever requests proof that a specific consent was obtained.
CMP Workflow in Practice
Page Load & Script Initialisation
The browser parses your HTML and executes the CMP's inline initialisation snippet before any other third-party scripts. The CMP sets a default consent state of denied for all non-essential categories and signals this state to tag managers such as Google Tag Manager so that no restricted tags fire prematurely. This synchronous initialisation is critical, if the CMP loads asynchronously, tags may fire before consent is checked.
Banner Display
If no prior consent record exists for the visitor, the CMP injects the consent banner into the page. The banner is typically rendered on top of the page content and may block interaction with the underlying page until a choice is made, depending on your configuration and the applicable legal standard. The banner presents the user's options clearly, as required by GDPR and the ePrivacy Directive.
User Interaction
The visitor selects their preferences, accepting all, rejecting all, or adjusting individual cookie categories via a preference centre. The CMP captures each decision and maps it to the relevant consent signals (for example, analytics_storage, ad_storage, and ad_user_data in the Google Consent Mode framework). The banner is then dismissed and the user continues browsing.
Tag Release or Block
Based on the user's choices, the CMP updates the active consent state and either releases or permanently blocks the corresponding tags for that session. Tags that were held in a pending state by Google Tag Manager are now allowed to execute (for accepted categories) or are discarded (for declined categories). In Advanced Consent Mode, Google's own tags fire in a restricted, cookieless state even on decline, enabling conversion modeling without setting cookies.
Consent Storage & Logging
The full consent record, including the timestamp, the banner version, the user's specific choices, and the jurisdiction, is written to a first-party cookie and/or localStorage on the user's device. The CMP also transmits this record to its server-side audit log. On future visits, the CMP reads the stored record and reinstates the appropriate consent state without showing the banner again, unless the banner version has changed or the consent has expired.
How CMPs Block Scripts: Two Approaches
One of a CMP's most critical functions is preventing non-essential scripts from executing before consent. There are two fundamentally different approaches to this, and the CMP you choose determines which one you get.
Manual Script Blocking (Tag-Based)
In this approach, the website owner explicitly marks each script tag with attributes that tell the CMP which cookie category it belongs to. The CMP then holds those scripts dormant until the user consents to the relevant category. This is the approach used by CookieBeam, Cookiebot, CookieYes, and most CMPs. It requires the website owner to edit their HTML, but it is precise, you control exactly which scripts are blocked and how they are categorised.
A typical implementation looks like this:
1 <!-- Blocked until user consents to "analytics" --> 2 <script type="text/plain" data-category="analytics" 3 data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"> 4 </script>
The browser sees type="text/plain" and does not execute the script. When the user accepts analytics cookies, the CMP replaces it with an executable copy.
Automatic Script Discovery and Blocking
Some CMPs, notably Osano, take a different approach: they automatically detect scripts as the page loads and block them based on a vendor database, without requiring the website owner to tag anything. Osano offers three compliance modes: Listener (discovers scripts but does not block), Permissive (blocks classified scripts but allows unknown ones), and Strict (blocks everything that is not classified as essential).
This is more convenient for site owners, but carries a significant risk: over-blocking. Because the blocker relies on URL pattern matching, it can misclassify essential services. For example, Osano's auto-blocker is known to block Google reCAPTCHA by default because it pattern-matches on google.com domains, even though reCAPTCHA is a security feature that should be classified as essential. This requires manual reclassification by the site owner to fix.
Manual vs Automatic Script Blocking
| Aspect | Manual (Tag-Based) | Automatic (URL-Based) |
|---|---|---|
| Setup effort | Website owner must tag each script with data-category | No tagging needed, CMP detects scripts automatically |
| Accuracy | Precise, you control exactly what is blocked | Can over-block essential services (e.g. reCAPTCHA, payment scripts) |
| Dynamic scripts | Only blocks scripts present in HTML at page load | Can intercept scripts injected at runtime by other scripts |
| Risk | Low, a script only blocks if explicitly tagged | Higher, false positives can break site functionality |
| Used by | CookieBeam, Cookiebot, CookieYes, most CMPs | Osano, partially OneTrust |
Google Consent Mode makes both approaches less critical for Google tags
If you use Google Tag Manager with Consent Mode V2, Google's own tags (GA4, Google Ads, Floodlight) self-regulate based on consent signals, they don't need to be hard-blocked at all. In Advanced Mode, they fire in a restricted, cookieless state even without consent. Script blocking is primarily needed for non-Google scripts that do not respect Consent Mode, such as Facebook Pixel, Hotjar, LinkedIn Insight, and TikTok Pixel.
Basic vs Advanced CMP Operation
Not all CMPs, or CMP configurations, behave identically when a user declines consent. The two principal operating modes, particularly relevant in the context of Google Consent Mode v2, are Basic Mode and Advanced Mode, and the difference between them has a direct and measurable impact on your advertising performance.
In Basic Mode, the CMP completely prevents Google's tags from loading or executing until the user actively consents. If a user declines, no data whatsoever is sent to Google, not even an anonymous signal. This is the more conservative approach and is technically compliant, but it means Google Ads receives zero information about non-consenting users, making Smart Bidding and conversion tracking significantly less accurate for traffic from consent-required regions such as the EEA and UK.
In Advanced Mode, Google's tags are allowed to fire even when a user declines cookies, but they do so in a restricted, cookieless state. These 'cookieless pings' contain no personal identifiers and set no cookies on the user's device. Google uses these anonymous signals as inputs to its conversion modeling algorithms, which can recover up to 65% of conversions that would otherwise be invisible. Smart Bidding can then optimise bids using the modeled data, substantially reducing the performance gap caused by consent refusals.
From a legal perspective, both modes are GDPR-compliant. Data protection authorities have confirmed that sending non-personal, cookieless pings does not constitute personal data processing and therefore does not require consent. Advanced Mode is the recommended configuration for any business that relies on Google Ads performance in the EEA.
Basic vs Advanced CMP Mode
| Aspect | Basic Mode | Advanced Mode |
|---|---|---|
| Tag firing before consent | Blocked, tags do not load | Tags fire in restricted, cookieless state |
| Data sent on decline | None | Anonymous cookieless pings only, no personal data |
| Cookieless pings | Not sent | Sent, enables conversion modeling |
| Conversion modeling | Not available | Available, recovers up to 65% of conversions |
| GDPR compliance | Compliant | Compliant, cookieless pings are not personal data |
| Recommended for | Sites with strict DPO requirements or no Google Ads | Most websites using Google Ads in the EEA or UK |
What to Look for When Choosing a CMP
The consent management market is crowded, and the differences between platforms matter, both for compliance and for your day-to-day operational experience. Before selecting a CMP, evaluate it against the following criteria.
Ease of Installation
A good CMP should be installable without writing custom code. The two main installation methods are a direct <script> tag added to your HTML <head>, or a template in the Google Tag Manager Template Gallery. Both approaches should be supported. If a CMP requires a developer to configure it from scratch, factor that time and cost into your evaluation.
Google Consent Mode v2 Support
As of March 2024, Google requires Consent Mode v2 compliance for all websites using Google Ads or GA4 in the EEA and UK. Your CMP must support the full set of v2 signals: ad_storage, analytics_storage, ad_user_data, and ad_personalization. Verify that the CMP supports both Basic and Advanced modes and that it has been tested with GTM's built-in consent overview.
Audit Log Capability
A tamper-proof, server-side audit log is not just a nice-to-have, it is your primary defence in the event of a DPA investigation or a data subject access request (DSAR). The log should capture the timestamp, banner version, jurisdiction, and the exact choices made for every consent event.
Multilingual and Multi-Region Support
If your website serves visitors across the EU, your banner must be available in the official language of each member state. Look for CMPs that offer at least 24 EU languages out of the box and that can automatically serve the correct language based on the visitor's browser locale or IP-based geolocation. Region-specific rules (for example, stricter defaults for France or Germany) should also be configurable.
Preference Centre and Cookie Scanner
Users must be able to withdraw or change their consent at any time. A well-designed preference centre, accessible from a persistent floating button or footer link, satisfies this requirement. Look for a CMP that also includes an automated cookie scanner to detect and categorise all cookies set by your site, so your cookie declaration stays accurate as your tag stack evolves.
Pricing Transparency
Some CMP vendors charge per pageview, per domain, or add fees for advanced features like audit logs. Review the pricing structure carefully and check whether costs scale in a predictable way as your traffic grows. A flat monthly fee per domain is generally easier to budget for than consumption-based pricing.
Script Blocking Capabilities
Understand how the CMP enforces consent at the script level. Does it require you to manually tag scripts, or does it auto-detect and block them? Manual tagging is more reliable but requires developer effort; auto-blocking is convenient but can cause over-blocking. The ideal CMP gives you a choice, or combines both approaches. Also check whether the CMP supports per-service toggles that let users control individual scripts within a category.
CMP Evaluation Checklist
Easy installation (no coding required)
Should be installable via a single script tag or a GTM template, with no custom development work needed to get a compliant banner live.
Google Consent Mode v2 support
Must implement all four v2 consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) and support both Basic and Advanced operating modes.
Tamper-proof consent audit logs
Server-side logs that record every consent event with a timestamp, banner version, jurisdiction, and the user's exact choices, accessible from the dashboard and exportable.
Multilingual banner support (24 EU languages)
Banner text and preference centre should be automatically served in the visitor's browser language, covering all EU official languages without manual translation work.
Granular preference centre per category
Users must be able to accept or decline cookies by category (e.g. analytics, marketing, functional) and change their choices at any time via an accessible preference centre.
Cookie scanner / auto-categorisation
An automated scanner that crawls your site, detects all cookies set by third-party scripts, and suggests category mappings, keeping your cookie declaration up to date as your tag stack changes.
GTM Template Gallery integration
A published template in the Google Tag Manager Community Template Gallery makes installation and Consent Mode configuration significantly faster and reduces the risk of misconfiguration.
Script blocking with per-service toggles
The CMP should support blocking non-essential scripts until consent and ideally offer per-service toggles so users can control individual scripts within a category.
Transparent pricing (no per-pageview fees)
Look for a flat monthly fee per domain with no hidden charges for audit logs, languages, or pageview volumes. Predictable costs make budgeting straightforward as your site grows.
CookieBeam as a Consent Solution
CookieBeam is a Consent Management Platform designed to be straightforward to install and maintain. It provides a customisable consent banner, a granular preference centre, Google Consent Mode v2 integration (including Advanced Mode), a server-side audit log, and an automated cookie scanner, all accessible from a single dashboard.
CookieBeam supports installation via a direct <script> tag or through a Google Tag Manager template, and is built to satisfy the consent requirements of GDPR and the ePrivacy Directive for websites operating in the EEA, UK, and other consent-required jurisdictions.
Important note on IAB TCF: CookieBeam is not registered with IAB Europe and does not implement the IAB Transparency and Consent Framework (TCF). For the vast majority of websites, this is not a requirement. IAB TCF certification is specifically required for publishers using Google AdSense, Google Ad Manager, or Google AdMob to serve programmatic advertising to EEA users. If you are running a content publisher monetised through these products, you will need a TCF-certified CMP. CookieBeam is well-suited for all other use cases, including e-commerce, SaaS, and lead generation sites using Google Ads and GA4.
Continue Learning
What Is GDPR?
Understand the EU data protection law and its requirements for websites.
Google Consent Mode v2
How Consent Mode signals work and why they matter for Google Ads.
What Is TCF?
The IAB Transparency & Consent Framework, who needs it and how it differs from standard consent.
How to Block Scripts
Step-by-step guide to preventing tracking scripts from firing before consent.
Frequently Asked Questions
Do I legally need a CMP?
If your website sets non-essential cookies, including analytics cookies like Google Analytics or advertising cookies like those placed by Google Ads, and you have visitors from the EU or UK, then yes: EU law requires you to obtain valid, informed, and freely given consent before those cookies are set. The ePrivacy Directive (implemented as national cookie laws in each EU member state) and the GDPR together establish this requirement. A Consent Management Platform is the standard mechanism for obtaining and documenting that consent. Operating without one puts you at risk of investigation and enforcement by data protection authorities (DPAs), which can result in fines and mandatory corrective action.
Is CookieBeam a certified IAB CMP?
No. CookieBeam is not registered with IAB Europe and does not implement the IAB Transparency and Consent Framework (TCF). This is perfectly fine for the majority of websites. IAB TCF certification is specifically required for publishers who use Google AdSense, Google Ad Manager, or Google AdMob to serve programmatic display advertising to users in the EEA. If you are running an e-commerce store, a SaaS product, or a lead generation site that uses Google Ads and GA4, but does not serve programmatic ads through IAB-connected supply chains, CookieBeam covers all your consent obligations without requiring TCF support.
Can I use a CMP without Google Tag Manager?
Yes. Google Tag Manager is a convenient way to manage your tags and integrate your CMP's Consent Mode signals with Google's measurement products, but it is entirely optional. Every CMP, including CookieBeam, supports direct installation via a <script> tag placed in the <head> of your HTML. If you install directly, you will need to ensure that the CMP's initialisation snippet is the first script to execute on the page, before any analytics or advertising tags, so that the consent state is established before those tags attempt to fire. GTM makes this sequencing easier to manage but is not a requirement.
How does a CMP store consent records?
Consent is recorded in two places. On the user's device, the CMP writes the consent record to a first-party cookie and/or localStorage. This stored record includes a timestamp, the specific consent choices made, the version of the banner that was shown, and in some implementations a cryptographic consent string. On subsequent visits, the CMP reads this record and reinstates the appropriate consent state without showing the banner again. CookieBeam also transmits each consent event to a server-side audit log, which is stored securely and accessible from your dashboard. This server-side log provides a tamper-proof record that can be produced as evidence in the event of a DPA inquiry or a data subject access request.