With privacy regulations like GDPR and ePrivacy reshaping how businesses collect and process user data, implementing a proper Consent Management Platform (CMP) is no longer optional — it’s mandatory. Whether you're managing a mobile app or a website, a CMP helps you collect, store, and act on user consent in a legally compliant and user-respecting way.
This guide explains everything you need to know about CMPs — from their role in your data stack to legal requirements, SDK behavior, and hands-on implementation tips for Adjust and AppsFlyer.
📘 What Is a CMP?
A Consent Management Platform (CMP) is a technology system that collects and manages user consent for processing personal data, particularly when it involves cookies, trackers, or third-party SDKs used for advertising and analytics.
A CMP provides:
- A user interface (usually a banner, modal, or dialog) for consent collection
- Granular options to accept or reject data usage by category (e.g., Analytics, Marketing)
- Storage and retrieval of consent preferences
- Integration with SDKs, ad platforms, and analytics tools to enable or disable tracking accordingly
CMPs operate based on the Transparency and Consent Framework (TCF), a standard by IAB Europe that ensures consistent consent handling across vendors and publishers.
🔍 Why Is a CMP Important?
A CMP isn't just a legal checkbox. It's a fundamental piece of your user experience, data governance, and marketing strategy. Here's why:
1. Regulatory Compliance
Under GDPR and ePrivacy rules, you must ask for explicit and informed consent before loading any non-essential tracking technology — like Facebook SDK, Google Ads tags, or Adjust.
2. User Trust
Users are increasingly aware of how their data is used. A transparent CMP boosts your credibility and minimizes opt-out rates when designed well.
3. Platform Compatibility
CMPs help signal consent status to platforms like Meta, TikTok, and Google — improving attribution and reducing wasted ad spend.
4. Avoiding Legal Penalties
Violations can result in fines of up to €20 million or 4% of global revenue, depending on severity and intent.
🇪🇺 What the Law Requires in the EU
✅ GDPR + ePrivacy = Consent by Default
Under the General Data Protection Regulation (GDPR) and the ePrivacy Directive, it is mandatory to:
- Ask for prior consent before storing or accessing any personal data — this includes cookies, pixels, and SDKs.
- Offer granular control, allowing users to choose consent by purpose (e.g., Analytics, Advertising, Personalization).
- Log and store proof of consent, including what was agreed to, when, and how — ideally with user ID or device info.
- Allow users to withdraw or update consent easily at any time, especially inside apps or from a website footer.
- Keep SDKs and tracking technologies disabled until consent is given for their respective purposes.
- Accept only freely given, specific, informed, and unambiguous consent — meaning pre-ticked boxes or "implicit consent" are not valid.
⚠️ Soft consent banners (like “By continuing to browse, you accept…”) are not GDPR compliant in the EU. Consent must be opt-in, not opt-out.
Key Articles to Know:
- GDPR Articles 6 & 7 – Conditions for lawful data processing
- ePrivacy Article 5(3) – Use of cookies and tracking technologies
🔁 How a Consent Flow Works
A typical consent workflow looks like this:
- App or website loads
- CMP displays a consent banner (first-layer)
- User:
  - Accepts all
  - Rejects all
  - Customizes preferences (second-layer)
- CMP stores consent decision with timestamp and user ID (if available)
- SDKs/trackers are:
  - Enabled for categories with consent
  - Blocked or disabled where no consent was given
All of this must happen before any data is sent to vendors like Google, Meta, TikTok, or attribution platforms.
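The flow above as an added example (not code from this guide or from any CMP vendor): a default-deny gate that stores the decision with timestamp and user ID, then starts or stops each SDK by purpose. The `ConsentGate` class, the vendor names and the start/stop callbacks are hypothetical; the real SDK init and disable calls would go inside the callbacks.

```javascript
// Added example: vendor names and start/stop callbacks are hypothetical stand-ins.
class ConsentGate {
  constructor(storage, now = () => new Date().toISOString()) {
    this.storage = storage; // assumed: any object with getItem/setItem
    this.now = now;
    this.vendors = [];
  }
  register(name, purpose, start, stop) {
    this.vendors.push({ name, purpose, start, stop, running: false });
  }
  // On launch: re-apply a saved decision; with no record, nothing starts.
  restore() {
    const raw = this.storage.getItem('consent');
    const record = raw ? JSON.parse(raw) : null;
    if (record) this.sync(record.purposes);
    return record;
  }
  // Store what was agreed, when and how, then enable or disable vendors.
  decide(purposes, { userId = null, method }) {
    const record = { purposes: { ...purposes }, timestamp: this.now(), userId, method };
    this.storage.setItem('consent', JSON.stringify(record));
    this.sync(record.purposes);
    return record;
  }
  sync(purposes) {
    for (const v of this.vendors) {
      const allowed = purposes[v.purpose] === true; // explicit opt-in only
      if (allowed && !v.running) { v.start(); v.running = true; }
      if (!allowed && v.running) { v.stop(); v.running = false; }
    }
  }
  running() { return this.vendors.filter((v) => v.running).map((v) => v.name); }
}
// Constructed demo: in-memory storage, two vendors that only record calls.
function demo() {
  const mem = new Map();
  const storage = { getItem: (k) => mem.get(k) ?? null, setItem: (k, v) => mem.set(k, v) };
  const gate = new ConsentGate(storage, () => '2025-01-01T00:00:00.000Z');
  const calls = [];
  for (const p of ['analytics', 'marketing']) {
    gate.register(`${p}-sdk`, p, () => calls.push(`start ${p}`), () => calls.push(`stop ${p}`));
  }
  gate.restore(); // first launch: no record, so nothing runs
  const before = gate.running();
  gate.decide({ analytics: true, marketing: false }, { method: 'second-layer' });
  const afterCustom = gate.running();
  gate.decide({ analytics: false, marketing: false }, { method: 'settings' });
  return { before, afterCustom, afterWithdraw: gate.running(), calls, storage };
}
```

Because `sync` compares against `true` exactly, a missing purpose or a truthy placeholder value never enables a vendor.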
📱 Handling Consent in Mobile Apps
Implementing CMPs in apps is more complex than on web:
- You can’t rely on cookies — use local storage or server-side solutions
- You must conditionally initialize SDKs after consent
- Consent must persist between sessions and allow users to revoke it from settings
- You may need to integrate native SDKs from tools like Axeptio, OneTrust Mobile, or a custom solution tied to your onboarding flow
🧪 SDK Behavior: What To Do After Consent
Once a user accepts or refuses consent, your app must configure SDKs accordingly.
✅ If the user accepts tracking:
- Load Adjust, AppsFlyer, Firebase, Meta SDK in full tracking mode
- Enable conversion tracking, IDFA, advertising features
❌ If the user refuses tracking:
- Block SDK loading altogether or
- Initialize in restricted/disabled mode
- Suppress data sending to external vendors
🧰 Example: Adjust SDK Integration Based on Consent
✅ With consent
```javascript
import adjust from 'adjust-sdk';

const config = new adjust.Config('YOUR_APP_TOKEN', adjust.EnvironmentProduction);
adjust.create(config);
```
❌ Without consent
```javascript
import adjust from 'adjust-sdk';

const config = new adjust.Config('YOUR_APP_TOKEN', adjust.EnvironmentProduction);
config.setEnabled(false); // disables all tracking
adjust.create(config);
```
You can also delay calling adjust.create() entirely until after consent.
🧰 Example: AppsFlyer SDK Integration Based on Consent
✅ With consent
```javascript
import appsFlyer from 'react-native-appsflyer';

appsFlyer.initSdk({
  devKey: 'YOUR_DEV_KEY',
  appId: 'YOUR_IOS_APP_ID',
  isDebug: false,
  onInstallConversionDataListener: true,
}, (result) => {
  console.log('AppsFlyer started:', result);
});
```
❌ Without consent
```javascript
import appsFlyer from 'react-native-appsflyer';

// Don't initialize SDK OR block data sharing
appsFlyer.setSharingFilterForAllPartners(); // disables all partner data sharing
```
AppsFlyer does not currently support "init but disable tracking" out of the box. Best practice is to delay SDK loading until after consent.
✅ Best Practices
- Use a CMP that’s compliant with IAB TCF 2.2
- Delay SDK execution until consent is given (do not preload)
- Store consent server-side for audit purposes
- Offer a consent center in your app settings
- Test the full opt-in/opt-out experience before going live
- Use tags like gdpr=0 or tracking_enabled=false in SDK setup or custom event logic
⚠️ Common Mistakes to Avoid
- Initializing SDKs before consent
  → Even if you "disable tracking," SDKs might still collect data initially
- Relying only on local storage for consent logs
  → Store consent proofs server-side for audit and legal defense
- Not allowing easy consent withdrawal
  → Make sure users can manage their choices anytime from settings
- Assuming Apple’s ATT covers everything
  → ATT ≠ GDPR. You must also request GDPR consent, even with ATT prompt on iOS.
- Using vague consent language
  → Avoid “We use cookies to improve your experience…” without specific opt-in buttons
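One way to catch the first mistake during testing, as an added example that is not part of the original guide: replay a captured request log against the recorded consent decisions and list every vendor request sent without an opt-in in force. The hostnames, the purpose map and the log entries are constructed placeholders, and request URLs are assumed to be absolute.

```javascript
// Added example: hostnames, purposes and log entries below are constructed.
const VENDOR_PURPOSE = {
  'attribution.example': 'marketing',
  'metrics.example': 'analytics',
};

// Match a listed vendor host or any of its subdomains (not look-alikes).
function purposeFor(hostname) {
  const host = hostname.toLowerCase();
  for (const [vendor, purpose] of Object.entries(VENDOR_PURPOSE)) {
    if (host === vendor || host.endsWith('.' + vendor)) return purpose;
  }
  return null; // essential or first-party traffic
}

// requests: [{ at, url }], consentEvents: [{ at, purposes }], ISO timestamps.
// Returns every vendor request sent while its purpose had no opt-in in force.
function auditEgress(requests, consentEvents) {
  const byTime = (a, b) => Date.parse(a.at) - Date.parse(b.at);
  const events = [...consentEvents].sort(byTime);
  const violations = [];
  for (const req of [...requests].sort(byTime)) {
    const purpose = purposeFor(new URL(req.url).hostname);
    if (!purpose) continue;
    // Consent in force = latest decision at or before the request time.
    const inForce = events.filter((e) => Date.parse(e.at) <= Date.parse(req.at)).pop();
    if (!inForce || inForce.purposes[purpose] !== true) {
      violations.push({ at: req.at, url: req.url, purpose });
    }
  }
  return violations;
}

// Constructed capture from one test session (e.g. exported from a proxy).
const sampleRequests = [
  { at: '2025-01-01T10:00:00.100Z', url: 'https://metrics.example/collect' },
  { at: '2025-01-01T10:00:00.200Z', url: 'https://cdn.myapp.example/app.js' },
  { at: '2025-01-01T10:00:06.000Z', url: 'https://metrics.example/collect' },
  { at: '2025-01-01T10:00:06.500Z', url: 'https://eu.attribution.example/session' },
  { at: '2025-01-01T10:01:02.000Z', url: 'https://metrics.example/collect' },
];
const sampleConsent = [
  { at: '2025-01-01T10:00:05.000Z', purposes: { analytics: true, marketing: false } },
  { at: '2025-01-01T10:01:00.000Z', purposes: { analytics: false, marketing: false } },
];

console.log(auditEgress(sampleRequests, sampleConsent));
```

The sample session yields three findings: a request before any decision, a marketing request after an analytics-only opt-in, and a request after withdrawal.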
🔚 Conclusion
A Consent Management Platform is more than a banner — it’s a legal, technical, and ethical foundation for how you handle user data.
Done right, a CMP gives you better marketing data, higher user trust, and full compliance with European laws.
Whether you're building your own solution or integrating a platform like Axeptio, it’s critical to configure SDK behavior and store consent correctly.
📩 Need help implementing a compliant CMP with Adjust, AppsFlyer, or Firebase?
👉 Let’s talk: Scalebay.io