🛡️ Consent Management Platform (CMP): What It Is, Why It Matters & How to Implement It Legally in the EU

Understand CMPs, EU consent laws, and how to legally implement Adjust & AppsFlyer SDKs in your app or site.

With privacy regulations like GDPR and ePrivacy reshaping how businesses collect and process user data, implementing a proper Consent Management Platform (CMP) is no longer optional — it’s mandatory. Whether you're managing a mobile app or a website, a CMP helps you collect, store, and act on user consent in a legally compliant and user-respecting way.

This guide explains everything you need to know about CMPs — from their role in your data stack to legal requirements, SDK behavior, and hands-on implementation tips for Adjust and AppsFlyer.

📘 What Is a CMP?

A Consent Management Platform (CMP) is a technology system that collects and manages user consent for processing personal data, particularly when it involves cookies, trackers, or third-party SDKs used for advertising and analytics.

A CMP provides:

  • A user interface (usually a banner, modal, or dialog) for consent collection
  • Granular options to accept or reject data usage by category (e.g., Analytics, Marketing)
  • Storage and retrieval of consent preferences
  • Integration with SDKs, ad platforms, and analytics tools to enable or disable tracking accordingly

CMPs operate based on the Transparency and Consent Framework (TCF), a standard by IAB Europe that ensures consistent consent handling across vendors and publishers.

🔍 Why Is a CMP Important?

A CMP isn't just a legal checkbox. It's a fundamental piece of your user experience, data governance, and marketing strategy. Here's why:

1. Regulatory Compliance

Under GDPR and ePrivacy rules, you must ask for explicit and informed consent before loading any non-essential tracking technology — like Facebook SDK, Google Ads tags, or Adjust.

2. User Trust

Users are increasingly aware of how their data is used. A transparent CMP boosts your credibility and minimizes opt-out rates when designed well.

3. Platform Compatibility

CMPs help signal consent status to platforms like Meta, TikTok, and Google — improving attribution and reducing wasted ad spend.

4. Avoiding Legal Penalties

Violations can result in fines of up to €20 million or 4% of global revenue, depending on severity and intent.

🇪🇺 What the Law Requires in the EU

GDPR + ePrivacy = Consent by Default

Under the General Data Protection Regulation (GDPR) and the ePrivacy Directive, it is mandatory to:

  • Ask for prior consent before storing or accessing any personal data — this includes cookies, pixels, and SDKs.
  • Offer granular control, allowing users to choose consent by purpose (e.g., Analytics, Advertising, Personalization).
  • Log and store proof of consent, including what was agreed to, when, and how — ideally with user ID or device info.
  • Allow users to withdraw or update consent easily at any time, especially inside apps or from a website footer.
  • Keep SDKs and tracking technologies disabled until consent is given for their respective purposes.
  • Accept only freely given, specific, informed, and unambiguous consent — meaning pre-ticked boxes or "implicit consent" are not valid.

⚠️ Soft consent banners (like “By continuing to browse, you accept…”) are not GDPR compliant in the EU. Consent must be opt-in, not opt-out.

Key Articles to Know:

  • GDPR Articles 6 & 7 – Conditions for lawful data processing
  • ePrivacy Article 5(3) – Use of cookies and tracking technologies

🔁 How a Consent Flow Works

A typical consent workflow looks like this:

  1. App or website loads
  2. CMP displays a consent banner (first-layer)
  3. User:
    • Accepts all
    • Rejects all
    • Customizes preferences (second-layer)
  4. CMP stores consent decision with timestamp and user ID (if available)
  5. SDKs/trackers are:
    • Enabled for categories with consent
    • Blocked or disabled where no consent was given

All of this must happen before any data is sent to vendors like Google, Meta, TikTok, or attribution platforms.

📱 Handling Consent in Mobile Apps

Implementing CMPs in apps is more complex than on web:

  • You can’t rely on cookies — use local storage or server-side solutions
  • You must conditionally initialize SDKs after consent
  • Consent must persist between sessions and allow users to revoke it from settings
  • You may need to integrate native SDKs from tools like Axeptio, OneTrust Mobile, or a custom solution tied to your onboarding flow

🧪 SDK Behavior: What To Do After Consent

Once a user accepts or refuses consent, your app must configure SDKs accordingly.

✅ If the user accepts tracking:

  • Load Adjust, AppsFlyer, Firebase, Meta SDK in full tracking mode
  • Enable conversion tracking, IDFA, advertising features

❌ If the user refuses tracking:

  • Block SDK loading altogether or
  • Initialize in restricted/disabled mode
  • Suppress data sending to external vendors
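
The consent flow and the accept/refuse handling above, sketched as a default-deny gate. This is an added example, not code from the original article; the purpose names, `ConsentGate` and the stub SDK callbacks are assumptions. No SDK starts until `apply()` receives an explicit `true` for its purpose, and a later refusal stops it again.

```javascript
// Added example (not from the original article). SDK names and the
// start/stop callbacks are hypothetical stand-ins for real SDK calls.
const PURPOSES = ['analytics', 'marketing']; // assumed consent categories

class ConsentGate {
  constructor() { this.sdks = []; } // entries: { name, purpose, start, stop, running }

  // Registering does not load anything; SDKs stay off until apply().
  register(name, purpose, start, stop) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.sdks.push({ name, purpose, start, stop, running: false });
  }

  // Apply a CMP decision and return the record to persist as consent proof.
  apply(choices, userId = null, now = new Date()) {
    const granted = {};
    for (const p of PURPOSES) {
      // Only an explicit boolean true counts; missing, null or "true" is a refusal.
      granted[p] = choices != null && choices[p] === true;
    }
    for (const sdk of this.sdks) {
      if (granted[sdk.purpose] && !sdk.running) {
        sdk.start();
        sdk.running = true;
      } else if (!granted[sdk.purpose] && sdk.running) {
        sdk.stop(); // consent withdrawn after an earlier opt-in
        sdk.running = false;
      }
    }
    return { userId, purposes: granted, decidedAt: now.toISOString() };
  }

  running() {
    return this.sdks.filter((s) => s.running).map((s) => s.name);
  }
}

// Constructed walk-through: stubs log calls instead of loading SDKs.
function demo() {
  const calls = [];
  const gate = new ConsentGate();
  const stub = (n) => [() => calls.push(`${n}:start`), () => calls.push(`${n}:stop`)];
  gate.register('attribution', 'marketing', ...stub('attribution'));
  gate.register('analytics', 'analytics', ...stub('analytics'));
  const beforeChoice = gate.running(); // banner still open
  const record = gate.apply({ analytics: true, marketing: 'true' }, 'user-123');
  const afterCustom = gate.running();
  gate.apply({ analytics: false }); // user withdraws from settings
  return { calls, beforeChoice, record, afterCustom, afterWithdraw: gate.running() };
}
```

In a real app the `start` callback would wrap the SDK's own initialization call and `stop` its disable or opt-out call.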

🧰 Example: Adjust SDK Integration Based on Consent

✅ With consent

```javascript
import adjust from 'adjust-sdk';

const config = new adjust.Config('YOUR_APP_TOKEN', adjust.EnvironmentProduction);
adjust.create(config);
```

❌ Without consent

```javascript
import adjust from 'adjust-sdk';

const config = new adjust.Config('YOUR_APP_TOKEN', adjust.EnvironmentProduction);
config.setEnabled(false); // disables all tracking
adjust.create(config);
```

You can also delay calling adjust.create() entirely until after consent.

🧰 Example: AppsFlyer SDK Integration Based on Consent

✅ With consent

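```javascript
import appsFlyer from 'react-native-appsflyer';

// Call this only after the user has opted in to tracking.
appsFlyer.initSdk({
  devKey: 'YOUR_DEV_KEY',
  appId: 'YOUR_IOS_APP_ID',
  isDebug: false,
  onInstallConversionDataListener: true,
}, (result) => {
  console.log('AppsFlyer started:', result);
}, (error) => {
  // Surface initialization failures instead of dropping them silently.
  console.error('AppsFlyer failed to start:', error);
});
```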

❌ Without consent

```javascript
import appsFlyer from 'react-native-appsflyer';

// Don't initialize SDK OR block data sharing
appsFlyer.setSharingFilterForAllPartners(); // disables all partner data sharing
```

AppsFlyer does not currently support "init but disable tracking" out of the box. Best practice is to delay SDK loading until after consent.

✅ Best Practices

  • Use a CMP that’s compliant with IAB TCF 2.2
  • Delay SDK execution until consent is given (do not preload)
  • Store consent server-side for audit purposes
  • Offer a consent center in your app settings
  • Test the full opt-in/opt-out experience before going live
  • Use tags like gdpr=0 or tracking_enabled=false in SDK setup or custom event logic

⚠️ Common Mistakes to Avoid

  1. Initializing SDKs before consent
    → Even if you "disable tracking," SDKs might still collect data initially
  2. Relying only on local storage for consent logs
    → Store consent proofs server-side for audit and legal defense
  3. Not allowing easy consent withdrawal
    → Make sure users can manage their choices anytime from settings
  4. Assuming Apple’s ATT covers everything
    → ATT ≠ GDPR. You must also request GDPR consent, even with ATT prompt on iOS.
  5. Using vague consent language
    → Avoid “We use cookies to improve your experience…” without specific opt-in buttons
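
A sketch of the server-side consent proof that mistake 2 and the "store consent server-side" best practice call for. This is an added example, not code from the original article; the field names, the method values, `policyVersion` and the in-memory array standing in for a database are assumptions. Each decision is validated and appended with a server timestamp, and a withdrawal is a new row rather than an edit, so the history stays available for audit.

```javascript
// Added example (not from the original article). Field names, method values,
// policyVersion and the in-memory array standing in for a database are assumptions.
const KNOWN_PURPOSES = ['analytics', 'marketing'];
const KNOWN_METHODS = ['accept_all', 'reject_all', 'custom'];

class ConsentLog {
  constructor() { this.rows = []; } // append-only: rows are never edited or deleted

  // Validate a decision sent by the client and append it with a server timestamp.
  append(input, receivedAt = new Date()) {
    const { subjectId, method, policyVersion, purposes } = input || {};
    if (typeof subjectId !== 'string' || subjectId === '') throw new Error('subjectId required');
    if (!KNOWN_METHODS.includes(method)) throw new Error('unknown method');
    if (typeof policyVersion !== 'string') throw new Error('policyVersion required');
    const stored = {};
    for (const p of KNOWN_PURPOSES) {
      // Refuse anything that is not an explicit yes/no for every purpose.
      if (!purposes || typeof purposes[p] !== 'boolean') throw new Error(`${p} must be boolean`);
      stored[p] = purposes[p];
    }
    const row = Object.freeze({
      subjectId, method, policyVersion,
      purposes: Object.freeze(stored),
      receivedAt: receivedAt.toISOString(),
    });
    this.rows.push(row);
    return row;
  }

  // Effective consent is the newest row; a subject with no row has consented to nothing.
  current(subjectId) {
    const mine = this.history(subjectId);
    if (mine.length > 0) return mine[mine.length - 1].purposes;
    return Object.fromEntries(KNOWN_PURPOSES.map((p) => [p, false]));
  }

  // Audit view: every decision the subject made, oldest first.
  history(subjectId) {
    return this.rows.filter((r) => r.subjectId === subjectId);
  }
}

// Constructed sample: opt-in, then a later withdrawal of marketing consent.
function sampleLog() {
  const log = new ConsentLog();
  const base = { subjectId: 'device-abc', policyVersion: '2024-01' };
  log.append({ ...base, method: 'accept_all', purposes: { analytics: true, marketing: true } }, new Date('2024-05-01T10:00:00Z'));
  log.append({ ...base, method: 'custom', purposes: { analytics: true, marketing: false } }, new Date('2024-06-01T10:00:00Z'));
  return log;
}
```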

🔚 Conclusion

A Consent Management Platform is more than a banner — it’s a legal, technical, and ethical foundation for how you handle user data.
Done right, a CMP gives you better marketing data, higher user trust, and full compliance with European laws.

Whether you're building your own solution or integrating a platform like Axeptio, it’s critical to configure SDK behavior and store consent correctly.

📩 Need help implementing a compliant CMP with Adjust, AppsFlyer, or Firebase?


👉 Let’s talk: Scalebay.io
