The Guide to Consent Management

Consumers are more aware than ever of the risks related to sharing personal information online. As regulations grow stricter across jurisdictions, it’s important to define what “consent” actually means in practice. Consent is the mechanism through which a visitor gives or withholds permission for a website to collect, process, or share their personal data. Under GDPR and the ePrivacy Directive, that means obtaining explicit opt-in before deploying non-essential cookies. Under CCPA/CPRA and most US state privacy laws, it means honoring a consumer’s right to opt out of the sale or sharing of their data.

The specifics vary by jurisdiction. Under GDPR, websites must explain what each cookie does in plain language before asking for consent, maintain documented records of that consent, and make it easy for users to withdraw at any time. Under CCPA/CPRA and US state laws, the focus is on providing clear opt-out mechanisms, honoring browser-level signals like Global Privacy Control, and ensuring consumers are not penalized for exercising their rights. In both models, transparency and user choice are the foundation.

In this guide, we cover the role consent management platforms (CMPs) play in safeguarding user privacy, how they work, what to look for when evaluating one, and how consent fits into a broader privacy program. After analyzing consent compliance on 5,000 websites, DataGrail found that 69% of organizations still fire tracking cookies after a visitor opts out, even with existing consent tools in place. The gap between “compliant on paper” and “compliant in practice” is where enforcement risk lives.