How do CMPs work?

When a visitor loads your website, their browser sends a request to your server. In response, the server transmits the code needed to display the page. But the display isn’t solely determined by that exchange. The website’s code incorporates functionality to read the visitor’s consent preferences, typically stored in cookies from a previous visit. These preferences encompass a range of choices, such as allowing or denying specific types of data collection or tracking.

Once the visitor’s consent preferences are received, the CMP steps in to update and enforce them. If the visitor hasn’t made a choice yet, the CMP displays a consent banner. If they have, it allows or blocks the relevant scripts, tags, and cookies based on those preferences. The specifics depend on jurisdiction. Under GDPR, non-essential cookies can’t fire until the visitor explicitly opts in. Under CCPA/CPRA and most US state privacy laws, the model is opt-out: data can be collected by default, but companies must honor a consumer’s request to stop the sale or sharing of their personal information. A growing number of jurisdictions now require businesses to recognize universal opt-out mechanisms like Global Privacy Control, meaning the CMP has to detect and act on browser-level signals without manual intervention.

In essence, CMPs act as intermediaries. They ensure that users have control over their online privacy by dynamically adjusting website functionalities based on their consent preferences. Depending on the regulatory requirements a company deals with, the functionalities a CMP provides may differ slightly, but the result is always about providing users with transparency and choice regarding their data.