Why a Structured Evaluation Matters

Picking a consent management platform based on price alone is a recipe for compliance gaps. The CNIL issued 21 cookie-related sanctions in 2025, many targeting websites that relied on tools unable to block trackers before consent or log preferences properly. A CMP that ticks the right boxes on a feature page but fails under regulatory scrutiny is worse than no CMP at all - it gives false confidence.

This checklist gives you a structured way to score and compare platforms against the criteria that regulators, auditors, and your own development team will care about.

Regulatory and Jurisdictional Coverage

Your CMP must support every privacy framework that applies to your audience. A platform built only for GDPR will leave you exposed if you have visitors from California, Brazil, or South Africa.

Check whether the platform handles opt-in consent models (required under GDPR and LGPD) and opt-out models (used by CCPA/CPRA and most US state laws). Some regulations, such as PIPEDA, sit somewhere between the two, requiring implied consent for certain processing and explicit consent for sensitive data.

Geo-detection is not optional. Your CMP should detect a visitor's location and apply the correct legal framework automatically, presenting the appropriate banner language and consent model. A visitor in France should see an opt-in banner; a visitor in Texas should see an opt-out mechanism honouring Global Privacy Control signals.

Regulation Checklist

Criterion | What to Check | Why It Matters
GDPR / ePrivacy | Opt-in before any non-essential cookies fire | Article 5(3) of the ePrivacy Directive requires prior consent
CCPA / CPRA | "Do Not Sell or Share" opt-out link | Required under CCPA Section 1798.120
LGPD | Portuguese-language banner, consent logging | ANPD expects demonstrable consent records
UK GDPR / PECR | Separate configuration from EU GDPR | Post-Brexit divergence is increasing with the Data Use and Access Act
POPIA | South African opt-in model support | POPIA requires prior and informed consent
US state laws | Support for GPC signal recognition | Colorado, Connecticut, and other states mandate GPC compliance
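The geo-detection logic described above, written out as an added example (this is not code from the article or from Kukie.io): it resolves the consent model from the visitor's location, derives the pre-interaction default state while honouring a Global Privacy Control signal, and picks the banner language. Country codes are ISO 3166-1 alpha-2; the "US-XX" form for states, the category names, the supported-language list and the decision to treat GPC as denying both marketing and analytics are assumptions.

```javascript
// Added example, not code from the article or from Kukie.io. Assumed: region
// codes (ISO country codes, "US-XX" for states), category names, and the
// policy that a GPC signal denies the marketing and analytics categories.

// EU member states plus the three EEA countries (GDPR / ePrivacy apply).
const EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE',
  'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
  'IS', 'LI', 'NO',
]);
// Other opt-in jurisdictions from the checklist: UK GDPR/PECR, LGPD, POPIA.
const OTHER_OPT_IN = new Set(['GB', 'BR', 'ZA']);

const NON_ESSENTIAL = ['functional', 'analytics', 'marketing'];

// Returns "opt-in" or "opt-out". Unknown locations fail closed to opt-in, the
// stricter model, so a geo-lookup failure never exposes trackers by default.
function resolveConsentModel(region) {
  if (EEA.has(region) || OTHER_OPT_IN.has(region)) return 'opt-in';
  if (region.startsWith('US-')) return 'opt-out'; // CCPA/CPRA and other US state laws
  return 'opt-in';
}

// The GPC signal arrives as the Sec-GPC request header server-side, or as
// navigator.globalPrivacyControl in the browser.
function readGpcSignal(headers) {
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return value === '1' || value === 1;
}

// Default state before the visitor interacts. Opt-in regions start with every
// non-essential category denied. Opt-out regions start allowed, but a GPC
// signal is honoured as an opt-out of sale/share (assumed policy: deny the
// marketing and analytics categories).
function defaultConsent(region, gpcSignal) {
  const model = resolveConsentModel(region);
  const consent = { necessary: true };
  for (const c of NON_ESSENTIAL) consent[c] = model === 'opt-out';
  if (model === 'opt-out' && gpcSignal) {
    consent.marketing = false;
    consent.analytics = false;
  }
  return { model, consent };
}

// Pick the banner language from Accept-Language rather than from geography:
// a Portuguese speaker in Germany should still get a Portuguese banner.
// `supported` lists the languages you have reviewed translations for.
function pickBannerLocale(acceptLanguage, supported) {
  const ranked = (acceptLanguage || '')
    .split(',')
    .map((part) => {
      const [tag, ...params] = part.trim().split(';');
      const q = params.find((p) => p.trim().startsWith('q='));
      return { lang: tag.split('-')[0].toLowerCase(), q: q ? parseFloat(q.split('=')[1]) : 1 };
    })
    .filter((e) => e.lang)
    .sort((a, b) => b.q - a.q);
  const hit = ranked.find((e) => supported.includes(e.lang));
  return hit ? hit.lang : supported[0];
}

// Everything the banner layer needs for one request, in one call.
function bannerConfigFor({ region, headers }) {
  const gpc = readGpcSignal(headers);
  const { model, consent } = defaultConsent(region, gpc);
  return {
    model,
    gpc,
    defaults: consent,
    locale: pickBannerLocale(headers['accept-language'], ['en', 'fr', 'pt']),
    // Opt-in: block and show a first-layer accept/reject banner.
    // Opt-out: load with defaults and expose a "Do Not Sell or Share" link.
    firstLayer: model === 'opt-in' ? 'accept-reject' : 'do-not-sell-link',
  };
}
```

The fail-closed fallback in resolveConsentModel is the part worth copying: when the geo-IP lookup fails or returns a country you have not mapped, the visitor gets the opt-in treatment rather than the permissive one.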

Certifications and Industry Standards

Two certifications stand out when evaluating a CMP: IAB Transparency and Consent Framework (TCF) registration and Google CMP Partner certification.

IAB TCF v2.3 became mandatory for publishers serving personalised ads in the EEA and UK by 28 February 2026. If your CMP does not generate valid TCF 2.3 consent strings - including the new Disclosed Vendors segment - ad platforms will treat your inventory as unconsented, and revenue drops immediately. Ask whether the platform downloads the Global Vendor List weekly and populates the disclosure bitfield accurately.

Google requires a certified CMP for any publisher using AdSense, Ad Manager, or AdMob in the EEA and UK. Without certification, Google Consent Mode v2 signals will not propagate correctly, and ad requests may default to Limited Ads.

Cookie Scanning and Classification

A CMP that cannot identify the cookies on your site is just a banner generator. Automated scanning should discover all cookies, local storage entries, and tracking pixels across your domain and subdomains. The scan results should classify each item into standard categories: strictly necessary, functional, analytics, and marketing.

Ask how often the scanner runs. A one-time scan at setup is insufficient. Third-party scripts change their cookie behaviour without warning - a Google Analytics update, a new HubSpot feature, or a developer adding a Meta Pixel can introduce new trackers overnight. Look for scheduled, automated scans that flag new or reclassified cookies.

Classification accuracy matters too. Misclassifying a marketing cookie as functional means it fires without consent, putting you in breach of Article 5(3) of the ePrivacy Directive.

Script Blocking and Consent Enforcement

The most critical technical capability is prior blocking: non-essential scripts must not execute until the visitor grants consent. This is not a nice-to-have. The Spanish AEPD has specifically targeted websites where cookies loaded before any consent interaction.

Evaluate the blocking mechanism. Some platforms modify script tags (changing type="text/javascript" to type="text/plain") while others use a proxy-based approach. The method matters less than the result: open your browser's DevTools, reject all cookies, and verify that no _ga, _fbp, or _gcl_au cookies appear. If they do, the CMP fails this test.

Check whether the platform supports Google Tag Manager integration through consent initialisation triggers and dataLayer events. Most modern marketing stacks run through GTM, and your CMP needs to communicate consent state to it reliably.
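What prior blocking, the GTM hand-off and the DevTools cookie check look like in code, as an added example (not code from the article or from any CMP vendor, and also covering the Consent Mode v2 mapping asked about under Integration and the "does it actually block" test in the FAQ). Scripts are authored with type="text/plain" so the browser never executes them, and the gate re-inserts only those whose category was granted. The data-category attribute, the category names, the cmp_consent_update event name and the tracker-cookie list (taken from the article's _ga, _fbp and _gcl_au) are assumptions.

```javascript
// Added example, not code from the article or from any CMP. Assumed: the
// data-category attribute, category names, the dataLayer event name and the
// cookie-to-category mapping below.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Cookies the article names as evidence of unconsented tracking, mapped to
// the category that must be granted before they may legitimately appear.
const TRACKER_COOKIES = {
  _ga: 'analytics',
  _fbp: 'marketing',
  _gcl_au: 'marketing',
};

// Consent object from the categories the visitor toggled on; "necessary"
// is always true and cannot be switched off.
function consentFromChoice(acceptedCategories) {
  const consent = {};
  for (const c of CATEGORIES) consent[c] = c === 'necessary' || acceptedCategories.includes(c);
  return consent;
}

// Decide which script descriptors may run. `scripts` is a list of
// { id, category } objects; `consent` maps category -> boolean.
function selectScriptsToActivate(scripts, consent) {
  return scripts
    .filter((s) => s.category === 'necessary' || consent[s.category] === true)
    .map((s) => s.id);
}

// Map category consent to the Google Consent Mode v2 signal names
// (ad_storage, analytics_storage, ad_user_data, ad_personalization).
function toConsentModeV2(consent) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    functionality_storage: g(consent.functional),
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
  };
}

// The dataLayer event a GTM container trigger can listen for.
function buildDataLayerEvent(consent) {
  return { event: 'cmp_consent_update', consent: { ...consent } };
}

// The article's DevTools check as code: parse a document.cookie string and
// report every tracker cookie present whose category was not granted.
function findUnconsentedCookies(cookieString, consent) {
  const names = cookieString
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .filter(Boolean);
  return names.filter((name) => {
    const cat = TRACKER_COOKIES[name];
    return cat !== undefined && consent[cat] !== true;
  });
}

// Browser-only: activate <script type="text/plain" data-category="..."> tags
// for granted categories. A script element only executes when a fresh element
// is inserted, so each gated tag is replaced rather than edited in place.
// Returns the number of scripts activated (0 outside a browser).
function activateGatedScripts(consent) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  document.querySelectorAll('script[type="text/plain"][data-category]').forEach((old) => {
    const cat = old.dataset.category;
    if (cat !== 'necessary' && consent[cat] !== true) return;
    const fresh = document.createElement('script');
    if (old.src) fresh.src = old.src; else fresh.textContent = old.textContent;
    old.replaceWith(fresh);
    activated += 1;
  });
  if (Array.isArray(window.dataLayer)) window.dataLayer.push(buildDataLayerEvent(consent));
  return activated;
}
```

To reproduce the article's test with this code: reject everything, call findUnconsentedCookies(document.cookie, consentFromChoice([])) from the console, and expect an empty array. Anything returned is a script that ran before consent.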

Banner Design and Legal Compliance

Regulators across Europe have made their position on dark patterns unmistakable. The CNIL fined organisations for hiding reject buttons behind extra clicks. The EDPB has stated that accept and reject options must have equal prominence.

Your CMP should offer a reject button on the first layer of the banner without requiring visitors to navigate to a settings panel. Button styling must be equivalent - same size, same visual weight, same position hierarchy. If the platform makes this difficult or buries the reject option by default, treat that as a red flag.

Beyond button parity, check for:

  • Granular category-level consent toggles
  • WCAG 2.2 accessibility (keyboard navigation, screen reader support, sufficient colour contrast)
  • Multilingual support with accurate translations, not just machine output
  • Customisable copy that lets you use plain language
  • Minimal impact on Core Web Vitals (CLS, LCP)

Consent Logging and Audit Trail

GDPR Article 7(1) requires you to demonstrate that consent was obtained. Your CMP must store a timestamped record of each consent decision, including what the visitor was told, which categories they accepted or rejected, and when they made that choice.

Ask how long records are retained. Some platforms purge logs after 12 months, but regulatory investigations can reach back further. Verify that logs are exportable in a format your legal team can use - CSV, JSON, or direct API access.

Consent proof becomes especially important during a DPA investigation. The Italian Garante has demanded detailed consent logs from investigated organisations, and incomplete records led to adverse findings.

Integration and Developer Experience

A CMP lives inside your tech stack. It must work with your tag manager, analytics platform, advertising scripts, and deployment pipeline.

Key integration questions:

  • Does it expose a JavaScript callback API for custom consent events?
  • Can it pass consent signals to Google Consent Mode v2 (both basic and advanced)?
  • Does it support server-side consent verification for server-side tagging setups?
  • Is there a WordPress plugin, and does it support the WP Consent API?
  • Can non-technical team members update banner copy and categories without deploying code?

Performance deserves scrutiny. Request the script's file size (gzipped), and check whether it loads asynchronously. A heavy, render-blocking CMP script will damage your Largest Contentful Paint score and, by extension, your search rankings.

Pricing, Support, and Vendor Stability

CMP pricing models vary widely. Some charge per domain, others per pageview, and some per visitor. Understand how costs scale as your traffic grows. A platform that costs little at 10,000 monthly visits may become expensive at 500,000.

Support quality matters during a compliance incident. If a regulator sends a formal inquiry, you need responsive vendor support, not a chatbot. Check whether the vendor offers a Service Level Agreement, and whether support includes compliance guidance or only technical troubleshooting.

Vendor stability is worth investigating. A CMP that shuts down or gets acquired forces a migration under pressure. Look for transparent company information, a clear product roadmap, and evidence of ongoing development.

Frequently Asked Questions

What certifications should a CMP have?

At minimum, look for IAB TCF v2.3 registration and Google CMP Partner certification. These are required for publishers serving ads in the EEA and UK. Without them, ad revenue and consent signal propagation will be affected.

Does my CMP need to support Google Consent Mode v2?

Yes, if you use any Google advertising or analytics products. Google requires Consent Mode v2 signals from a certified CMP for users in the EEA, UK, and Switzerland. Without it, Google may limit data collection and ad personalisation.

How do I test whether a CMP actually blocks cookies before consent?

Open your website in an incognito browser window, reject all cookies on the banner, then check the Application tab in Chrome DevTools. If non-essential cookies like _ga or _fbp appear, the CMP is not blocking properly.

Can I use a free CMP and still be compliant?

Some free CMPs cover basic scenarios, but many lack automated scanning, consent logging, or multi-jurisdiction support. For sites with EU traffic and advertising scripts, a paid solution with proper enforcement and audit trails is safer.

How often should a CMP scan my website for new cookies?

Weekly scans are a reasonable baseline. Third-party scripts update frequently, and a new cookie appearing without being categorised means it could fire without consent. Some platforms offer daily scans for higher-traffic sites.

What is the Disclosed Vendors segment in TCF v2.3?

TCF v2.3 requires CMPs to include a Disclosed Vendors bitfield in the consent string, indicating which vendors were shown to the user. If this segment is missing or inaccurate after 28 February 2026, ad platforms will treat the consent string as invalid.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
