What is Consent Management?

Cookies? Consent? GDPR? – Why You Need to Understand These Terms to Succeed Online

Have you ever clicked the "Accept" button on a website without fully understanding what you're agreeing to? Welcome to the jungle of cookie banners, consent management, and data privacy laws! What used to be simple cookie notices has evolved into a complex system that dictates how websites handle your data—and whether businesses stay legally compliant.

Why is this important?
Over the past eight years, data privacy regulations have undergone significant changes in Europe, led by the General Data Protection Regulation (GDPR), the Telecommunications and Digital Services Data Protection Act (TDDPA), and the ePrivacy Regulation. This wave of change has also reached other regions, with countries like the U.S. (on a state-by-state basis), Switzerland, and Brazil introducing their own privacy regulations for citizens. These laws are reshaping how businesses are allowed to handle their users' personal data.

But there’s more to it than meets the eye: Why are "cookie banners" no longer what they used to be? How does modern consent management work? And why does this affect not only your online experience but also the success of every business?

We’ll dive deep, clear up common misconceptions, and uncover what’s really behind these terms—and why they’ve become more than just an annoying formality in today’s digital world.

Data Privacy Challenges: Many Laws, Many Requirements

The internet has evolved rapidly over the past decades. In its early days, the primary focus was on functionality for websites and online shops. Later, individuality and appealing design became more important. However, as the number of websites and online shops grew, so did the competition. When functionality and design became standard expectations, it became clear that this alone wasn’t enough to stand out. Businesses needed clever strategies to target users effectively.

This is where Google saw an opportunity. As the world’s most widely used search engine, it offered businesses a way to stay competitive through Google Ads—a monetization platform for targeted advertising. Companies could go beyond traditional marketing strategies like email campaigns and instead promote their products or services directly to their target audience, significantly increasing their chances of success.

At the same time, Google introduced Google Analytics, enabling businesses to analyze their marketing campaigns. By leveraging user data, companies could adjust and optimize campaigns early on. This data-driven approach to marketing provided a significant advantage: rather than relying on hope, companies could make informed decisions based on detailed data analysis and precise audience targeting. Initially, data privacy played a minor role in this dynamic and relatively new field of marketing.

However, this changed fundamentally with the introduction of stringent privacy laws such as the General Data Protection Regulation (GDPR). Suddenly, protecting users' privacy and personal data took center stage. Businesses faced the challenge of implementing the complex GDPR requirements on their websites—often resulting in significant limitations. These new regulations stood in stark contrast to the thriving field of data-driven marketing, raising a crucial question: how can compliant tracking be reconciled with targeted marketing?

For internationally operating companies, the challenge is even greater. They must comply not only with GDPR but also with various privacy laws from countries like the United States, Canada, Brazil, and Japan. This multitude of regulations presents a significant challenge for businesses, requiring them to maintain oversight and ensure compliance.

This is where Consent Management comes into play. This process helps businesses efficiently navigate and comply with various data protection regulations while building trust with their customers. Consent Management provides a solution to manage complex legal requirements and ensure privacy-compliant operations—without losing sight of business goals.

What Is Consent Management?

Consent management refers to the process through which businesses obtain, manage, and document users' consent for processing their personal data. It plays a central role in ensuring compliance with data protection regulations like the General Data Protection Regulation (GDPR). The goal of consent management is to give users control over their data while ensuring that businesses meet legal requirements.

Consent management is often implemented through tools called Consent Management Platforms (CMPs) or consent managers. These platforms enable businesses to provide transparent information about data processing and record user interactions, such as consenting to or rejecting specific types of data processing. Examples include consent for the use of cookies or sharing data with third parties like Google Analytics.

Why Is Consent Management Important?

Consent management isn’t just a nice-to-have; in many countries, it’s a legal requirement. If your business processes personal data in regions where explicit user consent (opt-in) or an opt-out option is mandatory, you’ll need a system to manage consent preferences. Failure to implement adequate consent management can lead to substantial fines—up to 4% of annual revenue under GDPR—as well as other legal issues.

An effective consent management system must ensure the following:

1. Legality: Data can only be processed if there is a legal basis, such as the user's consent (Article 6 of GDPR).
2. Transparency: Users must be clearly informed about what data is being processed and for what purpose.
3. Data Minimization: Only data that is absolutely necessary should be collected and processed—"data hoarding" should be avoided.

Beyond the legal implications and potential fines, poor consent management also risks damaging your visitors' trust. Awareness of data privacy issues is growing, and users now expect their privacy to be respected and protected. Consent management is not just about complying with regulations—it’s also about empowering users to make informed decisions regarding their personal data.

Respect your visitors’ right to privacy and give them control over what information they share with you. In turn, you’ll benefit from accurate and complete data obtained with user consent. High-quality data like this enables better analysis and supports informed business decisions.

Consent Management, Cookie Banners, and Consent Management Platforms (CMPs): A Historical Perspective

Consent management, cookie banners, and consent management platforms (CMPs) are closely related but often misunderstood. While cookie banners began as a simple tool to inform users about cookies, today, consent management and CMPs represent comprehensive solutions that go far beyond their original purpose. But how are these concepts connected?

Consent Management: The Foundation

Fig.: The Consent Management Process

Consent management refers to the entire process of obtaining, managing, and ensuring compliance with user consent. Its purpose is to create transparency and give users control over their data. This process serves as the foundation upon which cookie banners and CMPs are built.

The Steps of Consent Management

1. Obtaining Consent:
The first step is to inform visitors transparently about what data is being collected, why it is being used, and who has access to it (e.g., third parties). Active, explicit permission must be obtained that is voluntary, specific, informed, and unambiguous.

2. Recording Consent:
Once consent is granted, it must be thoroughly documented. This includes noting when and how consent was obtained, as well as tracking any changes made to consent settings. These records are essential to demonstrate compliance with data protection regulations.

3. Managing Consent:
Visitors should always have access to their consent preferences. They must be able to review, modify, or withdraw their consent at any time. Additionally, updates or changes to data processing activities and policies should be documented and made available to visitors.

4. Ensuring Compliance:
There must always be a clear audit trail for consent-related activities. This ensures compliance with data protection laws like the GDPR and allows businesses to respond to data subject access requests.

5. Updating and Deleting:
Consent management should always remain up-to-date. If there are significant changes to how data is used or processed, users must be asked for their consent again. Users should also have the ability to request the deletion of their data or the withdrawal of their consent to meet privacy requirements.

Cookie Banners: The Origins

In the early days, there were no advanced consent managers, as data privacy was still in its infancy. Businesses faced the challenge of meeting emerging privacy requirements and urgently needed a solution. This led to the creation of the first cookie banners. However, these banners were relatively simple and focused solely on informing website visitors about the use of cookies.

Fig.: Simple Cookie Banner

In many cases, cookie banners were passive, serving more as an informational tool rather than providing users with the ability to actively opt out of cookies or other data processing activities. It quickly became clear that such basic notices were insufficient to meet the stringent requirements of the General Data Protection Regulation (GDPR). Businesses needed software that could regulate data processing in compliance with legal requirements, document consent and refusals, and fully inform users about their rights regarding data processing.

This need gave rise to Consent Managers, designed to meet these demands.

Consent Managers: The Evolution

Driven by the requirements of GDPR, Consent Managers (also known as Consent Management Platforms or CMPs) emerged as advanced tools that go far beyond the functionality of simple cookie banners. These platforms offer:

1. Data Processing Regulation
   CMPs manage not only cookie usage but all types of personal data processing, such as the use of analytics and marketing tools.

2. Legal Compliance
   They document user consent and ensure that all data processing activities adhere to legal requirements, providing a robust compliance framework.

3. User-Friendliness
   CMPs offer detailed options for users to make informed decisions about which data processing activities they consent to. This granularity fosters transparency and builds trust by empowering users to control their data.

Fig.: Consent Manager

What started with simple cookie banners has evolved into comprehensive tools that address the complexities of modern privacy regulations. Consent Managers not only ensure compliance but also create a more transparent and user-centric experience, bridging the gap between legal requirements and user trust. The term “cookie banner” is often used synonymously with Consent Manager, which can be misleading. While cookie banners address some basic consent needs, Consent Managers go far beyond by offering a wide range of functionalities.

Cookie Banners, Consent Banners, Consent Managers, Consent Management Platforms (CMPs)...

Call them what you like—in essence, these tools are designed to achieve one primary goal: obtaining user consent for data processing for specific purposes and blocking corresponding technologies until that consent is given. The key distinction is that a cookie banner can be seen as a simple notification informing users about data processing through cookies, whereas a Consent Manager functions as a comprehensive all-in-one solution.

Over time, these technologies have evolved significantly, with numerous providers entering the market. Modern Consent Managers now often include additional features and integrations, such as preference management. While their purpose remains the same, the range of features they offer can vary widely.

Core Functions of a Consent Manager

1. Reliable Blocking
   Technologies that process personal data must be effectively blocked until explicit user consent is given.

2. Design and Compliance Guidelines
   The Consent Manager must adhere to specific design requirements and include mandatory information to ensure legal compliance.

3. Activation After Consent
   Once consent is granted, the relevant technologies should become fully operational without delay.

4. Legally Secure Storage
   All consents must be documented and stored securely to provide evidence of compliance if needed.

5. Consent Withdrawal
   Requests to delete or withdraw consent must be processed quickly and securely.

6. Performance Optimization
   The Consent Manager should not noticeably impact page load speeds or the functionality of the website or app.

How Does a Consent Manager Work?

A Consent Manager ensures that explicit user consent is obtained before storing or processing personal data. Until this consent is granted, the Consent Manager blocks all cookie technologies and tracking tools that might process personal data. This protects users' privacy and ensures no data is unintentionally shared with third parties.

Additionally, a Consent Manager provides users with detailed information about how their data will be used, enabling them to make informed decisions. The granted consents are stored securely in compliance with legal requirements, ensuring both regulatory adherence and user expectations are met.

An essential feature of a Consent Manager is allowing users to withdraw their consent at any time. A well-designed Consent Manager ensures this process is simple and quick, without disrupting the user experience.

By protecting user data, fostering transparency, and building trust, a Consent Manager contributes to a positive user experience while maintaining compliance with data protection laws.

What Do Cookies Have to Do With Consent Management?

Imagine visiting a website or an online store via your web browser. When you open a site, your browser sends an HTTP request to the web server hosting the website's content. You might notice that items in your shopping cart remain there even after you leave the site, or that the "Keep me logged in" option saves you from entering your email and password repeatedly. These conveniences are made possible by cookies.

Cookies enable websites or online stores to collect and store specific information about users. However, since these cookies often contain personal data like IP addresses, names, or email addresses, businesses are legally obligated to obtain active and informed consent from users for the collection and processing of this data.

This is where Consent Management comes into play. It provides a reliable solution for meeting privacy requirements by ensuring users are informed and their consent is properly managed before cookies or other tracking technologies process their data.

Two Consent Models: Opt-In and Opt-Out

In the realm of data privacy, there are two primary types of consent models: Opt-In and Opt-Out. The applicable model depends on the laws of the country where the personal data of citizens is being processed.

Opt-In Consent: Active Agreement Required

The Opt-In consent model requires visitors to actively give their approval before non-essential cookies are set or personal data is collected. This is typically achieved through buttons like “Accept” or “Allow,” commonly implemented in a Consent Manager.

Fig.: GDPR-Compliant Consent Manager with Choices

This model ensures that users perform a clear and deliberate action to agree to the use of cookies or the processing of their data. In some jurisdictions, consent must also be granular, allowing users to approve specific uses of their data while rejecting others.

This strict approach is characteristic of privacy regulations such as the General Data Protection Regulation (GDPR), which applies in Europe. By mandating clear, informed, and active consent, Opt-In models prioritize user autonomy and data protection.

Opt-Out Consent: Active Rejection Required

The Opt-Out consent model assumes that cookies or other data collection mechanisms may be used by default unless the user actively opts out. This approach is less stringent than the Opt-In method and is commonly applied under laws like the California Consumer Privacy Act (CCPA).

Fig.: Options for Opt-Out Consent

In the Opt-Out model, website visitors can use links or buttons, often integrated into a Consent Manager, to prohibit the sale of their personal data—commonly phrased as “Do not share or sell my personal information.” Additional buttons may allow users to limit the use of sensitive information, typically labeled as “Limit the use of my Sensitive Personal Information.”

This model is primarily used in the United States and, even there, only in certain states.

Which GDPR Articles Apply to the Processing of Personal Data?

The General Data Protection Regulation (GDPR) outlines clear rules for the lawful processing of personal data. Among these, Article 6 is particularly significant, as it governs the legality of processing and defines six possible legal bases:

1. Consent (Article 6(1)(a))
   The data subject has given explicit consent for the processing of their data. This is the most common legal basis in consent management, especially for the use of analytics or marketing tools.

2. Contract Fulfillment (Article 6(1)(b))
   Processing is necessary to fulfill a contract with the data subject, such as providing a delivery address for shipping.

3. Legal Obligation (Article 6(1)(c))
   Processing is required to comply with a legal obligation, such as verifying identity data to prevent money laundering.

4. Vital Interests (Article 6(1)(d))
   Processing is necessary to protect the vital interests of the data subject or another person, for example, in medical emergencies.

5. Public Interest (Article 6(1)(e))
   Processing is necessary for tasks carried out in the public interest, such as conducting a national census.

6. Legitimate Interest (Article 6(1)(f))
   Processing is necessary for the legitimate interests of the controller or a third party, provided these do not override the rights and freedoms of the data subject. This basis is often subject to interpretation and requires careful consideration.

These legal bases provide the framework for ensuring that the processing of personal data is transparent and compliant with regulations—a central aspect of consent management.

Challenges in Implementing These Articles

Some provisions in the GDPR are clear and straightforward. For instance, Article 6(1)(a) explicitly states that personal data can only be processed with active consent. In other words, there is no way around obtaining such consent.

One might assume, however, that the term "processing" is broad and does not include mere storage. Yet the GDPR offers a clear definition in Article 4 (Definitions). According to this, "processing" includes any operation involving personal data, such as collection, recording, storage, retrieval, organization, transmission, erasure, and even restriction.

In simple terms: any form of interaction with personal data qualifies as processing, making active consent indispensable.

A greater challenge, however, lies in the vague wording of Article 6(1)(f) ("legitimate interest"). Companies might argue that certain data is essential to provide their services. Whether such an argument holds up in court in case of a dispute depends on the judge's discretion.

For this reason, it is strongly recommended to always obtain active consent. This approach not only ensures legal compliance but also fosters user trust.

Who Needs a Consent Manager? 

In short: almost everyone. Any website or online shop interacts with personal data in some way. For smaller websites and shops, simplified, basic versions of a consent manager might be sufficient. It’s even possible that only functional cookies, such as those for shopping carts, are used—cookies that do not require consent. However, we strongly recommend that every business, regardless of size, implement a consent manager to safeguard against potential fines.

If you want to track user interactions, such as conversions, using analytics tools like Google Analytics (GA4), obtaining explicit consent is essential. Fortunately, there’s a suitable solution for every business. Larger organizations, especially those with an international presence, can benefit significantly from more advanced consent managers. Many providers now combine consent management with additional features like a preference manager, which can be especially valuable for many businesses.

Google, too, is now subject to stricter data protection regulations, particularly under the Digital Markets Act 2023. This act requires Google to take measures if personal data is unlawfully processed. As a result, websites using tools like Google Analytics 4 must implement a robust consent manager. To help ensure compliance, Google has introduced the so-called Google Consent Mode. Websites that fail to adopt it may soon face restrictions on using Google products such as Google Ads or Google Analytics.

Additionally, Google has developed a type of certification program to verify consent managers that support Google Consent Mode. Therefore, it’s worthwhile to choose a consent manager that is Google-certified. Doing so not only ensures your website’s legal compliance but also guarantees the full functionality of the Google products you rely on.

What Makes a Good Consent Manager?

A good consent manager stands out for its extensive functionality and seamless usability. While there are dozens of features a quality consent manager should have, several key aspects are particularly important:

A Consent Manager Should Offer Customer Support

Every website is unique, and a consent manager must adapt to the specific needs of each site. Reliable customer support is crucial for this, helping to determine appropriate pricing and ensuring a flawless technical implementation. This not only guarantees that the platform's features work as intended but also saves the website operator time and money on debugging.

A Consent Manager Should Have Certifications

Certifications are vital. As mentioned earlier, Google’s Consent Mode certification is particularly important. Additionally, other certifications, such as the IAB TCF v2.2, are critical. These certifications ensure that the consent manager adheres to high industry standards.

A Consent Manager Should Simplify Processes

Ease of use is key. For example, having a library of pre-written texts for integration can save time. Since users must have the opportunity to gather information about the technologies in use before giving consent, pre-formulated text options are highly valuable. Usercentrics, for instance, provides over 2,000 legally compliant templates for this purpose.

A Consent Manager Must Provide Analytical Capabilities

Collecting and analyzing data about consents is essential. This enables businesses to strategically prioritize key cookies and optimize their placement. Furthermore, analyzing consent data provides insights into data quality and other critical KPIs.

A Consent Manager Should Support Compliance with Multiple Laws

While the GDPR is the primary legal framework in Europe and Germany, many other countries have their own regulations requiring specific adaptations. The more jurisdictions a consent manager supports, the easier it becomes for businesses to operate in multiple markets.

By addressing these aspects, a consent manager can help businesses ensure compliance, improve user experience, and optimize their digital strategy.