Consent Management Platforms (CMPs)
Consent Management Platforms (CMPs)
Consent Management Platforms handle the complex task of collecting, storing, and enforcing user consent across websites and applications. While building a custom consent system is possible, CMPs offer battle-tested implementations that handle edge cases, multiple jurisdictions, and integration with common third-party services. The key is choosing a CMP that balances features with flexibility and privacy.
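Open-source CMPs provide transparency and customization options. Osano (formerly Cookieconsent) offers a lightweight, customizable solution suitable for basic consent needs. Klaro! provides more advanced features including purpose-based consent and easy third-party service integration. These tools handle the frontend display and basic consent storage but require backend implementation for full compliance: a consent cookie lives in the user's browser, where it can be edited or cleared, so it cannot serve as an auditable record, and any processing that happens server-side has to check consent on the server.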
// Implementing Klaro! for consent management
import * as Klaro from 'klaro/dist/klaro';
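/**
 * Klaro! configuration: banner settings, per-service consent callbacks and a
 * consent-change hook that reports the decision to the backend.
 *
 * Everything in this object runs in the visitor's browser. The stored consent
 * cookie and the report sent to /api/consent are therefore client-controlled
 * values; the backend must validate them and keep its own record.
 */
const klaroConfig = {
  elementID: 'klaro',
  storageMethod: 'cookie',
  cookieName: 'klaro',
  cookieExpiresAfterDays: 365,
  privacyPolicy: '/privacy-policy',

  // Language and translations
  lang: 'en',
  translations: {
    en: {
      acceptAll: 'Accept all',
      acceptSelected: 'Accept selected',
      decline: 'Decline',
    },
  },

  // Service definitions
  services: [
    {
      name: 'google-analytics',
      title: 'Google Analytics',
      purposes: ['analytics'],
      cookies: [/^_ga/, /^_gid/, /^_gat/, /^__utma/, /^__utmb/, /^__utmc/, /^__utmz/],
      /**
       * Enables or disables Google Analytics for this page.
       * @param {boolean} consent - true when the visitor allowed this service.
       * @param {object} service - this service definition (used for `cookies`).
       */
      callback(consent, service) {
        // The opt-out switch has to follow consent in both directions. Setting
        // it only on decline would leave GA disabled after decline -> accept.
        window['ga-disable-GA_MEASUREMENT_ID'] = !consent;

        if (consent) {
          // NOTE(review): the gtag.js loader is not injected here. Presumably it
          // is added elsewhere; verify it is not loaded unconditionally, since
          // that would contact Google before the visitor has decided.
          window.dataLayer = window.dataLayer || [];
          // gtag expects the raw `arguments` object, so this stays a plain function.
          const gtag = function () {
            window.dataLayer.push(arguments);
          };
          gtag('js', new Date());
          gtag('config', 'GA_MEASUREMENT_ID', {
            anonymize_ip: true,
            cookie_flags: 'SameSite=Lax;Secure',
          });
          return;
        }

        // Expire GA cookies. Read the cookie string once, because every write
        // below changes document.cookie.
        const cookieNames = document.cookie
          .split(';')
          .map((pair) => pair.split('=')[0].trim())
          .filter((name) => name !== '');

        for (const name of cookieNames) {
          if (service.cookies.some((pattern) => pattern.test(name))) {
            // Only removes a host-only cookie at path "/". A cookie that was set
            // with a Domain attribute or another path is not matched by this
            // write; check in the browser that the cookies are actually gone.
            document.cookie = `${name}=;expires=Thu, 01 Jan 1970 00:00:00 UTC;path=/;`;
          }
        }
      },
    },
    {
      name: 'facebook-pixel',
      title: 'Facebook Pixel',
      purposes: ['marketing'],
      cookies: ['_fbp', 'fr'],
      /**
       * Loads the Facebook Pixel on consent and revokes pixel consent otherwise.
       * @param {boolean} consent - true when the visitor allowed this service.
       * @param {object} service - this service definition (unused here).
       */
      callback(consent, service) {
        if (consent) {
          // Vendor loader, kept verbatim. The script it injects runs with the
          // page's full privileges: keep it behind this consent gate and
          // allow-list its origin in the Content-Security-Policy.
          !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){
          n.callMethod?n.callMethod.apply(n,arguments):n.queue.push(arguments)};
          if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
          n.queue=[];t=b.createElement(e);t.async=!0;
          t.src=v;s=b.getElementsByTagName(e)[0];
          s.parentNode.insertBefore(t,s)}(window,document,'script',
          'https://connect.facebook.net/en_US/fbevents.js');
          // Re-grant in case consent was revoked earlier on this page.
          window.fbq('consent', 'grant');
          window.fbq('init', 'YOUR_PIXEL_ID');
          window.fbq('track', 'PageView');
        } else if (typeof window.fbq === 'function') {
          // A pixel that is already loaded keeps running unless it is told to
          // stop; without this branch a withdrawal had no effect on it.
          // NOTE(review): 'fr' is presumably set on Facebook's own domain and
          // cannot be cleared by first-party script; confirm.
          window.fbq('consent', 'revoke');
        }
      },
    },
    {
      name: 'custom-analytics',
      title: 'Our Analytics',
      purposes: ['analytics', 'functional'],
      required: false,
      optOut: false,
      onlyOnce: true,
      cookies: ['session_analytics', 'user_id'],
      /**
       * Switches the site's own analytics on or off.
       * initializeAnalytics / disableAnalytics are defined outside this listing.
       * @param {boolean} consent - true when the visitor allowed this service.
       * @param {object} service - this service definition (unused here).
       */
      callback(consent, service) {
        // Client-side flag only: any script on the page can read or change it,
        // so server-side analytics must not rely on it.
        window.analyticsConsent = consent;
        if (consent) {
          initializeAnalytics();
        } else {
          disableAnalytics();
        }
      },
    },
  ],

  /**
   * Called when consent changes; reports the new state to the backend.
   *
   * NOTE(review): Klaro's annotated config documents the top-level callback as
   * (consent, service), invoked per service. Confirm what the second argument
   * holds before persisting it as `changed`.
   */
  callback(consent, changed) {
    console.log('Consent updated:', consent);
    // The request body is built in the browser, so the backend has to treat it
    // as untrusted: tie it to the session, protect the endpoint against CSRF,
    // validate the service names, and stamp the record with server time (the
    // `timestamp` below can be forged).
    fetch('/api/consent', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        consent,
        changed,
        timestamp: new Date().toISOString(),
      }),
    })
      .then((response) => {
        if (!response.ok) {
          throw new Error(`Consent endpoint returned ${response.status}`);
        }
      })
      .catch((err) => {
        // A lost consent record is a compliance gap; surface it instead of
        // leaving an unhandled rejection.
        console.error('Failed to record consent:', err);
      });
  },
};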
// Initialize Klaro! by handing it the configuration object.
// klaroConfig is a plain object, so nothing in it takes effect until this call.
Klaro.setup(klaroConfig);
/**
 * Programmatic consent check.
 *
 * Reads the answer from Klaro's consent manager in the browser. Use it to gate
 * client-side behaviour only: the value comes from client-controlled storage,
 * so server-side processing needs its own check.
 *
 * @param {string} serviceName - `name` of a service from the Klaro config.
 * @returns {*} whatever the manager's getConsent() reports for that service.
 */
function canUseService(serviceName) {
  return Klaro.getManager().getConsent(serviceName);
}
/**
 * Update consent programmatically, then persist and apply it.
 *
 * Call this only in response to an explicit choice by the visitor. Setting
 * `consent` to true from code without one records a consent the visitor never gave.
 *
 * @param {string} serviceName - `name` of a service from the Klaro config.
 * @param {boolean} consent - the new consent state for that service.
 */
function updateServiceConsent(serviceName, consent) {
  const consentManager = Klaro.getManager();

  // Record the new state first, then save and apply it.
  consentManager.updateConsent(serviceName, consent);
  consentManager.saveAndApplyConsents();
}
Commercial CMPs like OneTrust, TrustArc, and Cookiebot offer additional features including automatic cookie scanning, consent analytics, and pre-built integrations with hundreds of third-party services. They often include geo-location detection, A/B testing capabilities, and comprehensive reporting for compliance teams. The tradeoff is less control and potential vendor lock-in.