Back to articles

Consent implementations

Consent is no longer a banner checkbox—it is part of your measurement architecture. A solid CMP setup protects users, keeps tags compliant, and preserves as much signal as possible for analytics and advertising when users opt in.

This guide covers what a production-ready consent implementation includes, where implementations fail, and how we typically roll out OneTrust, Cookiebot, CookiePro, and IAB TCF setups with Google Tag Manager.

What a production-ready setup includes

  • CMP configuration aligned with your regions, languages, and legal requirements (EU, UK, US states where applicable)
  • Google Consent Mode v2 with correct defaults and update triggers for analytics_storage, ad_storage, ad_user_data, and ad_personalization
  • Tag firing rules that respect marketing, analytics, functional, and necessary consent categories
  • Vendor transparency — cookie policy and CMP vendor list match tags actually live in GTM
  • Consent logs retained according to your policy for audit and dispute resolution
  • Staging validation before every major CMP or GTM publish

CMP platforms we commonly integrate

OneTrust

Strong for enterprise multi-domain estates. Expect longer setup but robust policy workflows, assessments, and governance. GTM integration requires careful category-to-tag mapping across brands and locales.

Cookiebot / CookiePro

Popular for mid-market sites, WordPress, and Shopify. Good Consent Mode templates and straightforward GTM guides. Watch vendor auto-blocking vs manual GTM triggers—pick one strategy and stick to it.

Usercentrics

Common in EU retail and DACH markets. Flexible banner UX and solid Consent Mode support. Evaluate multi-property pricing early.

IAB TCF 2.2

Required when working with programmatic vendors and ad networks that expect TC strings. Ensure your CMP version, vendor list, and ad tag setup are aligned.

Common failure points

  • Tags firing before consent updates propagate to GTM (race condition on page load)
  • Mismatch between banner categories and GTM consent settings (e.g. “Statistics” in CMP vs analytics_storage in GTM)
  • Missing ad_user_data / ad_personalization signals for Google Ads after v2 requirements
  • Auto-blocking plugins conflicting with GTM Consent Initialization tags
  • Hardcoded pixels outside GTM bypassing the CMP entirely
  • Stale vendor lists after adding Meta, TikTok, Hotjar, or A/B testing tools

Implementation workflow

  1. Inventory — List all tags, cookies, and data recipients (including server-side endpoints)
  2. Map categories — Define which tags belong to necessary, analytics, marketing, functional
  3. Configure CMP — Banner text, languages, geo rules, vendor declarations
  4. Wire GTM — Consent defaults, update tags, conditional triggers per category
  5. Test journeys — First visit, reject all, accept all, granular choices, re-open preferences
  6. Document — Runbook for marketing when adding a new pixel (update CMP + GTM + policy)
  7. Monitor — Quarterly re-audit and after every major site or app release

How we approach implementations

We map your stack end-to-end, configure the CMP, wire GTM triggers and variables, validate with Tag Assistant, consent logs, and real browser scenarios across locales before go-live. Deliverables typically include a tag/consent matrix, test scripts, and handover documentation for your internal teams.

Signs your consent setup needs help

  • Ad platforms show sudden attribution drops after a banner update
  • Legal or DPO flags missing vendors in the cookie policy
  • Non-essential cookies appear in browser DevTools before any user action
  • Different behavior between /en, /ro, and other locales

Fixing consent is faster and cheaper before a regulatory inquiry or enterprise security review—not after.