What’s a Consent Management Platform (CMP)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A Consent Management Platform (CMP) is software that handles how you collect, store, and manage user consent for data processing. If you've seen those cookie banners on websites, you've seen a CMP in action. But they do more than just cookies.

For email, a CMP's job is to record consent in a way that's auditable and legally defensible. Under GDPR, it's not enough to have someone's email address. You need to be able to prove that they gave you consent, when they gave it, what they consented to, and through which mechanism. A CMP creates and stores that record. Your ESP usually isn't designed to be the system of record for consent, even if it tracks subscription status.

What a CMP typically provides: consent collection interfaces (forms, banners, checkboxes), a database of consent records with timestamps and identifiers, synchronization to downstream systems (your ESP, your CRM), and a preference center where subscribers can view and update their choices.

Whether you need a dedicated CMP depends on your situation. A solo newsletter sender probably doesn't need one. A company collecting subscriber data across multiple channels, running targeted campaigns, and dealing with GDPR at any scale should seriously consider it. The audit trail a CMP provides is much harder to reconstruct after the fact if you get a GDPR complaint or a data subject access request.

Popular CMPs include OneTrust, Cookiebot, and Usercentrics for web consent, and platforms like Didomi that cover both web and email. Your ESP may also have native consent logging features worth reviewing before adding another tool.

For more on what valid consent actually requires, what counts as valid consent covers the specifics that a CMP needs to capture.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Review my consent management setup

I want to understand whether my consent management approach is adequate for GDPR. Here's my current setup: - How I collect email consent: double opt-in form / single opt-in / other - Where consent records are stored: ESP / CRM / standalone tool / not stored separately - Whether I can answer a data subject request for what consent a person gave: yes / no / not sure - My subscriber regions: EU / UK / other - My monthly send volume: approximate Tell me whether my current consent management is likely sufficient, or whether I should look at a dedicated CMP.

Edit the yellow boxes, then send to the AI of your choice.