Companies manage consent across websites and apps by implementing a Consent Management Platform (CMP) — software that runs four core operations in sequence: collect user choices about data processing, match those choices to a user identity that persists across platforms, harmonize the consent record across every connected tool and system, and honor it in real time — including when users update or withdraw their preferences.
The challenge is that websites and mobile apps are technically separate environments with different storage mechanisms, different platform-level consent requirements, and different integration architectures. A user who opts out of analytics on your website and then opens your app is, technically, a different anonymous session — unless you have built an identity layer that links those two environments. Managing that link, and keeping consent synchronized across it, is the central operational problem in modern cross-platform consent management.
Picture this: your marketing team discovers that a segment of subscribers who opted out of email tracking six months ago are still receiving behavioral emails — because the consent withdrawal updated the banner but never reached the CRM. That is not a hypothetical scenario. It is one of the most common patterns in consent enforcement investigations, and it is exactly the kind of systemic failure that regulators now treat as evidence of inadequate governance rather than a technical accident.
The enforcement data reflects the scale of the problem. European regulators issued €1.2 billion in GDPR penalties in 2025 alone — a 22% year-over-year increase. The CMS GDPR Enforcement Tracker records more than 2,685 fines totalling over €6.11 billion since 2018, with more than 60% of that total issued since January 2023. Consent-related violations — insufficient legal basis, dark patterns, failure to honor withdrawals — account for a disproportionate share.
The specific enforcement cases that define the risk:
The prevalence data is equally striking. A 2022 European Commission study — the largest systematic audit of consent practices ever conducted — found that 97% of the most popular websites and apps used by EU consumers deployed at least one dark pattern in their consent interfaces (European Commission, 2022). This is not a minority problem. It is the industry default.
On the consumer side: according to Cisco's 2025 Privacy Benchmark Study, 84% of consumers say they want control over what information companies collect about them — and organizations that invest in genuine consent management report a median 1.6x ROI on that investment. Consent infrastructure is not purely defensive. It builds the first-party data foundation that marketing operations depend on as browsers restrict third-party cookies.
Key term defined: The consent lifecycle is the complete operational sequence from the moment a user first encounters a consent interface, through every subsequent update, withdrawal, renewal, and data deletion — across every platform and tool that processes their personal data.
The four-stage model that best describes how enterprise consent management actually works:
| Stage | What It Means | What Breaks Without It |
|---|---|---|
| 1. Collect | Obtain the user's freely given, specific, informed, and unambiguous consent choice — via banner, modal, or native mobile prompt | Vague language, pre-ticked boxes, bundled purposes, dark patterns — all GDPR Art. 7 violations |
| 2. Match | Link the consent record to a persistent user identity — so the same person's choices are recognized across web, mobile, and authenticated sessions | Consent exists as a browser cookie or local app record; it cannot follow the user across platforms |
| 3. Harmonize | Synchronize the matched consent record across every connected system — analytics, advertising, CRM, CDP, email platform, AI pipeline | Consent collected and matched but not propagated; downstream tools continue processing under withdrawn consent |
| 4. Honor | Enforce user choices in real time: re-collect consent when purposes change, act on withdrawals immediately, and delete data when retention periods expire | Withdrawal registered in the CMP but not acted on in downstream tools — the single most common source of consent enforcement failures |
Most consent failures occur at stages 3 and 4 — not at collection. A technically compliant consent banner can coexist with active consent violations if the signal never reaches the tools that actually process personal data.
This distinction is one of the most important — and least understood — in consent management.
Cookie consent is session-level and device-level. When a user accepts or rejects cookies on your website, that preference is stored in a browser cookie on that device. It applies to that browser, on that device, for as long as the cookie persists. It does not follow the user to a different browser, a different device, or your mobile app. When the cookie is cleared, the consent record is gone.
Identity consent (sometimes called authenticated consent or follow-me consent) links consent choices to a persistent user identity — typically a hashed email address or a platform-assigned user ID — stored in a cloud-based consent repository. When a user with an identity-linked consent record authenticates on any of your platforms, their preferences are applied automatically, without re-prompting.
| | Cookie consent | Identity consent |
|---|---|---|
| Storage | Browser cookie / local device storage | Cloud-based consent repository |
| Scope | Single browser on single device | All authenticated sessions, all platforms |
| Survives cookie clearing | No | Yes |
| Works across web and mobile | No | Yes (for authenticated users) |
| Required for cross-platform compliance | No | Yes, for organizations with web + app |
| Enables preference centers | Partially | Fully |
The practical implication: organizations that manage only cookie consent are operating a consent program that is invisible to their mobile app, breaks when users clear their browsers, and cannot synchronize across multiple domains. For any organization with both a website and a mobile app, identity consent is the architecture that makes cross-platform compliance operationally possible.
Website consent management is the most mature and most enforced domain. CNIL's enforcement actions against Google, Facebook, and SHEIN — all consent-UI related — have made the website consent banner the most scrutinized data protection artifact in the EU.
The technical architecture of website consent:
A CMP deployed on a website operates through a JavaScript tag that fires when a user loads the page. Before any non-essential cookies or tracking scripts are allowed to run, the CMP:
Key website consent components and what they do:
Cross-domain consent:
Consent collected on one domain does not automatically apply to another. Organizations operating multiple websites need explicit cross-domain consent synchronization — passing consent state between domains via a shared identity token — to avoid re-prompting authenticated users and to maintain consistent compliance across a domain portfolio.
Mobile consent management is technically separate from website consent and governed by an additional layer of platform requirements on top of data protection law.
Platform-level requirements that apply before data protection law:
How mobile CMP deployment works:
Mobile consent requires integrating an SDK directly into the app's codebase — not a JavaScript tag. The SDK:
The third-party SDK governance problem:
Most mobile apps contain dozens of third-party SDKs — analytics, crash reporting, push notifications, advertising, attribution. Each SDK may independently collect and process personal data. Consent management requires ensuring every third-party SDK respects the consent signal — which means SDKs must be initialized conditionally, in the correct order, based on the categories the user has accepted. Misconfigured SDK initialization — where a restricted SDK fires before the consent check completes — is one of the most common mobile consent violations and one of the hardest to detect without deliberate end-to-end testing.
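The conditional, ordered initialization described above, as an added example that is not Secure Privacy's SDK or any vendor's code: a small consent gate in JavaScript that holds every non-essential tag or SDK loader until the CMP reports a decision for its category, starts loaders in dependency order, and, on withdrawal, disables what can be disabled and records what cannot. The loader names (cmp, analytics, attribution, ad_sdk), their categories and the optional stop callback are assumptions for illustration; in a browser the run callbacks would inject script tags, in an app they would call the vendor SDK's init. The same gate is the fix for the "tags firing before consent" failure discussed later on this page.

```javascript
// Added example, not part of any vendor SDK. Gates tag/SDK start-up on consent.
class ConsentGate {
  constructor() {
    this.decisions = null;            // null until the CMP reports a decision
    this.loaders = new Map();         // name -> { category, dependsOn, run, stop }
    this.started = new Set();
    this.blocked = new Set();         // refused in the latest evaluation
    this.needsRestart = new Set();    // running SDKs later denied that have no stop()
  }

  // 'necessary' is the only category allowed to start before a decision exists.
  // Everything else waits here even if the page has finished loading; starting
  // non-essential loaders on registration is the "fires before consent" bug.
  register(name, { category, dependsOn = [], run, stop = null }) {
    this.loaders.set(name, { category, dependsOn, run, stop });
    if (category === 'necessary') this.start(name);
    return this;
  }

  // Called by the CMP after the banner answer or a stored identity consent record.
  applyDecision(decisions) {
    this.decisions = { necessary: true, ...decisions };
    this.blocked.clear();
    // Withdrawal first: disable anything already running whose category is now denied.
    for (const name of [...this.started]) {
      const l = this.loaders.get(name);
      if (this.decisions[l.category] === true) continue;
      if (l.stop) { l.stop(); this.started.delete(name); } else { this.needsRestart.add(name); }
    }
    for (const name of this.loaders.keys()) this.start(name);
  }

  // Starts a loader only if its category is granted and every dependency could start.
  // Dependencies must be registered before the loaders that depend on them.
  start(name) {
    if (this.started.has(name)) return true;
    const l = this.loaders.get(name);
    const granted = l.category === 'necessary' ||
      (this.decisions !== null && this.decisions[l.category] === true);
    if (!granted || !l.dependsOn.every((dep) => this.start(dep))) {
      this.blocked.add(name);
      return false;
    }
    l.run();
    this.started.add(name);
    return true;
  }
}

// Walkthrough on a constructed tag set. Returns what fired so it can be checked.
function simulate(firstDecision, secondDecision = null) {
  const fired = [];
  const gate = new ConsentGate()
    .register('cmp', { category: 'necessary', run: () => fired.push('cmp') })
    .register('analytics', { category: 'analytics',
      run: () => fired.push('analytics'), stop: () => fired.push('analytics:stopped') })
    .register('attribution', { category: 'advertising', dependsOn: ['analytics'],
      run: () => fired.push('attribution') })
    .register('ad_sdk', { category: 'advertising', dependsOn: ['attribution'],
      run: () => fired.push('ad_sdk') });
  const onLoad = fired.slice();        // what ran before any decision
  gate.applyDecision(firstDecision);
  if (secondDecision) gate.applyDecision(secondDecision);
  return { onLoad, fired, blocked: [...gate.blocked], needsRestart: [...gate.needsRestart] };
}

console.log(JSON.stringify(simulate({ analytics: true, advertising: true }), null, 2));
console.log(JSON.stringify(simulate({ analytics: false, advertising: true }), null, 2));
```

The needsRestart set is the part that is usually missed in testing: many mobile SDKs have no way to be switched off once initialized, so a withdrawal made while the app is running is only fully honoured after the next cold start, and the user must be suppressed server-side in the meantime. The end-to-end test the text calls for is the onLoad check: with no stored decision, nothing but the CMP itself may have run.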
Secure Privacy's Mobile SDK for consent management handles cross-platform synchronization across iOS, Android, and web — ensuring preferences captured on one platform apply consistently across all others.
Collecting consent on a website and collecting consent in an app are solved problems. The genuinely hard problem is keeping consent state synchronized when the same user interacts across both — and ensuring a withdrawal made in one environment is honored in all others, including systems that the consent team may not even know are receiving personal data.
Why the default state is consent fragmentation:
Websites store consent in browser cookies or localStorage. Mobile apps store it in local device storage. Without a shared identity layer, these are two independent consent records for the same person. The average consumer uses 3.6 devices (Didomi, 2025). Without cross-platform synchronization, that is 3.6 separate consent states that may contradict each other — and that regulators will expect you to reconcile in an audit.
The identity-linked synchronization architecture:
The standard architecture for cross-platform consent synchronization:
The timestamp rule for conflicts: When consent records conflict across platforms, the standard practice is to apply the most recent timestamp — honoring the latest expression of user intent regardless of which platform it was made on.
Real-world impact: A documented deployment of cross-device consent synchronization by a major European telecoms company increased consent rates by approximately 10% — because authenticated users were not repeatedly shown prompts they had already answered on another device (Didomi/Orange, 2025).
What cannot be synchronized:
For unauthenticated users — anyone who has not logged in — cross-platform synchronization is not technically possible without a shared identifier. Unauthenticated web sessions and unauthenticated app sessions must be treated as independent consent contexts, each requiring their own consent collection. The practical implication: organizations for whom consent persistence matters should design their UX to encourage authentication, and should not assume that consent coverage of authenticated users extends to guest sessions.
A CMP is not a cookie banner. The banner is the visible layer of a much larger operational system.
Core CMP capabilities:
| Capability | What It Does | Why It Matters |
|---|---|---|
| Jurisdiction detection | Identifies user location and serves the appropriate consent experience | GDPR, CCPA, LGPD, and 19+ US state laws have different thresholds |
| Consent collection UI | Presents the banner, modal, or native prompt through which users choose | Must meet format and content requirements under applicable law |
| Tag and SDK blocking | Prevents non-essential tracking from firing before consent is obtained | Most common failure point — tools that fire before the consent check |
| Identity matching | Links consent records to a persistent user identity across sessions | Enables cross-platform sync; without this, every session is a new consent context |
| Consent logging | Records every consent event with timestamp, notice version, and specific choice | GDPR Art. 5(2) accountability — you must be able to prove consent |
| Preference center | Persistent interface for users to review and update their choices | GDPR requires withdrawal to be as easy as giving consent |
| Consent harmonization | Synchronizes consent state across all connected tools and platforms | Consent collected but not harmonized is a violation even if collection was valid |
| Withdrawal processing | Handles opt-out requests and stops downstream processing | Most commonly failed requirement in regulatory audits |
| Cross-platform sync | Synchronizes consent state across web and mobile for authenticated users | Prevents consent fragmentation across 3.6 average devices per consumer |
| Audit reporting | Generates compliance evidence for regulators, auditors, and review | Required to demonstrate compliance under GDPR Art. 5(2) |
| Regulatory updates | Automatically updates consent flows when applicable regulations change | Manual updates cannot scale across dozens of jurisdictions |
What a CMP does not replace:
A CMP manages consent — it does not manage the full privacy governance program. It does not handle Data Subject Access Requests, Records of Processing Activities (RoPA), DPIAs, or vendor risk management. For organizations that need both, Secure Privacy's privacy governance software integrates consent management with the full suite of privacy operations tools.
These terms are often used interchangeably. They describe different things.
A Consent Management Platform (CMP) is the complete system — the technical infrastructure that collects, records, enforces, and audits consent across all platforms and tools. It includes the banner, the backend logging, the consent propagation integrations, the audit trail, and the regulatory update mechanism.
A preference center is a user-facing interface — one component within a CMP — where users can view and update their consent choices at any time after the initial collection. Under GDPR, a preference center is required: users must be able to withdraw consent as easily as they gave it, which means providing an always-accessible interface to manage their choices.
| | CMP | Preference center |
|---|---|---|
| What it is | Complete consent management system | A user-facing UI component within that system |
| Who interacts with it | Primarily backend / technical | End users |
| What it manages | Entire consent lifecycle across all platforms | A user's current preferences on a single interface |
| Is it required by GDPR? | Not by name, but Art. 5(2) and 7(1) require you to demonstrate that valid consent was obtained, which in practice needs one | Not by name, but Art. 7(3) requires withdrawal to be as easy as giving consent, which in practice needs one |
| Can it exist without the other? | A CMP without a preference center is incomplete | A preference center without a CMP backend has no enforcement mechanism |
The practical test: a preference center where a user can update their choices, but where those choices do not propagate to downstream tools, is not compliance. It is a consent theater interface without a backend. The CMP is what makes the preference center operationally meaningful.
Most consent enforcement actions target failures that are preventable. These are the most common:
1. Tags firing before consent is collected
If your tag manager fires non-essential scripts on page load before the CMP can block them, you are collecting data without valid consent, regardless of what the banner says. This is the most common technical failure and the hardest to detect without deliberate testing. Fix: load the CMP tag synchronously in the document head before the tag manager, configure every non-essential tag to wait for a consent signal rather than fire on page load, and verify in a fresh browser profile (network tab open, no prior cookies) that no non-essential request is sent before a decision is made.
2. Consent UI asymmetry (dark patterns)
The European Commission found that 97% of the most popular EU websites and apps deployed at least one dark pattern in their consent interfaces. Honda was fined $632,500 under CCPA specifically because opting out required two clicks while opting in required one. CNIL fined Google €150 million and Facebook €60 million for the same asymmetry in 2022. Fix: every action available on the opt-in path must be equally available on the opt-out path, at equivalent depth and visual prominence.
3. Consent collected but not harmonized to downstream tools
A user opts out of advertising cookies. The CMP records the choice. The advertising platform — Google Ads, Meta Pixel, a DMP — continues receiving data because the signal was never transmitted. Fix: audit every data processing tool in your stack against your CMP's signal propagation integrations, and test withdrawal scenarios end-to-end before go-live and after any integration change.
4. No renewal when consent purposes change
Adding a new analytics tool, a new ad partner, or a new AI model trained on user data creates a new processing purpose. Existing consent does not cover it. Fix: tie consent version management to your data processing inventory — any change to processing activities triggers a consent version review and, where necessary, a fresh consent collection.
5. Withdrawal not reaching AI and data pipelines
A user withdraws consent. The CMP records it. The website stops firing the analytics tag. But the user's data is still in an AI training set. Under GDPR Art. 17, withdrawal can trigger deletion obligations that extend into AI training data. Fix: implement data lineage tracking that maps which personal data entered which AI pipeline, so withdrawal signals can propagate beyond marketing tools into data infrastructure.
6. Mobile and web consent operating as silos
The same user withdraws analytics consent on your website, but your app has no record of the withdrawal, so it keeps applying its own earlier grant and continues tracking; or the app has no record at all and is misconfigured to initialize tracking without any consent check. Fix: implement identity-linked cross-platform consent synchronization for authenticated users, and treat an absent record as "collect consent", never as "proceed".
7. Mismatched consent purposes across platforms
If your website collects consent for purposes A and B but your app adds purpose C, a user who consented to A and B will be re-prompted on the app for purpose C — even if they already responded. Fix: maintain a unified consent purpose taxonomy across all platforms and ensure the preference center reflects all purposes regardless of which platform the user is on.
Consent requirements vary significantly by jurisdiction. The same user population may trigger multiple overlapping frameworks simultaneously.
| Regulation | Jurisdiction | Consent Standard | Key Requirements |
|---|---|---|---|
| GDPR | EU / EEA | Freely given, specific, informed, unambiguous opt-in | Separate consent per purpose; equal ease of withdrawal; full audit trail; GDPR Art. 5(2) accountability |
| ePrivacy Directive | EU / EEA | Opt-in for non-essential cookies | Prior consent before placing non-essential cookies; applies alongside GDPR |
| CCPA / CPRA | California, US | Opt-out for sale/sharing of personal data | Honor GPC signal; opt-out link required; right to limit use of sensitive personal information (also opt-out style, unlike the opt-in most other state laws require) |
| US State Laws (19 states as of Jan 2026) | Indiana, Kentucky, Rhode Island + 16 others | Varies | Sensitive data opt-in in most states; universal opt-out rights |
| LGPD | Brazil | Opt-in, similar to GDPR | Freely given, specific, informed consent; simple withdrawal required |
| PDPA | Thailand / Singapore | Opt-in | Explicit consent before collection; withdrawal rights enforced |
| Apple ATT | iOS globally | Opt-in (OS level) | Native prompt required before accessing IDFA; separate from GDPR |
| DMA | EU (7 designated gatekeepers) | Opt-in; cannot be conditional on service access | Withdrawal must be as easy as giving consent; no bundling of consent with service |
| DSA | EU (large platforms) | Prohibits dark patterns | Deceptive or nudging consent interfaces explicitly prohibited since February 2024 |
| ISO/IEC TS 27560 | International standard | Machine-readable consent records | Specifies a standardized format for consent receipts that can be processed automatically across systems |
On ISO/IEC TS 27560 specifically: This is the international technical specification for machine-readable consent records — a standardized format that allows consent receipts to be generated, stored, and processed automatically. It is not a regulation, but it is increasingly referenced in enterprise procurement requirements and in regulatory guidance on what constitutes demonstrable consent accountability. Organizations implementing consent logging that conforms to ISO/IEC TS 27560 produce consent records that are significantly easier to audit and to transmit across organizational boundaries.
The right architecture depends on your digital footprint and regulatory exposure.
If you operate a single website with EU traffic:
Minimum requirement: a GDPR-compliant CMP with ePrivacy-compliant tag blocking, a genuine opt-out path, a preference center, a consent log, and, if you run Google tags, Google Consent Mode v2. This is the entry-level use case. What to watch: re-run your cookie scanner whenever you add an integration and compare the result against the CMP's category assignments; new tags appear without triggering a consent review surprisingly often.
If you operate multiple domains:
You need cross-domain consent synchronization — a CMP that passes consent state across your domain portfolio using a consistent identity token, so authenticated users are not re-prompted on every property. Cookie-level consent does not transfer across domains by default.
If you operate both a website and a mobile app:
You need a CMP with a JavaScript library (web) and a native SDK (iOS and Android) connected to a shared cloud consent repository. The SDK must handle IAB TCF string generation for programmatic advertising and integrate with Apple ATT for iOS. This is where cookie consent is insufficient and identity consent becomes architecturally necessary.
If you have a large unauthenticated user base:
Cross-platform synchronization is not possible for unauthenticated users. Your consent program will be fragmented by design — each device session is an independent consent context. The mitigation is to maximize authenticated reach (prompt sign-in where you can), and to design consent collection flows that are low-friction enough to maximize genuine opt-in rates rather than engineering around the problem with dark patterns.
If you use AI systems that process personal data:
Your consent management must extend into your AI data pipelines. A banner opt-out that does not reach your AI training data is an incomplete withdrawal — and regulators are beginning to examine this gap directly. You need data lineage tracking connecting consent records to AI training sets, and automated withdrawal propagation that can remove personal data from AI pipelines when users opt out.
Secure Privacy's consent management and AI governance platform operationalizes this chain of custody — from the initial GDPR-compliant consent collection on your website or app, through to enforcement in your data and AI pipelines. Explore Secure Privacy's consent management tools →
Related: AI Governance Framework Tools: Compliance, Risk & Control
What is a Consent Management Platform (CMP)?
A CMP is the complete system for managing consent across the full lifecycle — collecting user choices, matching them to a persistent identity, harmonizing them across all connected tools and platforms, and honoring them through withdrawals, renewals, and data deletions. It is not just a cookie banner; the banner is the user-facing layer of a much larger operational infrastructure. Under GDPR Art. 5(2), a CMP must also produce evidence of compliance — meaning every consent event must be logged with sufficient metadata to prove that valid consent was obtained.
What is the difference between cookie consent and identity consent?
Cookie consent is session-level and device-level — stored in a browser cookie that disappears when cleared and that has no connection to your mobile app. Identity consent links consent choices to a persistent user identifier stored in a cloud repository, so preferences follow the authenticated user across browsers, devices, and platforms. For any organization with both a website and a mobile app, identity consent is the architecture that makes cross-platform compliance operationally possible. Cookie consent alone produces consent fragmentation.
Do companies need separate consent management for websites and mobile apps?
Technically yes — websites use JavaScript tags; mobile apps require native SDKs. They are also governed by different platform requirements (Apple ATT for iOS, Google Play Data Safety for Android). But operationally, organizations should run a unified consent management system where both environments write to the same consent repository, enabling identity-linked synchronization for authenticated users.
How do companies synchronize consent across websites and apps?
The standard architecture uses a hashed user identifier — typically a hashed email address — as the shared key linking consent records across environments. When a user authenticates on any platform, the CMP queries the central repository using that identifier and applies stored preferences automatically. When the user updates preferences on any platform, the change propagates back and applies at next authentication across all others. For conflict resolution, the most recent timestamp wins.
What happens when a user withdraws consent?
Under GDPR Art. 7(3), withdrawal must take effect immediately and be as easy as giving consent. In practice: the CMP records the withdrawal, stops firing associated tags or SDKs, transmits an opt-out signal to all connected tools, and — for organizations with AI data pipelines — triggers a data lineage review to suppress the user's personal data from active training and inference workflows. Failure to propagate withdrawal to downstream systems is among the most common consent enforcement failures in regulatory audits.
What is the 97% dark patterns figure?
A 2022 European Commission study — the largest systematic consent audit ever conducted in the EU — found that 97% of the 200 most popular websites and apps used by EU consumers deployed at least one dark pattern in their consent interfaces. This finding directly informed the Digital Services Act's explicit prohibition of dark patterns (Art. 25, applicable since February 2024), and the same interface patterns appear in enforcement actions since, including the €345 million TikTok fine (Irish DPC, 2023) and the Honda $632,500 CCPA penalty.
What is Google Consent Mode v2 and is it required?
Google Consent Mode v2 is Google's mechanism for receiving consent signals from a CMP and adjusting the behaviour of Google tags accordingly. Since March 2024, Google's EU user consent policy requires it for organizations using Google Analytics 4, Google Ads, or other Google measurement tools with EEA traffic; without the signal, Google tags stop supporting personalization, audience building, and conversion modelling for those users. It is a Google platform requirement layered on top of GDPR and ePrivacy consent, not a substitute for it, and it is not the same as blocking: in advanced mode the Google tags load before the decision and send cookieless pings, while basic mode holds them until consent is given. Check which mode you run. A Google-certified CMP handles Consent Mode v2 integration automatically.
What is ISO/IEC TS 27560 and does it matter for consent management?
ISO/IEC TS 27560 is the international technical specification for machine-readable consent records — a standardized format for consent receipts that can be generated, stored, and processed automatically across systems. It is not a regulation but is increasingly referenced in enterprise procurement and regulatory guidance on what constitutes demonstrable consent accountability. Organizations whose consent logs conform to this standard produce records that are significantly easier to audit and to share across organizational and jurisdictional boundaries.
What is the connection between consent management and AI governance?
Consent collected at the point of data collection is only meaningful if it is honored throughout the entire data lifecycle — including when that data enters AI training sets or inference pipelines. A user who consented to analytics tracking did not consent to their behavioral data training a recommendation model. Withdrawal under GDPR Art. 17 can trigger deletion obligations that extend into AI training data. Organizations need consent management that extends into their AI data infrastructure — with data lineage tracking, purpose-scoped consent records, and automated withdrawal propagation that reaches beyond marketing tools. Read more: AI Governance Framework Tools
Managing consent across websites and apps is not a banner problem. It is a data infrastructure problem that spans every tool, platform, and pipeline that touches personal data — across every jurisdiction where your users are located.
The organizations with functional cross-platform consent management share three characteristics: a CMP covering both web and mobile through a shared consent repository with identity-linked synchronization; verified end-to-end enforcement that they test, not just configure; and consent infrastructure that extends into their data and AI pipelines, not just their front-end properties.
With GDPR cumulative fines exceeding €6.11 billion, 97% of EU apps and sites still deploying at least one dark pattern, and AI data pipeline compliance emerging as the next enforcement frontier, the cost of fragmented consent management is measurable and rising.
Explore how Secure Privacy manages consent across websites, apps, and AI systems →
Secure Privacy is a consent management and privacy governance platform for organizations operating under GDPR, the EU AI Act, CCPA, and global privacy law. The platform covers cookie consent, mobile SDK deployment, cross-platform consent synchronization, DPIA workflows, data subject rights management, and AI governance — in a single integrated system.
Start a free trial of Secure Privacy's GDPR-compliant consent management platform →