Google Tag Manager · 4 min read · By Phloz team

Choosing a consent management platform (CMP) for agency clients

Google now requires a certified CMP to serve EEA ads — and a CMP that isn't wired to Consent Mode just blocks data with nothing to show for it. How to choose one, and what 'done right' looks like across a book of clients.

TL;DR

A consent management platform (CMP) is the cookie banner plus the machinery that stores a visitor's choices and signals them to your tags. It's no longer optional for clients with EEA traffic: Google requires a certified CMP (and Consent Mode v2) to keep serving personalized ads and measurement in the EEA. But a CMP is only useful if it's wired to Consent Mode correctly — installed-but-unwired just blocks data with no modeling to recover it. When choosing one, the criteria that matter for agencies: Google-certified, native Consent Mode v2 integration, a GTM template, geo-targeting (only prompt where required), multi-client manageability, and price. Below: what a CMP does, how to choose, and the "done right" checklist.


Consent is the part of tracking everyone wishes would go away, and the part that's now load-bearing: get it wrong and a client's EEA ad measurement degrades or their personalized ads stop serving. The good news is that choosing and wiring a CMP well is a solved problem — you just have to treat it as infrastructure, not a banner you bolt on.

What a CMP actually does

Three jobs: (1) show the consent UI (the banner/preferences), (2) store the visitor's choices, and (3) signal those choices to your tags so they fire (or don't) accordingly. That third job is the one that matters technically — a banner that collects consent but doesn't pass the signal to Consent Mode is decoration. The CMP sits upstream of GTM: it sets the consent state, and your tags respect it.

Why this is now mandatory (for EEA traffic)

Google requires advertisers using its platforms to collect consent via a Google-certified CMP and pass it through Consent Mode v2 for users in the EEA/UK — otherwise audiences, remarketing, and full measurement degrade for that traffic. So "do we need a CMP?" is answered for any client touching European users: yes, and it has to be a certified one wired to Consent Mode. (For clients with zero EEA traffic the legal pressure is lighter, but the trajectory is one-directional — build for consent now.)

How to choose one (the criteria that matter for agencies)

  • Google-certified. Non-negotiable for EEA ads. Check it's on Google's certified-CMP list.
  • Native Consent Mode v2 integration. It must set the consent defaults and updates correctly — ideally with an official GTM template so the wiring is standard, not bespoke.
  • Geo-targeting. Show the consent prompt only where required (EEA/UK/etc.) so you're not adding friction — and killing conversion rates — for visitors in regions that don't need it.
  • Granularity + customisation. Per-purpose consent (ads vs analytics), and enough branding control to match the client's site (and your white-label posture).
  • Multi-client manageability. As an agency you'll run this across many clients — favour a CMP whose pricing and admin scale to a portfolio, not one you re-learn per client.
  • Price + maintenance. Free tiers exist (fine for small sites); enterprise tools (OneTrust, etc.) suit large/regulated clients. Match the tool to the client, but standardise where you can.

Common certified options span the range — Cookiebot, Usercentrics, OneTrust, CookieYes, Osano, and others — so the choice is usually about fit and manageability, not capability.

"Done right" checklist

Choosing the CMP is half the job; wiring it is the half that actually breaks:

  1. Consent defaults load before the container. The default consent state must be on the page before GTM loads, or tags fire before consent is known. This is the #1 wiring bug.
  2. Consent Mode v2 signals pass through. Verify ad_storage, analytics_storage, ad_user_data, ad_personalization actually update when a visitor accepts/declines.
  3. Geo-targeting works. Confirm the banner shows in the EEA and doesn't needlessly block non-EEA visitors.
  4. Modeling is on. With Consent Mode, declined users still send cookieless pings GA4 can model — so "consent denied" isn't "data gone." If you see nothing under denial, the wiring is too strict.
  5. It's verified, not assumed. Test accept and decline paths; a banner that looks fine can still fail to pass the signal — the same verify-don't-trust discipline as the rest of tracking. A mis-wired CMP is a frequent hidden cause of traffic landing in Unassigned or thin EEA data.
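Checklist items 1, 2 and 5 can be checked mechanically against a page's dataLayer. The following is an added example, not Phloz's or Google's code: auditConsentWiring and its finding labels are hypothetical names, the snapshots are constructed, and it assumes a single default that is not region-scoped.

```javascript
// Added example: audits a dataLayer snapshot for consent ordering and v2 signals.
const V2_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// gtag() pushes its Arguments object, so a consent command is an
// array-like entry: ['consent', 'default' | 'update', { signal: value }].
function consentCommand(entry) {
  if (!entry || typeof entry !== 'object' || entry[0] !== 'consent') return null;
  return { mode: entry[1], state: entry[2] || {} };
}

function auditConsentWiring(dataLayer) {
  const findings = [];
  const effective = {};            // merged consent state after all commands
  let sawDefault = false, sawUpdate = false, containerLoaded = false;
  for (const entry of dataLayer) {
    if (entry && entry.event === 'gtm.js') { containerLoaded = true; continue; }
    const cmd = consentCommand(entry);
    if (!cmd) continue;
    if (cmd.mode === 'default') {
      sawDefault = true;
      if (containerLoaded) findings.push('DEFAULT_AFTER_CONTAINER');
      for (const k of V2_SIGNALS) if (!(k in cmd.state)) findings.push('DEFAULT_MISSING:' + k);
    } else if (cmd.mode === 'update') {
      sawUpdate = true;
    }
    for (const k of V2_SIGNALS) if (k in cmd.state) effective[k] = cmd.state[k];
  }
  if (!sawDefault) findings.push('NO_DEFAULT');
  if (!sawUpdate) findings.push('NO_UPDATE');   // banner choice never reached Consent Mode
  return { findings, effective };
}

// Constructed samples: build snapshots the way a page's snippets would.
function snapshot(build) {
  const dataLayer = [];
  build(function gtag() { dataLayer.push(arguments); }, dataLayer);
  return dataLayer;
}
const all = (v) => Object.fromEntries(V2_SIGNALS.map((k) => [k, v]));
const lateDefault = snapshot((gtag, dl) => {
  dl.push({ 'gtm.start': 0, event: 'gtm.js' });   // container snippet ran first
  gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' });
  gtag('consent', 'update', { analytics_storage: 'granted' });
});
const wired = snapshot((gtag, dl) => {
  gtag('consent', 'default', all('denied'));
  dl.push({ 'gtm.start': 0, event: 'gtm.js' });
  gtag('consent', 'update', all('granted'));       // visitor accepted
});
console.log(auditConsentWiring(lateDefault).findings, auditConsentWiring(wired).findings);
```

On a live page, run the two functions in the browser console against the page's dataLayer array after exercising the accept path and again after the decline path, and compare `effective` with what the visitor chose.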

Where this fits

Consent is infrastructure now — a per-client system that determines whether the client's European measurement and ads even function, and that breaks silently when the defaults load late or the signal doesn't pass. Phloz keeps each client's consent setup — the CMP, its Consent Mode wiring, its geo rules — modeled and health-checked alongside the rest of the tracking-infrastructure map, so "is this client's consent actually working, or just showing a banner?" is a view you can confirm. The CRM for SEO agencies and pricing pages cover the workflow — but pick a certified CMP, wire it to Consent Mode, and test both the accept and the decline; the banner is the easy part.