
Consent Management (CMP)

Also known as: Consent Management Platform, CMP, Cookie Consent Tool

A platform that manages user privacy consent (GDPR, CCPA, others) — the consent UI, the consent string, the vendor preferences, and the audit trail.

Key takeaways

  1. CMP = consent management platform. Handles consent UI, IAB TCF integration, vendor preferences, audit trail.
  2. Major platforms 2026: OneTrust (enterprise standard), Cookiebot, Didomi, Sourcepoint, TrustArc.
  3. Build vs buy: most mobile apps buy. The complexity of GDPR + CCPA + state laws + IAB TCF makes DIY consent management high-risk.
  4. Right consent design lifts MMP-trackable installs by 10-20% vs default-reject patterns — UX matters.

A consent management platform (CMP) is software that handles the user-privacy-consent layer for mobile apps and websites. The CMP shows the consent UI to users, captures their preferences, generates the standardized consent strings (IAB TCF format) that get passed to every ad network and analytics SDK, and maintains an audit trail of consent decisions for regulatory compliance. It's the operational layer between privacy regulations (GDPR, CCPA, others) and the ad tech stack.

Major CMPs in 2026

Most mobile apps integrate one CMP via SDK, which handles the iOS and Android consent UI consistently and manages the TCF consent string for downstream ad networks.

What a CMP does for mobile apps

  1. Show the consent dialog — at first launch (GDPR opt-in) and / or in settings (CCPA "Do Not Sell or Share").
  2. Capture consent preferences per purpose category — analytics, advertising, personalization, content delivery, social media, etc. Per IAB TCF vendor list.
  3. Generate the consent string — a standardized encoded representation of which purposes the user consented to. Pass this string to every ad network and analytics SDK call.
  4. Respect user preferences — block SDK / network calls that don't have appropriate consent.
  5. Audit trail — log who consented to what, when, with what UI version. Required for regulator response.
  6. Re-consent workflow — when your privacy practices change (new vendor, new data category), prompt users to re-consent.
  7. Geo-aware presentation — show GDPR-style dialog to EU users, CCPA-style dialog to California users, customizable for other regions.
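
Steps 4 to 6 above (blocking calls without consent, the audit trail, and re-consent) as an added Python sketch; it is not code from this page or from any CMP vendor. The vendor names, purpose labels, `ConsentStore` class and the hash-chained log layout are assumptions made for illustration, and a real CMP would carry purposes in an IAB TCF consent string rather than a Python set.

```python
import hashlib
import json

# Hypothetical vendor -> required-purpose map, constructed for this example.
VENDOR_PURPOSES = {"ads_sdk": {"advertising"}, "analytics_sdk": {"analytics"}}
GENESIS = "0" * 64


def _digest(prev, entry):
    # Canonical JSON so the same entry always hashes to the same value.
    body = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class ConsentStore:
    def __init__(self, policy_version):
        self.policy_version = policy_version  # bump when vendors or data categories change
        self.current = {}  # user_id -> (granted purposes, policy version consented under)
        self.audit = []    # append-only, hash-chained consent decisions

    def record(self, user_id, granted, ui_version, ts):
        # Audit entry: who consented to what, when, with which UI version.
        entry = {"user": user_id, "granted": sorted(granted), "ui": ui_version,
                 "policy": self.policy_version, "ts": ts}
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append({**entry, "prev": prev, "hash": _digest(prev, entry)})
        self.current[user_id] = (frozenset(granted), self.policy_version)

    def needs_reconsent(self, user_id):
        rec = self.current.get(user_id)
        return rec is None or rec[1] != self.policy_version

    def allowed(self, user_id, vendor):
        # Default deny: no decision, stale decision, or unknown vendor blocks the call.
        required = VENDOR_PURPOSES.get(vendor)
        if required is None or self.needs_reconsent(user_id):
            return False
        return required <= self.current[user_id][0]

    def verify_audit(self):
        # Recompute the chain; any edited or reordered entry breaks it.
        prev = GENESIS
        for e in self.audit:
            entry = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, entry):
                return False
            prev = e["hash"]
        return True
```

The gate fails closed: a user with no recorded decision, a decision made under an older policy version, or a vendor missing from the map all result in the SDK call being blocked.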

Build vs buy

  • Buy (most apps): the regulatory complexity (GDPR + CCPA + Virginia + Colorado + dozens of others) + IAB TCF spec + audit trail requirements + vendor list maintenance makes DIY consent management high-risk. Costs typically $200-$2,000 / month for SaaS CMP at mid-market scale, less at small-volume tiers, more for enterprise.
  • Build (rare): some very large apps with specialized needs build internal consent management. Usually requires dedicated privacy engineering plus ongoing legal review. Generally only economic at hundreds-of-millions-of-users scale.

For most mobile apps in 2026, the CMP-as-SaaS option is the right default.

Consent UX matters more than people think: well-designed consent UX can lift opt-in rates 10-30% vs poorly-designed UX. Key principles:

  1. Clear value-exchange explanation — "Allow tracking to get personalized recommendations and free content".
  2. Granular but not overwhelming — too many toggles confuse; too few options feels coercive.
  3. Easy to find later — users should be able to revisit their consent decision via settings.
  4. No dark patterns — pre-checked boxes, hidden reject buttons, "accept all" prominent vs "reject all" hidden all violate GDPR. Regulators are increasingly enforcing UX standards.
  5. Re-prompt with cause — when your data practices change (new ad partner, new data type), explain why you're re-asking.

Quick answers

What is a consent management platform (CMP)?

A CMP is software that handles user privacy consent for mobile apps and websites. The CMP shows the consent UI, captures preferences per purpose category, generates IAB TCF-formatted consent strings to pass to every ad network and analytics SDK, and maintains an audit trail for regulator response. It's the operational layer between privacy regulations and ad tech.

Which CMP should I use for my mobile app?

Depends on scale. **OneTrust** for enterprise (comprehensive features, broad support). **Cookiebot** for mid-market (automated scanning of data practices). **Didomi** for EU-focused. **Sourcepoint** for publisher-heavy use cases. **Quantcast Choice** has a free tier for smaller publishers. **Iubenda** for SMB. Most mobile apps integrate one CMP via SDK; pick based on cost, integration quality with your ad-tech stack, and regional focus.

Should I build my own consent management or buy a CMP?

Almost always buy. The regulatory complexity (GDPR + CCPA + Virginia + Colorado + dozens of state and country laws) plus IAB TCF spec maintenance plus vendor list updates plus audit trail requirements makes DIY consent management high-risk for most apps. SaaS CMPs are $200-$2,000 / month at mid-market scale — a trivial cost vs the regulatory risk of doing it wrong. Build only at hundreds-of-millions-of-users scale with dedicated privacy engineering.

How much does consent UX affect tracking opt-in rates?

A lot. Well-designed consent UX can lift opt-in rates 10-30% vs poorly-designed UX. Key principles: clear value-exchange explanation ("Allow tracking for personalized recommendations and free content"), granular but not overwhelming toggle structure, easy to find later in settings, no dark patterns. Regulators (especially in the EU) are increasingly enforcing UX standards: pre-checked boxes, hidden reject buttons, and asymmetric "accept all" vs "reject all" prominence all violate GDPR.
