Privacy regulations have changed what it means to run analytics on a website. GDPR, CCPA, and a growing list of state-level laws in the US now require that visitors actively consent before you collect behavioral data on them. The tool that manages this process is called a consent management platform, or CMP. And while the concept is straightforward, the implementation rarely is.

OneTrust, Ketch, and Cookiebot are the three platforms we work with most at TestedPath. Each one is well-suited to different scenarios, and each one has failure modes that are easy to stumble into if you have not done this before. This guide covers how these platforms actually work, how to choose between them, and what a correct implementation looks like from start to finish.

What a Consent Management Platform Actually Does

A CMP sits between your visitor and your tags. When someone lands on your site, the CMP presents a consent banner and records the visitor's choice. That choice then controls which tags are allowed to fire. If a visitor declines analytics cookies, your GA4 tag should not fire. If they accept, it should. The CMP is the mechanism that enforces this.

Done correctly, a CMP also stores consent records, syncs consent signals across sessions, and in some cases communicates with ad platforms via the IAB TCF (Transparency and Consent Framework) for programmatic advertising compliance.

Done incorrectly, you get one of two outcomes. Either your tags fire regardless of consent (a compliance violation), or your analytics stop collecting data for everyone because the tag is blocked even when visitors have accepted. Both outcomes are bad, and both are common.

The most common CMP mistake: deploying the banner without integrating it with your tag manager. The banner fires, visitors click accept, and then nothing changes because GTM is not listening to the consent signal. Your tags keep firing on everyone regardless of what they chose.

OneTrust vs. Ketch vs. Cookiebot: How to Choose

There is no universally best CMP. The right choice depends on your organization's size, technical resources, regulatory exposure, and how deeply you need to integrate consent data into your marketing stack.

| Platform | Best For | Key Strengths | Watch Out For |
|---|---|---|---|
| OneTrust | Enterprise, regulated industries, multi-region | Deep customization, IAB TCF support, legal workflow tools, robust reporting | Complex setup, requires dedicated configuration time, expensive |
| Ketch | Mid-market companies with strong data governance needs | Clean UI, strong programmatic consent API, good developer experience | Smaller ecosystem, less native GTM documentation |
| Cookiebot | Small to mid-size organizations, simpler compliance needs | Easy setup, automatic cookie scanning, affordable, solid GTM integration | Less flexibility for complex consent scenarios, basic reporting |

For most marketing-focused organizations without a dedicated legal or privacy team, Cookiebot is the fastest path to a working, compliant implementation. OneTrust is the right call when you need to document consent across multiple jurisdictions, support multiple languages, and integrate consent data into a broader privacy management program. Ketch sits in the middle and appeals to organizations that want more control over the user experience and consent data without OneTrust's administrative overhead.

The GTM Integration: Where Most Implementations Break

Regardless of which platform you choose, the integration with Google Tag Manager is where implementations most often go wrong. Google Tag Manager has a native consent mode framework that allows tags to respect consent signals, but it requires specific configuration to work correctly.

Google Consent Mode v2

As of March 2024, Google requires Consent Mode v2 for advertisers who want to use audience and remarketing features. Consent Mode v2 adds two new consent types on top of the original framework: ad_user_data and ad_personalization. If your CMP integration was set up before 2024, there is a good chance it is only passing the original consent signals and missing these two.

The four consent types you need to be passing correctly are:

  • analytics_storage — controls whether GA4 and similar analytics tools can set cookies
  • ad_storage — controls whether advertising cookies (Google Ads, etc.) can be set
  • ad_user_data — controls whether user data can be sent to Google for advertising purposes
  • ad_personalization — controls whether data can be used to personalize ads

Your CMP needs to set default states for all four of these before GTM loads, and then update them after the visitor makes a choice. The sequence matters. If GTM fires before the CMP has set default consent states, tags may fire during that gap.
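The sequencing rule above can be checked mechanically from a copy of window.dataLayer. The following is an added example, not code from any of the CMP vendors: it assumes the standard gtag pattern, where consent calls land in the dataLayer as array-like entries and the GTM container snippet pushes an event named gtm.js when it loads. The function names and sample arrays are constructed for illustration.

```javascript
// Added example: audit a dataLayer snapshot for Consent Mode v2 ordering and coverage.
const REQUIRED = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// gtag() pushes its `arguments` object, so consent calls are array-like:
// ['consent', 'default' | 'update', { ...state }].
function asConsentCall(entry) {
  const isCall = entry && entry[0] === 'consent' &&
    (entry[1] === 'default' || entry[1] === 'update') &&
    entry[2] && typeof entry[2] === 'object';
  return isCall ? { kind: entry[1], state: entry[2] } : null;
}

function auditConsentOrder(dataLayer) {
  const findings = [];
  const defaults = {};
  let gtmIndex = -1;
  Array.from(dataLayer).forEach((entry, i) => {
    // The GTM container snippet pushes { 'gtm.start': ..., event: 'gtm.js' } on load.
    if (gtmIndex === -1 && entry && entry.event === 'gtm.js') gtmIndex = i;
    const call = asConsentCall(entry);
    if (!call) return;
    if (call.kind === 'default' && gtmIndex === -1) {
      Object.assign(defaults, call.state);
    } else if (call.kind === 'default') {
      findings.push(`consent default at index ${i} arrives after gtm.js (index ${gtmIndex})`);
    } else if ('ad_storage' in call.state) {
      // Pre-2024 integrations pass ad_storage without the two v2 signals.
      const omitted = ['ad_user_data', 'ad_personalization'].filter((t) => !(t in call.state));
      if (omitted.length) findings.push(`consent update at index ${i} omits ${omitted.join(', ')}`);
    }
  });
  const missing = REQUIRED.filter((t) => !(t in defaults));
  if (missing.length) findings.push(`no default before gtm.js for ${missing.join(', ')}`);
  return findings;
}

// Constructed sample snapshots (not captured from a real site).
const allDenied = { analytics_storage: 'denied', ad_storage: 'denied',
  ad_user_data: 'denied', ad_personalization: 'denied' };
const allGranted = { analytics_storage: 'granted', ad_storage: 'granted',
  ad_user_data: 'granted', ad_personalization: 'granted' };
const gtmLoad = { 'gtm.start': 1700000000000, event: 'gtm.js' };
const correctOrder = [['consent', 'default', allDenied], gtmLoad, ['consent', 'update', allGranted]];
const legacyOrder = [gtmLoad,
  ['consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' }],
  ['consent', 'update', { analytics_storage: 'granted', ad_storage: 'granted' }]];
console.log(auditConsentOrder(correctOrder), auditConsentOrder(legacyOrder));
```

In a browser, pass window.dataLayer to auditConsentOrder from the console after the page has loaded and a consent choice has been made.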

Setting Up OneTrust in GTM

OneTrust integrates with GTM through a combination of a GTM template (available in the community template gallery) and custom variables that read OneTrust's consent groups. The OneTrust cookie categories (C0001 through C0005 by default) map to consent types in GTM. You configure this mapping in your GTM workspace, then use consent-aware trigger conditions to control when each tag fires.

One thing to get right: the OneTrust script needs to load before GTM. This is typically handled by placing the OneTrust snippet above the GTM snippet in your page's head section. If GTM loads first, you lose the default consent state window and create a compliance gap.

Setting Up Ketch in GTM

Ketch exposes a JavaScript API that fires events when consent is granted or revoked. In GTM, you set up a custom event trigger that listens for Ketch's consent events and then pushes the appropriate consent state updates to the dataLayer. Ketch has a GTM template that handles much of this, but you still need to configure the mapping between Ketch's purpose categories and Google's consent types.

Ketch also supports server-side consent signaling, which is useful if you are running a server-side GTM container. This is more advanced territory, but it is one of the areas where Ketch has a meaningful advantage over simpler platforms.

Setting Up Cookiebot in GTM

Cookiebot is the most straightforward of the three. Cookiebot automatically scans your site for cookies and categorizes them. In GTM, you install the Cookiebot GTM template, which adds a consent initialization tag and a consent update tag. The initialization tag sets default states, and the update tag fires when the visitor makes a choice.

Cookiebot also supports automatic cookie blocking, where it injects a type attribute change into script tags to prevent them from executing before consent is given. This can conflict with some tag management setups and should be disabled if you are relying on GTM consent mode to handle tag blocking instead.

Every CMP needs an accurate inventory of the cookies your site sets. Without this, your consent categories will not match your actual cookies, your compliance documentation will be inaccurate, and visitors will be consenting to categories that do not reflect what is actually happening on the page.

All three platforms offer automated cookie scanning, but automated scans are a starting point, not an endpoint. They will catch first-party analytics cookies and common third-party scripts, but they frequently miss cookies set by custom JavaScript, server-side scripts, or tags that only fire in specific user journeys.

A proper cookie audit involves running the scanner, then manually reviewing the output against your GTM container to ensure every tag has a corresponding cookie entry in the right category. This process should be repeated whenever you add new tags or third-party integrations.

How CMP Implementation Affects Your Analytics Data

This is the part that surprises most marketing teams. A correctly implemented CMP will reduce your reported analytics numbers, because visitors who decline cookies will no longer appear in GA4 reports the same way they did before. This is not a bug. It is the implementation working as intended.

What you should expect after a correct implementation:

  • A drop in overall session counts, typically between 20% and 40% depending on your audience and geography
  • A higher-than-usual new user rate initially, as returning visitors who previously had cookies set now appear as new
  • Reduced remarketing audience sizes in Google Ads
  • Conversion data that reflects only consenting users

Google's Consent Mode modeling helps partially compensate for this by using machine learning to estimate conversions from non-consenting users. This modeling only works if Consent Mode is implemented correctly and you have sufficient conversion volume for Google's models to work from.

Important: If your analytics numbers do not change at all after implementing a CMP, your implementation is almost certainly not working. The banner may be appearing, but the consent signal is not reaching your tags.

Geographic Targeting and Multi-Region Compliance

GDPR applies to EU residents regardless of where your business is located. CCPA applies to California residents. Quebec's Law 25 applies to Quebec residents. These laws have meaningfully different requirements, and a single consent banner configuration will not satisfy all of them.

All three platforms support geolocation-based banner logic to some degree. OneTrust has the most mature multi-region functionality, allowing you to create separate rule sets for different jurisdictions with different default consent states, different banner text, and different required consent flows. Cookiebot handles GDPR and CCPA but has more limited support for newer regional regulations. Ketch is built with a jurisdiction-first architecture that makes multi-region configuration more systematic.

For organizations doing business in Europe, the default consent state for analytics and advertising cookies must be "denied" until the visitor actively accepts. For California, opt-out is sufficient rather than opt-in. These distinctions need to be reflected in your CMP configuration.

Testing Your CMP Implementation

Before any CMP goes live, it needs to be tested across four scenarios: consent accepted, consent declined, consent not yet given (pre-choice), and consent previously given (returning visitor). For each scenario, you should verify that the tags firing in GTM match what should be allowed under that consent state.

GTM's preview mode is useful here, but it has a limitation: preview mode bypasses some consent restrictions by design. Use a browser privacy extension or a dedicated consent testing tool to simulate real user consent states. ObservePoint's consent validation features are worth considering for ongoing monitoring if your organization has significant compliance requirements.

Also test the consent record itself. Submit a consent choice and then verify that the CMP's consent record reflects it accurately. For OneTrust, this means checking the consent log in the admin portal. For Cookiebot, you can inspect the CookieConsent cookie directly. For Ketch, the consent record is accessible via the Ketch admin interface.
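For the Cookiebot case, the stored record can be compared against the consent state your tags actually received. This is an added example, not Cookiebot's own code. It assumes the CookieConsent value is a URL-encoded object literal with unquoted keys and single-quoted strings, and that the statistics category maps to analytics_storage and the marketing category to the three advertising signals. The sample cookie and observed state are constructed.

```javascript
// Added example: parse a Cookiebot CookieConsent value and diff it against Consent Mode state.
// Assumed layout: URL-encoded object literal with unquoted keys and single-quoted strings.
function parseCookieConsent(raw) {
  let text;
  try { text = decodeURIComponent(raw).trim(); } catch (e) { return null; }
  if (!text.startsWith('{') || !text.endsWith('}')) return null; // no structured record
  const record = {};
  // Not valid JSON, so parse key:value pairs with a regex and never with eval().
  const pair = /([A-Za-z_]\w*):('[^']*'|true|false|-?\d+)/g;
  for (const [, key, value] of text.matchAll(pair)) {
    if (value === 'true' || value === 'false') record[key] = value === 'true';
    else if (value.startsWith("'")) record[key] = value.slice(1, -1);
    else record[key] = Number(value);
  }
  return record;
}

// Assumed category mapping: statistics -> analytics, marketing -> the three ad signals.
function expectedConsentMode(record) {
  const signal = (flag) => (flag === true ? 'granted' : 'denied');
  return {
    analytics_storage: signal(record.statistics),
    ad_storage: signal(record.marketing),
    ad_user_data: signal(record.marketing),
    ad_personalization: signal(record.marketing),
  };
}

// Returns the consent types where the tag-side state disagrees with the stored record.
function diffConsent(expected, observed) {
  return Object.keys(expected).filter((type) => observed[type] !== expected[type]);
}

// Constructed sample: visitor accepted statistics and declined marketing.
const sampleCookie = '{stamp:%27c2FtcGxl%27%2Cnecessary:true%2Cpreferences:false%2C' +
  'statistics:true%2Cmarketing:false%2Cmethod:%27explicit%27%2Cver:1%2C' +
  'utc:1700000000000%2Cregion:%27de%27}';
// Constructed tag-side state, e.g. taken from the last consent update in the dataLayer.
const observedState = { analytics_storage: 'granted', ad_storage: 'granted',
  ad_user_data: 'denied', ad_personalization: 'denied' };

const sampleRecord = parseCookieConsent(sampleCookie);
console.log(diffConsent(expectedConsentMode(sampleRecord), observedState));
```

A non-empty result means the tags received a consent state that the stored record does not support, which is the mismatch this test step is meant to catch.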

Getting This Right Matters

A CMP implementation touches your legal compliance, your analytics data quality, and your advertising performance all at once. A misconfigured implementation creates liability on the compliance side and blind spots on the analytics side. The platforms themselves are mature and capable, but the configuration work between the CMP, GTM, GA4, and your ad platforms requires someone who understands how all of these systems interact.

At TestedPath, we have implemented all three of these platforms across dozens of client environments, ranging from enterprise healthcare organizations with complex multi-jurisdiction requirements to direct-to-consumer brands that needed a clean, fast implementation. We know where the configuration gaps appear and how to close them before they affect your data.
