Consent Management covers the full lifecycle of customer permission: obtaining consent (opt-in flows, preference centers), recording it durably (consent logs with timestamp, channel, version of terms), and enforcing it machine-reliably at activation time (suppression before send, not after).
Why it is a first-class architectural concern. A CDP architecture that cannot enforce consent in real time before activation is incomplete. Consent violations carry regulatory penalties (GDPR fines up to 4% of global annual revenue; TCPA statutory damages of $500–$1,500 per message), reputational risk, and, more immediately, channel erosion: users who receive unconsented messages revoke permission permanently.
The modality dimension. Each modality carries its own consent regime:
- modality.email: CAN-SPAM (US), GDPR Art. 7 (EU), CASL (Canada) — opt-out must be honored within 10 business days (CAN-SPAM), immediately (GDPR).
- modality.sms: TCPA (US) — requires Prior Express Written Consent (PEWC) for marketing texts; STOP keywords must propagate to suppression within seconds. The FCC's one-to-one consent restriction (which would have required per-sender consent and prohibited shared consent across brands) was vacated by the 11th Circuit on January 24, 2025 (Insurance Marketing Coalition v. FCC) and formally removed by the FCC on August 29, 2025 — multi-seller consent is currently permissible under federal law. State-level SMS laws (e.g., Florida, Oklahoma) may impose stricter standards. See constraint.tcpa-prior-express-written-consent-sms.
- modality.push: Platform-enforced opt-in (APNs, FCM); permission revocation is instantaneous and must disable all push targeting.
- modality.web: GDPR consent for cookies and tracking; consent signals from CMPs (Consent Management Platforms) must feed the CDW event stream. IAB TCF 2.2 (operative 2023; GVL v3): For EU programmatic advertising, TCF 2.2 removes legitimate interest (LI) as a permissible legal basis for advertising purposes 3–6 (ad delivery, ad personalization, market research, and product development at the programmatic layer). Consent is the only permissible basis for these purposes at CMP registration level. CDPs feeding DSP activation pipelines in the EU must enforce per-vendor, per-purpose consent filtering at the audience-export level — not just at collection. See source.iabeurope-eu.tcf-2-2-2023.
IAB TCF 2.2 and EU programmatic activation. TCF 2.2 (IAB Europe, in effect 2023; GVL v3) materially changed the consent-enforcement requirement for EU CDP-to-DSP pipelines:
- LI removed for purposes 3–6. Legitimate interest is no longer a valid legal basis for advertising purposes 3–6: ad delivery, ad personalization, ad measurement, audience research, and product development at the advertising layer. Consent is the only permissible basis at CMP registration level. This eliminates a common shortcut where publishers and brands relied on LI for programmatic targeting without obtaining explicit consent.
- GVL v3 requirements. Vendors in the Global Vendor List must declare per-purpose data retention periods and categories of data collected. CDPs exporting audiences to programmatic destinations must verify that downstream vendors are GVL-registered and that the user's consent signal covers each vendor–purpose pair.
- CMP UI obligations. The CMP first-layer display must show total vendor count; users must be able to resurface the consent UI and withdraw consent at any time.
- Architectural implication for CDPs. CDP audience activation pipelines targeting EU programmatic channels (DV360, The Trade Desk, Amazon DSP) must enforce purpose-limitation filtering with TCF vendor-purpose vectors before segment delivery — not as a post-export reconciliation step. This is a stricter SLO requirement than pre-TCF-2.2 approaches that applied LI-grounded consent retroactively or batch-filtered after delivery.
The architectural implication. Consent state must be the first lookup at activation time, not an afterthought batch job. In composable stacks, this means the suppression/consent table must be queryable with sub-second latency from every activation pathway — a harder SLO to meet than batch reconciliation. In packaged CDPs, the vendor typically provides this layer; in composable architectures, it must be built.
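The pre-export check described in the two architectural-implication passages above, as an added example that is not part of the original page or any vendor's API: a fail-closed filter that looks up consent first and exports a user only when the vendor and every declared purpose are covered. The `ConsentRecord` and `Destination` shapes, vendor id 9001, the user ids, and the acceptance of LI outside purposes 3–6 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Purposes for which the page says consent is the only valid basis under TCF 2.2.
CONSENT_ONLY_PURPOSES = frozenset({3, 4, 5, 6})

@dataclass(frozen=True)
class ConsentRecord:  # hypothetical decoded consent state, not a TC string parser
    purpose_consent: frozenset  # purpose ids with explicit consent
    purpose_li: frozenset       # purpose ids signalled under legitimate interest
    vendor_consent: frozenset   # vendor ids the user consented to
    withdrawn: bool = False

@dataclass(frozen=True)
class Destination:  # hypothetical export target
    name: str
    vendor_id: Optional[int]    # None means the vendor is not GVL-registered
    purposes: frozenset         # purposes the vendor declares

def may_export(rec: Optional[ConsentRecord], dest: Destination):
    """Return (allowed, reason); unknown or partial state fails closed."""
    if dest.vendor_id is None:
        return False, "vendor_not_registered"
    if rec is None or rec.withdrawn:
        return False, "no_active_consent"
    if dest.vendor_id not in rec.vendor_consent:
        return False, "vendor_not_consented"
    for p in sorted(dest.purposes):
        # Assumption: LI counts only outside the consent-only purposes.
        li_ok = p in rec.purpose_li and p not in CONSENT_ONLY_PURPOSES
        if p not in rec.purpose_consent and not li_ok:
            return False, f"purpose_{p}_no_valid_basis"
    return True, "ok"

def filter_segment(user_ids, store, dest):
    """Return (exported ids, {suppressed id: reason}) before any delivery."""
    results = {uid: may_export(store.get(uid), dest) for uid in user_ids}
    exported = [u for u, (ok, _) in results.items() if ok]
    suppressed = {u: why for u, (ok, why) in results.items() if not ok}
    return exported, suppressed

# Constructed sample data; vendor id 9001 and the user ids are placeholders.
DSP = Destination("example-dsp", 9001, frozenset({3, 4, 7}))
STORE = {
    "u1": ConsentRecord(frozenset({3, 4}), frozenset({7}), frozenset({9001})),
    "u2": ConsentRecord(frozenset({4}), frozenset({3, 7}), frozenset({9001})),
    "u3": ConsentRecord(frozenset({3, 4, 7}), frozenset(), frozenset({42})),
    "u4": ConsentRecord(frozenset({3, 4, 7}), frozenset(), frozenset({9001}), True),
}
```

Logging the suppression reasons alongside each export gives an audit trail showing that filtering happened before delivery rather than in a later reconciliation job.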
The agent's job. When recommending architectures for regulated industries (healthcare, finance, insurance), surface consent management as a first-class workstream. Ask: "How does your consent state propagate from the preference center to each activation system?" If the answer involves batch jobs with hours of lag, flag the compliance risk before recommending higher-frequency activation.