Category Analysis

The Bouncer Fallacy.

Consent Management Platforms are bouncers. They check IDs at the door, write names in a book, and go home. They don’t follow guests inside. They don’t watch what happens at the party. They don’t know who came in through the window.

Your CMP manages the policy. BLACKOUT enforces it.

The CMP Market

A multi-billion dollar industry that manages the door.

OneTrust
Enterprise CMP market leader. Acquired Cookiepedia. ~$5B valuation.
Cookiebot (Usercentrics)
Mid-market CMP. Acquired by Usercentrics in 2022. Popular in EU.
Usercentrics
CMP platform. GDPR/ePrivacy focus. Owns Cookiebot.
TrustArc
Privacy management platform with CMP module. Enterprise focus.
Osano
Data privacy platform with consent management. Mid-market.
Didomi
Consent and preference management. Strong in media/publishing.

These platforms are necessary. You need consent management for GDPR, ePrivacy, and CCPA. The question isn’t whether you need a CMP. The question is whether your CMP is sufficient. It isn’t.

The Bouncer Fallacy

Three steps. Three failures.

1. The bouncer checks your ID at the door
What the CMP Does

The CMP displays a consent banner. The visitor clicks Accept or Decline.

What Actually Happens

By the time the banner renders, 6-20 vendor scripts have already fired. The check happened after the guests were already inside.

2. The bouncer writes your name in a book
What the CMP Does

The CMP records the consent preference in a cookie. Compliance documented.

What Actually Happens

The consent cookie is read by the CMP. Not by the vendors. Each vendor checks consent differently — or doesn't check at all.

3. The bouncer goes home
What the CMP Does

Consent is recorded. The CMP's job is done. Compliance reports generated.

What Actually Happens

No one monitors vendor behavior post-consent. Vendors that fire pre-consent continue to fire. Vendors that should stop after rejection don't. The bouncer left. The party continues.

Observed Bypass Patterns

Six ways vendors walk past the bouncer.

These are not theoretical. Every pattern below was observed by BLACKOUT on production websites with deployed, configured CMPs reporting full compliance.

Pre-render firing

Vendor script loads and executes before the CMP JavaScript initializes. The consent check can't block what already ran.

Found on 44% of scanned sites with CMPs deployed

Consent status polling

Vendor script checks for consent cookie in a loop. If the CMP hasn't set it yet (user hasn't interacted), the check returns undefined — treated as 'no decision' rather than 'no consent.' Script fires.

Found in 6sense, HubSpot, and 12 other major vendors

Wrong cookie check

Vendor script checks its OWN consent cookie, not the CMP's consent cookie. Even if the CMP records a decline, the vendor never reads that signal.

Structurally undetectable by the CMP

Inline script injection

Vendor code is hardcoded in page source HTML, not loaded through the tag manager. The CMP only manages scripts it controls. Inline scripts are invisible to it.

Common in WordPress plugins and legacy integrations

Piggyback loading

Vendor A is consent-gated by the CMP. Vendor A's script loads Vendors B, C, and D through initiator chains. The CMP gated A but has no awareness of B, C, or D.

Average: 3.2 undisclosed vendors loaded per consented vendor

Post-rejection persistence

User clicks Decline. CMP records it. Vendor's previously set cookies remain. Vendor's already-executing JavaScript continues. The CMP stopped new script loading but can't undo what already happened.

Universal — CMPs cannot retroactively clear vendor state
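
The following added example, which is not BLACKOUT's code or part of the original page, classifies the requests in a page-load capture against the consent timeline to flag pre-render firing, pre-consent firing, piggyback loading and post-rejection persistence. The capture format, field names, hostnames and timings are assumptions constructed for illustration.

```javascript
// Constructed capture: hostnames, field names and timings are illustrative, not measured data.
const capture = {
  cmpLoadedTs: 310,                              // ms after navigation start when the CMP script ran
  consent: { ts: 2400, decision: "decline" },    // ts null = visitor never interacted
  gatedHosts: ["vendor-a.example"],              // vendors the CMP is configured to gate
  requests: [                                    // initiator = id of the request that caused this one
    { id: 1, host: "vendor-a.example", ts: 120,  initiator: null },
    { id: 2, host: "vendor-b.example", ts: 180,  initiator: 1 },
    { id: 3, host: "vendor-d.example", ts: 900,  initiator: null },
    { id: 4, host: "vendor-c.example", ts: 2900, initiator: 2 },
    { id: 5, host: "vendor-a.example", ts: 3100, initiator: 1 },
  ],
};

// Walk the initiator chain to the request that started it (guards against cycles).
function rootOf(req, byId) {
  const seen = new Set();
  let cur = req;
  while (cur.initiator !== null && byId.has(cur.initiator) && !seen.has(cur.id)) {
    seen.add(cur.id);
    cur = byId.get(cur.initiator);
  }
  return cur;
}

function auditCapture({ cmpLoadedTs, consent, gatedHosts, requests }) {
  const byId = new Map(requests.map((r) => [r.id, r]));
  const findings = [];
  const flag = (r, pattern) => findings.push({ id: r.id, host: r.host, pattern });
  for (const r of requests) {
    // Default-deny timeline: no recorded decision means no consent.
    if (r.ts < cmpLoadedTs) flag(r, "pre-render firing");
    else if (consent.ts === null || r.ts < consent.ts) flag(r, "pre-consent firing");
    else if (consent.decision === "decline") flag(r, "post-rejection persistence");
    // A vendor the CMP does not gate, reached through a gated vendor's initiator chain.
    const root = rootOf(r, byId);
    if (root !== r && !gatedHosts.includes(r.host) && gatedHosts.includes(root.host)) {
      flag(r, "piggyback loading");
    }
  }
  return findings;
}

console.log(auditCapture(capture));
```

A request can carry two findings: vendor-b.example here is flagged both for firing before the CMP loaded and for arriving through vendor-a.example's initiator chain.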

The Missing Layer

CMPs manage consent. BLACKOUT verifies compliance.

CMP: The policy
BLACKOUT: The enforcement
Verified: Actual compliance

The CMP establishes the policy. BLACKOUT verifies vendors follow it. Without verification, consent is theater.

The bouncer checks IDs at the door.

BLACKOUT checks what happens at the party.
