Your CMP manages the door.
Nobody’s watching the windows.
OneTrust, Cookiebot, and Usercentrics manage consent at the front door — display a banner, record a choice, block some scripts. But they stop watching the moment the banner is dismissed.
BLACKOUT found 19 of 43 vendors on a single site firing before the consent banner loaded. The CMP was deployed. The CMP was configured. The CMP was irrelevant.
What a CMP Does
- Display a consent banner
- Record the user's consent choice
- Categorize cookies by purpose
- Block scripts until consent is given (if configured correctly)
- Generate compliance documentation
- Store consent receipts
This is necessary. You need consent management. Keep your CMP.
What a CMP Does NOT Do
- Verify that blocked scripts are actually blocked
- Detect scripts that load outside the tag manager
- Catch vendors that ignore the consent signal
- Detect consent polling loops that retry until consent is bypassed
- Identify vendors that fire before the banner renders
- Monitor what vendors do AFTER consent is granted
- Detect defeat devices that behave differently when the CMP is watching
- Track data exfiltration through cookie sync chains post-consent
This is where the liability lives. Your CMP says consent is managed. BLACKOUT checks if anyone is listening.
Five ways vendors bypass your CMP.
These are not hypothetical. These are observed patterns from BLACKOUT scans across hundreds of websites. Every pattern below occurs while the CMP reports full compliance.
The 340ms gap
The consent banner takes 340ms to render. The tracking pixel fires at 12ms. By the time the user sees 'Accept or Decline,' their data has already been transmitted. The CMP never sees this because it wasn't loaded yet.
The consent polling loop
The vendor script checks for consent status every 600ms. If the CMP hasn't loaded yet, the check returns undefined — not 'declined.' The script treats undefined as 'no answer yet' and fires anyway. Technically, consent was never denied.
The post-rejection fire
User clicks Decline. The CMP records the preference. The vendor script checks a different cookie, not the CMP's consent cookie. It fires regardless. The CMP reports 100% consent compliance. The vendor ignores it.
The inline script bypass
The CMP manages scripts loaded through the tag manager. The vendor adds an inline script directly in the page source. The CMP does not know it exists. It fires on every page load, consent or not.
The decorative banner
The CMP is installed and displays a banner. But no scripts are actually gated behind consent. Every vendor fires immediately on page load. The banner is cosmetic. Accept and Decline do the same thing: nothing.
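The five patterns above all share one detection method: observe what each vendor does in each consent state instead of trusting the CMP's report. The harness below is an added example written for this page, not BLACKOUT's or any CMP's code. It simulates vendor scripts as functions (so it runs in Node without a browser; a real audit would take the "fired" result from network observation), runs each one under pre-consent, post-accept and post-reject, and classifies the result. It also shows the weak "anything but an explicit denial" check beside a fail-closed check, and replays the 340 ms banner race against a 600 ms polling loop. Vendor names, cookie names and timings are constructed assumptions.

```javascript
// Added example: three-state consent audit harness (illustrative, not BLACKOUT code).
// A vendor is modelled as a function (readConsent, cookies) => boolean:
// true means "this vendor would transmit data given what it can read".

// Consent signal as a vendor reads it from the CMP.
// `undefined` models the banner not yet loaded or not yet answered.
const CONSENT_STATES = {
  preConsent: undefined,
  accepted: 'granted',
  rejected: 'denied',
};

// Weak check from the "consent polling loop" pattern: anything that is not an
// explicit denial, including `undefined`, is treated as permission to fire.
function weakVendorFires(readConsent) {
  return readConsent() !== 'denied';
}

// Fail-closed check: fires only on an explicit grant.
function compliantVendorFires(readConsent) {
  return readConsent() === 'granted';
}

// "Post-rejection fire": consults its own cookie, never the CMP signal.
// `vendor_optin` is a constructed cookie name.
function ownCookieVendorFires(readConsent, cookies) {
  return cookies.vendor_optin === '1';
}

// "Inline script bypass" / "decorative banner": never reads consent at all.
function inlineVendorFires() {
  return true;
}

// Run one vendor under all three states and classify what was observed.
function auditVendor(name, fires, cookies = {}) {
  const fired = {};
  for (const [state, signal] of Object.entries(CONSENT_STATES)) {
    fired[state] = Boolean(fires(() => signal, cookies));
  }
  let finding;
  if (fired.preConsent && fired.rejected) finding = 'fires regardless of consent';
  else if (fired.preConsent) finding = 'fires before consent';
  else if (fired.rejected) finding = 'ignores rejection';
  else finding = 'respects consent';
  return { name, ...fired, finding };
}

// Timing race: the vendor polls the consent signal every `pollMs`; `signalAt(t)`
// is the CMP's state at time t. Returns the first poll time at which the vendor
// fires, or null if it never does within the horizon.
function firstFireTime(fires, signalAt, pollMs = 600, horizonMs = 3000) {
  for (let t = 0; t <= horizonMs; t += pollMs) {
    if (fires(() => signalAt(t), {})) return t;
  }
  return null;
}

// Constructed CMP timeline: banner answered with `choice` at `answerMs`.
function bannerAnsweredAt(answerMs, choice) {
  return (t) => (t < answerMs ? undefined : choice);
}

// Constructed vendor inventory; names are placeholders, not real vendors.
const SAMPLE_VENDORS = [
  { name: 'vendor-weak-poll', fires: weakVendorFires },
  { name: 'vendor-compliant', fires: compliantVendorFires },
  { name: 'vendor-own-cookie', fires: ownCookieVendorFires, cookies: { vendor_optin: '1' } },
  { name: 'vendor-inline', fires: inlineVendorFires },
];

function auditAll(vendors = SAMPLE_VENDORS) {
  return vendors.map((v) => auditVendor(v.name, v.fires, v.cookies));
}

// Names of every vendor whose behaviour is not explained by the consent signal.
function violators(vendors = SAMPLE_VENDORS) {
  return auditAll(vendors)
    .filter((r) => r.finding !== 'respects consent')
    .map((r) => r.name);
}

console.table(auditAll());
// Banner renders at 340 ms and the user rejects; the weak poller fires at t=0.
console.log('weak poller first fires at (ms):',
  firstFireTime(weakVendorFires, bannerAnsweredAt(340, 'denied')));
console.log('fail-closed vendor first fires at (ms):',
  firstFireTime(compliantVendorFires, bannerAnsweredAt(340, 'denied')));
```

The classification deliberately ignores what the CMP reports: a vendor that fires in the pre-consent state and again after rejection is flagged whatever its consent category says. The polling simulation makes the "undefined is not a decline" point concrete: with the same 340 ms banner and the same 600 ms poll interval, the weak check transmits on the very first poll while the fail-closed check waits for an explicit grant.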
- 19 of 43 vendors on a single site firing before the user interacts with the consent banner
- of vendors claiming GDPR compliance observed violating consent requirements at runtime
- consent testing: pre-consent, post-accept, post-reject — revealing vendors that ignore rejection
The CMP is the policy. BLACKOUT is the enforcement.
OneTrust / Cookiebot
“We told visitors they have a choice.”
Displays the banner. Records the choice. Reports compliance based on what SHOULD happen if every vendor respects the signal. Does not verify that vendors actually stop.
BLACKOUT
“We checked if anyone listened.”
Scans before consent, after accepting, and after rejecting. Identifies every vendor that fires regardless of consent state. Detects polling loops, inline bypasses, and defeat devices. The CMP says what should happen. BLACKOUT shows what does.
Your CMP tells visitors they have a choice.
BLACKOUT tells you whether that choice matters.
See the Platform