Building a GDPR-Compliant Consent System (Web and App)

Most teams build consent backwards. They start with the banner - the colours, the copy, where the buttons sit - and treat everything behind it as plumbing to wire up later. But the banner is the one part regulators rarely fine you for. The fines land on what happens after the click: the signal that never reached the ad platform, the app SDK that fired before anyone agreed, the withdrawal that updated a screen but stopped no processing. A consent system isn’t a banner. It’s a small distributed system for capturing a decision, storing it as evidence, enforcing it everywhere, and being able to prove all of it months later.

Mar 2024

Consent Mode v2 required for Google ads & measurement on EEA traffic (enforced from mid-2025)

Art 7(3)

Withdrawal must be as easy as granting - in the UI and the backend behind it

Art 7(1)

The controller must prove consent: who, when, and to what notice version

TCF v2.3

The current IAB adtech consent standard, mandatory since February 2026

Consent Is Four Jobs, Not One

A consent system has to do four distinct things, and most broken implementations are missing two or three of them without realising it. It has to capture a decision - granularly, per purpose, on whichever surface the user is on. It has to store that decision as a durable record, not a single true/false flag. It has to enforce the decision, meaning the analytics, the ad tags, the SDKs, and the downstream processing actually change behaviour based on it. And it has to prove the decision later, reproducing exactly what the user saw and agreed to. Capture is the part everyone builds. Store, enforce, and prove are the parts that get skipped - and they’re the parts that get tested.

The four jobs - and where each one breaks

Job	What it has to do	Where it breaks in practice
Capture	Granular choice per purpose, on web and in-app, with reject as easy as accept	A single accept/reject; the in-app flow gates nothing; reject buried
Store	A consent record per decision: subject, purpose, scope, notice version, timestamp, surface	A boolean column overwritten on every change, with no history
Enforce	Tags, SDKs, and server-side processing actually read and obey the stored state	Banner sets a cookie but scripts fire anyway; app SDKs init on launch
Prove	Reproduce on demand what was shown and chosen, six months later	No notice version stored; the record can’t be tied back to a session

One Source of Truth, Many Surfaces

The single decision that shapes everything else is where consent lives. The mistake is letting each surface own its own copy - the website remembers one thing in a cookie, the iOS app another in local storage, the backend a third in the user row - and trusting them to stay in sync. They won’t. The architecture that holds up is a single consent service that every surface writes to and reads from: the web CMP, the mobile SDKs, and the backend all defer to one authoritative store keyed to the user - or, before login, to a stable anonymous identifier you later stitch to the account.

This is harder than it sounds, because the same person shows up as different identities - a logged-out web visitor, a logged-in app user, an email recipient - and their consent has to follow them across all of it. If a user accepts on the website and later logs into the app, the app must already know. If they withdraw in the app, the website and every downstream system must find out. Consent that doesn’t travel with the person is consent you can’t actually honour.

Web: The Banner Is the Front of a Pipeline

On the web, the banner is the visible end of a chain that mostly runs out of sight. The Consent Management Platform captures the choice; tag managers and SDKs are supposed to read it before they fire; and for anyone using Google’s advertising or measurement products on EEA traffic, Consent Mode v2 has to carry the signal to Google’s tags - all four parameters, set before anything loads. The dangerous gap is between the banner appearing and the tags actually respecting it. A banner can look perfect, log a clean choice, and still let analytics and ad scripts run because the signal never made it downstream.

🟢

SIGNAL THAT NEVER ARRIVES - CONSENT MODE V2

Since March 2024, any site using Google’s ad and measurement products on EEA visitors has been required to implement Consent Mode v2, and from mid-2025 Google began enforcing it by quietly degrading non-compliant accounts. The recurring failure isn’t a missing banner - it’s a banner that collects a choice the rest of the stack never hears. Teams have watched measured conversions collapse almost overnight after enforcement tightened, traced not to a policy change but to consent signals that were captured in the UI and never transmitted to the tags. The compliance lesson and the engineering lesson are the same: a choice that isn’t propagated is, for every practical purpose, a choice that wasn’t honoured. A green status in a tag-testing tool proves the banner works - not that the system does.

Ships a Banner vs. Ships a Consent System

Pattern-matching from real consent reviews - the gap between something that looks like consent and a system that actually is tends to follow the same shape:

Looks like consent	Is actually consent
✗ One accept/reject covering everything	✓ Granular choice per purpose, the same on web and app
✗ A boolean flag overwritten each time	✓ An immutable record per decision, with full history
✗ Banner sets a cookie; scripts fire regardless	✓ Tags and SDKs gated by the stored state, server-side too
✗ Each surface keeps its own copy	✓ One consent service every surface reads and writes
✗ ATT prompt treated as GDPR consent	✓ ATT and consent handled as the separate things they are
✗ Withdrawal updates a screen	✓ Withdrawal propagates to every system and processor
✗ “We log consent somewhere”	✓ The exact notice version reproducible months later

Build the Record First, the Banner Last

The order that produces a working system is the reverse of the instinctive one. Model the consent record before you design a single screen: a row that captures who consented, to which purpose, under what scope, against which version of the notice, from which surface, when, and whether it’s since been withdrawn. Make that store the source of truth. Then gate everything - web tags, app SDKs, server-side jobs, processor hand-offs - off it, and expose withdrawal through the same store so a single change ripples everywhere. The banner is the last thing you build, because by then you know exactly what it has to write and what reads it. Built the other way round, the banner is a tidy UI sitting on top of a system that can’t keep its promises.

Final Thought

A consent system is judged on its weakest surface. You can have an immaculate cookie banner and still fail because an Android SDK fired before the user chose, or because withdrawal stopped at the website while the email platform kept sending. The regulation treats consent as one continuous obligation across everywhere you process - capture it cleanly, store it as evidence, enforce it on every surface, and keep the proof.

The test that cuts through it: pick any user and any purpose, and answer four things without engineering having to dig - what did they choose, on what version of the notice, is it still being honoured everywhere right now, and would withdrawal actually stop the processing. If any answer needs a meeting, you have a banner, not a consent system.

Frequently Asked Questions

Does a cookie banner make me GDPR-compliant?▾

No. The banner is the visible ten percent. A compliant consent system also has to store a defensible record of each decision, enforce that decision so tags and SDKs actually obey it, and be able to reproduce what was shown and chosen months later.

Does withdrawing consent have to be as easy as giving it?▾

Yes. Article 7(3) requires that withdrawal be as easy as granting consent — in the UI and in the backend behind it. A one-click accept and a buried, multi-step withdrawal fails the test.

What does a valid consent record have to contain?▾

Under Article 7(1) you must be able to prove consent: who consented, when, to what purpose and scope, against which version of the notice, and on which surface. A single boolean column overwritten on every change is not a record.

What is Consent Mode v2?▾

Google's requirement, in force since March 2024, that sites using its ad and measurement products signal user consent for EEA traffic. Without it, ads and measurement on EEA users are affected.