Consent Management
Signal provides comprehensive consent management that integrates with your Consent Management Platform (CMP), enforces consent rules per-integration before delivery, and passes the correct consent signals to each vendor API.
How Consent Works in Signal
- Capture: Datafly.js reads consent state from your CMP’s cookie/storage
- Attach: Consent categories are included on every event payload
- Derive: Google Consent Mode v2 parameters are automatically derived
- Enforce: The pipeline engine filters integrations based on consent before delivery
- Audit: Every filtering decision is logged to the consent audit table
Supported CMPs
Signal supports reading consent from the following CMPs, in detection order:
| CMP | Cookie / Storage | Auto-Detected | Config-Driven |
|---|---|---|---|
| OneTrust | OptanonConsent (cookie) | Yes | Yes |
| Cookiebot | CookieConsent (cookie) | Yes | Yes |
| Didomi | didomi_token (cookie) | Yes | Yes |
| Osano | osano_consentmanager (cookie) | Yes | Yes |
| IAB TCF v2.0 | euconsent-v2 (cookie) | Yes | Yes |
| Custom | Any cookie or localStorage key | No | Yes |
Config-Driven Consent (Recommended)
The preferred approach is to configure your consent provider in Pipeline Settings. This uses the flexible readConsentFromConfig() system, which supports:
- Any cookie or localStorage key
- JSON, comma-delimited, URL-encoded, and semicolon-delimited formats
- Custom category mapping rules (code → CMP field name → granted value)
Legacy Auto-Detection
For backward compatibility, Datafly.js auto-detects OneTrust, Cookiebot, Didomi, Osano, and IAB TCF cookies. Auto-detected consent maps to three legacy categories: analytics, marketing, functional.
Google Consent Mode v2
Since March 2024, Google requires four granular consent parameters for EEA compliance. Signal automatically derives these from your consent categories:
| Parameter | Controls | Derived From |
|---|---|---|
| ad_storage | Ad cookies (gclid, gcl*) | marketing consent |
| analytics_storage | Analytics cookies (_ga, _gid) | analytics consent |
| ad_user_data | Sending user data to Google for ads | marketing consent |
| ad_personalization | Remarketing and personalisation | marketing consent |
These parameters are:
- Included in the event payload as consent.google.*
- Mapped to GA4 Measurement Protocol as consent.ad_user_data and consent.ad_personalization
- Injected into Google Ads delivery payloads
If your CMP provides explicit Google Consent Mode parameters, Signal uses those directly. Otherwise, Signal derives them: marketing=true → all three ad_* params granted; analytics=true → analytics_storage granted.
Per-Vendor Consent Enforcement
Consent enforcement happens in the Pipeline Engine before events reach Delivery Workers. Each integration can have a consent category gate — events without the required consent are filtered and never delivered.
Vendor-Specific Rules
In addition to the pipeline-level consent gate, each delivery worker applies vendor-specific consent enforcement:
| Vendor | When Consent Denied | Action |
|---|---|---|
| Meta CAPI | marketing=false | Strip PII (email, phone, fbp, fbc, IP, UA). Set data_processing_options=['LDU'] |
| Google Ads | Any state | Include Consent Mode v2 params. Google handles modelling internally |
| GA4 | Any state | Include ad_user_data and ad_personalization in payload |
| TikTok | marketing=false | Strip PII (email, phone, ttp, ttclid, IP, UA). Set limited_data_use=true |
| Microsoft UET | ad_storage=denied | Suppress event entirely (UET does not support degraded delivery) |
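The vendor rules in the table above, combined with the Consent Mode v2 derivation described earlier, as an added JavaScript sketch (not Signal's own code). The function names, vendor keys, and event shape are assumptions, and a missing consent value is treated as denied.

```javascript
// Added illustration, not Signal's code. Function names, vendor keys and the
// event shape (user.*, ip, user_agent) are assumptions made for this sketch.
const GRANTED = 'granted', DENIED = 'denied';

// Page rule: marketing -> the three ad_* params, analytics -> analytics_storage.
// Assumption: any value other than boolean true counts as denied (fail closed).
function deriveGoogleConsent(consent = {}) {
  if (consent.google) return { ...consent.google }; // explicit CMP values win
  const ads = consent.marketing === true ? GRANTED : DENIED;
  return { ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
           analytics_storage: consent.analytics === true ? GRANTED : DENIED };
}

// Drop the identifiers named in the vendor table; the input is not mutated.
function stripPii(event, clickIds) {
  const { ip, user_agent, ...rest } = event;
  const user = { ...event.user };
  for (const key of ['email', 'phone', ...clickIds]) delete user[key];
  return { ...rest, user };
}

// Returns the payload to deliver, or null when the event must be suppressed.
function enforceVendorConsent(vendor, event) {
  const consent = event.consent || {};
  const google = deriveGoogleConsent(consent);
  const marketing = consent.marketing === true;
  const { ad_user_data, ad_personalization } = google;
  switch (vendor) {
    case 'meta_capi':
      return marketing ? event
        : { ...stripPii(event, ['fbp', 'fbc']), data_processing_options: ['LDU'] };
    case 'tiktok':
      return marketing ? event
        : { ...stripPii(event, ['ttp', 'ttclid']), limited_data_use: true };
    case 'google_ads':
      return { ...event, consent: { ...consent, google } };
    case 'ga4':
      return { ...event, consent: { ...consent, ad_user_data, ad_personalization } };
    case 'microsoft_uet':
      return google.ad_storage === DENIED ? null : event;
    default:
      return null; // unknown vendor: suppress rather than deliver
  }
}

// Constructed sample event: marketing denied, analytics granted.
const sampleEvent = { type: 'track', ip: '203.0.113.7', user_agent: 'UA/1.0',
  user: { email: 'a@example.com', fbp: 'fb.1.x', ttclid: 't1', anonymous_id: 'anon-1' },
  consent: { marketing: false, analytics: true } };
```

Calling enforceVendorConsent('meta_capi', sampleEvent) returns a copy without email, fbp, IP or user agent and with the LDU flag set, while 'microsoft_uet' returns null for the same event.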
Consent Audit Logging
Every consent filtering decision is recorded in the consent_filtered_events table:
| Field | Description |
|---|---|
| pipeline_id | Which pipeline the event was processed through |
| integration_id | Which integration was blocked |
| consent_category | The consent category that was denied |
| event_type | The type of event (page, track, etc.) |
| event_name | The specific event name |
| anonymous_id_hash | SHA256 hash of the anonymous ID (privacy-safe) |
| filtered_at | Timestamp of the filtering decision |
This provides a complete audit trail for compliance reviews without storing PII.
Configuration
Pipeline-Level Consent Gate
Each integration attached to a pipeline can have a consent category:
- Go to Pipelines → [Your Pipeline] → Integrations
- Click an integration
- Set the Consent Category (e.g. “Marketing”, “Analytics”)
- Set the Consent Mode (“Explicit” for GDPR, “Implicit” for CCPA)
Events without the required consent for that category will be filtered before delivery.
Consent Provider Setup
- Go to Settings → Consent
- Click Add Provider
- Configure the cookie name, storage type, and category mappings
- Set each pipeline to use the provider