Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Conversant Consent Tool is a JavaScript consent management platform operated by Conversant LLC, an Epsilon and Publicis Groupe company based in the United States. Registered with the IAB Transparency and Consent Framework v2.2 under CMP ID 24, it is mainly deployed on Conversant Media properties and partner publisher sites to collect cookie and advertising consent, relay TCF strings to ad vendors and emit Google Consent Mode v2 signals.
The Conversant Consent Tool is a consent management platform (CMP) operated by Conversant LLC, an Epsilon and Publicis Groupe company headquartered in the United States. It is registered with the IAB Europe Transparency and Consent Framework v2.2 as CMP ID 24. The tool is deployed mainly on Conversant Media properties and partner publisher sites where Conversant supplies advertising inventory. Functionally it is a JavaScript banner that collects user consent for cookies and advertising vendors, stores a first party consent cookie, builds a TCF v2.2 consent string and relays Google Consent Mode v2 signals to gtag based tags.
The CMP loads from Conversant infrastructure (commonly tags.crwdcntrl.net and conversantmedia.com). On first visit the banner reads the IAB Global Vendor List, displays purposes and vendors, captures the user choice, writes a consent cookie and exposes the TCF API (__tcfapi) so downstream ad and analytics SDKs can read the consent string. It can also push default and update commands to Google Consent Mode v2. The proof of consent (timestamp, identifier, choices, TCF string version) is stored on Conversant servers in the United States.
The CMP itself is consent infrastructure. Its operation does not require prior consent under Art 5(3) ePrivacy because the cookie used by the CMP is strictly necessary to provide a service explicitly requested by the user (recording the consent choice). The legal basis is Art 6(1)(c) GDPR to comply with the obligation to demonstrate consent under Art 7(1), and Art 6(1)(f) GDPR for fraud prevention and integrity of the banner. Consent is, however, required for every third party vendor that the CMP gates (advertising, audience, measurement).
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Consent records and connection metadata (IP, user agent, timestamp) are transferred to Conversant infrastructure in the United States. Epsilon Data Management LLC, the parent group, is self certified under the EU US Data Privacy Framework, so transfers from the EEA rely on the DPF adequacy decision of 10 July 2023. Standard Contractual Clauses with a transfer impact assessment remain a fallback for jurisdictions not covered by DPF (notably Switzerland under the Swiss US DPF, and the United Kingdom under the UK Extension).
The CMP itself is low risk: limited personal data, consent infrastructure role, recognised TCF v2.2 registration. The medium overall risk rating reflects the tight coupling with the Conversant advertising and Epsilon audience businesses. Publishers should ensure the CMP is not implicitly enabling Conversant audience tags without separate consent, that the vendor list is restricted to vendors actually used, and that the data processing addendum properly identifies Conversant as processor for the CMP function and as separate controller (or joint controller) for any advertising services activated on the same site.
Conversant Consent Tool is a niche CMP tied to the Conversant ad ecosystem. Publishers seeking a vendor neutral CMP often consider Didomi (France), OneTrust (US), Cookiebot by Usercentrics (Denmark and Germany) or the open source Klaro. Migration paths usually involve exporting the existing vendor list, re collecting consent (TCF strings are not always portable between CMPs) and updating the cookie policy and DPA to reflect the new processor.
Websites using Conversant Consent Tool must obtain user consent under GDPR regulations.
DPIA considerations
A dedicated DPIA for the Conversant Consent Tool itself is generally not required under Art 35 GDPR because the CMP is consent infrastructure with limited personal data (a pseudonymous consent identifier, IP for geo, timestamp and TCF string). A DPIA is, however, strongly recommended for the underlying advertising stack that the CMP gates, especially when Conversant Media audience or measurement tags are used on the same site, given the systematic monitoring and US transfers involved. Document retention of consent proofs, the legal basis for the banner itself (Art 6(1)(c) and (f)), the Conversant role as processor for the CMP function, and any controller role for adjacent ad services.
Sample consent text
We use cookies and similar technologies on this site, including the Conversant Consent Tool, to remember your consent choices and to broadcast them to advertising vendors via the IAB Transparency and Consent Framework v2.2 and Google Consent Mode v2. The CMP itself stores a consent identifier, a timestamp and your preferences. You can review or withdraw your consent at any time from the cookie settings link in the footer.
Third-party domains contacted
tags.crwdcntrl.netconversantmedia.comcdn.conversantmedia.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| conversant_consent | functional | 1 year | Stores user consent choices |
| _lr_geo | functional | 30 days | Geo targeted policy lookup |
| conversant_session | functional | session | Banner session and display logic |
Conversant Consent Tool is an essential service, but transparency matters. Manage all your consent with FlowConsent.
The CMP itself sets a small number of functional first party cookies: conversant_consent stores the consent choices and TCF string for around one year, _lr_geo holds the coarse geographic region used to determine the applicable policy for about 30 days, and conversant_session is a session cookie used for banner display logic. These are strictly necessary cookies for the consent function and do not themselves require prior consent.
No. The CMP banner is consent infrastructure and falls under the strictly necessary exception of Art 5(3) ePrivacy because the cookie used is essential to remember the user choice. You do, however, need valid consent before the CMP authorises any non essential vendor (advertising, analytics, audience). The Conversant Consent Tool ships with TCF v2.2 to collect that downstream consent in a standardised way.
Two grounds apply. Art 6(1)(c) GDPR (legal obligation) covers the recording and retention of proof of consent, which is mandated by Art 7(1) GDPR. Art 6(1)(f) GDPR (legitimate interest) covers fraud prevention, security and correct rendering of the banner across devices. The CMP is not based on consent itself, which is consistent with EDPB guidance on consent banners.
Yes. Consent records, pseudonymous identifiers and connection metadata are stored on Conversant infrastructure in the United States. Epsilon Data Management LLC is self certified under the EU US Data Privacy Framework, so transfers from the EEA primarily rely on the DPF. Standard Contractual Clauses with a transfer impact assessment cover the UK (UK Extension) and Switzerland (Swiss US DPF) and serve as fallback if DPF certification lapses.
A standalone DPIA is generally not required for the CMP function. The processing volume is limited, data are pseudonymous and the purpose is to enable users to exercise rights. A DPIA is, however, advisable when the CMP is deployed alongside Conversant Media advertising or audience tags, since the broader ad operation involves systematic monitoring and US transfers. Many supervisory authorities consider that combination triggers Art 35(3)(c) GDPR.
Implementation is typically a script tag pointing to tags.crwdcntrl.net or conversantmedia.com, parameterised with the site identifier. The script registers __tcfapi for TCF v2.2 vendor signalling and a gtag based listener for Google Consent Mode v2 default and update commands. Conversant maintains the CMP ID 24 registration with IAB Europe, including the required CMP API surface and audit trail.
For publishers outside the Conversant ad ecosystem, the most common vendor neutral CMPs are Didomi (France), OneTrust (United States), Cookiebot by Usercentrics (Denmark and Germany) and the open source Klaro. All of them are IAB TCF v2.2 registered and support Google Consent Mode v2. Choice usually depends on vendor list management, server side capabilities and pricing.
Review the cookie policy at least every 12 months and whenever the vendor list, purposes or data flows change. The Conversant Consent Tool exposes the current vendor and purpose configuration in the preference centre, which should be cross referenced with the cookie policy. Document any change in a versioned log together with the corresponding TCF string version, so that proof of consent remains demonstrable.