Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Crownpeak Universal Consent Platform (UCP, formerly Evidon) is a US-based consent management platform that delivers IAB TCF 2.2 compliant banners, geo-targeted policies, cookie scanning and a preference center. It writes a strictly necessary consent cookie on the publisher domain and stores audit records on US infrastructure, which raises GDPR transfer questions for European deployments despite DPF coverage.
Crownpeak Universal Consent Platform (UCP), formerly marketed as Evidon, is a consent management platform (CMP) operated by Crownpeak Technology, Inc. It loads a small JavaScript SDK on the publisher domain that renders a configurable banner, displays a preference center and writes a single strictly necessary cookie containing the visitor consent string. UCP exposes the IAB Transparency and Consent Framework 2.2 API so that downstream advertising, analytics and personalisation vendors can read the consent signal before they fire. The platform also includes an automated cookie scanner that crawls the site weekly and produces an inventory used to populate the banner categories.
The banner writes a first party functional cookie (typically named cp_consent or evidon-consent) that stores the TCF consent string, the chosen vendor list and a timestamp. The SDK transmits the consent record together with the visitor IP, user agent and a CMP identifier to Crownpeak servers so that the choice can be replayed across subdomains and audited later. No advertising identifiers, browsing history or content interactions are captured by UCP itself. When banner analytics are enabled (acceptance rate, dwell time, version A/B testing), an additional analytics cookie is set on the publisher domain.
Under ePrivacy Article 5(3) the consent cookie set by a CMP is considered strictly necessary because it is required to provide a service explicitly requested by the user, namely the ability to record and honour cookie choices. Prior consent is therefore not required to drop the consent string itself. The collection and retention of the consent log, however, constitutes personal data processing under GDPR. Controllers must rely on legitimate interest (Art. 6(1)(f)) and the legal obligation to demonstrate consent (Art. 7(1) and Art. 5(2) accountability) as the lawful basis. The CMP must not pre-tick boxes, must offer a refuse option as prominent as accept, and must allow withdrawal that is as easy as the original opt-in.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Crownpeak is headquartered in the United States and consent audit records are stored on US infrastructure. EU and UK controllers must therefore document a valid Chapter V transfer mechanism. As of 2024 Crownpeak self certifies under the EU US Data Privacy Framework, which the European Commission considers an adequate safeguard. Controllers that prefer not to rely on the DPF should sign the EU 2021 Standard Contractual Clauses, perform a Transfer Impact Assessment and consider supplementary measures such as pseudonymisation of the audit log. The processor agreement with Crownpeak should reference FISA 702 and Executive Order 12333 risk in the TIA.
A standalone DPIA on the CMP is rarely required because it processes a minimal set of operational data. The CMP must nonetheless be referenced in the records of processing activities (Art. 30 GDPR) and in any DPIA covering the underlying advertising and analytics stack. Auditors expect the consent log retention period to be documented (Crownpeak offers configurable retention from 6 to 36 months), proof that the consent banner version history is preserved, and evidence that the TCF vendor list shown to users matches the vendors actually present on the page.
To deploy UCP compliantly, configure geo targeted policies so EU and UK visitors see a TCF 2.2 banner with reject all on the first layer, US visitors see a CCPA/CPRA opt out signal, and other regions receive an informational notice. Run the cookie scanner monthly and review the vendor list before each release. Alternatives hosted inside the EU include Didomi (France), Usercentrics (Germany), Axeptio (France) and Cookiebot by Usercentrics (Denmark), all of which offer TCF 2.2 support without the US transfer question.
Websites using Crownpeak Universal Consent Platform must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not mandatory for a CMP alone because the consent cookie is strictly necessary and the volume of personal data is low. However, controllers must document the legal basis for storing the consent log, evaluate the US transfer of audit records under Chapter V GDPR, and ensure Crownpeak is bound by a written processor agreement under Article 28. If the CMP is paired with analytics or fingerprinting, a broader DPIA on the combined stack is recommended.
Sample consent text
We use Crownpeak Universal Consent Platform to record your cookie choices and to signal those choices to advertising and analytics vendors through the IAB Transparency and Consent Framework. The banner itself stores a strictly necessary cookie that does not require your prior consent. You can change your preferences at any time through the preference center.
Third-party domains contacted
c.evidon.comc.betrad.comcdn.crownpeak.netconsent.crownpeak.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cp_consent | functional | 12 months | Stores the IAB TCF consent string, the chosen vendor list and a timestamp so the visitor preference can be replayed on every page and across subdomains. Strictly necessary under ePrivacy Article 5(3). |
| evidon-consent | functional | 12 months | Legacy name of the same consent string cookie, still set on tenants migrated from Evidon. Used to honour and audit the cookie preference. |
| cp_consent_uuid | functional | 12 months | Pseudonymous identifier paired with the consent record to allow the visitor to update or revoke their choice without re-identification. |
| evidon_banner_id | analytics | 6 months | Optional cookie set when banner analytics (A/B testing, acceptance rate) are enabled. Requires consent under ePrivacy. |
Crownpeak Universal Consent Platform is an essential service, but transparency matters. Manage all your consent with FlowConsent.
UCP sets one strictly necessary first party cookie that holds the IAB TCF 2.2 consent string, the chosen vendor list and a timestamp. A pseudonymous UUID cookie may be paired with it to support revocation. If banner analytics (A/B testing, acceptance metrics) are turned on, an additional analytics cookie is set, and that one requires consent before it can be read.
No. The consent cookie itself is strictly necessary under ePrivacy Article 5(3) because it is required to provide a service explicitly requested by the visitor, namely the registration of cookie choices. You may deploy the banner without prior consent. Any optional analytics or A/B testing cookies set by UCP do require prior consent, just like any other non essential cookie.
The consent record processing relies on two combined bases: the legitimate interest of the controller in being able to demonstrate compliance (Art. 6(1)(f) GDPR) and a legal obligation under Art. 7(1) and the accountability principle of Art. 5(2) GDPR, both of which require the controller to prove that valid consent was obtained. There is no need to obtain consent to log the consent itself.
Yes. Crownpeak is a US controller and audit logs are processed on US infrastructure. EU and UK deployments must document a Chapter V transfer mechanism. Crownpeak self certifies under the EU US Data Privacy Framework, which the Commission considers adequate. Controllers that prefer not to rely on the DPF should sign the 2021 SCCs, complete a Transfer Impact Assessment and consider pseudonymising the audit log.
A standalone DPIA on the CMP is rarely required: the processing is limited to operational data linked to consent management. The CMP must, however, be entered in the Article 30 records of processing activities and included in any DPIA covering the broader advertising and analytics stack it serves. Pair the assessment with the Transfer Impact Assessment for the US audit log transfer.
Configure geo targeted policies so EU and UK visitors see a TCF 2.2 banner with an equally prominent reject all button on the first layer. Block all non essential vendor tags until consent is granted using the TCF API or Google Consent Mode v2 bridge. Run the cookie scanner monthly, sync the banner vendor list with the live page and retain consent logs for at least 13 months to satisfy supervisory authority guidance.
Yes. Didomi (France), Axeptio (France), Usercentrics (Germany) and Cookiebot by Usercentrics (Denmark) are CMPs hosted within the EU/EEA that fully support IAB TCF 2.2 and Google Consent Mode v2. They remove the US transfer question entirely, which simplifies the Chapter V compliance burden, although they share similar architectural choices around consent logging.
Disclose Crownpeak Technology, Inc. as a processor in the cookie policy, list the consent cookie name, retention and purpose, and explain that the cookie is strictly necessary. Reference the US transfer mechanism (DPF or SCCs) and link to the preference center. Re-run the UCP scanner before publishing the policy so that the cookie inventory in the policy matches the banner categories and the actual page behaviour.