Consent Management
Integrate with or replace your existing Consent Management Platform.
ListenLayer provides a privacy-first approach to web tracking that automatically adapts to regional regulations, respects user consent choices, and protects personally identifiable information (PII) at the edge—before data ever reaches your analytics systems.
Use Our Integrated CMP
Coming Soon: ListenLayer Consent Management Platform
We're building a fully integrated consent management solution that works seamlessly with ListenLayer's tracking infrastructure. When you use ListenLayer's CMP, consent flows directly to our Edge—no middleware, no latency, no configuration gaps.
Why migrate to ListenLayer CMP?
Edge integration
Requires adapter
Native
Consent latency
50-200ms
<5ms
Regional rules
Manual configuration
Automatic
PII protection
Your responsibility
Built-in vault
Tracking mode sync
Polling required
Real-time
Current CMP users: ListenLayer works with your existing consent platform today. When you're ready to simplify your stack, migration is seamless—your regional rules and consent categories transfer directly.
Our Approach to Consent
ListenLayer's consent architecture is built on three principles:
Edge-First Resolution — Consent decisions happen at the edge (Cloudflare), not in your browser or backend
Regional Automation — Tracking behavior automatically adapts based on visitor location and your configured rules
Privacy by Default — When consent is unclear, ListenLayer defaults to the most privacy-protective mode for that region
Tracking Modes
Based on the visitor's location, your regional rules, and their consent choices, ListenLayer operates in one of three tracking modes:
Identified id
Full
Persistent device ID, cross-session tracking, identity linking enabled. Used when analytics consent is granted in permissive regions.
Anonymous anon
Memory only
Time-limited device ID (48 hours), no persistent cookies, no identity linking. Used in privacy-conscious regions like CCPA.
Do Not Track dnt
None
Session-only tracking, no device ID persistence, no PII storage. Strictest mode for GDPR or when consent is denied.
Consent Categories
ListenLayer normalizes all consent into five standard categories:
Necessary
Essential site functionality
Always granted
Functional
User preferences and settings
Depends on region
Analytics
Usage tracking and performance (controls tracking mode)
Depends on region
Advertising
Marketing, targeting, and ads
Depends on region
Personalization
Content recommendations
Depends on region
The analytics category is the key driver—it determines which tracking mode is applied.
Regional Rule Settings
ListenLayer automatically enforces regional privacy regulations based on visitor location. Configure rules once, and the Edge applies them to every event.
How Regional Rules Work
Visitor arrives — Cloudflare geo-detection identifies their country, state, and continent
Rule matching — ListenLayer finds the highest-priority rule matching their location
Consent resolution — Regional defaults merge with any explicit consent from your CMP
Tracking mode set — The appropriate mode (
id,anon, ordnt) is applied
Consent Models
Explicit (Opt-In)
Default to denied; user must actively grant consent
GDPR (EU), UK
Implicit (Opt-Out)
Default to granted; user can choose to deny
CCPA (California), most US states
Example Rule Configuration
GDPR (European Union)
Consent model: Explicit (opt-in required)
Default analytics: Denied
Tracking mode when granted: Anonymous (
anon)Tracking mode when denied: Do Not Track (
dnt)Restrictions: Respect GPC signal, force IP anonymization
CCPA (California)
Consent model: Implicit (opt-out)
Default analytics: Granted
Tracking mode when granted: Anonymous (
anon)Tracking mode when denied: Do Not Track (
dnt)Restrictions: Respect GPC signal (legally binding in CA)
Default (Permissive Regions)
Consent model: Implicit
Default analytics: Granted
Tracking mode when granted: Identified (
id)Tracking mode when denied: Do Not Track (
dnt)Restrictions: None
Global Privacy Control (GPC)
ListenLayer detects and respects the Global Privacy Control browser signal. When a visitor has GPC enabled and they're in a region that respects it (like California), their advertising consent is automatically set to denied—even if your CMP says otherwise.
Cookie Usage
ListenLayer uses minimal, purpose-specific cookies to maintain consent state and device identity.
Cookies Set by ListenLayer
ll_tm
Always
Compound tracking mode cookie containing: current mode, consent category states, IP anonymization flag, and GPC respect flag
ll_did
id mode only
Persistent device identifier (UUID) for cross-session tracking. Never set in anon or dnt modes.
Cookie Format: ll_tm
The ll_tm cookie encodes your consent state in a compact format:
Examples:
id.1.1.1.0.0— Identified mode, all consent grantedanon.1.0.0.1.1-lphm80— Anonymous mode with timestamp for 48-hour expirationdnt.0.0.0.1.1— Do Not Track, all denied, IP anonymized
First-Party Cookies Only
ListenLayer exclusively uses first-party cookies set via your domain. This ensures compatibility with:
Safari's Intelligent Tracking Prevention (ITP)
Firefox Enhanced Tracking Protection (ETP)
Brave and other privacy-focused browsers
Ad blockers that strip third-party cookies
Multi-Layer Storage (Self-Healing)
To survive aggressive cookie deletion by ad blockers, ListenLayer mirrors consent state across multiple storage layers:
Cookies (primary)
localStorage (backup)
sessionStorage (session backup)
IndexedDB (deep backup)
If an ad blocker deletes the cookie, ListenLayer restores it from backup storage—ensuring consistent tracking mode throughout the session.
How the Edge and SDK Work Together
ListenLayer's consent system is a coordinated dance between the browser SDK and the Cloudflare Edge Worker.
The Edge is Authoritative
The Edge Worker is the single source of truth for consent decisions. The SDK collects consent signals, but the Edge makes the final determination based on:
Visitor's geographic location
Your account's regional rules
The SDK's reported consent state
GPC signal status
Event Flow
Consent Change Detection
When a visitor changes their consent (via your CMP banner), ListenLayer detects it in real-time:
CMP fires change event — SDK receives new consent values
SDK compares to ll_tm — Detects difference from stored state
SDK sends update event — Includes new consent in the
csfieldEdge resolves new mode — Returns updated
ll_tmvalueSDK updates all storage — Cookie + backup layers updated atomically
This process uses an epoch counter to prevent race conditions when multiple events are in-flight during consent changes.
Supported CMPs
ListenLayer integrates with 14+ consent management platforms out of the box:
OneTrust
ot
window.OneTrust, OptanonConsent cookie
Cookiebot
cb
window.Cookiebot, CookieConsent cookie
Usercentrics
uc
window.UC_UI, localStorage
TrustArc
ta
window.truste, notice cookies
Didomi
did
window.Didomi, didomi_token cookie
CookieYes
ky
window.getCkyConsent
Osano
os
window.Osano
Ketch
ktc
window.ketch, localStorage
Termly
trm
window.Termly, localStorage
Complianz
cmp
window.complianz, cmplz cookies
Clym
clm
window.Clym
iubenda
ado
window._iub
Securiti
sec
window.SecuritiConsent
IAB TCF 2.2
tcf
window.__tcfapi
How CMP Integration Works
Detection — SDK automatically detects which CMPs are present on the page
Subscription — SDK subscribes only to your configured CMP for consent updates
Real-time hooks — SDK receives immediate callbacks when consent changes
Polling backup — SDK checks storage every 60 seconds as a safety net
PII Vault
The PII Vault is ListenLayer's privacy-preserving storage system for personally identifiable information. It ensures PII is protected based on consent—even retroactively.
How the Vault Works
When a visitor submits PII (like an email in a form) but hasn't granted full consent, ListenLayer doesn't discard that data—it vaults it:
id
Unlocked vault
PII stored with full access, linked to device ID
anon
Locked vault
PII stored encrypted with 50-hour TTL, awaiting consent upgrade
dnt
Not stored
PII never persisted
Consent Upgrade: Unlocking the Vault
When a visitor upgrades their consent (e.g., from anon to id):
Edge detects transition — Mode changes from anonymous to identified
Vault unlock triggered — Previously locked PII becomes accessible
Backfill event sent — Historical data surfaces with proper consent
Identity linking enabled — Anonymous session connects to identified profile
This means you never lose valuable lead data just because a visitor initially declined cookies—if they later accept, their information becomes available.
What Goes in the Vault?
Email addresses
Phone numbers
Names
Form field data marked as PII
Any fields matching your PII detection rules
Vault Security
PII is stored separately from event data
Locked vault entries have a 50-hour TTL (48-hour cookie window + buffer)
Vault keys are scoped to your account and the visitor's device
PII never travels to your analytics destination without proper consent
Best Practices
Maximize accuracy while respecting privacy
Configure regional rules — Don't rely on defaults. Set explicit rules for your key markets.
Use a custom tracking domain — First-party tracking domains improve cookie persistence and reduce ad blocker interference.
Test consent flows — Use ListenLayer's preview mode with geo overrides (
?_ll_mock_geo=DE) to verify behavior in different regions.Monitor consent rates — Track how many visitors are in each mode to understand your data coverage.
Plan for vault unlocks — Design your analytics to handle backfilled data when visitors upgrade consent.
Related Pages
Regional Settings — Configure rules by country, state, or continent
CMP Integration — Detailed setup for each supported platform
Privacy & Compliance — GDPR, CCPA, and other regulations
Last updated
Was this helpful?