Consent & Preference Management Platform
Collect, store, and manage user consent with a CDN-hosted cookie banner, tamper-evident ledger, website scanning, and preference center.
Consent & Preference Management Platform
The Consent & Preference Management Platform (CPMP) provides everything you need to collect cookie consent, manage user preferences, maintain a tamper-evident audit trail, and scan your websites for tracking technologies. It consists of a lightweight consent banner, a suite of backend microservices connected via Pub/Sub, and management tools in the Neostra dashboard.
Architecture Overview
Core Components
Cookie Consent Banner
CDN-hosted Svelte 5 modal that auto-initializes on your site. Config-driven, multilingual, with GPC signal detection.
Consent API
REST API that accepts consent signals and publishes them to the event pipeline. Returns 202 Accepted for non-blocking collection.
Consent Ledger
Tamper-evident, append-only ledger with SHA-256 hash chaining for cryptographic proof of consent history.
Reporting & Analytics
Dashboard analytics, preference center management, data subject lookup, and CSV/Excel export capabilities.
Cookie Scanner
Selenium-based crawler that scans your websites and detects cookies, tracking scripts, and embedded iframes.
Platform Configuration
Banner design, collection points, cookie categorization, purposes, and preference centers managed in neostra-core.
Embedding the Consent Banner
The cpmp-modal is a Svelte 5 application that ships as both UMD and ES module bundles. The simplest integration is a single script tag.
Add the Script Tag
Include the banner script on every page of your website. The data-cp-id attribute links it to your collection point configuration.
<script
src="https://cdn.neostra.io/cpmp-modal/latest/cpmp-modal.umd.js"
data-cp-id="cp_your_collection_point_id"
defer
></script>
The banner auto-initializes on DOMContentLoaded. No additional JavaScript is required.
Configure Your Collection Point
In the Neostra dashboard, navigate to Consent > Collection Points and create a new collection point. Configure:
- Banner appearance (colors, position, layout)
- Cookie categories (Necessary, Analytics, Marketing, Functional)
- Purposes with descriptions for each category
- Languages for multilingual support
- GPC behavior (honor Global Privacy Control signal automatically)
Listen for Consent Changes
The banner dispatches a custom event whenever a user updates their consent preferences. Use this to conditionally load scripts.
document.addEventListener("cpmp-consent-change", (event) => {
const { analytics, marketing, functional } = event.detail;
if (analytics) {
// Load analytics scripts
}
if (marketing) {
// Load marketing pixels
}
});
Publish Your Banner Configuration
After configuring the banner in the dashboard, use the BannerController to publish your changes. Only published configurations are served to the CDN.
curl -X POST https://api.neostra.io/v1/banners/{bannerId}/publish \
-H "Authorization: Bearer <token>"
The banner automatically detects the Global Privacy Control (GPC) signal from the browser. When GPC is enabled, the banner defaults to rejecting all non-essential cookies and notifies the user.
API Reference
The cpmp-api-service provides the primary consent collection endpoint.
Record Consent
curl -X POST https://api.neostra.io/v1/consents \
-H "Content-Type: application/json" \
-d '{
"subjectId": "sub_abc123",
"collectionPointId": "cp_your_collection_point_id",
"consents": {
"necessary": true,
"analytics": true,
"marketing": false,
"functional": true
},
"gpcDetected": false,
"userAgent": "Mozilla/5.0 ...",
"language": "en"
}'
const response = await fetch("https://api.neostra.io/v1/consents", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
subjectId: "sub_abc123",
collectionPointId: "cp_your_collection_point_id",
consents: {
necessary: true,
analytics: true,
marketing: false,
functional: true
},
gpcDetected: false,
language: "en"
})
});
// response.status === 202
Response: 202 Accepted
The API returns immediately. The consent record is published to cpmp-consent-topic on Google Cloud Pub/Sub for asynchronous processing.
Retrieve Consent for a Subject
curl -X GET https://api.neostra.io/v1/consents/{subjectId} \
-H "Authorization: Bearer <token>"
Response (200 OK):
{
"subjectId": "sub_abc123",
"currentConsents": {
"necessary": true,
"analytics": true,
"marketing": false,
"functional": true
},
"lastUpdated": "2026-03-16T10:15:00Z",
"collectionPointId": "cp_your_collection_point_id"
}
The cpmp-crawler-service uses Selenium Grid with Chromium to scan websites and detect tracking technologies.
Start a Scan
curl -X POST https://api.neostra.io/v1/crawl/start \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"tenantId": "tenant_123",
"website": "https://www.example.com",
"urlFilterRegex": "^https://www\\.example\\.com/.*",
"maxPages": 50
}'
Response (202 Accepted):
{
"scanId": "scan_def456",
"status": "IN_PROGRESS",
"startedAt": "2026-03-16T10:20:00Z"
}
Get Scan Metrics
curl -X GET https://api.neostra.io/v1/report/scans/{scanId}/metrics \
-H "Authorization: Bearer <token>"
Response (200 OK):
{
"scanId": "scan_def456",
"status": "COMPLETED",
"pagesScanned": 42,
"cookiesDetected": 18,
"scriptsDetected": 7,
"iframesDetected": 3,
"categories": {
"necessary": 4,
"analytics": 8,
"marketing": 5,
"unknown": 1
}
}
Cookie scanning requires Selenium Grid infrastructure. Configure the grid URL in your environment: SELENIUM_GRID_URL=http://selenium-hub:4444.
The cpmp-reporting-service provides dashboard analytics, preference center management, and export capabilities.
Dashboard Analytics
curl -X GET https://api.neostra.io/v1/dashboard/consent-stats \
-H "Authorization: Bearer <token>"
Returns consent rates, opt-in/opt-out trends, geographic distribution, and category breakdowns.
Export Data (CSV/Excel)
curl -X GET https://api.neostra.io/v1/reports/export?format=xlsx \
-H "Authorization: Bearer <token>" \
-o consent_report.xlsx
Exports are generated using Apache POI. Supported formats: csv, xlsx.
Data Subject Lookup
curl -X GET https://api.neostra.io/v1/subjects/{subjectId}/history \
-H "Authorization: Bearer <token>"
Returns the full consent history for a specific data subject, including all ledger entries.
These endpoints are part of neostra-core and manage the configuration objects that power the consent banner and preference centers.
Banners (BannerController)
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/banners | List all banner configs |
| POST | /api/v1/banners | Create a new banner |
| PUT | /api/v1/banners/{id} | Update banner configuration |
| POST | /api/v1/banners/{id}/publish | Publish banner to CDN |
Collection Points (CollectionPointController)
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/collection-points | List collection points |
| POST | /api/v1/collection-points | Create collection point |
| PUT | /api/v1/collection-points/{id} | Update collection point |
Cookies (CookieController)
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/cookies | List known cookies |
| POST | /api/v1/cookies | Add a cookie record |
| PUT | /api/v1/cookies/{id} | Update cookie categorization |
Purposes (PurposeController)
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/purposes | List consent purposes |
| POST | /api/v1/purposes | Create a purpose |
| PUT | /api/v1/purposes/{id} | Update a purpose |
Preference Centers (PreferenceCenterController)
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/preference-centers | List preference centers |
| POST | /api/v1/preference-centers | Create a preference center |
| PUT | /api/v1/preference-centers/{id} | Update preference center |
Consent Ledger
The consent ledger provides a tamper-evident, append-only record of every consent event. It uses SHA-256 hash chaining so that any modification to historical entries would break the chain and be immediately detectable.
The hash chain ensures regulatory compliance. If an auditor or regulator requests proof of consent, you can provide the full ledger for a data subject and they can independently verify the chain integrity by recomputing the hashes.
Cookie Scanning
The crawler service automates the discovery of cookies and tracking technologies across your web properties.
Configure the Scan
Set the target website, URL filter regex (to stay within your domain), and a maximum page limit to control crawl depth.
Run the Scan
Trigger a scan via the API or from the Neostra dashboard under Consent > Cookie Scanner. The crawler uses Selenium Grid with headless Chromium to visit each page and record all cookies set, scripts loaded, and iframes embedded.
Review Results
View the scan report to see detected cookies organized by category. Unknown cookies are flagged for manual review and categorization.
Categorize and Update
Assign categories to newly discovered cookies using the CookieController. This feeds back into the banner configuration so users see accurate descriptions.
Service Architecture Reference
| Service | Port | Role |
|---|---|---|
cpmp-api-service | 9001 | Consent collection REST API |
cpmp-log-receipt-service | 9002 | Ledger writer (Pub/Sub consumer) |
cpmp-reporting-service | 9003 | Analytics and exports |
cpmp-crawler-service | 9004 | Website cookie scanning |
| Package | Purpose |
|---|---|
cpmp-platform-core | Shared JPA entities, JSONB types, PostgreSQL config |
cpmp-js-sdk | JavaScript SDK (placeholder) |
cpmp-modal | Svelte 5 consent banner (UMD + ESM) |
Event Flow
The following sequence shows what happens when a user interacts with the consent banner.
Configuration Checklist
Use this checklist to fully configure the Consent & Preference Management Platform for your organization.
Create Purposes
Define the consent purposes your organization uses (e.g., "Analytics", "Marketing", "Functional"). Each purpose should have a clear, user-facing description.
Register Cookies
Add known cookies to the system with their category, duration, and description. Run a cookie scan to discover any cookies you may have missed.
Set Up Collection Points
Create a collection point for each website or application where you collect consent. Link the relevant purposes and cookies.
Design the Banner
Configure the banner appearance, layout, and copy for each language you support. Preview the banner before publishing.
Embed the Script
Add the banner script tag to your website with the correct data-cp-id attribute. Verify it loads and functions correctly.
Configure the Preference Center
Set up a preference center where users can revisit and update their consent choices at any time. Link it from your privacy policy or website footer.
Schedule Regular Scans
Set up periodic cookie scans to detect new tracking technologies as your website evolves. Review and categorize any unknown cookies after each scan.
DSAR-CPMP Integration
The DSAR module integrates with the Consent & Preference Management Platform to enforce opt-out requests. When a data subject submits an opt-out DSAR, the system can automatically retrieve their consent state from CPMP and enforce the opt-out across both cookie banner (third-party consents) and preference center (first-party consents).
Consent Sources
Captures user preferences for analytics, marketing, and personalization cookies. Consent is collected via the cpmp-modal banner widget and stored in the consent ledger. During a DSAR opt-out, these preferences are retrieved and updated to reflect the withdrawal.
Captures direct user consents for marketing channels (email, SMS), personalization, and other processing purposes. Both sources are stored in a unified consent store (PostgreSQL + GCS backup). During a DSAR opt-out, preference center consents are also retrieved and updated.
Opt-Out Enforcement Workflow
Identity Verification
A user task to verify the data subject's identity before processing the opt-out request.
Consent Retrieval (System Task)
An automated system task calls the CPMP Consent API to retrieve the subject's current consent state. The system uses the subject's email address (or email + name / email + address combination) to look up consent records across all collection points.
# System task: Retrieve consent for a data subject
curl -X GET "https://api.neostra.io/v1/consents/lookup?email=user@example.com" \
-H "Authorization: Bearer <token>"
Enforcement
If opt-outs are present in the consent retrieval response, the system calls configured integration APIs (CRM, ad platforms, analytics services) to apply the opt-out state. Supported built-in integrations include: SendGrid, Mailchimp, HubSpot, and Salesforce. Custom API integrations can be configured for any external system.
Review and Closure
A user task for the privacy team to review the enforcement results and close the DSAR.
System tasks extend the DSAR task model to support automated actions. These tasks can query CPMP's consent APIs and enforce opt-outs without manual intervention, reducing response time from days to minutes.
API Integration Actions
The DSAR module can connect to CPMP's Consent API using Advance Actions — configurable API call tasks within workflows. An advance action specifies the API endpoint, authentication, and payload mapping for automated consent operations.
Last updated 1 week ago
Built with Documentation.AI