
[Diagram: user control plane. The user holds preferences.]
A neutral browser API coordinates consent between websites, Consent Management Platforms, and the consent assistants acting on users’ behalf.
navigator.consent is the wire between browsers, the assistants acting for users, the websites the user is visiting, and the CMPs that hold the records. The browser carries the messages. The CMP keeps the receipts.




This architecture builds on GPC’s foundation and adds the granularity that GDPR requires: structured, machine-readable, and auditable consent coordination across three layers.
The integration effort falls on three browser vendors who already manage complex web platform APIs. For users, nothing changes, but they can optionally adopt a consent assistant to reduce their exposure to consent interfaces. For businesses, the CMP continues to orchestrate consent; some visitors will simply arrive with preferences already set. For legislators, the pitch is concrete: install an assistant, and cookie banners disappear. This model also dovetails with the EU digital identity wallet: a personal agent that carries your verified preferences across services.
navigator.consent is a thin, neutral API, like navigator.geolocation. CMPs declare their vendors and purposes in structured data. No more opaque tracking: every actor reveals what they process and why.
Users choose a consent assistant from a selection screen (like the DMA search engine choice). Extensions like Consent-o-matic, SuperAgent, and Taste use the API to apply preferences granularly. This creates a competitive European market for privacy innovation.
CMPs remain responsible for contextual information, audit trails, vendor-level instructions, and regulatory compliance. The assistant communicates with the CMP, not around it. A browser signal alone cannot fulfill these functions.
The European Commission estimates EU citizens spend 334 million hours on cookie banners per year. But the root causes are technical, not inherent to consent itself.
Safari’s ITP caps client-side cookies to 7 days. Firefox’s ETP applies similar restrictions. Since most CMPs store consent with document.cookie, your choices are silently erased, and the banner comes back as if you never decided.
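The erasure described above, modelled as an added example (not code from the original page or from any CMP): a consent cookie written with document.cookie is capped at 7 days, so the banner returns on later visits. The cookie jar, the 180-day requested lifetime, the visit days, and the assumption that a cookie set by a first-party Set-Cookie header is not capped are all constructed for illustration.

```javascript
// Added example: a model of the 7-day cap on script-written cookies.
const CLIENT_COOKIE_CAP_DAYS = 7; // cap the text gives for Safari's ITP

// Minimal cookie jar; time is counted in whole days for readability.
class CookieJar {
  constructor(capDays) {
    this.capDays = capDays; // null models a browser with no cap
    this.store = new Map();
  }
  // setVia: "script" (document.cookie) or "header" (first-party Set-Cookie).
  // Assumption: only script-written cookies are subject to the cap.
  set(name, value, maxAgeDays, setVia, today) {
    const capped = setVia === "script" && this.capDays !== null;
    const lifetime = capped ? Math.min(maxAgeDays, this.capDays) : maxAgeDays;
    this.store.set(name, { value, expiresDay: today + lifetime });
  }
  get(name, today) {
    const cookie = this.store.get(name);
    if (!cookie) return undefined;
    if (today >= cookie.expiresDay) { // expired: the browser drops it
      this.store.delete(name);
      return undefined;
    }
    return cookie.value;
  }
}

// Replays visits (day numbers) and returns the days the banner is shown.
// Assumption: the CMP writes the consent cookie once, when the user decides.
function bannerDays(visitDays, { capDays, setVia, requestedDays = 180 }) {
  const jar = new CookieJar(capDays);
  const shown = [];
  for (const day of visitDays) {
    if (jar.get("consent", day) === undefined) {
      shown.push(day); // no stored choice, so the banner appears
      jar.set("consent", "reject-all", requestedDays, setVia, day);
    }
  }
  return shown;
}

// Constructed sample: one user's visits over 200 days.
const visits = [0, 3, 10, 12, 30, 31, 200];
const cap = CLIENT_COOKIE_CAP_DAYS;
console.log(bannerDays(visits, { capDays: cap, setVia: "script" }));
console.log(bannerDays(visits, { capDays: cap, setVia: "header" }));
console.log(bannerDays(visits, { capDays: null, setVia: "script" }));
```

With the cap applied to a script-written cookie, the same user is prompted on four of seven visits instead of two, even though the stored choice never changed.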
A growing share of mobile browsing happens inside apps (Instagram, LinkedIn, news apps). These sandboxed webviews can’t access consent stored in the main browser. Every visit looks like a new user.