First-Party CMP Domain: Serve Your Consent Banner from Your Own Domain

UniConsent Team


Third-Party CMP Domains and Browser Privacy Restrictions

Most CMPs serve their consent banner scripts from a third-party domain like cmp.vendor.com. This has worked for years, but modern browsers now actively restrict how third-party scripts can store data.

Safari's Intelligent Tracking Prevention (ITP) is the most aggressive. ITP identifies scripts loaded from third-party domains and caps cookies set by those scripts to 7 days — even if the cookie is written to your own domain. So a visitor who accepts cookies on Monday could see the consent banner again the following Monday, because Safari quietly deleted the consent cookie.

It gets worse: ITP doesn't just look at which domain the cookie belongs to. It also checks the origin of the script that set it. If the script comes from a domain Safari classifies as a tracker, any cookies that script creates are subject to the 7-day cap — regardless of what domain the cookie is stored on.

Firefox's Enhanced Tracking Protection and Chrome's evolving privacy model are heading in the same direction. Storing consent via third-party scripts is becoming unreliable across the board.

How a First-Party CMP Domain Works

With UniConsent's first-party CMP domain feature, you serve the consent banner from your own subdomain — for example, cmp.yourwebsite.com instead of cmp.uniconsent.com. From the browser's perspective, the script and cookies are now first-party. There's no third-party classification, no ITP restriction, no 7-day cap. The consent cookie lives for its full intended expiry — typically 12 months.

When consent cookies expire after 7 days, returning users see the consent banner again. Every re-prompt is a chance for the user to reject or ignore it. Sites with high Safari/iOS traffic can lose a significant share of their consented audience this way.

A first-party CMP domain eliminates this re-prompting cycle. Users who already gave consent stay consented. The result is a measurably higher consent rate — especially on Safari, which accounts for roughly 20% of global web traffic and over 50% on mobile in many markets.

Less Interruption for Users

Nobody wants to see the same consent banner every week. Repeated prompts frustrate users and make the site feel broken. With a first-party domain, consent preferences are remembered for the full duration, so users see the banner once and move on.

The 7-day ITP cap creates a gap between what users actually chose and what your system records. A user who consented 10 days ago shows up as "no consent" in Safari. This distorts your analytics, breaks ad targeting signals, and can cause compliance headaches if you can't demonstrate valid consent was given.

With a first-party subdomain, the consent cookie persists for its full expiry. Your consent records accurately reflect real user choices, your ad stack receives consistent consent signals, and your compliance documentation holds up.

ITP Is Invisible — You Can't See It in DevTools

One tricky aspect of Safari's ITP: it operates silently. If you open Safari's developer tools and inspect a cookie set by a third-party script, the cookie inspector still shows the original expiry you set — for example, 1 year. There's no warning or visual indicator that ITP has capped it to 7 days. The cookie simply disappears after 7 days without any trace in the developer tools.

This makes ITP hard to test in a quick debugging session. The only way to confirm the 7-day cap is in effect is to set the cookie, wait more than 7 days, and check whether it's still there. Many developers and site owners assume their consent cookies are working fine because the expiry looks correct in DevTools — but Safari is quietly deleting them behind the scenes.

With a first-party CMP domain, the expiry you see in DevTools is the expiry you actually get. No silent overrides, no surprises.
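Because DevTools cannot show the cap, one way to observe it is from field data instead of waiting on a single device. The following is an added example, not UniConsent code: it assumes the consent cookie value carries a consent timestamp that is written once and not refreshed on later visits, and that a row is logged each time a page load finds the cookie. The field names `browser`, `consentedAt` and `seenAt` are hypothetical and the sample rows are constructed.

```javascript
// Added example: infer the effective lifetime of a consent cookie from field data.
// Assumption: a row is logged whenever a page load finds an existing consent cookie,
// and consentedAt is a timestamp written once into the cookie value at consent time.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample rows, not real traffic.
const SAMPLE = [
  { browser: "Safari", consentedAt: "2024-03-01T00:00:00Z", seenAt: "2024-03-04T00:00:00Z" },
  { browser: "Safari", consentedAt: "2024-03-02T00:00:00Z", seenAt: "2024-03-08T12:00:00Z" },
  { browser: "Safari", consentedAt: "2024-03-05T00:00:00Z", seenAt: "2024-03-10T00:00:00Z" },
  { browser: "Safari", consentedAt: "2024-03-10T00:00:00Z", seenAt: "2024-03-16T18:00:00Z" },
  { browser: "Chrome", consentedAt: "2024-03-01T00:00:00Z", seenAt: "2024-03-04T00:00:00Z" },
  { browser: "Chrome", consentedAt: "2024-03-01T00:00:00Z", seenAt: "2024-03-21T00:00:00Z" },
  { browser: "Chrome", consentedAt: "2024-01-01T00:00:00Z", seenAt: "2024-04-30T00:00:00Z" },
  { browser: "Chrome", consentedAt: "2024-03-09T00:00:00Z", seenAt: "2024-03-08T00:00:00Z" }, // bad clock
];

function effectiveLifetimes(rows, { intendedDays = 365, capDays = 7, minSamples = 3 } = {}) {
  const stats = new Map();
  for (const row of rows) {
    const age = (Date.parse(row.seenAt) - Date.parse(row.consentedAt)) / DAY_MS;
    if (!Number.isFinite(age) || age < 0) continue; // skip malformed or clock-skewed rows
    const s = stats.get(row.browser) ?? { samples: 0, maxAgeDays: 0 };
    s.samples += 1;
    s.maxAgeDays = Math.max(s.maxAgeDays, age);
    stats.set(row.browser, s);
  }
  const report = {};
  for (const [browser, s] of stats) {
    report[browser] = {
      samples: s.samples,
      maxAgeDays: Number(s.maxAgeDays.toFixed(2)),
      // Enough sightings, yet none older than the cap while the cookie was
      // meant to last far longer: consistent with a silently shortened lifetime.
      likelyCapped: s.samples >= minSamples && s.maxAgeDays <= capDays && capDays < intendedDays,
    };
  }
  return report;
}

console.log(effectiveLifetimes(SAMPLE));
```

A browser whose oldest observed consent cookie never exceeds 7 days, across enough sightings, is showing the pattern described above even though each individual cookie looked correct in DevTools.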

Safari led the way with ITP, but other browsers are following. Firefox already limits third-party storage access, and Chrome continues tightening its privacy controls. A first-party CMP domain protects your consent setup against current and upcoming browser changes — no need to react every time a browser ships a new privacy update.

Get Started

The first-party CMP domain feature is available on UniConsent Pro plans and above. For the full setup guide, see: First-Party CMP Domain Setup. Or reach out at hello@uniconsent.com.
