Best affordable CMP

Your CMP is a third-party script. It gets blocked 30-40% of the time. You never see it fail.

OneTrust loads from cdn.cookielaw.org. Cookiebot loads from consent.cookiebot.com. CookieYes loads from cdn-cookieyes.com. Those hostnames are in EasyList and EasyPrivacy, the filter lists that ship by default in uBlock Origin, Brave Shields, and Firefox Enhanced Tracking Protection. When any of those are active, your CMP script is blocked before it executes. The banner never appears. Your tags fire. Your CAPI endpoint receives the session. No consent was collected and no record was created because the script that would have done both was blocked before it ran.

This is not a compliance risk you can mitigate with better pricing. A CMP that costs EUR 30 per month and gets blocked on a third of your sessions is not more affordable than one that costs nothing and loads on every session. The cheapest CMP that fails to load is more expensive than the most expensive CMP that works, because the one that fails is generating compliance exposure on every session it misses while billing you for the privilege.

Every "affordable CMP" comparison sorts tools by monthly fee. None of them asks the question that determines whether price matters at all: does the banner actually appear?

---

Why load reliability is the only column that matters first

When a CMP script is blocked, four things happen simultaneously and silently.

No banner appears. The user never makes a choice. There is no Accept, no Reject, no record of any kind.

Your analytics tags fire. Your Meta Pixel fires. Your Google Ads tags fire. Every third-party script that was supposed to wait for consent executes immediately because the CMP that would have held them never loaded.

Your CAPI endpoint receives the event. Server-side tracking does not know the browser-side CMP was blocked. It receives whatever the browser sends and forwards it. The consent state that should have gated the event is absent because it was never set.

Your consent log shows nothing. Not a rejection. Not an empty consent. Nothing. The CMP that would have logged the session was blocked before it could. Your log looks complete because it only records sessions where the CMP ran. The blocked sessions are invisible to your records and visible to your ad platforms.

CNIL fined SHEIN EUR 150M in September 2025 for cookies that fired after Reject. The blocked-CMP failure produces a worse outcome: cookies that fire before any choice, with no record that the session ever happened. An auditor who ran a network intercept would see tags firing. Your consent log would show no corresponding record. That gap, between what happened and what was recorded, is exactly what enforcement investigations look for.

The compliance floor for any CMP is not price. It is whether the script loads.

---

The load problem sorted

Three categories. One question before anything else: does this CMP load from a domain ad blockers filter?

Loads from your own domain (never blocked):

DataCops loads from datacops.yourdomain.com. Your subdomain. Not on EasyList. Not on EasyPrivacy. The banner appears on every session. Borlabs Cookie and Complianz are WordPress self-hosted: they load from your WordPress domain. Klaro and CCM19 are self-hosted: they load from whatever server you deploy them on. These four are the only options in this comparison where the blocked-CDN problem does not exist.

Loads from a third-party CDN (blocked 30-40% of privacy-browser sessions):

Every other CMP in this comparison: OneTrust, Cookiebot, Usercentrics, CookieYes, CookieHub, Termly, Iubenda, Enzuzo, CookieFirst, Quantcast, Osano, Secure Privacy, Didomi, TrustArc. Their scripts load from vendor-controlled CDNs. Those CDN hostnames are in ad-blocker filter lists. On any browser with standard privacy settings, those scripts are blocked before execution.

What this means for the rest of the comparison:

For sites with no privacy-conscious audience, no ad-blocker users, no Brave or Firefox users: the blocked-CDN problem is smaller. CDN-hosted CMPs work fine on most sessions. Price and features become the deciding factors.

For sites with any meaningful share of privacy-browser traffic: a CDN-hosted CMP is generating compliance exposure on 30-40% of sessions regardless of how compliant the banner UI is. The compliance floor has not been met on those sessions. Price comparisons are irrelevant until that is resolved.

---

Quick answers

What is the cheapest CMP that actually loads on every session?

DataCops free tier. The CMP loads from your own subdomain, is not on any filter list, and is included at no cost on every plan. For pure banner-only needs without CAPI: Borlabs Cookie at EUR 39/year (WordPress only) or self-hosted Klaro at zero direct cost.

Is there a free CMP?

Several. DataCops free covers 2,000 sessions per month including CMP, bot detection, and analytics. CookieHub free covers 1,000 sessions. CookieYes free covers 15K pageviews on one domain. Termly free covers 10,000 banner views. Klaro and CCM19 are self-hosted and free at any traffic volume. The meaningful question is not whether a free tier exists but whether the free tier's CMP script loads on sessions with ad blockers active.

Does an affordable CMP work with Google Consent Mode v2?

Most paid tiers do. CookieYes, CookieHub, Termly, Iubenda, CookieFirst, and Enzuzo all support GCM v2. The Consent Mode v2 integration is only relevant on sessions where the CMP loaded. On sessions where the CMP was blocked, Consent Mode v2 receives no signal at all.

What about the Cookiebot price increase?

Cookiebot doubled its Premium Small price from EUR 15 to EUR 30 per domain per month in August 2025 and force-migrated one-to-three domain customers to Medium tier. That price increase is a real switching trigger. The replacement question is not "which tool is cheaper than Cookiebot" but "which replacement tool actually loads on every session, including the sessions Cookiebot was already missing."

Can I build my own CMP?

Yes. Klaro is MIT-licensed and handles TCF 2.2 consent flows. CCM19 runs on PHP 8.2 LAMP or NGINX. Silktide is free-forever self-hosted with GCM v2. All three load from your own server so the blocked-CDN problem does not apply. The cost is engineering time to maintain vendor list updates and TCF spec changes.

---

Compliance floor: what must work before price matters

Pre-consent script blocking. Not just a banner. Actual prevention of marketing and analytics scripts from firing before opt-in. This is what SHEIN and Google were fined for failing to enforce.

Google Consent Mode v2. Mandatory for EEA advertisers running Google Ads. Non-compliant accounts lose conversion modeling. The June 15, 2026 Google Signals change tightened this further.

TCF v2.3. Mandatory from February 28, 2026, for sites monetizing programmatic inventory. Sites still on TCF v2.2 after that date saw 60-80% CPM drops.

Audit log. Proof of consent for any session, retrievable if challenged. Most paid tiers include this. Free tiers frequently do not.

Banner loads on every session. The compliance floor item every comparison article skips. If the CMP script is blocked, none of the above apply to that session.

---

The tools

DataCops

DataCops is the only CMP in this comparison that solves the load problem at the architecture level. The script runs from datacops.yourdomain.com. Your subdomain. Not cdn.cookielaw.org. Not on EasyList. The banner appears on every session including the 30-40% that would silently skip every CDN-hosted CMP.

TCF 2.2 certified. Consent recorded server-side with timestamp, banner version, and user choice. When a user clicks Reject, anonymous analytics continue because anonymous data requires no consent anywhere. Identifiable parameters are suppressed at the server layer before any event reaches Meta CAPI or Google Ads Enhanced Conversions. The consent record and the suppressed CAPI event are the same pipeline.

Bot filtering against 361B+ IPs on the same subdomain. First-party analytics on the same pipeline.

What does not work: not a standalone CMP for sites without paid ads. No DSAR automation. No legal policy generation. No TCF v2.3 publisher support for programmatic. Requires a CNAME record. SOC 2 Type II in progress.

Right for: performance marketers running paid ads who need a CMP that loads on every session and propagates consent server-side to CAPI.

Value for money: 9/10 for the bundle.

Pricing: Free (2,000 sessions/mo, CMP included, bot detection, analytics, no CAPI). Growth $7.99/mo. Business $49/mo: CAPI starts here, all four platforms. Organization $299/mo. Enterprise custom.

---

Borlabs Cookie

WordPress self-hosted CMP. The script loads from your WordPress installation domain. Not blocked by any CDN filter. Consent records stay on your server.

What does not work: WordPress-only. Requires developer comfort for complex setups. No TCF v2.3 publisher support. Self-hosting means you maintain vendor list updates.

Right for: WordPress developers who want a CMP that loads from their own domain without SaaS dependency.

Value for money: 8/10

Pricing: Single site EUR 39/year.

---

Complianz

WordPress self-hosted CMP with per-site annual licensing. Loads from your WordPress domain. The most cost-effective option for agencies managing multiple small WordPress properties.

What does not work: WordPress-only. Third-party loading on some cloud components. Less known outside WordPress.

Right for: WordPress agencies managing 5+ sites where per-pageview SaaS pricing becomes expensive.

Value for money: 9/10 for multi-site WordPress agencies.

Pricing: Single $49/year. Five sites $149/year. Twenty-five sites $299/year.

---

Klaro (self-hosted)

MIT-licensed open-source CMP. Loads from your own server. No CDN blocking problem. No pageview metering. No monthly fee.

What does not work: requires engineering resources to configure and maintain vendor list updates. No auto-scanning. No TCF v2.3 out of the box. No support SLA.

Right for: engineering-driven teams comfortable maintaining their own compliance infrastructure at zero direct cost.

Pricing: Free (MIT license). Hosting cost only.

---

CCM19 (self-hosted)

Self-hosted CMP running on PHP 8.2 LAMP or NGINX. Multi-language. Loads from your own server. One-time license available.

What does not work: requires server infrastructure. Technical setup. Engineering overhead for updates.

Right for: teams wanting a one-time license and self-hosted control over consent records.

Pricing: One-time license. Self-hosted.

---

CookieYes

Most widely used SMB CMP post-Cookiebot pricing shift. 1M+ active WordPress installs. GCM v2. Auto-scan. Per-domain pricing.

What does not work: cdn-cookieyes.com loads from a CDN in EasyPrivacy filter lists, blocked on 30-40% of privacy-browser sessions. Pageview overage at $0.30/1K above plan. Free tier disables at 15K pageviews.

Right for: single WordPress sites with low privacy-browser traffic wanting straightforward GDPR compliance.

Value for money: 6/10 (load reliability caveat applies)

Pricing: Free (15K pv, 1 domain). Basic $10/month. Pro $25/month.

---

CookieHub

Session-based pricing eliminates page-depth penalties. April 2026 repricing removed per-session overage fees. Free tier covers 1,000 sessions per month with GCM v2.

What does not work: loads from third-party CDN, blocked on 30-40% of privacy-browser sessions. Multi-domain admin cumbersome per G2 reviews.

Right for: content-heavy sites with mostly non-privacy-browser audiences where pageview-based pricing is prohibitive.

Value for money: 7/10

Pricing: Free (1,000 sessions/month). Starter EUR 6/month. Business EUR 30/month with TCF.

---

Termly

CMP plus privacy policy, terms of service, and disclaimer templates. Pro+ at $15/month annual uses banner-view counting, not pageview counting. Predictable pricing for high-traffic sites.

What does not work: loads from third-party CDN. Free tier caps at 10,000 banner views with quarterly scans.

Right for: freelancers and small teams wanting consent plus legal policy generation at flat predictable pricing.

Value for money: 7/10

Pricing: Free (10K banner views). Starter $10/month. Pro+ $15/month annual.

---

Iubenda

Privacy compliance suite with CMP, privacy policy, and DPA bundled. team.blue-owned.

What does not work: loads from third-party CDN. Free tier silently disables at 1,000 pageviews per month, leaving sites in non-compliance without warning. Pageview metering expensive at high traffic.

Right for: SMBs wanting consent plus policy generation in one subscription.

Value for money: 6/10 (load reliability caveat applies)

Pricing: Free (1K pv, then disabled). Essentials from EUR 5/month. Advanced from EUR 19/month.

---

Enzuzo

Flat-rate pricing with no pageview metering on paid plans. Google CMP Gold. DSAR automation included from Starter tier.

What does not work: loads from third-party CDN. Limited TCF publisher depth.

Right for: SMBs wanting predictable flat-rate pricing with DSAR automation included.

Value for money: 7/10

Pricing: Starter $9/month (1 domain). Growth $22/month (4 domains).

---

Cookiebot (by Usercentrics)

2M+ websites. Auto-scanning. Google Gold CMP. Strong TCF publisher support.

What does not work: loads from consent.cookiebot.com, in ad-blocker filter lists. Doubled from EUR 15 to EUR 30 per domain per month in August 2025. Trustpilot 2.3/5 dominated by billing complaints.

Right for: mid-market publishers with complex vendor lists who can absorb the pricing.

Value for money: 5/10 (load reliability caveat plus price increase)

Pricing: Premium Small EUR 30/domain/month. Medium EUR 50/domain/month.

---

Quantcast Choice

Free TCF v2.3-compliant CMP. Data-for-software exchange with Quantcast.

What does not work: loads from third-party CDN. Data exchange requires audience privacy review.

Right for: publishers running programmatic ads wanting free TCF v2.3 compliance.

Value for money: 7/10 for TCF publishers

Pricing: Free.

---

Secure Privacy

CMP plus cookie audit plus policy generation. Small plan at $14/month.

What does not work: loads from third-party CDN. Less established than major players.

Right for: compliance-focused teams wanting documentation depth at mid-range pricing.

Value for money: 6/10

Pricing: Free (500 consents/month). Small $14/month. Business $49/month.

---

CookieFirst (Iubenda-owned)

team.blue/Iubenda-owned. Cookie scanning, TCF support, GCM v2. EU data storage.

What does not work: loads from third-party CDN. Roadmap under Iubenda control post-acquisition.

Right for: EU-based SMBs wanting simple Google-certified consent with EU data residency.

Value for money: 6/10

Pricing: Free (1 domain). Basic EUR 9/month. Plus EUR 19/month.

---

Osano

US-state-law forward CMP. GDPR plus CCPA, CPRA, and multiple US state laws.

What does not work: loads from third-party CDN. US law breadth adds complexity for EU-only sites.

Right for: US companies with multi-state compliance requirements.

Value for money: 6/10

Pricing: Starter $199/month. Growth $399/month.

---

OneTrust

The enterprise standard. USD 10,000 annual minimum from Q2 2026.

What does not work: loads from cdn.cookielaw.org, blocked 30-40% of privacy-browser sessions. USD 10,000 minimum eliminates it for SMBs. 275%-1000% renewal increases documented.

Right for: enterprises with full GRC requirements and existing contracts.

Value for money: 3/10 for anyone below enterprise scale.

Pricing: USD 10,000 minimum annual contract.

---

Usercentrics

Enterprise parent of Cookiebot. Google Gold certification. TCF v2.3.

What does not work: loads from third-party CDN. Enterprise-only pricing.

Right for: large publishers in DACH markets needing deep TCF publisher support.

Value for money: 7/10 for its specific segment.

Pricing: Enterprise custom.

---

Didomi

Post-Sourcepoint and Addingwell acquisition. TCF v2.3. Processes 2 billion consents per month.

What does not work: loads from third-party CDN. USD 2,000-15,000 per year minimum.

Right for: EU publishers running programmatic at scale.

Value for money: 7/10 for publishers.

Pricing: USD 2,000-15,000/year.

---

Sourcepoint

Acquired by Didomi July 2025. Under Didomi umbrella.

What does not work: acquisition integration ongoing. Not standalone SMB.

Right for: premium publishers already on Sourcepoint.

Pricing: Enterprise custom via Didomi.

---

TrustArc

Enterprise privacy management. Google-certified CMP.

What does not work: loads from third-party CDN. Enterprise-only.

Right for: enterprises needing Google-certified CMP alternative to OneTrust.

Pricing: Enterprise custom.

---

Sirdata

EU publisher CMP with TCF v2.3 and programmatic monetization integrations.

What does not work: loads from third-party CDN. Publisher-focused.

Right for: EU publishers with complex IAB vendor list requirements.

Pricing: Custom.

---

Ketch

Modern privacy infrastructure with 1,000+ integrations. Free tier up to 5,000 users. Closest feature match to OneTrust at mid-market pricing.

What does not work: loads from third-party CDN. Some technical setup required.

Right for: mid-market teams needing OneTrust-level features without the USD 10,000 minimum.

Value for money: 8/10

Pricing: Free (5,000 users/month). Pro from approximately USD 499/month.

---

BigID

Enterprise data governance with consent as one module.

What does not work: consent is secondary. Enterprise-only. Loads from third-party infrastructure.

Right for: enterprises managing AI and data governance.

Pricing: Enterprise custom.

---

DataGrail

US-market privacy operations with DSAR automation.

What does not work: US-market focus. Not a standalone consent banner.

Right for: US enterprises needing DSAR automation alongside consent.

Pricing: Custom.

---

Transcend

Developer-forward privacy automation.

What does not work: significant implementation complexity. Enterprise pricing.

Right for: engineering-driven enterprises wanting infrastructure-level privacy controls.

Pricing: Enterprise custom.

---

Securiti

Data and AI governance with consent as one module.

What does not work: consent is secondary. Enterprise-only.

Right for: enterprises managing AI governance programs.

Pricing: Enterprise custom.

---

Privado

Privacy-as-code plus CMP. Developer-only.

Right for: engineering teams wanting code-level consent mapping.

Pricing: Custom.

---

ConsentManager (Iubenda-owned)

TCF-compliant CMP with publisher focus.

What does not work: overlapping with main Iubenda product. Third-party CDN loading.

Right for: publishers needing TCF compliance alongside Iubenda support quality.

Value for money: 6/10

Pricing: From EUR 19/month.

---

The only table that matters first

DataCops, Borlabs, Complianz, Klaro, and CCM19 are the only tools where the CMP loads from your own domain. For every other tool: assume the banner is invisible to 30-40% of privacy-browser sessions and plan accordingly.

---

When DataCops is not the right answer

If you only need a cookie banner with no CAPI and no paid ads, DataCops is over-engineered. Borlabs or Complianz for WordPress. Klaro for self-hosters. CookieHub or CookieYes for everything else.

If you are a publisher running programmatic advertising with TCF v2.3 vendor list management: Didomi or Quantcast have publisher depth DataCops does not match.

If you need DSAR automation, ROPA generation, or legal policy templates: Iubenda, Termly, or Enzuzo include those. DataCops does not.

If you need SOC 2 Type II today: DataCops is completing it. Other tools have existing certifications.

If your primary concern is US state privacy laws rather than GDPR: Osano or Ketch are more relevant.

---

Every comparison article assumes the banner loaded. The price table, the compliance score, the feature matrix: all of it assumes the CMP script executed on the session being discussed.

On 30-40% of sessions from users with standard privacy browser settings, that assumption is wrong. Those sessions are not in the compliance log. Those sessions are not in any cost calculation. Those sessions had your tags fire without consent and will never appear in any audit unless a regulator runs a network intercept.

Price matters after load reliability. Not before.

Which CMP on your site right now loads on a session from a user running Brave with default settings?