Best CMP 2026
Your CMP is a third-party script. It gets blocked 30-40% of the time. You never see it fail.
Simul Sarker
Founder & Product Designer of DataCops
Last Updated: May 28, 2026
OneTrust loads from cdn.cookielaw.org. Cookiebot loads from consent.cookiebot.com. CookieYes loads from cdn-cookieyes.com. Every one of those CDN hostnames is in the EasyList and EasyPrivacy filter lists that uBlock Origin, Brave Shields, and Firefox Enhanced Tracking Protection enforce by default. When the CMP script is blocked, the banner never appears. Your analytics tags fire. Your Meta Pixel fires. Your Google Ads tags fire. No consent was collected because no banner was shown. No record exists in your consent log because the script that would have created the record was never executed.
This is not a compliance risk. It is an active violation happening right now on 30-40% of your privacy-browser traffic, invisibly, on every site running a CMP from a third-party CDN.
The CNIL fines everyone cites made this concrete. EUR 325M against Google in September 2025. EUR 150M against SHEIN. EUR 1.5M against American Express in November 2025. Every "best CMP 2026" article opens with those fines and points at banner UI as the lesson. The lesson is not the banner. The lesson is whether your pipeline actually stops when the banner says stop. And the first version of that problem, the one nobody names, is whether the banner appeared at all.
Every CMP comparison I have read for this article scores banner aesthetics, template counts, and GDPR article compliance. None of them checks which CMPs load from domains that ad blockers filter. That is the column this article adds.
I reviewed 24 CMPs for this guide. The structure is simple: which ones load from a CDN that gets blocked, and which ones do not. Then pricing, compliance depth, and where each tool actually wins.
Quick answers
What is the best CMP in 2026?
For sites running paid ads on Meta and Google who need consent that actually loads on ad-blocker sessions: DataCops, because the CMP loads from your own subdomain and is not on any filter list. For single-domain sites on no paid ads: CookieYes or CookieHub at low cost. For publishers needing TCF v2.3 depth: Didomi. For enterprises: OneTrust if procurement can absorb the USD 10,000 minimum, Ketch if you want comparable features at lower cost.
Which CMP is Google certified?
47 Google CMP Partners listed across Bronze, Silver, and Gold tiers as of 2026. Gold-tier includes Usercentrics/Cookiebot, Didomi, CookieYes, Enzuzo, Osano, and others. Non-certified CMPs cannot serve EEA and UK ads via AdSense, Ad Manager, or AdMob. Verify at Google's current CMP Partner page before purchasing.
What is Consent Mode v2?
Google's framework for passing user consent state as signals to Google tags. Two consent types added over v1: ad_user_data and ad_personalization. Without these signals emitted by your CMP and propagated to your server-side GTM container, EEA campaigns lose conversion modeling and ROAS degrades. CMPs emitting only v1 signals are non-compliant for EEA Google Ads as of March 2024, enforced more strictly since June 2026.
Does Google require a CMP?
For EEA and UK ad serving via AdSense, Ad Manager, or AdMob: yes, from a Google-certified partner. For Google Ads Enhanced Conversions: no explicit CMP requirement, but Consent Mode v2 is mandatory for EEA advertisers. Without a CMP emitting correct v2 signals, EEA campaigns operate without conversion modeling.
Is Cookiebot or OneTrust better?
Neither is the default answer for mid-market in 2026. Cookiebot doubled its base pricing in August 2025. OneTrust enforced a USD 10,000 annual minimum in Q2 2026. Both load from third-party CDNs blocked by uBlock Origin and Brave. For most mid-market buyers, Ketch, Enzuzo, or CookieHub are now better value. For enterprises already on OneTrust with a working contract, staying is reasonable.
What happens when a CMP fails to load?
If the CMP script is blocked before execution, no consent banner appears, no consent is recorded, and your tags fire without legal basis. Your consent log shows no record of that session because the logging mechanism was also blocked. This is the failure mode that generates compliance exposure with no paper trail. The only defense is a CMP that loads from a domain the browser does not filter.
What is the difference between a CMP and a cookie banner?
A cookie banner is the visible UI element. A CMP is the infrastructure: consent state storage, signal transmission to GTM, GA4, Meta CAPI, and Google Ads, and the audit log. The banner is five minutes of a procurement conversation. The consent propagation chain is 24 months of potential regulator exposure. The CMP that loads from a filtered CDN fails both jobs silently.
The Reject-path test every stack should run and almost nobody does
Before choosing any CMP, run this test on your current setup.
Open your browser with uBlock Origin or Brave Shields active. Load your site. Watch whether the consent banner appears. If it does not appear, stop. Your CMP script was blocked. Everything that follows is irrelevant until you fix the load problem.
If the banner does appear, click Reject All. Open your browser's network inspector. Watch the requests that fire in the next 30 seconds. Are your Google Ads tags still posting? Is your Meta Pixel still sending data? Is your CAPI endpoint receiving events? If yes, your CMP loaded but did not stop the pipeline. These are two separate problems, and each requires its own fix.
Practitioners report that most server-side GTM setups silently fail the Reject path: the CMP updates browser consent state but the sGTM container never receives the signal. Tags keep firing on Reject because the consent propagation chain from browser to server was never wired. CNIL's SHEIN fine was exactly this failure, documented at EUR 150M.
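The two checks above can also be run over a HAR file exported from the network inspector, which makes the result repeatable and easy to attach to an audit. This is an added example, not code from DataCops or any CMP vendor; the tracker endpoint list, the `auditRejectPath` name and the sample sessions are assumptions constructed for illustration.

```javascript
// Added example: runs the two-step Reject-path test over a HAR export.
// CMP hostnames are the ones named in this article; tracker endpoints are
// assumptions to edit for your stack (add your own sGTM/CAPI hostname).
const CMP_HOSTS = ['cdn.cookielaw.org', 'consent.cookiebot.com', 'cdn-cookieyes.com'];
const TRACKERS = [
  { host: 'www.facebook.com', path: '/tr' },          // Meta Pixel
  { host: 'googleads.g.doubleclick.net', path: '/' }, // Google Ads
  { host: 'www.googleadservices.com', path: '/' },    // Google Ads conversions
];

// A request counts only if the browser got a 2xx/3xx response; status 0 in
// a HAR means it never completed (for example, blocked by an extension).
const completed = (e) =>
  !!e.response && e.response.status >= 200 && e.response.status < 400;

// rejectClickedAt: ISO timestamp of the Reject All click, or null when the
// banner never appeared (then every completed tracker request is reported).
function auditRejectPath(har, rejectClickedAt, cmpHosts = CMP_HOSTS, trackers = TRACKERS) {
  const rejectMs = rejectClickedAt ? Date.parse(rejectClickedAt) : -Infinity;
  const out = { cmpLoaded: false, hits: [] };
  for (const e of har.log.entries) {
    let url;
    try { url = new URL(e.request.url); } catch { continue; } // skip malformed URLs
    if (!completed(e)) continue;
    if (cmpHosts.includes(url.hostname)) out.cmpLoaded = true;
    const isTracker = trackers.some(
      (t) => t.host === url.hostname && url.pathname.startsWith(t.path));
    if (isTracker && Date.parse(e.startedDateTime) > rejectMs) {
      // Query strings are dropped so the report does not copy user identifiers.
      out.hits.push({ url: url.origin + url.pathname, at: e.startedDateTime });
    }
  }
  out.verdict = !out.cmpLoaded ? 'CMP_NOT_LOADED'
    : out.hits.length > 0 ? 'TAGS_FIRE_AFTER_REJECT' : 'PASS';
  return out;
}

// Constructed sample sessions (not real captures).
const entry = (url, at, status) =>
  ({ startedDateTime: at, request: { url }, response: { status } });
const blockedSession = { log: { entries: [
  entry('https://cdn.cookielaw.org/example-cmp.js', '2026-05-28T10:00:00.100Z', 0),
  entry('https://www.facebook.com/tr?id=000&ev=PageView', '2026-05-28T10:00:01.000Z', 200),
] } };
const rejectIgnoredSession = { log: { entries: [
  entry('https://cdn.cookielaw.org/example-cmp.js', '2026-05-28T10:00:00.100Z', 200),
  entry('https://googleads.g.doubleclick.net/pagead/viewthroughconversion/000/',
    '2026-05-28T10:00:09.000Z', 200),
] } };

console.log(auditRejectPath(blockedSession, null).verdict);
console.log(auditRejectPath(rejectIgnoredSession, '2026-05-28T10:00:04.000Z').verdict);
```

Run it once against a session recorded with a blocker active and once against a clean session where Reject All was clicked; any verdict other than `PASS` maps to one of the two failure modes described above.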
DataCops solves both problems from one architecture. The CMP loads from your subdomain, so the banner appears on ad-blocker sessions. The consent enforcement runs server-side on the same pipeline as the CAPI events, so the Reject signal stops the downstream events at the server layer.
The tools
DataCops
DataCops is the only CMP in this comparison that loads from your own subdomain. One CNAME record: Host = datacops, Value = cdn.yourdomain.com. The banner loads from datacops.yourdomain.com. Not from cookielaw.org. Not from consent.cookiebot.com. Not on EasyList. Not on EasyPrivacy. The banner appears on every session including the 30-40% that would silently skip a third-party CMP.
TCF 2.2 certified. Consent recorded server-side with timestamp, banner version, vendor list version, and user choice. When a user clicks Reject, anonymous session analytics continue because anonymous data requires no consent anywhere. Identifiable conversion parameters are suppressed at the server layer before any event reaches Meta CAPI, Google Ads Enhanced Conversions, TikTok Events API, or LinkedIn Insight CAPI. The consent record and the suppressed CAPI event are the same pipeline. An auditor traces the rejection directly to the absent downstream event.
Bot filtering against 361B+ IPs runs on the same pipeline. First-party analytics on the same subdomain. TCF 2.2 CMP is included free on every plan tier.
What does not work: DataCops is not a standalone CMP for sites without paid ads. No DSAR automation. No ROPA export. No legal policy generation. No TCF v2.3 publisher support for programmatic monetization. No Shopify App Store install. SOC 2 Type II in progress.
Right for: performance marketers running paid ads who need a CMP that loads on every session and propagates consent to CAPI server-side.
Value for money: 9/10 for the bundle.
Pricing: Free (2,000 sessions/mo, CMP included, bot detection, analytics, no CAPI). Growth $7.99/mo. Business $49/mo: CAPI starts here. Organization $299/mo. Enterprise custom.
OneTrust
The enterprise standard. Broadest module catalog: consent, DSAR, data mapping, vendor risk, GRC, AI governance. Market leader for Fortune 500 privacy programs.
What does not work: USD 10,000 annual contract minimum from Q2 2026. G2 reviewers documented 275%-468% price increases with 21 days notice. Mid-market accounts seeing EUR 550 per site repriced to EUR 12,000+. Third-party CDN loading means OneTrust scripts are blocked on 30-40% of Brave and uBlock sessions. Enterprise complexity requires professional services for implementation.
Right for: enterprises with dedicated privacy operations teams and existing OneTrust contracts where the full GRC suite justifies the cost.
Value for money: 4/10 for SMB. 7/10 for enterprise already contracted.
Pricing: USD 10,000 minimum annual contract. Mid-market typically USD 40,000-120,000/year.
Cookiebot (by Usercentrics)
2M+ websites. Auto-scanning. Google Gold CMP certification. Strong TCF publisher support. The dominant SMB CMP until August 2025.
What does not work: Premium Small doubled from EUR 15 to EUR 30 per domain per month in August 2025. Force-migrated 1-3 domain customers to Medium tier. Trustpilot 2.3/5 with billing transparency as the dominant complaint. Third-party CDN loading, blocked on 30-40% of privacy-browser sessions.
Right for: mid-market publishers with complex vendor lists who can absorb the new pricing.
Value for money: 6/10 post-price-increase.
Pricing: Premium Small EUR 30/domain/month. Medium EUR 50/domain/month.
Usercentrics
Enterprise CMP parent of Cookiebot. Controls approximately 50% of the DACH market. Google Gold certification. Strong TCF v2.3 publisher support. In January 2026 acquired MCP Manager for AI governance.
What does not work: enterprise pricing and complexity. Third-party CDN loading. Strategic attention shifting toward AI governance.
Right for: large publishers and enterprise brands in German-speaking markets needing deep TCF support.
Value for money: 7/10 for its segment.
Pricing: Enterprise custom.
Didomi
Post-Sourcepoint and Addingwell acquisition: consent management, server-side GTM, and data layer infrastructure under one vendor. TCF v2.3 certified ahead of the February 28, 2026 deadline. Processes 2 billion consents per month at 99.9999% uptime. Published the most-cited European consent rate benchmark in 2026.
What does not work: USD 2,000-15,000 per year minimum. Enterprise-only in practice. Addingwell server-side integration still roadmap-dependent for full consent-to-CAPI propagation. Third-party script loading.
Right for: EU publishers and enterprise advertisers needing the deepest TCF v2.3 support and publisher-grade SLAs.
Value for money: 8/10 for publishers.
Pricing: USD 2,000-15,000/year.
Sourcepoint
Acquired by Didomi July 2025. Now under Didomi umbrella with ongoing integration.
What does not work: acquisition integration creates roadmap and pricing uncertainty. Not a standalone SMB tool.
Right for: premium publishers already on Sourcepoint evaluating the Didomi migration.
Pricing: Enterprise custom via Didomi.
Ketch
Modern privacy infrastructure with 1,000+ integrations and no-code consent orchestration. Google Silver CMP certification. The closest feature match to OneTrust for mid-market buyers at a fraction of the cost. Free tier covers 5,000 users per month.
What does not work: some technical setup compared to self-serve SMB tools. Less transparent pricing than simpler CMPs. Not publisher-grade for complex TCF use cases. Third-party script loading.
Right for: mid-market teams needing OneTrust-level consent features without the USD 10,000 minimum.
Value for money: 8.5/10
Pricing: Free tier (5,000 users/month). Pro from approximately USD 499/month. Enterprise custom.
Iubenda
Privacy compliance suite with CMP, privacy policy, and DPA bundled. team.blue-owned. Acquired CookieFirst in January 2025. Pageview-metered with free tier that disables at 1,000 pageviews per month.
What does not work: free tier silently disables at 1K pageviews, leaving sites in non-compliance without warning. Pageview metering on paid tiers gets expensive for high-traffic sites. Third-party CDN loading.
Right for: SMBs wanting consent plus privacy policy generation in one subscription.
Value for money: 7/10
Pricing: Free (1K pv, then disabled). Essentials from EUR 5/month. Advanced from EUR 19/month.
CookieYes
Most widely used SMB CMP post-Cookiebot pricing shift. Native WordPress plugin with 1M+ active installs. Per-domain flat pricing. GCM v2. Auto-scan.
What does not work: $0.30/1K pageview overage above plan; free tier limits to 15K pageviews and 100 pages. Third-party CDN loading.
Right for: single WordPress sites under 50K monthly pageviews.
Value for money: 7/10
Pricing: Free (15K pv, 1 domain). Basic $10/month (100K pv). Pro $25/month.
CookieHub
Session-based pricing eliminates the page-depth penalty of pageview metering. April 2026 repricing eliminated per-session overage fees. Free tier covers 1,000 sessions per month with GCM v2.
What does not work: multi-domain admin cumbersome per G2 reviews. Third-party script loading.
Right for: content-heavy sites where pageview-based pricing is prohibitive.
Value for money: 8/10
Pricing: Free (1,000 sessions/month). Starter EUR 6/month. Business EUR 30/month (TCF).
Termly
CMP plus privacy policy, terms of service, and disclaimer templates. Pro+ at $15/month annual uses banner-view counting rather than pageview counting.
What does not work: free tier caps at 10,000 banner views with quarterly scans. Third-party script loading.
Right for: freelancers and small teams wanting consent plus legal policy generation at flat predictable pricing.
Value for money: 8/10
Pricing: Free (10K banner views). Starter $10/month. Pro+ $15/month annual.
Enzuzo
Flat-rate pricing with no pageview metering on paid plans. Google CMP Gold certification. Starter at $9/month includes DSAR automation and API access. The OneTrust alternative most commonly recommended by privacy practitioners in r/cipp discussions.
What does not work: limited TCF publisher depth. Third-party script loading.
Right for: SMBs wanting predictable flat-rate pricing with DSAR included from day one.
Value for money: 8.5/10
Pricing: Starter $9/month (1 domain). Growth $22/month (4 domains).
Borlabs Cookie
WordPress self-hosted CMP. The consent record and the script both live on your server. Loads from your WordPress installation domain. Not subject to third-party CDN blocking.
What does not work: WordPress-only. Requires developer comfort. No TCF v2.3 publisher support. Self-hosted means you maintain vendor list updates.
Right for: WordPress developers who want a CMP that loads from their own domain without SaaS dependency.
Value for money: 8/10
Pricing: Single site EUR 39/year.
CookieFirst (Iubenda-owned)
team.blue/Iubenda-owned CMP. Cookie scanning, TCF support, GCM v2. EU data storage. Acquired by Iubenda January 2025.
What does not work: acquisition means roadmap and pricing under Iubenda control. Overlapping positioning with main Iubenda product. Third-party script loading.
Right for: EU-based SMBs wanting simple Google-certified consent with EU data residency.
Value for money: 7/10
Pricing: Free (1 domain). Basic EUR 9/month. Plus EUR 19/month.
ConsentManager (Iubenda-owned)
Iubenda-owned CMP with TCF publisher focus. Separate product from main Iubenda suite.
What does not work: overlapping positioning with Iubenda creates selection confusion. Third-party script loading.
Right for: publishers needing TCF-compliant consent with Iubenda-level support.
Value for money: 7/10
Pricing: From approximately EUR 19/month.
Secure Privacy
CMP plus cookie audit plus policy generation. Small plan at $14/month covering 10K consents per month.
What does not work: less established than major players. Documentation depth requires configuration investment. Third-party script loading.
Right for: compliance-focused teams wanting documentation depth at mid-range pricing.
Value for money: 7/10
Pricing: Free (500 consents/month). Small $14/month. Business $49/month.
Quantcast Choice
Free TCF v2.3-compliant CMP. Data-for-software exchange with Quantcast measurement.
What does not work: data exchange requires audience privacy review. Third-party script loading.
Right for: publishers running programmatic ads wanting free TCF v2.3 compliance.
Pricing: Free.
Osano
US-state-law forward CMP. GDPR plus CCPA, CPRA, Colorado, Virginia, Connecticut. No-fine guarantee covers regulatory defense costs.
What does not work: US law breadth adds complexity for EU-only sites. Third-party script loading.
Right for: US companies with multi-state compliance requirements wanting OneTrust alternatives.
Value for money: 7/10
Pricing: Starter $199/month. Growth $399/month.
TrustArc
Enterprise privacy management. Google-certified CMP. AI-assisted compliance. Closest feature match to OneTrust for enterprise alternatives.
What does not work: enterprise-only. Not an SMB tool. Third-party script loading.
Right for: enterprises requiring a Google-certified enterprise CMP alternative to OneTrust.
Value for money: 7/10 for enterprise.
Pricing: Enterprise custom.
Sirdata
EU publisher CMP with TCF v2.3 and programmatic monetization integrations.
What does not work: publisher-focused, not relevant for DTC advertisers.
Right for: EU publishers with complex IAB vendor list requirements.
Value for money: 7/10
Pricing: Custom.
BigID
Enterprise data governance with consent as one module.
What does not work: consent is secondary to data governance. Enterprise-only. Not an SMB tool.
Right for: enterprises managing AI and data governance who need consent in the same platform.
Pricing: Enterprise custom.
DataGrail
US-market privacy operations with DSAR automation. G2 4.7/5 across 193 reviews.
What does not work: US-market emphasis over GDPR depth. Not a standalone consent banner.
Right for: US enterprises needing DSAR automation alongside consent.
Pricing: Custom.
Transcend
Developer-forward privacy automation covering consent, DSAR, and data inventory.
What does not work: significant implementation complexity. Enterprise pricing.
Right for: engineering-driven enterprises wanting infrastructure-level privacy controls.
Pricing: Enterprise custom.
Securiti
Data and AI governance with consent as one module. Strong AI governance capabilities.
What does not work: consent is secondary. Enterprise-only.
Right for: enterprises managing AI governance programs.
Pricing: Enterprise custom.
Privado
Privacy-as-code plus CMP. Scans code repositories to map data flows to consent requirements.
What does not work: developer-only. Not for non-technical compliance teams.
Right for: engineering teams wanting automated code-level consent mapping.
Pricing: Custom.
Scoring rubric
| CMP | Loads first-party | GCM v2 | TCF v2.3 | Server-side consent propagation | Price transparent | Free tier |
|---|---|---|---|---|---|---|
| DataCops | Yes (your CNAME) | Yes | TCF 2.2 | Yes (same pipeline as CAPI) | Yes | Yes |
| OneTrust | No | Yes | Yes | No (requires custom config) | No (sales only) | No |
| Cookiebot | No | Yes | Yes | No | Yes (EUR 30/domain) | Yes (50 subpages) |
| Usercentrics | No | Yes | Yes | No | No (sales only) | No |
| Didomi | No | Yes | Yes | Via Addingwell (partial) | No (sales only) | No |
| Ketch | No | Yes | Partial | No | Yes (tiers listed) | Yes (5K users) |
| CookieYes | No | Yes | No | No | Yes | Yes (15K pv) |
| CookieHub | No | Yes | Yes (Business) | No | Yes | Yes (1K sessions) |
| Termly | No | Yes | Yes | No | Yes | Yes (10K views) |
| Iubenda | No | Yes | Partial | No | Yes | Yes (1K pv, then disabled) |
| Enzuzo | No | Yes | Partial | No | Yes | No |
| Borlabs | Yes (WordPress domain) | Yes | No | Self-managed | Yes | No |
| Quantcast | No | Yes | Yes | No | Yes (free) | Yes |
| Osano | No | Yes | No | No | Yes | No |
DataCops and Borlabs are the only tools where the CMP script loads from your own domain. DataCops is the only tool where server-side consent propagation to CAPI is built into the architecture.
When DataCops is not the best CMP
If you only need a cookie banner with no paid ads and no CAPI, DataCops is over-engineered. CookieHub at EUR 6/month or CookieYes free does the job for less.
If you are a publisher running programmatic advertising with complex TCF v2.3 vendor list management, Didomi or Quantcast have publisher depth DataCops does not match.
If you need DSAR automation, ROPA generation, or legal policy templates, Iubenda, Termly, or Enzuzo include those. DataCops does not generate legal documents.
If your organization requires enterprise procurement documentation and a Google Gold CMP certification on record with formal compliance audit trails extending to DSAR and data mapping, OneTrust or TrustArc carry that credential set.
If you run primarily US state law compliance rather than GDPR, Osano is more relevant.
Thirty to forty percent of your visitors with privacy browsers active never saw your consent banner. Those sessions are not in your consent log. Your tags fired on all of them. No record. No consent. Active exposure.
Which of your current analytics sessions from the past 30 days came from users whose CMP banner never rendered, and what did your pipeline send to Meta and Google on their behalf?