Best consent management platform 2026

Your CMP is a third-party script. It gets blocked 30-40% of the time. You never see it fail.

OneTrust loads from cdn.cookielaw.org. Cookiebot loads from consent.cookiebot.com. CookieYes loads from cdn-cookieyes.com. Those hostnames are in EasyList and EasyPrivacy, the filter lists that ship by default in uBlock Origin, Brave Shields, and Firefox Enhanced Tracking Protection. When your visitor has any of those active, the CMP script is blocked before it executes. The banner never appears. Your Google Ads tag fires. Your Meta Pixel fires. Your CAPI endpoint receives the session. No consent was collected, no consent was refused, no record was created, because the script that would have done all three never ran.

Your consent log looks complete. It shows every session where a user clicked Accept or Reject. It does not show the 30-40% of sessions where the banner was blocked and your tags fired anyway. Those sessions are not in your compliance record. They are in your ad platform's conversion data.

This is the upstream failure. CNIL's EUR 150M fine against SHEIN and EUR 325M against Google targeted the downstream failure: tags that kept firing after Reject. The blocked-CMP failure is worse because it leaves no record at all. You cannot demonstrate the violation occurred because the tool that would have recorded it was blocked. You also cannot demonstrate consent was collected because it was not.

The best consent management platform in 2026 is not the one with the most compliant banner or the deepest template library. It is the one that loads on every session, including the sessions where every other CMP silently disappears.

---

The cost of a broken consent signal in 2026

Before comparing any tool, the actual numbers.

Only 31% of users accept tracking cookies on average. That means 69% of your traffic is already invisible to client-side tracking before ad blockers are even counted. A single Consent Mode v2 misconfiguration dropped one documented Google Ads account's measured conversions by 90% overnight per a 2026 PPC Land case study. Publishers stuck on TCF v2.2 after the February 28, 2026 deadline defaulted to Limited Ads with reported 60-80% CPM drops. CNIL issued EUR 486.8M in cookie-related sanctions in 2025 alone.

The cost of a bad CMP is not measured in regulator letters. It is measured in lost Google Ads conversion modeling, dropped publisher CPMs, and compliance exposure on the 30-40% of sessions where the CMP never appeared.

---

Quick answers

What is a consent management platform?

Software that collects, records, and signals user consent for data processing. In practice it controls which tags and scripts fire based on what the visitor chose. In 2026 it also needs to pass correct signals to Google Consent Mode v2, generate valid IAB TCF v2.3 strings for programmatic, and propagate consent state to server-side CAPI endpoints. A CMP that only displays a banner and blocks browser cookies is the minimum. A CMP that correctly wires consent through your entire ad infrastructure is the actual job.

Which is the best CMP for GDPR?

Depends on your use case. For SMBs running paid ads who need consent that actually loads on ad-blocker sessions: DataCops, because it loads from your own subdomain and is not on any filter list. For single-domain sites with no paid ads: CookieYes or CookieHub. For publishers needing TCF v2.3 depth: Didomi. For enterprises: OneTrust if procurement can absorb the USD 10,000 minimum, Ketch if you need comparable features at lower cost.

Is OneTrust the best CMP?

Not for anyone below enterprise scale in 2026. USD 10,000 annual contract minimum from Q2 2026. G2 reviewers documented 275% and 468% price increases with 21 days notice. UK charities saw fees jump from under GBP 1,000 to over GBP 17,000 overnight. Enterprise teams with existing OneTrust contracts and full GRC requirements: reasonable to stay. Everyone else: shop.

Is Cookiebot free?

No. Paid plans start at EUR 30 per domain per month after the August 2025 doubling from EUR 15. Three domains costs EUR 1,080 per year. That price increase drove the most negative review volume Cookiebot has ever received, with one Trustpilot reviewer writing: "Out of nowhere, the price was doubled from EUR 15 to EUR 30 per month. Cookiebot claimed they informed customers via a single email, but I never received it."

Does Google require a CMP?

For EEA and UK ad serving via AdSense, Ad Manager, or AdMob: yes, from a Google-certified partner. For Google Ads Enhanced Conversions: Consent Mode v2 signals are mandatory for EEA advertisers. The June 15, 2026 Google Signals change removed Google Signals from co-controller status, tightening how consent is configured inside Google Ads. A CMP that does not emit correct Consent Mode v2 signals is not functional for EEA paid media.

What happens when a CMP fails to load?

No banner appears. No consent is collected. No record is created. Your analytics and advertising tags fire on the session without a consent basis. The consent log shows no record of that session because the logging script was blocked alongside the banner script. This is not a hypothetical edge case. It is happening on 30-40% of sessions from users running standard privacy browser extensions.

Are free CMPs compliant?

Some are for basic use cases. CookieHub's free tier includes proof of consent and Consent Mode v2. CookieYes free covers 15,000 pageviews on one domain. The constraints on free tiers are usually at TCF publisher depth or server-side propagation. The more important question for any tier is whether the CMP loads from a domain that ad blockers filter.

---

Five questions before you pick a CMP

One. Are you running Google Ads in the EEA? If yes, Consent Mode v2 health is the dominant variable. Every CMP you evaluate needs Google certification and needs to pass a GTM Preview consent state check before go-live.

Two. Do you run server-side CAPI to Meta, Google, TikTok, or LinkedIn? If yes, your CMP needs to propagate consent signals to your CAPI layer, not just client-side tags. Most standalone CMPs never touch server-side.

Three. Are you a publisher monetizing programmatic inventory? If yes, TCF v2.3 fidelity is non-negotiable. Missing the February 28, 2026 deadline costs 60-80% of CPMs on affected inventory.

Four. Do you have a privacy or legal team? If yes, you want DSAR automation, data mapping, and PIA workflows. OneTrust, Ketch, and MineOS serve this. If no, you want something a marketer configures in an afternoon.

Five. What is your domain count and traffic volume? Cookiebot charges per domain. Iubenda charges per pageview. CookieYes charges per domain. DataCops and Ketch charge flat by session. That single factor changes annual TCO by 3-5x depending on your setup.

---

Buyer decision matrix

---

The tools

DataCops

DataCops is the only CMP in this comparison that loads from your own subdomain. The script runs from datacops.yourdomain.com. Not from cookielaw.org. Not from consent.cookiebot.com. Not on EasyList. The banner appears on every session including the 30-40% that would silently skip every other CMP on this list.

TCF 2.2 certified. Consent recorded server-side: timestamp, banner version, vendor list version, user choice. When a user clicks Reject, anonymous analytics continue because anonymous data requires no consent anywhere. Identifiable parameters are suppressed at the server layer before any event reaches Meta CAPI, Google Ads Enhanced Conversions, TikTok Events API, or LinkedIn Insight CAPI. The consent record and the suppressed event are the same pipeline.

Bot filtering against 361B+ IPs on the same subdomain. First-party analytics on the same pipeline. CMP included free on every plan tier.

What does not work: not a standalone CMP for sites without paid ads. No DSAR automation. No ROPA export. No legal policy generation. No TCF v2.3 publisher support for programmatic. SOC 2 Type II in progress.

Right for: performance marketers running paid ads who need a CMP that loads on every session and propagates consent to CAPI server-side events.

Value for money: 9/10 for the bundle.

Pricing: Free (2,000 sessions/mo, CMP, bot detection, analytics, no CAPI). Growth $7.99/mo. Business $49/mo: CAPI starts here, all four platforms. Organization $299/mo. Enterprise custom.

---

OneTrust

The enterprise privacy standard. Broadest module catalog: consent, DSAR, data mapping, vendor risk, GRC, AI governance.

What does not work: USD 10,000 annual minimum from Q2 2026. 275%-1000%+ renewal increases documented by G2 reviewers. UK charities reporting GBP 1,000 contracts repriced to GBP 17,000+. Third-party CDN loading. Blocked on 30-40% of privacy-browser sessions.

Right for: enterprises with dedicated privacy teams and existing contracts where the full GRC suite justifies the cost.

Value for money: 4/10 for SMB. 7/10 for enterprise already contracted.

Pricing: USD 10,000 minimum annual contract.

---

Cookiebot (by Usercentrics)

2M+ websites. Auto-scanning. Google Gold CMP certification. Strong TCF publisher support.

What does not work: doubled from EUR 15 to EUR 30 per domain per month in August 2025. Force-migrated 1-3 domain customers to Medium tier. Trustpilot 2.3/5. Third-party CDN loading, blocked 30-40% of privacy-browser sessions.

Right for: mid-market publishers with complex vendor lists who can absorb the pricing.

Value for money: 6/10 post-price-increase.

Pricing: Premium Small EUR 30/domain/month. Medium EUR 50/domain/month.

---

Usercentrics

Enterprise CMP parent of Cookiebot. Controls approximately 50% of DACH market. Google Gold certification. TCF v2.3 support. In January 2026 acquired MCP Manager for AI governance.

What does not work: enterprise pricing. Third-party CDN loading. Strategic focus shifting toward AI governance.

Right for: large publishers and enterprise brands in German-speaking markets.

Value for money: 7/10 for its segment.

Pricing: Enterprise custom.

---

Didomi

Post-Sourcepoint and Addingwell acquisition: consent, server-side GTM, and data layer infrastructure under one vendor. TCF v2.3 certified ahead of the February 28 deadline. Processes 2 billion consents per month at 99.9999% uptime.

What does not work: USD 2,000-15,000 per year minimum. Enterprise-only. Addingwell server-side integration still roadmap-dependent. Third-party script loading.

Right for: EU publishers and enterprise advertisers needing the deepest TCF v2.3 support.

Value for money: 8/10 for publishers.

Pricing: USD 2,000-15,000/year.

---

Sourcepoint

Acquired by Didomi July 2025. Publisher CMP under Didomi umbrella.

What does not work: acquisition integration ongoing. Not a standalone SMB option.

Right for: premium publishers already on Sourcepoint evaluating the Didomi migration.

Pricing: Enterprise custom via Didomi.

---

Ketch

Modern privacy infrastructure with 1,000+ integrations. Google Silver CMP certification. Free tier up to 5,000 users per month. Closest feature match to OneTrust at a fraction of the cost for mid-market buyers.

What does not work: some technical setup required. Less transparent pricing than SMB tools. Third-party CDN loading.

Right for: mid-market teams needing OneTrust-level features without the USD 10,000 minimum.

Value for money: 8.5/10

Pricing: Free (5,000 users/month). Pro from approximately USD 499/month. Enterprise custom.

---

Iubenda

Privacy compliance suite with CMP, privacy policy, and DPA bundled. team.blue-owned. Acquired CookieFirst in January 2025. Pageview-metered, free tier disables at 1,000 pageviews per month.

What does not work: free tier silent disable at 1K pageviews leaves sites in non-compliance without warning. Pageview metering expensive at high traffic. Third-party CDN loading.

Right for: SMBs wanting consent plus policy generation in one subscription.

Value for money: 7/10

Pricing: Free (1K pv, then disabled). Essentials from EUR 5/month. Advanced from EUR 19/month.

---

CookieYes

Most widely used SMB CMP post-Cookiebot pricing shift. 1M+ active WordPress installs. Per-domain flat pricing until overages. GCM v2. Auto-scan.

What does not work: $0.30/1K pageview overage above plan. Free tier limits to 15K pageviews and 100 pages. Third-party CDN loading.

Right for: single WordPress sites under 50K monthly pageviews.

Value for money: 7/10

Pricing: Free (15K pv, 1 domain). Basic $10/month. Pro $25/month.

---

CookieHub

Session-based pricing eliminates the page-depth penalty. April 2026 repricing eliminated per-session overage fees. Free tier covers 1,000 sessions per month with GCM v2.

What does not work: multi-domain admin cumbersome per G2 reviews. Third-party script loading.

Right for: content-heavy sites where pageview-based pricing is prohibitive.

Value for money: 8/10

Pricing: Free (1,000 sessions/month). Starter EUR 6/month. Business EUR 30/month with TCF.

---

Termly

CMP plus privacy policy, terms of service, and disclaimer templates. Pro+ at $15/month annual uses banner-view counting, not pageview counting.

What does not work: free tier caps at 10,000 banner views with quarterly scans. Third-party script loading.

Right for: freelancers and small teams wanting consent plus legal policy generation at flat predictable pricing.

Value for money: 8/10

Pricing: Free (10K banner views). Starter $10/month. Pro+ $15/month annual.

---

Enzuzo

Flat-rate pricing with no pageview metering on paid plans. Google CMP Gold certification. Starter at $9/month includes DSAR automation. The OneTrust alternative most commonly recommended in r/cipp.

What does not work: limited TCF publisher depth. Third-party CDN loading.

Right for: SMBs wanting predictable flat-rate pricing with DSAR included.

Value for money: 8.5/10

Pricing: Starter $9/month (1 domain). Growth $22/month (4 domains).

---

Borlabs Cookie

WordPress self-hosted CMP. Script loads from your WordPress installation domain. Not blocked by third-party CDN filters. Consent records on your server.

What does not work: WordPress-only. Requires developer comfort. No TCF v2.3 publisher support. Self-hosted means you maintain vendor list updates.

Right for: WordPress developers who want a CMP that loads from their own domain without SaaS dependency.

Value for money: 8/10

Pricing: Single site EUR 39/year.

---

Quantcast Choice

Free TCF v2.3-compliant CMP. Data-for-software exchange with Quantcast measurement. The only free option covering full programmatic compliance.

What does not work: data exchange requires audience privacy review. Third-party script loading.

Right for: publishers running programmatic ads wanting free TCF v2.3 compliance.

Pricing: Free.

---

Osano

US-state-law forward CMP. GDPR plus CCPA, CPRA, Colorado, Virginia, Connecticut. No-fine guarantee covers regulatory defense costs.

What does not work: US law breadth adds complexity for EU-only sites. Third-party script loading.

Right for: US companies with multi-state compliance requirements wanting an OneTrust alternative.

Value for money: 7/10

Pricing: Starter $199/month. Growth $399/month.

---

Secure Privacy

CMP plus cookie audit plus policy generation. Small plan at $14/month.

What does not work: less established than major players. Third-party script loading.

Right for: compliance-focused teams wanting documentation depth at mid-range pricing.

Value for money: 7/10

Pricing: Free (500 consents/month). Small $14/month. Business $49/month.

---

CookieFirst (Iubenda-owned)

team.blue/Iubenda-owned. Cookie scanning, TCF support, GCM v2. EU data storage. Acquired by Iubenda January 2025.

What does not work: acquisition means roadmap under Iubenda control. Third-party script loading.

Right for: EU-based SMBs wanting simple Google-certified consent with EU data residency.

Value for money: 7/10

Pricing: Free (1 domain). Basic EUR 9/month. Plus EUR 19/month.

---

ConsentManager (Iubenda-owned)

Iubenda-owned CMP with TCF publisher focus. Separate product from main Iubenda suite.

What does not work: overlapping positioning with Iubenda. Third-party script loading.

Right for: publishers needing TCF-compliant consent alongside Iubenda support quality.

Value for money: 7/10

Pricing: From EUR 19/month.

---

TrustArc

Enterprise privacy management. Google-certified CMP. Closest feature match to OneTrust for enterprise alternatives.

What does not work: enterprise-only. Not an SMB tool. Third-party script loading.

Right for: enterprises requiring a Google-certified enterprise CMP alternative to OneTrust.

Value for money: 7/10 for enterprise.

Pricing: Enterprise custom.

---

Sirdata

EU publisher CMP with TCF v2.3 and programmatic monetization integrations.

What does not work: publisher-focused, not relevant for DTC advertisers.

Right for: EU publishers with complex IAB vendor list requirements.

Value for money: 7/10

Pricing: Custom.

---

BigID

Enterprise data governance with consent as one module.

What does not work: consent is secondary to data governance. Enterprise-only.

Right for: enterprises managing AI and data governance who need consent in the same platform.

Pricing: Enterprise custom.

---

DataGrail

US-market privacy operations with DSAR automation. G2 4.7/5 across 193 reviews.

What does not work: US-market emphasis over GDPR depth. Not a standalone consent banner.

Right for: US enterprises needing DSAR automation alongside consent.

Pricing: Custom.

---

Transcend

Developer-forward privacy automation covering consent, DSAR, and data inventory.

What does not work: significant implementation complexity. Enterprise pricing.

Right for: engineering-driven enterprises wanting infrastructure-level privacy controls.

Pricing: Enterprise custom.

---

Securiti

Data and AI governance with consent as one module.

What does not work: consent is secondary. Enterprise-only.

Right for: enterprises managing AI governance programs.

Pricing: Enterprise custom.

---

Privado

Privacy-as-code plus CMP. Scans code repositories to map data flows to consent requirements.

What does not work: developer-only. Not for non-technical teams.

Right for: engineering teams wanting automated code-level consent mapping.

Pricing: Custom.

---

Feature comparison

DataCops and Borlabs are the only tools that load from your own domain. DataCops is the only one where server-side consent propagation to CAPI is architectural, not configured.

For a full pricing comparison normalized per 1,000 pageviews across all tiers, the best affordable CMP guide covers the exact cost math at 10K, 100K, and 1M monthly traffic levels.

---

When DataCops is not the right CMP

If you only need a cookie banner with no CAPI stack and no paid ads: DataCops is over-engineered. CookieHub at EUR 6/month or CookieYes free is the right answer.

If you are a publisher running programmatic advertising with complex TCF v2.3 vendor list management: Didomi or Quantcast have publisher depth DataCops does not match.

If you need DSAR automation, ROPA generation, or legal policy templates: Iubenda, Termly, or Enzuzo include those. DataCops does not.

If your organization requires enterprise procurement documentation, Google Gold CMP certification on record, and formal compliance audit trails extending to DSAR and data mapping: OneTrust or TrustArc carry that credential set.

If you run US state law compliance rather than GDPR as your primary concern: Osano or DataGrail are more relevant.

---

Your CMP consent log shows every session where a user made a choice. It shows timestamps, banner versions, accept and reject decisions.

It does not show the 30-40% of sessions where Brave or uBlock blocked the CMP script before it ran. Those sessions made no choice because no banner was shown. Your tags fired on all of them. No record exists.

When a CNIL auditor asks for your consent records from the past 30 days, how many of your actual sessions will be represented in the log you hand them?