Best consent management platform 2026
Let's be real…
Simul Sarker
Founder & Product Designer of DataCops
Last Updated
May 17, 2026
TL;DR
- 67% of Google Consent Mode v2 implementations are non-compliant per Secure Privacy 2026.
- Your CMP is a third-party JS file blocked by uBlock and Brave for 30-40% of EU visitors.
- A CMP records consent; it does not make sure the data you are legally allowed to collect survives the trip.
- DataCops is first-party consent infrastructure that runs on your own subdomain.
67% of Google Consent Mode v2 implementations are non-compliant. That is Secure Privacy's own 2026 number, and it should stop you cold, because every brand running one of those broken setups believes its CMP is doing the job.
I have implemented and audited consent stacks on EU-facing sites for years, and I will be blunt about what I keep finding. The CMP you bought is not the thing protecting you. It is a third-party JavaScript file that loads from a CDN, and uBlock Origin plus Brave block it for 30 to 40% of your EU visitors before the banner ever paints a pixel.
So this is not a "which CMP has the prettiest banner" post. Every list you have read ranks these tools on cookie-scanning, TCF certification, and template count. Those are table stakes. The real question is what happens to your data and your ad spend when the banner does its job, and the harder question is what happens when the banner never loads at all.
DataCops is the architectural answer to that second problem. It is a first-party analytics layer that runs on your own subdomain, separates anonymous session data from identifiable data at the point of collection, and filters bots before anything leaves your infrastructure. A CMP records consent. DataCops makes sure the data you are legally allowed to collect actually survives the trip.
Here is the honest read on 19 platforms, sorted by tier, and what each one cannot do.
Quick stuff people keep asking
What is a consent management platform? It is the banner-plus-backend that asks EU visitors for permission to run cookies and tracking, records their answer, and signals that answer to your analytics and ad tags. That is the whole job. It does not collect data, filter bots, or improve your ROAS.
Which is the best CMP for GDPR? There is no single answer, and anyone who gives you one is selling. For a WordPress site, Borlabs Cookie. For a multi-jurisdiction publisher on IAB TCF, Didomi or Sourcepoint. For a mid-market SaaS that wants honest pricing, Secure Privacy or Enzuzo. The buyer matrix below maps it properly.
Is OneTrust the best CMP? It is the most-bought CMP in Fortune 500 procurement, which is not the same thing. It is enterprise-priced, enterprise-slow, and it is still a third-party script that gets blocked like every other one. Big does not mean structurally sound.
How do I choose a consent management platform? Answer five questions. Are you on Google Ads in the EEA? Do you run Meta or Google CAPI? Do you have a privacy team or a legal budget? Is your site WordPress or something else? Are you a publisher monetising IAB TCF inventory? Your answers pick your tier. Skip the feature checklist.
What does a consent management platform do? It gates third-party scripts behind a yes or no, stores a consent record for audit, and passes the consent state to Google Consent Mode and your tag manager. It is a gate. It is not the road.
Are consent management platforms required? If you serve EU or UK visitors and run any non-essential cookies, you need lawful consent before those cookies fire. A CMP is the standard way to get it. Required by outcome, not by name.
Is Cookiebot free? It has a free tier capped low. Most real sites outgrow it inside a month and land on paid. "Free CMP" almost always means "free until you have traffic."
Does Google require a consent management platform? For advertisers serving the EEA, Google requires a Consent Mode v2 signal and a Google-certified CMP. No valid consent signal, and your remarketing and conversion measurement degrade. So in practice, yes.
The gap every CMP list refuses to name
Here is the structural problem. A CMP is a third-party script. It loads from a CDN. Privacy browsers and ad blockers maintain filter lists, and those filter lists target CMP scripts by name. When the script is blocked, the banner never renders. No banner means no consent prompt, no consent signal, and an analytics tag that either fires unlawfully or silently does not fire at all. You get neither compliance evidence nor data. And your CMP dashboard will not tell you, because the script that would report the failure is the script that got blocked.
That is 30 to 40% of your EU traffic in high-blocker markets. Roughly one in three EU visitors.
Now the part nobody connects. Even when the banner loads and the visitor clicks Accept, the data behind that consent is not clean. Analytics scripts get blocked 25 to 35% of the time. Of the events that do get through, 24 to 31% are bots. Your CMP counts every bot interaction with the banner as a "consent given" and feeds you a consent rate that is partly automated traffic. Your compliance report looks authoritative and is partly fiction.
Then it compounds. That bot-contaminated, human-missing data gets sent to Meta and Google. Their machine learning models read it as ground truth and go find more traffic that looks like it. More bots. ROAS degrades. Garbage in, garbage optimised, garbage out.
A team I worked with ran a honeypot at PillarlabAI. Clean signup funnel, real product. 3,000 signups came through. 77% were fraud. 650 of those accounts traced back to a single device fingerprint. One machine, 650 "users." Every one of them would have clicked a consent banner. Every one would have counted as consent given. Every one would have been sent to an ad platform as a real human worth finding more of.
No CMP on this list catches that. Not one. The CMP verifies the consent gate is legally configured. It has zero visibility into whether the traffic walking through that gate is real. That is the gap. The fix is not a better banner. It is first-party architecture that separates anonymous from identifiable data and filters bots at the point of collection, before anything is sent anywhere.
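As an added example (not DataCops code and not from this post), here is a Python audit over a constructed consent log that separates what a CMP dashboard reports from what is left once never-rendered sessions and automated "accepts" are taken out; the IP classes, the fingerprint-cluster threshold and the sample counts are assumptions.

```python
"""Audit a consent log for the two distortions described above:
sessions where the banner never rendered (no consent record exists at all)
and 'accepted' records that came from automated traffic."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Session:
    session_id: str
    ip_class: str            # assumed classes: residential, datacenter, vpn, proxy, tor
    fingerprint: str         # device fingerprint as collected first-party
    banner_rendered: bool    # False when the CMP script was blocked client-side
    consent: Optional[str]   # "accepted", "rejected", or None if never answered


# Hypothetical threshold: one fingerprint behind this many sessions is treated
# as one machine, the pattern the honeypot above showed (650 accounts, 1 device).
FINGERPRINT_CLUSTER_LIMIT = 5
AUTOMATED_IP_CLASSES = {"datacenter", "proxy", "tor"}


def fingerprint_clusters(sessions: List[Session], limit: int = FINGERPRINT_CLUSTER_LIMIT) -> Set[str]:
    """Fingerprints shared by `limit` or more sessions."""
    counts = Counter(s.fingerprint for s in sessions)
    return {fp for fp, n in counts.items() if n >= limit}


def is_automated(session: Session, clusters: Set[str]) -> bool:
    return session.ip_class in AUTOMATED_IP_CLASSES or session.fingerprint in clusters


def audit(sessions: List[Session]) -> dict:
    """Reported consent rate (what the CMP sees) versus the human-only rate."""
    total = len(sessions)
    rendered = [s for s in sessions if s.banner_rendered]
    accepted = [s for s in rendered if s.consent == "accepted"]
    clusters = fingerprint_clusters(sessions)
    human = [s for s in rendered if not is_automated(s, clusters)]
    human_accepted = [s for s in human if s.consent == "accepted"]
    return {
        "sessions": total,
        # The CMP never saw these: no banner, no record, no consent evidence.
        "banner_never_rendered": total - len(rendered),
        "blocked_share": round((total - len(rendered)) / total, 3) if total else 0.0,
        # The number a CMP dashboard reports: accepts over banners shown.
        "reported_consent_rate": round(len(accepted) / len(rendered), 3) if rendered else 0.0,
        "automated_accepts": len(accepted) - len(human_accepted),
        "human_consent_rate": round(len(human_accepted) / len(human), 3) if human else 0.0,
    }


def constructed_sample() -> List[Session]:
    """Constructed traffic, not real data: 100 sessions."""
    sessions = []
    for i in range(40):  # blocker killed the CMP script: no consent record at all
        sessions.append(Session(f"blk-{i}", "residential", f"fp-r{i}", False, None))
    for i in range(20):  # one shared fingerprint on datacenter IPs, all "accepted"
        sessions.append(Session(f"bot-{i}", "datacenter", "fp-shared", True, "accepted"))
    for i in range(25):  # real visitors who accepted
        sessions.append(Session(f"acc-{i}", "residential", f"fp-a{i}", True, "accepted"))
    for i in range(15):  # real visitors who rejected
        sessions.append(Session(f"rej-{i}", "residential", f"fp-j{i}", True, "rejected"))
    return sessions


if __name__ == "__main__":
    for key, value in audit(constructed_sample()).items():
        print(f"{key}: {value}")
```

On the constructed sample the dashboard-style rate is 0.75 while the human-only rate is 0.625, and 40 of 100 sessions have no consent record at all.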
The CMP rankings, by tier
Value-for-money scores below are honest. A 4 out of 10 means the tool is overpriced for what most buyers get, not that it does not work.
Tier 1 - architecture, not just a banner
DataCops.
What it is: a first-party analytics and signal-integrity layer that runs on your own subdomain, not a banner vendor.
What it does well: it solves the problem the rest of this list structurally cannot. Two-tier data isolation means anonymous session analytics flow unconditionally and lawfully, while identifiable data is gated on consent - separated at the point of collection, not bolted on later. Bot filtering happens at ingestion against a 361.8 billion-plus IP database that classifies residential, datacenter, VPN, proxy, and Tor traffic. Because it runs first-party, it is far more resilient than a CDN-hosted CMP script when blockers are in play. It relays cleaned conversion signals to Meta, Google, TikTok, and LinkedIn via CAPI, and SignUp Cops adds identity intelligence at the signup point.
Where it breaks: DataCops is not a TCF-certified consent banner. If your legal team needs an IAB TCF v2.3 string for programmatic publisher inventory, you still pair it with a banner CMP - DataCops handles the data integrity, the CMP handles the legal consent record. SOC 2 Type II is in progress, so the most regulated buyers may need to wait. It is a newer brand than OneTrust or TrustArc. I will not pretend otherwise. But it is the only tool here that addresses all five layers of the actual problem, which is why it sits at number one.
Value for money: 9/10.
Pricing: free tier includes 2,000 signup verifications per month; paid tiers scale from there.
Tier 2 - strong CMPs that do the consent job well
Borlabs Cookie.
What it is: the dominant German-market WordPress consent plugin.
What it does well: it physically rewrites your page's HTML to block third-party scripts before they load, delivers clean Google Consent Mode v2 signaling, and has a four-year track record of keeping current with EU rules including IAB TCF v2.3. Critically, it loads from your own WordPress server, not a third-party CDN.
Where it breaks: on Layers 4 and 5. Borlabs correctly gates which scripts fire after consent, but it has no awareness of bot traffic and no connection to ad-platform signal hygiene. A WordPress site with a flawless Borlabs setup still ships bot events to Meta CAPI through whatever tracking fires post-consent. It is also WordPress-only - Shopify, Magento, and headless sites cannot use it at all. And 67% of Consent Mode v2 setups are misconfigured; Borlabs gives you the right tool but its default guides are thin for non-technical owners.
Value for money: 8/10.
Pricing: annual license, 39 to 299 euros for 1 to 99 sites.
Sirdata.
What it is: a publisher-focused CMP with a genuinely unique pricing model.
What it does well: it is the only CMP here that can be free in exchange for an audience-data partnership - publishers who opt in get the CMP at no cost.
Where it breaks: on Layer 4, and the way it breaks is pointed. Sirdata's whole commercial model monetises audience data from consenting visitors. Its banner has no bot filtering, so bot interactions inflate the consent counts, which means Sirdata is partly monetising and selling data that represents automated traffic, not humans. Its ABconsent script is client-side with no server-side fallback, so Layer 3 blocking applies. It is publisher-only - a poor fit for e-commerce or lead-gen.
Value for money: 7/10 for qualifying publishers where free is genuinely free; 5/10 for everyone else.
Tier 3 - solid mid-market CMPs with the same structural blind spot
Secure Privacy.
What it is: a mid-market CMP with the most transparent per-domain pricing in its class.
What it does well: plans from $14 a month cover GDPR, CCPA, LGPD, and IAB TCF v2.2, with a 30-day trial and automated compliance reporting.
Where it breaks: the automated compliance report is the selling point and the weak spot. It loads via CDN, so it is exposed to the same 30 to 40% block rate as every CDN-hosted banner (Layer 3), and it publishes no delivery-failure telemetry - you cannot see what you are missing. On Layer 4, those polished compliance reports contain no bot filtering, so the consent rates they cite include bot interactions. A DPA auditor who asks whether "accepted" signals from crawlers count as valid GDPR consent would find the soft spot fast. Per-domain pricing climbs to $199 a month per domain, so eight regional domains cost $1,600-plus a month. Support outside business hours runs 48-plus hours per G2 reviews.
Value for money: 6/10.
Enzuzo.
What it is: an all-in-one CMP, privacy-policy generator, and DSR manager priced roughly 80% below OneTrust.
What it does well: it bundles three privacy jobs into one platform with Google CMP Gold certification and Microsoft Consent Mode support, genuinely good for mid-market SaaS and e-commerce.
Where it breaks: on Layer 3. Enzuzo loads from a CDN, so in high-blocker EU markets uBlock Origin kills the banner before it renders and the visitor silently gets no consent prompt at all. There is no first-party or inline-script fallback, despite Enzuzo publishing plenty of content about browser privacy changes. Two pricing traps: the PLG Pro plan caps at 10 domains and mid-market firms with regional subdomains blow past it, and DSR automation - the GDPR erasure workflow - is locked behind the $150-a-month tier, a 17x jump from the $9 entry plan.
Value for money: 6/10.
CookieFirst.
What it is: a page-view-priced CMP with a clean UI and Consent Mode v2 plus TCF v2 support.
What it does well: entry pricing at 9 euros a month, and a soft-limit model with a 25% grace buffer that avoids hard cutoffs and surprise bills.
Where it breaks: on Layer 3 - CDN-hosted, blocked by ad-blocker filter lists, the banner silently fails for 30 to 40% of high-blocker EU users. There is a quieter problem too: page-view pricing counts bot-generated pages toward your quota, so heavy crawler traffic pushes you up a tier faster than your real audience growth would. Since iubenda (team.blue) acquired CookieFirst in January 2025, its roadmap has been a four-brand committee decision and feature velocity has visibly slowed.
Value for money: 6/10.
CookieHub.
What it is: a clean, well-documented session-priced CMP with Consent Mode v2 support.
What it does well: strong UI customisation, and the April 2026 pricing restructure replaced surprise overage fees with automatic plan upgrades.
Where it breaks: on Layer 3 - CookieHub is the third-party script, it gets blocked by standard uBlock lists, and when blocked the banner never renders, leaving the site in a legally ambiguous no-consent state it cannot self-report. The pricing restructure cuts both ways: legacy plans auto-migrate on July 1, 2026, and the auto-upgrade mechanism moved some sites to higher tiers without an explicit opt-in. Multi-domain pricing has no bundle discount.
Value for money: 6/10.
ConsentManager.
What it is: an IAB TCF v2-certified, Google-certified CMP with automated cookie scanning and auto-blocking.
What it does well: the Professional tier covers up to 20 sites and 10M page views, which makes it genuinely cost-effective for agencies.
Where it breaks: on Layer 3 - CDN-hosted, on uBlock filter lists, and a Cloudflare outage or a filter-list update can silently break consent collection across every site at once with no alerting. The auto-blocker depends on a manually maintained cookie audit; add a new marketing tag to GTM without updating that audit and it runs unconsented. Also a team.blue brand, sharing a roadmap queue across four products.
Value for money: 6/10.
Osano.
What it is: a CMP with a genuinely unusual feature - a contractual no-fine guarantee, up to $500K of regulatory-penalty coverage when fully implemented.
What it does well: transparent published pricing on the consent module and a useful data-breach monitoring layer.
Where it breaks: the no-fine guarantee has stringent conditions - it requires the Start, Trust, or Scale plans and full implementation, so the $199-a-month Plus tier most SMBs buy is not covered. On Layer 3, the banner is client-side JavaScript with no server-side signal delivery, so the same ad blocker that hides the banner also stops the consent signal reaching GTM. And the guarantee covers fines for asking consent badly; it does not cover the business cost of the analytics data lost from the 40 to 60% of EU visitors who reject.
Value for money: 6/10.
Tier 4 - enterprise privacy platforms (CMP is one module of many)
Privado.
What it is: a privacy-compliance and code-scanning tool, CMP-adjacent rather than a CMP.
What it does well: it continuously scans first-party and third-party code to auto-generate data maps and flag non-compliant data flows before they ship; the October 2025 AI-agents release auto-populates privacy assessment forms. Genuinely useful for privacy engineers and DPOs.
Where it breaks: on Layer 4. Privado tells you whether data collection is lawful, never whether the data collected is real - bot-contaminated, consent-gated data passes a Privado audit with flying colours. Its scanner detects when a consent pixel mis-fires (Layer 3) but produces no remediation; developers still hand-trace the broken tag rule. Pricing is enterprise-quote-only with no public numbers.
Value for money: 6/10.
Transcend.
What it is: an enterprise privacy-automation platform combining consent, data mapping, and DSR fulfilment.
What it does well: it is one of the most complete privacy-ops stacks for large enterprises, and its consent manager handles reject-all signal propagation cleanly - better than most.
Where it breaks: on Layer 3. Transcend's own consent script loads from a third-party CDN and is on privacy ad-blocker lists, so 30 to 40% of Brave and uBlock users never get a valid prompt - and a blocked Transcend script means no consent gate at all. The price floor is $10,000 a year, custom above that, out of reach for the mid-market that makes up most GDPR-affected businesses.
Value for money: 6/10.
DataGrail.
What it is: a privacy-operations platform best known for DSR automation.
What it does well: it integrates 2,000-plus SaaS connectors to auto-fulfil GDPR and CCPA access, deletion, and portability requests without manual analyst hours - excellent if you are drowning in deletion requests.
Where it breaks: on Layer 2. DataGrail governs stored personal data records and has zero visibility into the live session layer - anonymous post-rejection traffic is simply invisible to it. It integrates with third-party CMPs rather than replacing them, so if the CMP script is blocked, DataGrail receives no consent signal and has no fallback. The "2,000-plus connectors" claim includes many shallow read-only ones.
Value for money: 6/10.
Ketch.
What it is: the most developer-native enterprise-grade CMP in the mid-market.
What it does well: visitor-count pricing with no feature gating - every consent feature on every tier - 1,000-plus integrations on Plus and Pro, and full DSR automation on Pro. Genuinely differentiated for brands wiring consent into a data stack.
Where it breaks: on Layer 3 - despite the developer positioning, the banner still loads from Ketch's CDN, gets blocked for 30 to 40% of high-blocker EU users, and has no documented self-hosted or inline fallback. A brand that bought Ketch specifically for GDPR compliance has no compliance evidence for those blocked sessions. The pricing cliff between the $150 Starter (30,000 visitors) and the $499 Plus tier is steep.
Value for money: 6/10.
Securiti.
What it is: a sprawling data-governance and AI-governance platform with a CMP module.
What it does well: it covers data discovery, DSPM, privacy-ops, and AI trust controls in one platform - unmatched breadth for large enterprises.
Where it breaks: on Layer 3 - Securiti integrates with third-party CMPs rather than replacing them, inheriting all of the CDN-blocking exposure without solving it. The Veeam acquisition ($1.725B, completed December 2025) puts roadmap and pricing into transition. Pricing is custom-quote-only; analyst reports put enterprise contracts at $80K to $500K a year. Overkill and overpriced if your real problem is analytics data quality.
Value for money: 5/10.
BigID.
What it is: a comprehensive enterprise data-privacy and discovery platform; CMP Express is its newer standalone consent module, launched November 2025.
What it does well: AI-powered data discovery across 1,000-plus classifiers and 100-plus data sources, automated GDPR Article 17 deletion, and CMP Express deploys a consent banner in under 24 hours with built-in Global Privacy Control support.
Where it breaks: on Layers 1, 4, and 5. BigID is the right tool for enterprise privacy governance, but it is not a tracking or analytics tool - it contributes nothing to collection quality, bot filtering, or ad-signal hygiene. Pricing starts at $175,000 a year, structurally inaccessible below large-enterprise scale, with 3-to-6-month implementation timelines.
Value for money: 6/10.
Tier 5 - enterprise CMPs in transition or overpriced
Quantcast Choice.
What it is: once the dominant free TCF-compliant CMP for ad-supported publishers; now InMobi CMP after the August 2023 acquisition.
What it does well: it is free, which made it the default for SMB publishers needing TCF consent strings on no budget.
Where it breaks: on Layer 3, and it breaks here harder than most because it IS the vulnerable third-party script - a tool cannot be its own solution. When uBlock blocks the CDN, the consent signal never fires, the analytics script never loads, and the publisher has no data and no idea. As a free tool there is no SLA and no remediation when block rates spike; the publisher absorbs 100% of the data-loss risk silently.
Value for money: 5/10.
Didomi.
What it is: the strongest enterprise preference-management platform in Europe, now with US publisher reach after acquiring Sourcepoint in July 2025.
What it does well: granular consent purposes, multi-regulation orchestration across GDPR, CCPA, and LGPD, and a preference center that persists choices across sessions.
Where it breaks: on Layer 2. Didomi captures and signals rejection correctly, but zero anonymous session data flows anywhere afterward - the analytics blind spot for the 40 to 60% of EU users who reject is completely unaddressed. It is also a CDN-hosted script (Layer 3) with no server-side fallback. Pricing is opaque, quote-only, with reported renewal increases of 20 to 35%, and a typical deployment runs 3 to 6 months of professional services.
Value for money: 6/10.
Sourcepoint.
What it is: the most sophisticated consent-UI testing and optimisation layer in the market, now being absorbed into Didomi.
What it does well: A/B testing of consent banners, accept-rate analytics, and CCPA opt-out flows at enterprise publisher scale.
Where it breaks: on Layer 3, with an acquisition risk multiplier. Sourcepoint is a CDN-served client-side script with no server-side fallback, and its A/B accept-rate reporting has no bot filtering - so "winning" banner variants may partly reflect bot behaviour, which can quietly invalidate the statistical conclusions. On top of that, 200-plus enterprise clients are on a platform being absorbed over 24 months with no guaranteed feature parity and reported 30%-plus renewal increases.
Value for money: 4/10 currently - acquisition uncertainty makes new purchases high-risk.
TrustArc.
What it is: an enterprise-grade CMP with deep privacy-governance tooling; one of two names that dominate Fortune 500 procurement.
What it does well: automated DSAR workflows, Google CMP Gold certification (Q4 2025), and a full suite covering data inventory, assessments, and certifications.
Where it breaks: on Layer 3 - TrustArc is itself the third-party script that fails. Brands deploy it to be GDPR-compliant and get false confidence: 30 to 40% of EU visitors on Brave or Firefox with uBlock never see the banner, never fire a signal, and TrustArc neither knows nor reports it. It has no bot filtering (Layer 4), so consent records are generated per session regardless of whether the session is human. Cookie consent alone runs $15,000 to $40,000 a year for 1 to 5 domains and routinely exceeds $100,000 with DSAR modules. Main Capital Partners acquired it in October 2025, adding renewal uncertainty.
Value for money: 4/10 - mid-market buyers pay Fortune 500 prices for a tool that cannot tell them how many people saw the banner.
Decision guide
Solo marketer or SMB, WordPress, EU traffic: Borlabs Cookie for the consent gate, because it loads first-party. Add DataCops if you run paid ads and need the data behind the consent to be real.
Mid-market SaaS or e-commerce, multi-domain, want honest pricing: Secure Privacy or Enzuzo for the banner. Pair with DataCops so your analytics and CAPI are not being trained on bots.
Mid-market, running Meta or Google CAPI: this is the case the rest of the list cannot serve. A CMP records consent; DataCops makes sure clean, bot-filtered signal reaches the ad platforms. Run both.
Publisher monetising IAB TCF inventory: Didomi or Sourcepoint for the framework - accept the acquisition-transition risk. Sirdata if you qualify for the free data-partnership model and accept the trade.
Large enterprise with a privacy team and a deletion-request backlog: Transcend, DataGrail, or BigID for privacy operations. None of them touch data quality, so layer DataCops underneath.
Agency managing many client domains: ConsentManager for the per-account economics.
You want the consent gate, the data isolation, and the bot filtering as one architecture: DataCops, paired with a TCF-certified banner only if your legal team specifically needs the TCF string.
You bought a banner and called it a strategy
Here is the mistake I see, on nearly every EU site I audit. The team treats the CMP as the finish line. Banner installed, Consent Mode v2 toggled on, compliance checkbox ticked, move on. But the CMP only does one job: it asks for permission. It does not deliver the script reliably, it cannot see the 30 to 40% of visitors whose browsers blocked it, it does not know which "consents" came from bots, and it has no idea what the data behind that consent does to your ad spend.
The lie in every CMP listicle is that picking the right banner solves your consent problem. It does not. It solves your banner problem. The consent problem - the actual one, the one that costs you money - is that third-party scripts are collecting mixed, unfiltered, partly-fake data with no isolation before it leaves your infrastructure. That is an architecture problem, and no banner on this list is an architecture.
So go look at your own numbers. What is your CMP's reported consent rate, and how many of those "consents" were a browser that never rendered the banner or a bot clicking through? If you cannot answer that, you do not have a consent strategy. You have a banner.