Best GDPR consent tool 2026


Simul Sarker

Founder & Product Designer of DataCops

Last Updated

May 28, 2026

The American Express fine was not about the banner.

In November 2025, CNIL fined American Express Carte France EUR 1.5M. The banner UI was compliant: visible, symmetric Accept and Reject buttons, clear language. What triggered the fine was simpler and more expensive. Tags kept loading after a user clicked Reject. Tags fired before any choice was made. Tags resumed firing after a user withdrew consent they had previously given.

The banner looked right. The downstream pipeline was broken.

This is the failure mode that most CMP comparison articles do not test, because testing it requires more than looking at the UI. You have to run a network intercept, click Reject, and check whether the Google Ads tag, the Meta Pixel, and your CAPI endpoint stopped receiving data. Most tools pass the banner test and fail the withdrawal test. And CNIL has now demonstrated it will fine EUR 1.5M on that specific failure.

Total GDPR fines have passed EUR 7.1 billion since 2018. CNIL issued 83 sanctions totalling approximately EUR 487M in 2025 alone. The September 2025 Google fine was EUR 325M. Shein: EUR 150M. The enforcement is not theoretical, and it is not slowing down.

Meanwhile, the pricing structure of the CMP market broke apart in the past 12 months. Cookiebot doubled its SMB pricing in August 2025. OneTrust set a USD 10,000 minimum annual contract in Q2 2026. Thousands of mid-market sites are actively shopping. Most comparison articles are still listing prices that no longer exist.

I reviewed 24 GDPR consent tools against the question that matters: can you prove, to a CNIL auditor, that downstream tags stopped firing on withdrawal? Below is the honest read, organized by what each tool actually covers.


Quick answers

Is a GDPR consent tool required?

If you use non-essential cookies or third-party tracking for advertising or analytics, yes. Article 6 requires a documented lawful basis for each processing activity. Legitimate interest does not cover ad targeting after the CJEU Planet49 ruling in 2019 and subsequent enforcement. A consent tool is the practical mechanism for collecting that lawful basis and recording it.

What does GDPR-compliant consent look like?

Under Article 7, the controller must be able to demonstrate consent. That means a timestamped record showing what banner text was displayed, which vendor list version was active, what the user chose, when they chose it, and the withdrawal trail. A cookie in the browser is not evidence. A versioned, server-side log is. Most CMPs claim to produce this. Not all actually do in an auditor-readable format.

What is the withdrawal propagation failure?

The specific mechanism behind the AmEx fine: a user clicks Reject or withdraws previously given consent, and the downstream tags continue to fire anyway. The consent record says no. The tags did not listen. CNIL checks this by running a network intercept after a Reject click and verifying that advertising scripts stop sending data. Tools that do not have server-side enforcement of the consent signal fail this check.

Is implied consent valid under GDPR?

No. Planet49 (CJEU, 2019) confirmed that pre-ticked checkboxes and continued site use do not constitute valid consent. Scrolling, clicking to another page, and closing the banner are explicitly invalid as consent signals.

What is the TCF 2.3 deadline?

February 28, 2026. IAB TCF 2.3 is mandatory for any CMP used on EEA or UK sites running programmatic advertising. CMPs without TCF 2.3 support cause ad requests to default to Limited Ads, with immediate revenue impact and no cure period.

How do you prove consent in an audit?

Produce a consent record with: user identifier, timestamp, banner version, language, vendor list version shown, choice made, and withdrawal event if applicable. What regulators ask for is not the banner screenshot but proof the signal propagated: downstream tags stopped firing on withdrawal. That requires a server-side log linked to the event stream, not just a cookie.

How long must consent records be kept?

The GDPR does not specify an exact period. Article 5(2) accountability requires demonstrating compliance for as long as processing based on that consent continues. DPA enforcement precedent points to three years as a defensible minimum.

Are free GDPR consent tools compliant?

Some are. CookieHub's free tier includes proof of consent and Consent Mode v2. CookieYes free covers 15K pageviews with basic compliance. The question is not cost but whether the tool generates a verifiable audit record, supports TCF 2.3 if you run ads, and propagates withdrawal to downstream tags. Many free tiers skip the last point.


The GDPR article crosswalk

Most CMP comparisons stop at the banner. The audit starts at the article level.

| GDPR Article | Requirement | What your CMP must actually do |
| --- | --- | --- |
| Art. 6 | Lawful basis for each processing purpose | Purpose-to-legal-basis mapping in the CMP config |
| Art. 7 | Demonstrate the data subject consented | Timestamped, versioned consent record with banner text captured |
| Art. 13 | Information at point of collection | Cookie scan and auto-categorized disclosure in the banner |
| Art. 30 | Records of processing activities | Data export for ROPA population, or direct ROPA integration |
| Art. 17 | Right to erasure | Withdrawal signal that stops processing and triggers deletion where possible |

The Art. 7 and Art. 17 intersection is where the AmEx fine lived. Consent captured. Withdrawal not propagated downstream.


Why most CMPs fail the withdrawal test without you knowing

Here is the specific mechanism. Your CMP loads a JavaScript banner from a third-party CDN. The user clicks Accept or Reject. The CMP writes a cookie with the consent signal. Your tag management layer reads that cookie and fires or suppresses tags accordingly.

Three failure points that are invisible in the dashboard.

First: the CMP script never loaded. OneTrust and Cookiebot load from third-party CDNs. uBlock Origin and Brave block those CDNs by name. 30-40% of privacy-conscious sessions never see the banner at all. No consent is recorded. Tags either fire without consent (legal exposure) or do not fire (data loss). The consent log shows nothing. You never see the failure.

Second: the withdrawal signal did not propagate. The cookie was updated to Reject. The Google Ads tag continued firing because the tag implementation reads the cookie asynchronously and the withdrawal update arrived after the tag already triggered for that session.

Third: the consent record is in the browser, not on the server. When an auditor asks for your Article 7 proof, you export a CSV from your CMP. It shows what your tool recorded. It does not show what actually happened to the downstream CAPI event, the Meta Pixel load, or the Google Ads Enhanced Conversion. If those ran after withdrawal, the CMP log is accurate and you are still fined.
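To see the three failure points in a captured session, here is an added example (not from the article or any CMP vendor): it classifies every tracker request in a request log by the consent state in force when the request fired, covering the before-choice and after-reject cases as well as after-withdrawal. The log shape, the tracker host list and the sample entries are assumptions or constructed data; in practice the log would come from a browser automation tool's request events.

```javascript
// Added example (not from the article or any CMP vendor): classify tracker
// requests in a captured request log by the consent state in force when each
// one fired. The log shape, the host list and the entries are assumptions or
// constructed data; capture real logs with a browser automation tool.

// Hosts contacted by common advertising tags. Adjust to the vendors you load.
// A request matches if its hostname equals an entry or is a subdomain of it.
const TRACKER_HOSTS = [
  "googleads.g.doubleclick.net",
  "www.googleadservices.com",
  "www.facebook.com",
  "connect.facebook.net",
];

function isTrackerRequest(url, hosts = TRACKER_HOSTS) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch {
    return false; // unparsable URL: cannot be attributed to a tracker host
  }
  return hosts.some((h) => host === h || host.endsWith("." + h));
}

// Consent state at time ts, given the user's explicit banner actions. There is
// no consent before a choice, and none again after reject or withdraw; the
// state names map onto the three findings in the AmEx case.
function consentStateAt(events, ts) {
  let state = "before-choice";
  for (const ev of events) {
    if (ev.ts > ts) break;
    if (ev.action === "accept") state = "granted";
    else if (ev.action === "reject") state = "after-reject";
    else if (ev.action === "withdraw") state = "after-withdrawal";
  }
  return state;
}

// Every tracker request that fired while consent was not granted.
function auditWithdrawal(requests, consentEvents, hosts = TRACKER_HOSTS) {
  const events = [...consentEvents].sort((a, b) => a.ts - b.ts);
  const violations = [];
  for (const req of requests) {
    if (!isTrackerRequest(req.url, hosts)) continue;
    const state = consentStateAt(events, req.ts);
    if (state !== "granted") violations.push({ ...req, state });
  }
  return violations;
}

// Constructed session (ts in ms from page load): a pixel fires before any
// choice, the user accepts, a conversion fires, the user withdraws, and a
// second pixel call still fires afterwards.
const SAMPLE_EVENTS = [
  { ts: 2000, action: "accept" },
  { ts: 4000, action: "withdraw" },
];
const SAMPLE_REQUESTS = [
  { ts: 500, url: "https://www.example-shop.test/css/site.css" },
  { ts: 900, url: "https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView" },
  { ts: 2500, url: "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/ID_PLACEHOLDER/" },
  { ts: 4300, url: "https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=Purchase" },
  { ts: 4400, url: "https://www.example-shop.test/api/cart" },
];

for (const v of auditWithdrawal(SAMPLE_REQUESTS, SAMPLE_EVENTS)) {
  console.log(`${v.state}: ${v.url} (t=${v.ts}ms)`);
}
```

The constructed session reports two leaks: the PageView call before any choice and the Purchase call after withdrawal, while the conversion sent under an active accept passes.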

The fix requires the consent enforcement to happen at the server layer, not the browser layer. If the consent signal and the CAPI event come from the same server-side pipeline, the audit log can prove not just that consent was captured but that the downstream event was suppressed or permitted at the same moment, by the same system.

This is the DataCops difference for GDPR consent. Not the banner. The provable chain from consent signal to event dispatch.


The tools

DataCops

DataCops is not primarily a CMP. It is the only tool in this comparison where the consent pipeline and the CAPI event pipeline are the same first-party infrastructure.

The CMP loads from datacops.yourdomain.com, your own subdomain. Not from OneTrust's CDN. Not from Cookiebot's CDN. Not on any ad-blocker filter list. The banner loads on every session including the 30-40% where a third-party CMP would have been silently blocked. TCF 2.2 certified. Consent is recorded server-side with timestamp, banner version, vendor list version, and user choice.

When a user clicks Reject, anonymous analytics continue unconditionally because anonymous session data requires no consent in any jurisdiction. Identifiable conversion parameters are suppressed at the server layer before any event reaches Meta CAPI or Google Ads Enhanced Conversions. The consent record and the suppressed CAPI event are the same pipeline. An auditor can trace the withdrawal signal directly to the absent CAPI event. That is Article 7 proof the AmEx architecture could not produce.

Bot filtering runs on the same pipeline before events are counted. First-party analytics on the same subdomain.

What does not work: DataCops is not a standalone CMP for sites that only need a cookie banner without CAPI or analytics. It is not a legal policy generator. No DSAR automation. No ROPA export. SOC 2 Type II in progress.

Right for: performance marketers running paid ads on Meta, Google, TikTok, and LinkedIn who need GDPR consent enforcement with a provable server-side audit trail.

Value for money: 9/10 for the bundle.

Pricing: Free (2,000 sessions/month, CMP included, no CAPI). Growth $7.99/month. Business $49/month: CAPI starts here, all four platforms. Organization $299/month. Enterprise custom.


Cookiebot (by Usercentrics)

The dominant SMB CMP until August 2025. Premium Small doubled from approximately EUR 15 to EUR 30 per domain per month in August 2025. Usercentrics force-migrated one-to-three domain customers from the old Small tier to the new Medium tier. Trustpilot rating sits at 2.3/5 primarily on billing transparency complaints. One reviewer: "Out of nowhere, the price was doubled from EUR 15 to EUR 30 per month. Cookiebot claimed they informed customers via a single email, but I never received it (triple checked)."

What works: auto-scanning, widely deployed (750,000+ sites), strong TCF publisher support, Google-certified CMP. Good compliance depth for mid-market publishers.

What does not work: third-party CDN loading, blocked on 30-40% of privacy-browser sessions. Billing changes without adequate notice are the dominant complaint. No server-side withdrawal propagation proof.

Right for: mid-market publishers with complex vendor lists who can absorb the pricing and need established TCF compliance.

Value for money: 6/10 post-price-increase.

Pricing: Premium Small from EUR 30/domain/month. Medium from EUR 50/domain/month.


OneTrust

The enterprise governance suite. Consent management is one module in a platform that covers DSAR automation, ROPA, vendor risk, and AI governance. Market leader for enterprise compliance programs.

What does not work: minimum annual contract raised to USD 10,000 in Q2 2026 across all tiers. Effectively priced SMBs out of the market in one move. Complex to implement without professional services. No server-side withdrawal propagation as standard. Third-party CDN loading subject to the same blocker problem.

Right for: enterprises with dedicated privacy operations teams who need the full GRC suite, not just a consent banner.

Value for money: 5/10 for the SMB buyer who just needs GDPR consent. 8/10 for enterprises already on the platform.

Pricing: USD 10,000 minimum annual contract.


Usercentrics

The enterprise parent of Cookiebot. Controls approximately 50% of the DACH CMP market post-Cookiebot merger. Enterprise pricing and capabilities. Opened NYC office for US expansion. Strong TCF support and publisher ad-tech integrations.

What does not work: enterprise pricing and complexity. Not the right tool for an SMB that just needs a banner. Third-party script loading subject to blocker exposure.

Right for: large publishers, media groups, and enterprises with complex consent workflows across multiple domains and languages.

Value for money: 7/10 for its target segment.

Pricing: Enterprise custom.


Didomi

Post-Sourcepoint and Addingwell acquisition, Didomi is the most vertically integrated CMP in the market: consent management plus server-side GTM plus the data layer infrastructure Addingwell built. TCF 2.3 certified ahead of the February 28, 2026 deadline.

What does not work: USD 2,000-15,000 per year pricing depending on traffic and domains. Enterprise-only in practice. The Addingwell sGTM integration is powerful but still roadmap-dependent as of mid-2026. Third-party script loading.

Right for: EU publishers and large advertisers who want CMP plus server-side infrastructure under one contract.

Value for money: 8/10 for the target enterprise buyer.

Pricing: USD 2,000-15,000/year depending on traffic and domains.


Sourcepoint

Acquired by Didomi in July 2025. Publisher-focused consent management with strong premium ad-tech integrations. Now operating under the Didomi umbrella.

What does not work: acquisition integration still ongoing as of mid-2026. Pricing and roadmap direction under Didomi. Not a standalone SMB option.

Right for: premium publishers already on Sourcepoint who are evaluating the Didomi migration path.

Pricing: Enterprise custom via Didomi.


Iubenda

Privacy compliance suite bundling cookie consent, privacy policy generation, and DPA generation. G2 reviews consistently praise responsive support and clear SMB UX. team.blue-owned.

What does not work: limited TCF publisher depth compared to Didomi or Usercentrics. No server-side withdrawal propagation. Third-party CDN loading.

Right for: SMBs and freelancers who want consent plus privacy policy generation in one subscription.

Value for money: 7.5/10

Pricing: From EUR 27/year for a single domain. Advanced plan from EUR 79/year.


ConsentManager (by Iubenda)

Iubenda-owned CMP with strong TCF support and publisher focus. Separate product from the main Iubenda suite.

What does not work: overlapping product positioning with Iubenda itself creates confusion about which product to choose. Third-party script loading.

Right for: publishers who need TCF-compliant consent with Iubenda's support quality.

Value for money: 7/10

Pricing: From approximately EUR 19/month.


CookieYes

Free tier with 15K pageviews per month, one domain, auto-scan. Native WordPress plugin with over one million active installs. Per-domain pricing is the ceiling issue: agencies pay $10/month Pro times the number of domains.

What does not work: no DSAR automation or API access on lower tiers. Per-domain pricing is expensive at scale. Third-party script loading.

Right for: single WordPress sites wanting free or low-cost GDPR compliance with an established plugin.

Value for money: 7/10 for single domains.

Pricing: Free for 15K pageviews/month per domain. Pro from $10/month per domain.


CookieHub

Session-based pricing instead of pageview metering. A visitor browsing 30 pages counts as one session. For content-heavy sites this is significantly cheaper than Cookiebot's per-pageview model. Free tier covers 1,000 sessions per month with proof of consent and Consent Mode v2.

What does not work: multi-domain administration is cumbersome per G2 reviews. No A/B testing on consent UI. Third-party script loading.

Right for: content-heavy sites where pageview-based pricing is prohibitive.

Value for money: 8/10 for the pricing model.

Pricing: Free for 1,000 sessions/month. Starter from $7/month.


Termly

Bundles legal policy generation (privacy policy, terms of service, disclaimer) with the CMP. Useful for freelancers who want one vendor for the full compliance stack.

What does not work: free and Starter tiers cap policy edits and scan frequency, pushing upgrade faster than expected. Multi-site agencies pay per domain. Third-party script loading.

Right for: freelancers and small teams wanting consent plus legal policy generation under one subscription.

Value for money: 7/10

Pricing: Starter $10/month, Pro+ $15/month.


Borlabs Cookie

WordPress-specific CMP. The WordPress CMP that most developers cite when asked for a self-hosted, privacy-respecting option. Self-hosted means the consent record stays on your server.

What does not work: WordPress-only. Requires developer comfort with configuration. No TCF publisher support. Self-hosting means you own the infrastructure maintenance.

Right for: WordPress developers who want self-hosted consent records without a SaaS subscription.

Value for money: 8/10 for the target use case.

Pricing: From EUR 39/year per domain.


Osano

US-state-law forward CMP covering CCPA, CPRA, Colorado, Virginia, and Connecticut alongside GDPR. Markets a "no-fine guarantee" though the guarantee covers regulatory defense costs, not the fine itself.

What does not work: breadth across US state laws adds complexity that EU-only sites do not need. No server-side withdrawal propagation as standard. Third-party script loading.

Right for: US companies with cross-jurisdiction compliance needs across GDPR and US state privacy laws.

Value for money: 7/10 for US-cross-jurisdiction buyers.

Pricing: Starter from $199/month. Growth from $399/month.


Secure Privacy

CMP plus cookie audit plus privacy policy generation. Positions on automation and compliance documentation depth.

What does not work: less established than OneTrust or Cookiebot. Documentation depth requires time investment to configure correctly. Third-party script loading.

Right for: compliance-focused teams who want documentation depth alongside the consent banner.

Value for money: 7/10

Pricing: Starter from $9/month. Pro from $35/month.


Enzuzo

CMP plus privacy policy generation. SMB-friendly pricing and US-market focus. Well-known for its comparative content on OneTrust and Cookiebot alternatives.

What does not work: limited TCF publisher depth. No server-side withdrawal propagation. Third-party script loading.

Right for: SMBs looking for OneTrust or Cookiebot alternatives at lower price points.

Value for money: 7.5/10

Pricing: Starter from $29/month.


TrustArc

Enterprise privacy management platform. Explicitly markets as a Google-certified CMP for EU consent changes. Enterprise-only in practice.

What does not work: not an SMB option. Complex implementation without professional services. Third-party script loading.

Right for: enterprises with existing TrustArc contracts or requiring Google-certified CMP status documentation.

Value for money: 6/10 outside enterprise.

Pricing: Enterprise custom.


Quantcast Choice

Free TCF-compliant CMP from the programmatic advertising company. Free in exchange for Quantcast collecting measurement data.

What does not work: the data-for-software trade-off requires review depending on your audience's privacy expectations. Limited configuration for non-programmatic sites.

Right for: publishers running programmatic ads who want a free TCF-compliant banner and are comfortable with the Quantcast measurement exchange.

Pricing: Free.


Sirdata

CMP for publishers with strong TCF 2.3 support and publisher-side monetization integrations. EU-based.

What does not work: publisher-focused, less relevant for direct-to-consumer advertisers without complex vendor lists.

Right for: EU publishers with complex IAB vendor list management requirements.

Value for money: 7/10

Pricing: Custom.


CookieFirst (team.blue)

team.blue-owned CMP. Cookie scanning, TCF support, Consent Mode v2. EU data storage.

What does not work: third-party script loading. Limited differentiation from other team.blue products; Iubenda and CookieFirst overlap in positioning.

Right for: EU-based SMBs wanting a simple compliant banner with EU data residency.

Value for money: 7/10

Pricing: From EUR 7/month.


Ketch

Privacy infrastructure platform covering consent, data discovery, and privacy-as-code workflows. Developer-first architecture.

What does not work: developer setup required. Enterprise pricing. Not a self-serve banner tool.

Right for: engineering-driven teams who want consent integrated into their data infrastructure rather than managed as a separate front-end tool.

Value for money: 7/10 for the target technical buyer.

Pricing: Enterprise custom.


Privado

Privacy-as-code plus CMP. Scans code repositories to identify data flows and maps them to consent requirements automatically.

What does not work: developer-only tool. Significant setup investment. Not useful for non-technical compliance teams.

Right for: engineering teams who want automated code-level consent mapping alongside the banner.

Pricing: Custom.


Transcend

Privacy compliance automation covering consent, DSAR, and data inventory. Developer-forward.

What does not work: significant implementation complexity. Enterprise pricing. Overkill for a site that needs a banner.

Right for: engineering-driven enterprises who want unified consent and data subject rights automation.

Pricing: Enterprise custom.


BigID

Data discovery and privacy operations platform. Consent management is one module in a data governance suite.

What does not work: primarily a data governance tool, not a consent banner tool. Enterprise-only. Setup complexity.

Right for: enterprises that need consent management as part of a broader data governance program covering data mapping, discovery, and classification.

Pricing: Enterprise custom.


DataGrail

Privacy operations platform covering DSAR automation and consent management. US-market focused.

What does not work: US privacy law emphasis over GDPR depth. Enterprise pricing. Not a standalone consent banner.

Right for: US enterprises needing integrated DSAR automation alongside consent.

Pricing: Enterprise custom.


Securiti

Data and AI governance platform with consent management as one module. Enterprise-only. Strong on AI governance, data classification, and consent orchestration for complex environments. G2 reviews rate it 4.8/5 on quality of support.

What does not work: consent is secondary to the data governance use case. Enterprise complexity and pricing. Third-party script loading.

Right for: enterprises managing AI governance and data classification who need consent as part of that broader program.

Pricing: Enterprise custom.


MineOS

The Silicon Valley mid-market favourite for privacy operations. 4.8/5 on G2 across 222 reviews, outscoring most enterprise competitors on ease of use and setup. No-code DSAR automation, consent management, data inventory, and data mapping without engineering resources. The Radar tool identifies products and sites processing end-user data across the organization. Used heavily by US tech companies and startups who need a modern privacy program without a large legal team.

What does not work: US-market focus means GDPR depth is adequate but not as deep as Didomi or Usercentrics for complex European publisher use cases. No TCF publisher support. No server-side withdrawal propagation. Pricing not publicly disclosed.

Right for: US mid-market tech companies and startups wanting modern privacy operations (DSAR automation, consent, data mapping) in one no-code platform.

Value for money: 8/10 for US mid-market.

Pricing: Custom. Free trial available.


Collibra Data Privacy

Enterprise data governance platform with privacy as a module inside a broader data intelligence suite. Used by the Global 2000. Visual data mapping shows exactly how sensitive information flows through the organization. Role-based views limit data exposure per team. The strongest option for organizations with complex, siloed data environments where consent is one piece of a larger data governance program.

What does not work: data governance is the primary product, consent management is secondary. Significant implementation effort. Not a self-serve consent banner. Third-party script loading.

Right for: Fortune 500 enterprises already using Collibra for data cataloging who want consent management in the same governance layer.

Value for money: 7/10 for its specific segment.

Pricing: Enterprise custom.


Feature comparison

| Tool | First-party load | Server-side withdrawal proof | TCF 2.3 | Consent Mode v2 | CAPI integration | Free tier | Entry price |
| --- | --- | --- | --- | --- | --- | --- | --- |
| DataCops | Yes (your CNAME) | Yes (same pipeline as CAPI) | Yes (TCF 2.2) | Yes | Yes (4 platforms) | Yes | $7.99/mo |
| Cookiebot | No | No | Yes | Yes | No | No | EUR 30/domain/mo |
| OneTrust | No | No | Yes | Yes | No | No | USD 10,000/yr |
| Didomi | No | No | Yes | Yes | Via Addingwell | No | USD 2,000+/yr |
| Iubenda | No | No | Partial | Yes | No | No | EUR 27/yr |
| CookieYes | No | No | No | Yes | No | Yes (15K pv) | $10/mo/domain |
| CookieHub | No | No | No | Yes | No | Yes (1K sessions) | $7/mo |
| Borlabs | Self-hosted | Self-hosted | No | Yes | No | No | EUR 39/yr |
| Quantcast | No | No | Yes | Yes | No | Yes | Free |
| Termly | No | No | No | Yes | No | No | $10/mo |
| Osano | No | No | No | Yes | No | No | $199/mo |
| TrustArc | No | No | Yes | Yes | No | No | Enterprise |
| Usercentrics | No | No | Yes | Yes | No | No | Enterprise |

DataCops is the only tool where the consent load, the consent record, and the downstream CAPI event suppression all run on the same first-party pipeline.


Decision matrix

Single WordPress site, no paid ads, budget under EUR 50/year: Borlabs at EUR 39/year for self-hosted consent records. CookieYes free for lowest friction.

SMB with paid ads on Meta and Google, EU traffic significant: DataCops Business at $49/month. First-party CMP loads on every session including blocked ones. Consent enforced server-side before CAPI events fire. ROAS signals stay clean on consented traffic.

Publisher running programmatic advertising, TCF 2.3 required: Quantcast Choice (free, TCF 2.3 native) or Didomi at the enterprise tier. DataCops is not a publisher-grade TCF implementation.

Mid-market migrating from Cookiebot after the price doubling: CookieHub for the session-based pricing advantage. DataCops if paid media CAPI signal quality is also a concern.

Enterprise, DSAR automation and ROPA also required: OneTrust, Didomi, or Transcend. DataCops does not do DSAR automation or ROPA export.

EU brand, Google Consent Mode v2 mandatory (June 15, 2026 deadline): any tool in the table with Consent Mode v2 support. DataCops includes it. For a standalone banner only, CookieHub or CookieYes is cheaper.


When DataCops is not the right GDPR consent tool

If you only need a cookie banner and have no paid ads running CAPI, DataCops is over-engineered for the use case. CookieHub, CookieYes, or Borlabs are simpler and cheaper.

If you are a publisher running programmatic advertising with complex IAB vendor list management, Didomi or Usercentrics have TCF publisher depth that DataCops does not match.

If you need DSAR automation, ROPA generation, or legal policy templates bundled with your consent tool, Iubenda, Termly, or Transcend cover those. DataCops does not.

If your organization requires a Google-certified CMP with formal documentation for compliance reporting, TrustArc or OneTrust carry that certification with the enterprise paper trail. DataCops is completing SOC 2 Type II.

If you run a US-only operation with CCPA as the primary concern rather than GDPR, Osano's multi-state US law coverage is more relevant than DataCops' TCF 2.2 focus.


The AmEx banner passed every visual audit. The banner looked right. The tags kept firing after Reject.

CNIL checked the network traffic, not the screenshot. EUR 1.5M fine on the gap between what the consent record claimed and what the downstream pipeline actually did.

Your CMP has a consent log. It records every Accept and Reject. What it probably does not have is server-side proof that your Meta Pixel and Google Ads tags stopped receiving data at the exact moment that Reject was logged.

If a CNIL auditor ran a network intercept on your site today and clicked Reject, how many events would they see fire into your ad platforms in the next 30 seconds?

