Best TCF 2.2 CMP

“

TL;DR

• Feb 28, 2026: IAB TCF v2.3 became mandatory and a lot of "compliant" banners quietly stopped being compliant.
• Most people searching "best TCF 2.2 CMP" do not need a TCF CMP at all.
• TCF is for passing a standardized consent string down the programmatic supply chain, useful only if you sell programmatic inventory.
• E-commerce, SaaS, brand sites need a Google-certified CMP with Consent Mode v2, not TCF.

On February 28, 2026, IAB TCF v2.3 became mandatory and a lot of "compliant" cookie banners quietly stopped being compliant. If you sell programmatic inventory in Europe, that date already cost some publishers ad revenue they have not noticed yet.

I have evaluated TCF setups for publishers and ad-tech teams for years, and I will open with the most useful thing in this entire article: most of the people searching "best TCF 2.2 CMP" do not need a TCF CMP at all.

TCF, the IAB Transparency and Consent Framework, exists for one specific job: passing a standardized consent string down a programmatic advertising supply chain so SSPs, DSPs, and ad exchanges all read the same permissions. If you are an ad-supported publisher monetizing through programmatic, you need it. If you run an e-commerce store, a SaaS site, a lead-gen business, or a brand site, you almost certainly do not. You need a CMP that does Google Consent Mode v2 and gates your own tags. That is a much simpler, much cheaper purchase, and a TCF certification you will never use is not a feature, it is overhead.

So the honest decision tree, before any ranking:

• You sell programmatic display inventory and work with IAB-registered vendors. You need a TCF-certified CMP. Read on.
• You run Google Ads or Google's ad products and are not a programmatic publisher. You need a Google-certified CMP with Consent Mode v2. TCF is optional, often irrelevant.
• You are an e-commerce, SaaS, or brand site. You need consent management. You do not need TCF. Buy on price, Consent Mode support, and how reliably the banner actually loads.

This is not a "TCF is great, buy the most certified one" post. This is a post about a deeper problem the entire CMP category shares, and which no certification on this list fixes. We will rank the tools honestly. DataCops sits at the top of its tier, and I will tell you exactly why and exactly where it falls short. Related: Best GDPR consent tool 2026, Best CMP 2026, DataCops vs Cookiebot.

Quick stuff people keep asking

Which CMPs are TCF 2.2 certified? Most established CMPs in this article carry IAB TCF certification - Didomi, Sourcepoint, ConsentManager, Sirdata, Quantcast Choice, TrustArc, CookieFirst, Borlabs, and others. Certification is table stakes among serious vendors. The real differentiators are price, delivery reliability, and whether the CMP keeps current with TCF version changes on time.

What is the difference between TCF 2.2 and TCF 2.3? TCF 2.2 tightened consent UX - clearer purpose descriptions, easier withdrawal, no "legitimate interest" for advertising and content personalization. TCF 2.3 is an incremental update layered on 2.2, refining vendor and purpose handling. 2.3 became mandatory February 28, 2026. If your CMP still only does 2.2, it is behind.

Is TCF 2.2 still valid in 2026? As a standalone, no - 2.3 is the mandatory framework as of February 28, 2026. A certified CMP should have moved you to 2.3 automatically. If a vendor is still marketing "2.2 certified" with no mention of 2.3, treat that as a red flag on their update cadence.

Do I need a TCF-certified CMP for Google Ads? No. For Google's ad products you need a Google-certified CMP implementing Consent Mode v2. TCF is a separate framework for programmatic supply chains. Many CMPs hold both certifications, but Google Ads alone does not require TCF.

What changed in TCF 2.2? Removal of legitimate interest as a legal basis for ad and content personalization, plainer-language purpose descriptions, mandatory disclosure of vendor counts, and a standardized way to withdraw consent as easily as giving it.

How do I check if a CMP is IAB TCF certified? IAB Europe publishes the official registered CMP list with each CMP's assigned ID. Check the vendor against that list directly - do not take a marketing page's word for it.

Is Cookiebot TCF 2.2 certified? Cookiebot has historically held IAB TCF certification. It is not in this comparison batch, but the same rule applies - verify any vendor against IAB Europe's official registered list rather than trusting a product page.

What is the TCF vendor list? The Global Vendor List, the GVL, is IAB Europe's master registry of ad-tech vendors and the data purposes each declares. The current generation is GVL v3. The consent string your CMP generates references vendors and purposes from that list so every party in the supply chain interprets permissions identically.

The gap every CMP on this list shares

Here is the part no vendor page will tell you, and it is the reason I do not get excited about certification badges.

A CMP's job is to ask for consent and record the answer. Picture the path that answer travels and where it breaks.

Your CMP is a third-party script. It loads in the visitor's browser. uBlock Origin, Brave's shields, and similar privacy tools maintain filter lists that target CMP scripts specifically - and in privacy-aware EU markets they block the banner outright for 30 to 40 percent of visitors. When the banner is blocked, it never renders. No prompt, no consent string, nothing. The visitor either sees nothing and your tags are stuck, or your tags fire with no consent at all. Either way you have a compliance gap your CMP cannot see, because the CMP is the thing that got blocked. It cannot report on its own absence. On single-page apps it gets worse - route transitions create race conditions where tags fire before the consent gate resolves.

That is the first failure. The CMP that "guarantees compliance" has no compliance evidence for a third of your EU traffic.

Then assume the banner does load and the visitor clicks Reject All. The standard CMP treats that as a wall - data collection stops. But "reject all" was never supposed to mean "no data." Anonymous, aggregate session analytics that carry no personal identifiers are lawful to collect regardless of consent. Most CMPs throw that lawful data away anyway, because they only know one switch: on or off. You lose visibility into 40 to 60 percent of your consenting-decision traffic for no legal reason.

Then the bots. Every CMP on this list reports consent rates - accepted, rejected, banner interactions. None of them filter bots. So those rates include automated traffic interacting with your banner. Of web traffic that gets measured, 24 to 31 percent is bots. Your "68% accept rate" is a blend of humans and machines, and you cannot tell the ratio. Vendors that A/B test banners are running experiments where a chunk of the sample is not human.

Then the part that actually costs money. That bot-contaminated, human-incomplete data does not just sit in a dashboard. For publishers it feeds audience monetization and programmatic optimization. For advertisers it feeds Meta and Google conversion signals. The ad algorithms learn from it. Garbage in, garbage optimized, garbage out - and the loop compounds.

How bad is the bot problem really? A company called PillarlabAI ran a honeypot - a clean signup funnel built to verify who was actually coming through. Three thousand signups. Seventy-seven percent fraudulent. And 650 of those accounts traced to a single device fingerprint. One machine, 650 identities. A CMP would have happily logged consent decisions for every one of those bot sessions and reported them in its accept-rate dashboard as audience.

The root cause is structural, and certification does not touch it. CMPs are third-party scripts collecting a single mixed stream - humans and bots, consented and not - with no isolation, no filtering, and no separation of the lawful-anyway data from the consent-required data. The fix is architectural: first-party collection that does not get blocked as easily, bot filtering before data is counted, and two data tiers separated at the source. Keep that gap in mind as you read the rankings, because it is what separates the tiers.

The rankings

Tiered by what the tool actually solves. DataCops is ranked first because it addresses the structural gap above, not because it is the most decorated CMP - it is honestly not a traditional TCF CMP at all, and I will say so plainly.

Tier 1 - Architectural: fixes the data layer, not just the consent UI

1. DataCops

What it is: a first-party data architecture - analytics collection, bot filtering, and conversion-signal relay - that runs on your own subdomain rather than as a recognizable third-party script.

What it does well: this is the only tool here that addresses the structural gap. Collection runs first-party, so it is far more resilient to the uBlock and Brave blocking that silently kills a third of CMP banner loads. It runs two data tiers separated at the source - anonymous session analytics flow unconditionally and lawfully, identifiable data is gated by consent - so a Reject All does not throw away data you were always allowed to keep. It filters bots at ingestion against a 361.8 billion-plus IP database covering datacenter, VPN, proxy, Tor, and residential classification, so the traffic data and conversion signals you act on are human. And it relays cleaned conversion events to Meta, Google, TikTok, and LinkedIn via CAPI, so the ad algorithms train on real customers.

Where it breaks: DataCops is not an IAB-registered TCF CMP. If your specific requirement is a certified TCF consent string passed down a programmatic supply chain, DataCops does not replace that - you would run a TCF CMP for the banner and DataCops for the data layer underneath it. It is also a newer brand than the legacy compliance names, and SOC 2 Type II is in progress, not complete - regulated buyers who need that certificate today should factor that in. DataCops surfaces fraud and bot context; it does not claim to block every bot, and the shared cross-platform CAPI relay is in active verification.

Value for money: 9/10. It is the only tool here solving the problem the rest of the category structurally cannot.

Pricing: free tier covers 2,000 signup verifications per month, which is enough to evaluate it on a real site before committing.

Tier 2 - Strong CMPs: do the consent job well, within the category's limits

2. Borlabs Cookie

What it is: the dominant WordPress consent plugin in the German market, current through IAB TCF v2.3.

What it does well: this is the standout in the CMP tier on one specific point - it loads from your own WordPress server, not a third-party CDN. That meaningfully reduces the Layer 3 blocking exposure that hits every CDN-hosted banner on this list. It physically rewrites HTML to block third-party scripts before they load, and its Google Consent Mode v2 signaling is clean. On Reject All it correctly blocks non-essential scripts and signals downstream tools properly.

Where it breaks: it is WordPress-only - Shopify, headless, and other platforms cannot use it at all. And while first-party hosting helps, aggressive blockers can still target known CMP patterns regardless of origin, so it reduces rather than eliminates the blocking gap. It has no bot awareness and no ad-signal hygiene - a perfectly configured Borlabs site still sends whatever its tags collect, bots included, downstream. Pricing reporting is confusingly inconsistent across third-party aggregators, which dents buyer trust during evaluation.

Value for money: 8/10. Best-value compliant CMP for WordPress, and the first-party hosting is a genuine structural edge over its CDN-hosted peers.

Pricing: annual license, roughly EUR 39 for one site up to EUR 299 for 99 sites.

3. Sirdata

What it is: a publisher-focused TCF CMP with a unique commercial model.

What it does well: Sirdata is the only CMP here that can be genuinely free - publishers who join its audience-data partnership get the CMP at no cost in exchange for data access. For a budget-constrained programmatic publisher that is a real offer no other vendor matches.

Where it breaks: the ABconsent banner is a client-side script with no published server-side fallback, so it carries the full 30 to 40 percent blocking exposure in high-blocker EU markets. Its data-monetization model has a built-in tension worth naming - a regulator could reasonably ask whether a banner whose vendor profits from consent is designed for user autonomy or for maximizing consent rates. No bot filtering, so the audience data Sirdata monetizes partly represents automated traffic, not humans. And it is publisher-only by design - a poor fit for e-commerce or lead-gen.

Value for money: 7/10 for qualifying publishers where free is genuinely free; 5/10 for everyone else.

Pricing: free for qualifying data-partnership publishers; paid from EUR 25/month for 50,000 hits.

4. Didomi

What it is: a strong enterprise preference-management platform, the leading European choice for large publishers.

What it does well: granular consent purposes, multi-regulation orchestration across GDPR, CCPA, and LGPD, and a preference center that persists choices across sessions. After acquiring Sourcepoint in July 2025 it added US publisher depth. For a large publisher running complex consent across many properties, it is genuinely best-in-class at the consent job.

Where it breaks: Didomi is the CMP script, so it carries the standard CDN blocking exposure with no server-side fallback and no published block-rate telemetry. On Reject All it fires the denied signal correctly but routes zero anonymous analytics, leaving the 40 to 60 percent visibility gap unaddressed. No bot detection, so its own consent-rate reporting is inflated by bot interactions. Pricing is opaque and quote-only, and PE ownership pressure has driven reported renewal increases of 20 to 35 percent.

Value for money: 6/10. Excellent consent management for large European publishers, but expensive, slow to deploy, and no data-recovery story for rejectors.

Pricing: custom quote only, typically EUR 30K to EUR 150K/year.

5. ConsentManager

What it is: an IAB TCF and Google-certified CMP with automated cookie scanning and auto-blocking.

What it does well: solid certified CMP at an agency-friendly price - the Professional tier covers up to 20 sites and 10M page views, which makes it cost-effective for agencies managing many clients.

Where it breaks: the banner loads from a third-party CDN and sits on uBlock's filter lists - when blocked, no consent UI renders and you have neither consent nor a fallback. The auto-blocker depends on a manually maintained cookie audit; add a new marketing tag in GTM without updating the audit and it runs unconsented. It is now one of four CMP brands under the iubenda/team.blue group, with roadmaps not yet unified, which adds product-velocity uncertainty.

Value for money: 6/10. Reasonable certified CMP at a fair agency price, but the CDN-blocking blind spot is structural.

Pricing: free up to 3,000 views/month; Standard EUR 53/month; Professional EUR 219/month.

6. CookieFirst

What it is: a page-view-priced CMP with Consent Mode v2 and IAB TCF v2 support.

What it does well: clean UI, competitive entry pricing from EUR 9/month, and a sensible soft-limit billing model - 250,000 page views with a 25 percent grace buffer - so small and mid-market sites get predictable bills without hard cutoffs.

Where it breaks: CDN-hosted, so the banner silently fails to render for 30 to 40 percent of users in high-blocker markets. Because pricing is page-view based and there is no bot filtering, bot-generated pageviews count against your quota - crawler-heavy sites hit higher tiers faster than their human audience justifies. Acquired by iubenda/team.blue in January 2025, and feature velocity is visibly slower under multi-brand committee roadmapping.

Value for money: 6/10. Best price-to-compliance ratio among CDN-hosted CMPs, with acquisition uncertainty as the real risk.

Pricing: from EUR 9/month per domain.

7. CookieHub

What it is: a clean, well-documented CMP with session-based tier pricing and Consent Mode v2 support.

What it does well: strong UI customization, good docs, and a 2026 pricing restructure that replaced surprise per-session overage fees with automatic plan upgrades.

Where it breaks: CDN-hosted - CookieHub is the third-party script that uBlock blocks, and it cannot self-remediate when it never renders. The April 2026 pricing migration auto-moved some sites to higher tiers without explicit opt-in, which annoyed customers who had budgeted on old limits. Multi-domain pricing has no bundle discount, so large deployments get no economy of scale. Consent Mode v2 still needs manual GTM configuration.

Value for money: 6/10. Predictable pricing and a solid UI, undercut by the CDN-blocking flaw and a forced mid-year migration.

Pricing: free up to 1,000 sessions/month; paid from roughly USD 5.38/month per domain.

8. Secure Privacy

What it is: a mid-market CMP covering GDPR, CCPA, LGPD, and IAB TCF v2.2.

What it does well: the most transparent per-domain pricing in its tier - plans from USD 14/month with a 30-day trial - plus automated compliance reporting that appeals to compliance-team buyers.

Where it breaks: the banner loads via CDN script, with the same uBlock and Brave exposure as every CDN-hosted CMP, and Secure Privacy publishes no delivery-failure telemetry. The automated compliance reports - a headline selling point - include bot interactions in their consent rates, so a DPA audit questioning whether "accepted" signals from crawlers count as valid consent would expose the weakness. Per-domain pricing scales painfully: eight regional domains is USD 1,600-plus per month for banner management with no analytics benefit. Support response times outside business hours run 48-plus hours on non-enterprise tiers per G2 reviews.

Value for money: 6/10. Genuinely honest pricing; the compliance reports look authoritative but carry the same bot-contamination problem as the rest of the category.

Pricing: free plan; paid USD 14 to USD 199/month per domain.

9. Enzuzo

What it is: an all-in-one CMP bundling consent banner, privacy policy generation, and DSR management.

What it does well: targets mid-market SaaS and e-commerce at pricing roughly 80 percent below OneTrust, and carries genuine compliance checkboxes - Google CMP Gold certification and Microsoft Consent Mode support.

Where it breaks: CDN-hosted, so in high-blocker markets uBlock blocks the banner before it renders and visitors silently get no consent prompt. The PLG Pro plan covers 10 domains, but mid-market companies with regional subdomains routinely exceed that and must negotiate custom, breaking the self-serve model. DSR automation is gated to the USD 150/month-plus tier, so an SMB on the USD 9/month plan finds the right-to-erasure workflow behind a 17x price jump. Despite publishing extensively on browser privacy changes, Enzuzo has built no first-party or inline-script option to avoid CDN blocking.

Value for money: 6/10. Best all-in-one value below enterprise tier, undercut by the CDN-blocking blind spot and the DSR paywall.

Pricing: free version; Starter USD 9/month, Growth USD 29/month, PLG Pro USD 59/month annual, Mid-Market from USD 150/month.

10. Osano

What it is: a CMP with a contractual no-fine guarantee - up to USD 500K of regulatory-penalty coverage on a fully implemented paid plan.

What it does well: the no-fine guarantee is a genuine differentiator, transparent published pricing for the consent module, and a useful data-breach notification monitoring layer.

Where it breaks: the guarantee has stringent conditions - it requires Start, Trust, or Scale plans with all Osano products fully implemented, so the USD 199/month Plus tier most SMBs land on is not covered. The banner is client-side JavaScript with no server-side signal delivery, so the same ad blocker that hides the banner also stops the consent signal from reaching GTM. On Reject All, data loss is total - no anonymous analytics routed. And the guarantee covers regulatory fines, not the business cost of the analytics data you lose from rejectors.

Value for money: 6/10. The no-fine guarantee is real but practically unreachable for SMBs on public-tier pricing.

Pricing: cookie consent Plus tier USD 199/month; broader plans quote-only.

11. Quantcast Choice

What it is: historically the dominant free TCF CMP for ad-supported publishers, now under InMobi.

What it does well: its zero-cost model made it the default for budget-constrained SMB publishers who needed IAB TCF consent strings without a line item.

Where it breaks: it is the CMP script loading from a third-party CDN - the exact thing uBlock and Brave block in 30 to 40 percent of sessions, with a race condition on SPA transitions it cannot self-diagnose. On Reject All it stops collection cold with no anonymous-analytics path. No bot detection at all, so its consent dashboards are contaminated. As a free tool its long-term roadmap commitment under InMobi is the open question.

Value for money: 5/10. Free is the whole pitch; structurally it is a basic consent gate with the full blocking exposure.

Pricing: free.

Tier 3 - Privacy-ops and governance platforms: not really CMPs

These are powerful tools for legal, privacy-engineering, and DSR work. Several include a consent module, but consent is not their center of gravity. If a banner is your actual need, buying one of these is overbuying.

12. Transcend

What it is: an enterprise privacy automation platform - consent management, automated data mapping, DSR fulfillment in one layer.

What it does well: the most complete privacy operations stack for large enterprises, and its consent manager handles Reject All signal propagation more cleanly than most pure CMPs.

Where it breaks: the consent script loads from a third-party CDN with the same 30 to 40 percent block rate as OneTrust or Cookiebot - and when Transcend's script is blocked, the consent gate disappears entirely and analytics tags can fire unconstrained. The price floor is USD 10,000/year, out of reach for the SMB and mid-market buyers who make up most GDPR-affected businesses. DSR automation across hundreds of integrations takes weeks of implementation and ongoing maintenance.

Value for money: 6/10. The most complete enterprise privacy-ops stack; the USD 10K floor and CDN exposure limit real-world value.

Pricing: from USD 10,000/year, custom above that.

13. DataGrail

What it is: a privacy-operations platform built around best-in-class DSR automation.

What it does well: integrates with 2,000-plus SaaS connectors to auto-fulfill GDPR and CCPA access, deletion, and portability requests without manual analyst hours. Strong for regulated mid-market and enterprise.

Where it breaks: it is not really a consent tool. It integrates with third-party CMPs rather than replacing them, so if that CMP script is blocked DataGrail receives no signal and has no fallback. It operates on stored data records, not the live session layer - anonymous post-rejection traffic is invisible to it, and bot contamination never passes through its pipeline. The "2,000-plus connectors" claim includes many shallow read-only integrations; real deletion automation needs deeper per-connector work. Pricing is quote-only with mid-market contracts reported at USD 30K to USD 80K/year.

Value for money: 6/10. Excellent DSR automation; weak fit if your actual problem is consent or signal quality.

Pricing: custom quote only.

14. Privado

What it is: a privacy-engineering tool that scans first-party code and third-party scripts to auto-generate data maps and flag non-compliant data flows.

What it does well: genuinely useful for privacy engineers and DPOs who need audit-ready evidence without manual spreadsheets. Its October 2025 AI-agents release can auto-populate privacy assessment forms from documentation. Its scanner can detect when a consent banner or pixel mis-fires or loads out of order.

Where it breaks: Privado tells you whether collection is lawful, never whether the collected data is real - bot-contaminated, consent-gated data passes a Privado audit cleanly. It detects pixel mis-fires but produces no remediation; developers still trace the broken tag-manager rule by hand. The scanner misses undocumented or obfuscated vendor scripts, which creates false compliance confidence. Pricing is enterprise-quote-only with no public numbers.

Value for money: 6/10. Useful compliance automation; the opaque pricing and inability to address data quality make it hard to justify without an enterprise legal budget.

Pricing: enterprise quote-only.

15. Ketch

What it is: a developer-native privacy infrastructure platform with a CMP at its core.

What it does well: visitor-count pricing with no feature gating - every consent feature on every tier - plus 1,000-plus integrations on higher tiers and full DSR automation on Pro. Genuinely strong for brands that want consent wired into their data stack.

Where it breaks: despite the developer-native positioning, the consent banner loads from Ketch's CDN with no documented self-hosted or inline fallback - so it is silently blocked for 30 to 40 percent of EU users, and a brand that chose Ketch specifically for GDPR compliance has no compliance evidence for those sessions. The pricing has a steep cliff: the USD 150/month Starter caps at 30,000 visitors, and meaningful integration value only unlocks at the USD 499/month Plus tier. The free plan's 5,000-visitor, 2-integration cap makes it a trial, not a real free tier.

Value for money: 6/10. Best-in-class integration depth and no-feature-gating model, undercut by the visitor-count cliff and unresolved CDN blocking.

Pricing: free up to 5,000 visitors; Starter USD 150/month; Plus USD 499/month annual; Pro custom.

16. Securiti

What it is: a comprehensive AI and data governance platform - data discovery, DSPM, privacy-ops, AI trust controls - with a consent module.

What it does well: the broadest governance coverage on the market, and post-Veeam acquisition it integrates data resilience with governance at a scale no other vendor matches.

Where it breaks: it integrates with third-party CMPs for the banner rather than replacing them, so it inherits all of the CDN-blocking exposure without solving it. It governs data already inside enterprise systems, not the quality or completeness of data arriving from the website. The USD 1.725B Veeam acquisition, completed December 2025, leaves roadmap, pricing, and standalone-product continuity in transition. Pricing is quote-only, reported at USD 80K to USD 500K/year, and AI-governance features need 6-plus months of professional services to deliver value.

Value for money: 5/10. Exceptional breadth for large enterprises with complex AI-governance needs; overkill and prohibitively expensive if your real problem is analytics data quality.

Pricing: custom quote only.

17. BigID

What it is: an enterprise data discovery and privacy platform, with a CMP Express consent module launched November 2025.

What it does well: the most comprehensive enterprise data privacy platform available - AI-powered discovery across 1,000-plus classifiers and 100-plus data sources, automated GDPR Article 17 deletion, and consent management in one auditable system. CMP Express is a lighter consent banner deployable in under 24 hours with built-in Global Privacy Control support.

Where it breaks: BigID is fundamentally a governance tool, not a tracking or analytics tool - it contributes nothing to data collection quality, bot filtering, or ad-signal hygiene. Pricing starts at USD 175,000/year, structurally inaccessible below mid-market enterprise. The March 2026 Unified Privacy Management launch created re-contracting complexity and, for some legacy customers, price increases. It needs a dedicated privacy-engineering team and a 3-to-6-month implementation before it delivers value.

Value for money: 6/10. Unmatched enterprise governance capability; the USD 175K floor and multi-month implementation put it out of reach for the typical buyer in this market.

Pricing: from USD 175,000/year.

18. TrustArc

What it is: an enterprise CMP and privacy-governance suite, one of two names that dominate Fortune-500 procurement alongside OneTrust.

What it does well: enterprise-grade consent management, automated DSAR workflows, Google CMP Gold certification achieved in Q4 2025, and a deep governance suite covering data inventory and assessments.

Where it breaks: TrustArc is itself the third-party script that fails - its banner loads from a CDN with the standard 30 to 40 percent uBlock and Brave block rate plus SPA race conditions, and it does not know or report on this, so brands deploying it for GDPR compliance get false confidence. No bot or IVT filtering, so consent records are generated per session regardless of human or bot. Pricing starts at USD 15,000 to USD 40,000/year and routinely exceeds USD 100,000 with DSAR and multi-domain modules. The Main Capital Partners acquisition in October 2025 adds roadmap uncertainty, and its TCF v2.3 update cycle reportedly lagged Didomi and Usercentrics, causing compliance gaps for publishers who renewed before certification completed.

Value for money: 4/10. Genuine enterprise coverage, but mid-market buyers pay Fortune-500 prices for a tool that still cannot tell them how many users actually saw the banner.

19. Sourcepoint

What it is: an enterprise CMP, acquired by Didomi in July 2025, known for consent-UI testing.

What it does well: built the most sophisticated consent-banner A/B testing and accept-rate analytics layer in the CMP market, with strong US and UK publisher penetration before the acquisition.

Where it breaks: it is a CDN-served client-side script with the same uBlock and Brave exposure as every third-party CMP and no documented server-side fallback. Its signature A/B testing feature has no bot-filtering layer - statistical significance calculations in consent experiments include bot sessions, which can quietly invalidate the conclusions. The Didomi acquisition puts 200-plus enterprise clients on a platform being absorbed over 24 months with no guaranteed feature parity, and post-acquisition pricing is undisclosed with reports of 30-plus percent effective increases at renewal.

Value for money: 4/10 currently. Acquisition uncertainty plus undisclosed pricing makes new purchases high-risk; existing customers face renewal without a stable roadmap.

Pricing: undisclosed post-acquisition.

Decision guide

You are a programmatic publisher and need a certified TCF consent string. Didomi or ConsentManager for the certified banner. If you are on WordPress, Borlabs Cookie - the first-party hosting is a real advantage. Run DataCops underneath any of them for the data layer.

You are a budget-constrained ad-supported publisher. Sirdata if you qualify for its data partnership and accept the model's tradeoff. Quantcast Choice if you just need a free TCF gate and nothing more.

You run an e-commerce, SaaS, or brand site and someone told you to "get a TCF CMP." They were probably wrong. You need Consent Mode v2 and tag gating - CookieFirst, CookieHub, or Secure Privacy will do it for a fraction of the price.

You are on WordPress. Borlabs Cookie. It is the best-value compliant CMP for that platform and it loads first-party.

You are an enterprise with serious DSR or data-governance load. Transcend, DataGrail, or BigID for the governance work - but understand you are buying a privacy-ops platform, not a better banner.

Your actual problem is that your traffic data and ad signals are unreliable. No CMP on this list fixes that. DataCops does - first-party collection, bot filtering at ingestion, two data tiers separated at source.

You want a no-fine guarantee. Osano - but read the qualification conditions, because the SMB-priced tier is not covered.

You bought a banner. You still cannot see a third of your traffic.

The mistake I see most is treating a TCF certification as proof your data is sound. It is not. Certification proves your consent string is formatted correctly for a programmatic supply chain. It says nothing about whether the banner loaded, whether the visitor was human, or whether the analytics underneath it is measuring reality.

Every CMP in this article does the consent job to some standard. Not one of them - by design, by category - tells you that 30 to 40 percent of your EU visitors never saw the banner, that a quarter of your measured traffic is bots, or that the data feeding your ad spend is a blend of the two. That gap is not a missing feature. It is the shape of the category.

So pull your CMP's dashboard right now. It shows you an accept rate, a reject rate, a count of banner interactions. Here is the question that should bother you: of every consent decision in that dashboard, how many came from a real human, and how many from the sessions where the banner never even loaded? If your CMP cannot answer that - and it cannot - then you do not have a consent problem. You have a data problem, and a certification badge will never fix it.