What Makes a Good Consent Management Platform
Key Takeaways
- 01Most CMPs add 200-500ms to page load, costing measurable drops in conversion rate
- 02Enterprise CMPs like OneTrust and TrustArc charge $300-500/mo for features most sites never use
- 03Geo-detection and automatic script blocking are the two features that separate real compliance from checkbox compliance
- 04Free tiers from Cookiebot, CookieYes, and Termly have page limits, view caps, or missing script blocking
- 05ConsentStack blocks scripts before execution and adds under 50ms to page load at $29/mo
1. Does it actually block scripts before consent? 59% of CMPs fail here because they use runtime blocking, locking the door after the burglar is inside. Parse-time blocking catches scripts before execution. Only 2 of the 10 CMPs in this comparison do this.
2. How much does it slow your site? If your CMP adds 200KB+ of JavaScript (OneTrust), injects 48,000 DOM elements (CookieYes), or has a 275ms click-response time (Osano), it's your biggest performance bottleneck.
3. What does it actually cost? Every CMP here is evaluated at 30,000 monthly visitors, 2 domains. We publish the actual number.
4. How many regulations does it cover? GDPR and CCPA are table stakes. What about LGPD, APPI, PIPEDA, PDPA, DPDPA, and the 20 US state privacy laws passed since 2020?
5. How long does setup take? If a CMP requires 13 configuration steps (Ketch) or a 2-4 week onboarding process, the implementation cost dwarfs the subscription fee.
6. Does it default to dark patterns? 72% of EU cookie banners contain at least one dark pattern (noyb 2024). The CMP's defaults reveal its values.
7. Does it signal consent to ad platforms? Google Consent Mode v2, Meta, TikTok, LinkedIn, Pinterest, Microsoft. 67% of GCM v2 setups are misconfigured. Built-in platform adapters eliminate this failure mode.
Learn how script blocking works
The 10 Best Consent Management Platforms in 2026
Modern / Lightweight
1. ConsentStack
Modern, performance-first consent management built for developers.
| Metric | Value |
|---|---|
| SDK size | 30 KB gzipped |
| Pricing | $29/site/mo Pro (30K visitors, 2 domains) |
| Regulations | 195+ (every tier) |
| Script blocking | Parse-time MutationObserver |
| Platform adapters | 7 (Google, Meta, TikTok, Microsoft Advertising, Microsoft Clarity, Pinterest, LinkedIn) |
| Free tier | Full compliance engine (with "Powered by ConsentStack" badge) |
| Setup time | Minutes |
Full disclosure: ConsentStack publishes this article.
Pros: 30 KB SDK gzipped. Parse-time script blocking. Self-serve from sign-up to live. 195+ regulations on every tier. 7 platform adapters on Pro. No dark patterns by design. 900+ tracker patterns auto-classified from open tracker databases. Transparent pricing: $0/$29/$79.
Cons: No TCF 2.0 support (sites needing TCF for programmatic ad bidding cannot use ConsentStack for that purpose). No DSAR workflows. No dedicated support tier.
Best for: Developers and growing companies who want full compliance without enterprise overhead. Try ConsentStack free
2. Transcend
Enterprise-grade network-level privacy layer for Fortune 500 companies.
| Metric | Value |
|---|---|
| SDK size | 54.3KB compressed (airgap.js core) + 342.5KB async UI |
| Pricing | ~$130,818/year average (Vendr) |
| G2 rating | 4.6/5 (112 reviews) |
Pros: Network-level script blocking via airgap.js, the most technically rigorous approach in the industry. Both client-side and backend consent governance. Clean ethical positioning. Strong G2 reviews.
Cons: ~$130K/year average contract. 54.3KB SDK plus 342KB async UI. Aggressive renewal pricing (documented 50% uplift attempts). Multi-session onboarding required.
Best for: Fortune 500 companies with dedicated privacy engineering teams and six-figure compliance budgets.
Established Enterprise
3. OneTrust
Market leader by revenue. Industry leader in complaints.
| Metric | Value |
|---|---|
| SDK size | 184KB+ |
| Median annual spend | $11,500/year (Vendr) |
| LCP impact | 1.43s to 3.61s (DebugBear) |
| Trustpilot rating | 1.5/5 |
Pros: Comprehensive privacy platform (data mapping, DSAR, AI governance). Largest market share. Widest integration ecosystem.
Cons: LCP jumps from 1.43s to 3.61s. Cookie banner was the LCP element for 50% of mobile pageviews in one RUMvision study. $11,500/year median for a 1.5/5 rated product. Honda's $632,500 CPPA settlement specifically named OneTrust as the misconfigured CMP.
"Horrible developer experience. Languages randomly stop updating, settings scattered across multiple parts of system, non-existent support." (Lukas, Trustpilot, Feb 2025)
Best for: Large enterprises (500+ employees) needing the full privacy operations platform. See ConsentStack vs OneTrust
4. TrustArc
The CMP listed on deceptive.design for fake processing delays.
| Metric | Value |
|---|---|
| Pricing | ~$10,000/year minimum |
| Trustpilot rating | 1.9/5 (92% one-star) |
| Opt-out processing delay | 30-60 seconds (artificial) |
Pros: Mid-pack INP (67ms). Established enterprise presence (~1,500 customers).
Cons: Fake 30-60 second opt-out processing delays (accepting is instant; network inspection confirms no actual server communication). Listed on deceptive.design. 1.9/5 Trustpilot with zero positive reviews. $200K FTC settlement in 2014 for fake privacy certifications. RabbitMQ reported consent taking over 2 minutes to load.
Best for: Difficult to recommend. If required by existing vendor relationships, push for contractual guarantees that fake delays will be removed.
5. Ketch
Enterprise data permissioning platform with a steep learning curve.
| Metric | Value |
|---|---|
| SDK size | 20.6KB minified |
| Pricing | $150/mo Starter (30K visitors) |
| Config steps to banner | 13 |
| Proprietary glossary terms | 56+ |
| G2 rating | 4.6/5 (92 reviews) |
Pros: Strong customer support. DSR automation is a genuine differentiator. Comprehensive regulatory coverage. Free tier available (5K visitors).
Cons: 13 configuration steps before a visitor sees your banner. 56+ proprietary terms requiring separate training (Ketch Academy). $150/month for 30K visitors (5.2x ConsentStack). 2-4 week onboarding. Zero organic community presence.
Best for: Enterprises needing DSR automation, data mapping, and AI governance alongside consent management. See ConsentStack pricing
Mid-Market
6. Cookiebot (by Usercentrics)
Scan-based CMP that doubled its prices in 2025.
| Metric | Value |
|---|---|
| SDK size | 34KB synchronous |
| Pricing | ~$34/mo per domain (Premium Medium) |
| DOM nodes injected | 209 (highest benchmarked) |
| Cache TTL | 11 minutes |
Pros: Quick WordPress setup. Google-certified for Consent Mode v2. Decent INP (57ms median).
Cons: Prices roughly doubled in August 2025 (30 days notice). Per-domain billing with no multi-domain discount. 209 DOM nodes (2.5x benchmark average). 11-minute cache TTL. Scanner inflates page counts and auto-upgrades billing.
"Increased the price of our plan by 78.6% out of the blue." (Sam, Trustpilot, Dec 2025)
Best for: WordPress sites needing EU focus and Google CMP certification. See ConsentStack pricing
7. Osano
Compliance-guarantee CMP with the worst click-response times in the industry.
| Metric | Value |
|---|---|
| Pricing | $199/mo (Plus tier, 30K consent views, 2 users, 3 domains) |
| INP (DebugBear, March 2026) | 225ms median, 10th of 11 CMPs |
| Free tier | Notification-only, does not block cookies |
Pros: "No Fines, No Penalties" pledge up to $500K (raised from $200K). Good static performance. 17,200+ customers.
Cons: 225ms median INP, 10th of 11 CMPs in DebugBear's March 2026 update (37.5x slower than Sourcepoint's 6ms). Accept button blocks the main thread for 448ms on the worst-tested site. $199/month Plus tier (nearly 7x ConsentStack at same traffic). Free tier doesn't block cookies, scan, or store consent.
Best for: Companies that value the compliance guarantee over performance and have the $199/month Plus-tier budget.
Budget
8. Termly
Budget consent tool that tanks WordPress performance.
| Metric | Value |
|---|---|
| Pricing | $14-20/mo per site |
| WordPress PageSpeed impact | 30-37 point drop |
| GTM compatibility | Auto Blocker does not work with GTM |
Pros: Affordable. Policy generators included. Google Gold CMP Partner.
Cons: 30-37 PageSpeed point drops on WordPress (Termly support recommended manually installing instead of using their own plugin). Auto Blocker does not work with GTM-deployed scripts. Per-website pricing. Real compliance features gated behind $20/mo Pro+.
Best for: Budget-conscious small sites not using GTM where PageSpeed is not a priority. Learn how script blocking works
9. CookieYes
Budget CMP with catastrophic DOM bloat.
| Metric | Value |
|---|---|
| Pricing | $10-55/mo per domain |
| DOM elements added | 48,000 |
| Mobile LCP | 6.5 seconds |
Pros: Affordable. Generous free tier (5,000 pageviews). Works on any website.
Cons: 48,000 DOM elements injected (Google recommends under 1,500). 6.5-second mobile LCP. Per-domain pricing. No branding removal below $55/month Ultimate plan.
Best for: Simple, low-traffic sites where performance is genuinely not a concern.
10. Complianz
WordPress-only CMP with a strong free tier and an unreliable banner.
| Metric | Value |
|---|---|
| Pricing | $0 (Free, unlimited sites) / $59-399/yr (Premium) |
| Installations | 1 million+ |
Pros: Strong free tier with real functionality and no pageview limits. Widest regulatory coverage among WP plugins.
Cons: Banner sometimes fails to render (a compliance-destroying bug). WordPress-only with zero portability. GTM Consent Mode import deletes all existing tags and variables without warning.
Best for: WordPress sites that will stay on WordPress, with technical ability to verify the banner renders consistently. See ConsentStack pricing
Performance Benchmark Comparison
| CMP | SDK Size | LCP Impact | INP (Median) | DOM Nodes | Script-Blocking Method |
|---|---|---|---|---|---|
| ConsentStack | 30 KB gzipped | Negligible | N/A (pre-launch) | Minimal | Parse-time MutationObserver |
| Transcend | 54.3KB compressed | Low | N/A | N/A | Network-level (airgap.js) |
| OneTrust | 184KB+ | 1.43s to 3.61s | 104ms | N/A | Runtime |
| TrustArc | N/A | 2+ min reported | 67ms | N/A | Runtime + fake delays |
| Ketch | 20.6KB min | Low | N/A | N/A | Smart Tag (defer) |
| Cookiebot | 34KB sync | Moderate | 57ms | 209 | Scanner-based, monthly |
| Osano | Small | Low | 225ms (10th of 11) | Low | Runtime |
| Termly | N/A | 30-37 pts drop | 69ms | N/A | Auto Blocker (breaks GTM) |
| CookieYes | N/A | 6.5s mobile | 81ms | 48,000 | Runtime |
| Complianz | N/A | Varies | N/A | N/A | WordPress hooks |
| Google Funding Choices | N/A | N/A | 468ms (worst of 11) | N/A | Runtime |
Only two CMPs use parse-time script blocking: ConsentStack and Transcend. Every other CMP uses runtime approaches that allow scripts to fire before consent.
See the full Core Web Vitals benchmark
Pricing Comparison (30K visitors, 2 domains)
| CMP | Monthly Price | Free Tier | Sales Call? |
|---|---|---|---|
| ConsentStack | $29 | Full compliance (1K visitors) | No |
| Cookiebot | ~$68 (2 domains) | 50 subpages, 1 domain | No |
| Osano | $199 (Plus) | Banner only, no blocking | No |
| Ketch | $150 | 5K visitors | No (Starter) |
| Termly | $28-40 (2 sites) | 10K banner views | No |
| CookieYes | $20-110 (2 domains) | 5K pageviews | No |
| Complianz | $0-33 (annual) | Full, unlimited sites | No |
| Transcend | ~$10,900 | None | Yes |
| TrustArc | ~$833 | None | Yes |
| OneTrust | ~$300+ | None | Yes |
ConsentStack at $29/month sits in the gap between enterprise ($300-$10,900/mo) and budget ($0-$55/mo), delivering enterprise compliance features without the procurement process. See pricing
Frequently Asked Questions
A consent management platform (CMP) is software that shows a consent banner, blocks tracking scripts until the visitor makes a choice, records their decision, and signals it to ad and analytics platforms. A good CMP handles this across multiple privacy regulations, automatically detecting which rules apply based on visitor location.
If your website has visitors from the EU, UK, Brazil, Canada, or any of the **20 US states** with privacy laws, and you use any tracking technologies, then yes. **Over $1.3 billion in fines** for cookie and consent violations and accelerating. "We didn't know" is not a defense regulators accept.
For 30,000 monthly visitors and 2 domains: **$29-$150/month** for a working CMP with real script blocking. Below $29, you're likely getting a decorative banner. Above $150, you're paying for enterprise features most companies don't need. If a CMP requires a sales call, expect $10,000+/year.
Google's framework for receiving consent signals from your CMP. Without it, your EU Google Analytics data is either non-compliant or nonexistent. With it, Google uses behavioral modeling to fill gaps from users who decline. **67% of setups are misconfigured.** CMPs with built-in adapters (ConsentStack, Cookiebot) handle this automatically.
A technique where the CMP installs a MutationObserver during HTML parsing, before any third-party scripts execute. Scripts are blocked before the browser can fetch or run them. Runtime blocking (the alternative) creates a window where scripts fire before the CMP catches them, which is why 59% of CMP-equipped sites still set cookies before consent. Only ConsentStack and Transcend use parse-time approaches in this comparison.
A basic banner takes a day. Real consent management requires geo-detection across 30+ jurisdictions, regulation-specific models, script blocking, consent storage, GCM v2 signaling, multiple ad platform adapters, and ongoing regulatory updates. Most teams that start custom switch to a CMP within 6 months.
Conclusion
The CMP market splits into enterprise ($300-$10,900/month, weeks of implementation) and budget ($0-$55/month, 30-37 point PageSpeed drops, 48,000 DOM elements, GTM incompatibility). Between these groups: almost nothing.
Every claim in this article comes from DebugBear benchmarks, Agence Web Performance studies, Vendr contract data, Trustpilot reviews, G2 reviews, WordPress.org plugin reports, and regulatory enforcement records.
ConsentStack fills the missing middle: 30 KB SDK, 195+ regulations, parse-time script blocking, 7 platform adapters, $29/site/month Pro pricing. Published on the website, no sales call required. Get started free
Try it free. No credit card. No sales call. No 4-hour setup video. Just compliance that works.
Related reading
- ConsentStack vs Cookiebot
- ConsentStack vs OneTrust
- ConsentStack vs Termly
- ConsentStack vs Osano
- ConsentStack vs TrustArc
- ConsentStack vs Ketch
- Cookie Consent Banners and Core Web Vitals
- GDPR Cookie Consent Requirements
- Compare ConsentStack vs every major CMP
- ConsentStack compliance engine
DebugBear data accurate as of 2026-03-17. CMP performance changes over time; figures will be re-verified each audit pass.