Key Takeaways
- Most CMPs add 200-500ms to page load, costing measurable drops in conversion rate
- Enterprise CMPs like OneTrust and TrustArc charge $300-500/mo for features most sites never use
- Geo-detection and automatic script blocking are the two features that separate real compliance from checkbox compliance
- Free tiers from Cookiebot, CookieYes, and Termly have page limits, view caps, or missing script blocking
- ConsentStack blocks scripts before execution and adds under 50ms to page load at $29/mo
What Makes a Good Consent Management Platform
1. Does it actually block scripts before consent? 59% of CMPs fail here because they use runtime blocking, locking the door after the burglar is inside. Parse-time blocking catches scripts before execution. Only 2 of the 10 CMPs in this comparison do this.
2. How much does it slow your site? If your CMP adds 200KB+ of JavaScript (OneTrust), injects 48,000 DOM elements (CookieYes), or has a 275ms click-response time (Osano), it's your biggest performance bottleneck.
3. What does it actually cost? Every CMP here is evaluated at 30,000 monthly visitors, 2 domains. We publish the actual number.
4. How many regulations does it cover? GDPR and CCPA are table stakes. What about LGPD, APPI, PIPEDA, PDPA, DPDPA, and the 19 US state privacy laws passed since 2020?
5. How long does setup take? If a CMP requires 13 configuration steps (Ketch) or a 2-4 week onboarding process, the implementation cost dwarfs the subscription fee.
6. Does it default to dark patterns? 72% of EU cookie banners contain at least one dark pattern (noyb 2024). The CMP's defaults reveal its values.
7. Does it signal consent to ad platforms? Google Consent Mode v2, Meta, TikTok, LinkedIn, Pinterest, Microsoft. 67% of GCM v2 setups are misconfigured. Built-in platform adapters eliminate this failure mode.
Learn how script blocking works
The 10 Best Consent Management Platforms in 2026
Modern / Lightweight
1. ConsentStack
Modern, performance-first consent management built for developers.
| Metric | Value |
|---|---|
| SDK size | <10KB gzipped |
| Pricing | $29/mo Pro (30K visitors, 2 domains) |
| Regulations | 32 |
| Script blocking | Parse-time MutationObserver |
| Platform adapters | 6 (Google, Meta, TikTok, Microsoft, Pinterest, LinkedIn) |
| Free tier | Full compliance engine |
| Setup time | Minutes |
Full disclosure: ConsentStack publishes this article.
Pros: <10KB SDK (20x smaller than OneTrust). Parse-time script blocking. Self-serve from sign-up to live. 32 regulations on every tier. 6 platform adapters on Pro. No dark patterns by design. 6,592 tracker domains auto-classified. Transparent pricing: $0/$29/$59.
Cons: Pre-launch (no years of enterprise track record). No TCF 2.0 yet (on roadmap; worth noting the Belgian DPA found IAB TCF itself violates GDPR). No DSAR workflows. No dedicated support tier.
Best for: Developers and growing companies who want full compliance without enterprise overhead. Try ConsentStack free
2. Transcend
Enterprise-grade network-level privacy layer for Fortune 500 companies.
| Metric | Value |
|---|---|
| SDK size | 54.3KB compressed (airgap.js core) + 342.5KB async UI |
| Pricing | ~$130,818/year average (Vendr) |
| G2 rating | 4.6/5 (112 reviews) |
Pros: Network-level script blocking via airgap.js, the most technically rigorous approach in the industry. Both client-side and backend consent governance. Clean ethical positioning. Strong G2 reviews.
Cons: ~$130K/year average contract. 54.3KB SDK plus 342KB async UI. Aggressive renewal pricing (documented 50% uplift attempts). Multi-session onboarding required.
Best for: Fortune 500 companies with dedicated privacy engineering teams and six-figure compliance budgets.
Established Enterprise
3. OneTrust
Market leader by revenue. Industry leader in complaints.
| Metric | Value |
|---|---|
| SDK size | 184KB+ |
| Median annual spend | $11,500/year (Vendr) |
| LCP impact | 1.43s to 3.61s (DebugBear) |
| Trustpilot rating | 1.5/5 |
Pros: Comprehensive privacy platform (data mapping, DSAR, AI governance). Largest market share. Widest integration ecosystem.
Cons: LCP jumps from 1.43s to 3.61s. Cookie banner was the LCP element for 50% of mobile pageviews in one RUMvision study. $11,500/year median for a 1.5/5 rated product. Honda's $632,000 CPPA settlement specifically named OneTrust as the misconfigured CMP.
"Horrible developer experience. Languages randomly stop updating, settings scattered across multiple parts of system, non-existent support." -- Lukas, Trustpilot, Feb 2025
Best for: Large enterprises (500+ employees) needing the full privacy operations platform. See our OneTrust alternative comparison
4. TrustArc
The CMP listed on deceptive.design for fake processing delays.
| Metric | Value |
|---|---|
| Pricing | ~$10,000/year minimum |
| Trustpilot rating | 1.9/5 (92% one-star) |
| Opt-out processing delay | 30-60 seconds (artificial) |
Pros: Mid-pack INP (67ms). Established enterprise presence (~1,500 customers).
Cons: Fake 30-60 second opt-out processing delays (accepting is instant; network inspection confirms no actual server communication). Listed on deceptive.design. 1.9/5 Trustpilot with zero positive reviews. $200K FTC settlement in 2014 for fake privacy certifications. RabbitMQ reported consent taking over 2 minutes to load.
Best for: Difficult to recommend. If required by existing vendor relationships, push for contractual guarantees that fake delays will be removed.
5. Ketch
Enterprise data permissioning platform with a steep learning curve.
| Metric | Value |
|---|---|
| SDK size | 20.6KB minified |
| Pricing | $150/mo Starter (30K visitors) |
| Config steps to banner | 13 |
| Proprietary glossary terms | 56+ |
| G2 rating | 4.6/5 (92 reviews) |
Pros: Strong customer support. DSR automation is a genuine differentiator. Comprehensive regulatory coverage. Free tier available (5K visitors).
Cons: 13 configuration steps before a visitor sees your banner. 56+ proprietary terms requiring separate training (Ketch Academy). $150/month for 30K visitors (5.2x ConsentStack). 2-4 week onboarding. Zero organic community presence.
Best for: Enterprises needing DSR automation, data mapping, and AI governance alongside consent management. See ConsentStack pricing
Mid-Market
6. Cookiebot (by Usercentrics)
Scan-based CMP that doubled its prices in 2025.
| Metric | Value |
|---|---|
| SDK size | 34KB synchronous |
| Pricing | ~$37/mo per domain |
| DOM nodes injected | 209 (highest benchmarked) |
| Cache TTL | 11 minutes |
Pros: Quick WordPress setup. Google-certified for Consent Mode v2. Decent INP (57ms median).
Cons: Prices roughly doubled in August 2025 (30 days notice). Per-domain billing with no multi-domain discount. 209 DOM nodes (2.5x benchmark average). 11-minute cache TTL. Scanner inflates page counts and auto-upgrades billing.
"Increased the price of our plan by 78.6% out of the blue." -- Sam, Trustpilot, Dec 2025
Best for: WordPress sites needing EU focus and Google CMP certification. See ConsentStack pricing
7. Osano
Compliance-guarantee CMP with the worst click-response times in the industry.
| Metric | Value |
|---|---|
| Pricing | $99/mo (Business, 30K consent views, 2 domains) |
| INP (DebugBear) | 275ms median, dead last of 9 CMPs |
| Free tier | Notification-only, does not block cookies |
Pros: "No Fines, No Penalties" pledge up to $200K. Good static performance. 17,200+ customers.
Cons: 275ms median INP (45x slower than Sourcepoint's 6ms). Accept button blocks the main thread for 448ms. $99/month (3.4x ConsentStack at same traffic). Free tier doesn't block cookies, scan, or store consent.
Best for: Companies that value the compliance guarantee over performance and have the $99/month budget.
Budget
8. Termly
Budget consent tool that tanks WordPress performance.
| Metric | Value |
|---|---|
| Pricing | $14-20/mo per site |
| WordPress PageSpeed impact | 30-37 point drop |
| GTM compatibility | Auto Blocker does not work with GTM |
Pros: Affordable. Policy generators included. Google Gold CMP Partner.
Cons: 30-37 PageSpeed point drops on WordPress (Termly support recommended manually installing instead of using their own plugin). Auto Blocker does not work with GTM-deployed scripts. Per-website pricing. Real compliance features gated behind $20/mo Pro+.
Best for: Budget-conscious small sites not using GTM where PageSpeed is not a priority. Learn how script blocking works
9. CookieYes
Budget CMP with catastrophic DOM bloat.
| Metric | Value |
|---|---|
| Pricing | $10-55/mo per domain |
| DOM elements added | 48,000 |
| Mobile LCP | 6.5 seconds |
Pros: Affordable. Generous free tier (5,000 pageviews). Works on any website.
Cons: 48,000 DOM elements injected (Google recommends under 1,500). 6.5-second mobile LCP. Per-domain pricing. No branding removal below $55/month Ultimate plan.
Best for: Simple, low-traffic sites where performance is genuinely not a concern.
10. Complianz
WordPress-only CMP with a strong free tier and an unreliable banner.
| Metric | Value |
|---|---|
| Pricing | $0 (Free, unlimited sites) / $59-399/yr (Premium) |
| Installations | 1 million+ |
Pros: Strong free tier with real functionality and no pageview limits. Widest regulatory coverage among WP plugins.
Cons: Banner sometimes fails to render (a compliance-destroying bug). WordPress-only with zero portability. GTM Consent Mode import deletes all existing tags and variables without warning.
Best for: WordPress sites that will stay on WordPress, with technical ability to verify the banner renders consistently. See ConsentStack pricing
Performance Benchmark Comparison
| CMP | SDK Size | LCP Impact | INP (Median) | DOM Nodes | Script-Blocking Method |
|---|---|---|---|---|---|
| ConsentStack | <10KB gzipped | Negligible | N/A (pre-launch) | Minimal | Parse-time MutationObserver |
| Transcend | 54.3KB compressed | Low | N/A | N/A | Network-level (airgap.js) |
| OneTrust | 184KB+ | 1.43s to 3.61s | 104ms | N/A | Runtime |
| TrustArc | N/A | 2+ min reported | 67ms | N/A | Runtime + fake delays |
| Ketch | 20.6KB min | Low | N/A | N/A | Smart Tag (defer) |
| Cookiebot | 34KB sync | Moderate | 57ms | 209 | Scanner-based, monthly |
| Osano | Small | Low | 275ms (worst) | Low | Runtime |
| Termly | N/A | 30-37 pts drop | N/A | N/A | Auto Blocker (breaks GTM) |
| CookieYes | N/A | 6.5s mobile | 81ms | 48,000 | Runtime |
| Complianz | N/A | Varies | N/A | N/A | WordPress hooks |
Only two CMPs use parse-time script blocking: ConsentStack and Transcend. Every other CMP uses runtime approaches that allow scripts to fire before consent.
See the full Core Web Vitals benchmark
Pricing Comparison (30K visitors, 2 domains)
| CMP | Monthly Price | Free Tier | Sales Call? |
|---|---|---|---|
| ConsentStack | $29 | Full compliance (1K visitors) | No |
| Cookiebot | ~$75 (2 domains) | 50 subpages, 1 domain | No |
| Osano | $99 | Banner only, no blocking | No |
| Ketch | $150 | 5K visitors | No (Starter) |
| Termly | $28-40 (2 sites) | 10K banner views | No |
| CookieYes | $20-110 (2 domains) | 5K pageviews | No |
| Complianz | $0-33 (annual) | Full, unlimited sites | No |
| Transcend | ~$10,900 | None | Yes |
| TrustArc | ~$833 | None | Yes |
| OneTrust | ~$300+ | None | Yes |
ConsentStack at $29/month sits in the gap between enterprise ($300-$10,900/mo) and budget ($0-$55/mo), delivering enterprise compliance features without the procurement process. See pricing
Frequently Asked Questions
A consent management platform (CMP) is software that shows a consent banner, blocks tracking scripts until the visitor makes a choice, records their decision, and signals it to ad and analytics platforms. A good CMP handles this across multiple privacy regulations, automatically detecting which rules apply based on visitor location.
If your website has visitors from the EU, UK, Brazil, Canada, or any of the **19 US states** with privacy laws, and you use any tracking technologies, then yes. **$2.3 billion in fines** and accelerating. "We didn't know" is not a defense regulators accept.
For 30,000 monthly visitors and 2 domains: **$29-$150/month** for a working CMP with real script blocking. Below $29, you're likely getting a decorative banner. Above $150, you're paying for enterprise features most companies don't need. If a CMP requires a sales call, expect $10,000+/year.
Google's framework for receiving consent signals from your CMP. Without it, your EU Google Analytics data is either non-compliant or nonexistent. With it, Google uses behavioral modeling to fill gaps from users who decline. **67% of setups are misconfigured.** CMPs with built-in adapters (ConsentStack, Cookiebot) handle this automatically.
A technique where the CMP installs a MutationObserver during HTML parsing, before any third-party scripts execute. Scripts are blocked before the browser can fetch or run them. Runtime blocking (the alternative) creates a window where scripts fire before the CMP catches them, which is why 59% of CMP-equipped sites still set cookies before consent. Only ConsentStack and Transcend use parse-time approaches in this comparison.
A basic banner takes a day. Real consent management requires geo-detection across 30+ jurisdictions, regulation-specific models, script blocking, consent storage, GCM v2 signaling, multiple ad platform adapters, and ongoing regulatory updates. Most teams that start custom switch to a CMP within 6 months. ---
Conclusion
The CMP market splits into enterprise ($300-$10,900/month, weeks of implementation) and budget ($0-$55/month, 30-37 point PageSpeed drops, 48,000 DOM elements, GTM incompatibility). Between these groups: almost nothing.
Every claim in this article comes from DebugBear benchmarks, Agence Web Performance studies, Vendr contract data, Trustpilot reviews, G2 reviews, WordPress.org plugin reports, and regulatory enforcement records.
ConsentStack fills the missing middle: <10KB SDK, 32 regulations, parse-time script blocking, 6 platform adapters, $29/month Pro pricing. Published on the website, no sales call required. Get started free
Try it free. No credit card. No sales call. No 4-hour setup video. Just compliance that works.