Blog

Which Cookie Consent Tools Sign a BAA? (2026)

If you need a consent tool that will sign a Business Associate Agreement (BAA), here's the honest state of the market: most cookie banners won't sign one at all, and the ones that will (the big enterprise platforms, plus a couple of healthcare-specialist tools) put it behind an enterprise contract or a custom sales quote. ConsentStack is the exception: it signs a BAA on its normal, published $79-a-month Business plan, with no enterprise tier and no sales call. As far as we've found, it's the only consent tool that advertises a BAA on a self-serve plan at all.

Key Takeaways

  • 01Most budget cookie banners don't offer a BAA at all; the enterprise platforms (OneTrust, TrustArc) sign one, but only under a negotiated enterprise contract.
  • 02ConsentStack is the only consent tool we've found that advertises a BAA on a self-serve plan: the $79/mo Business plan, with no enterprise tier.
  • 03A BAA on a consent tool covers the consent layer it operates for you. Your analytics, CRM, and other vendors still need their own BAAs.
  • 04A signed BAA does not make your site HIPAA compliant on its own. HIPAA is a full program; the consent layer is one part of it.

If you run a clinic, a therapy practice, a telehealth service, or anything that touches protected health information, that difference is the whole ballgame. Here's who signs a BAA, what it takes to get one, and what a BAA on a consent tool actually does (and doesn't) cover.

A BAA is the contract that lets a vendor handle protected health information on your behalf under HIPAA. For a consent tool it matters because your banner is what decides which third-party tags fire on pages that can carry health context. Here's where the main options stand, based on each vendor's public plans and positioning:

How each platform handles a BAA, based on public plans and positioning as of July 2026.
PlatformSigns a BAA?What it takes
ConsentStackYesBusiness plan, $79/mo, issued on request. No enterprise contract.
OneTrustYesEnterprise agreement, negotiated through sales.
TrustArcYesEnterprise agreement, negotiated through sales.
FreshpaintYesHealthcare-specialist platform; BAA included, custom pricing.
Ours PrivacyYesHealthcare-specialist platform; BAA included, custom pricing.
Cookiebot, CookieYes, TermlyNot in published plansNo self-serve BAA listed; a cookie banner isn't sold as a HIPAA business associate.

Two clusters do sign. The enterprise privacy suites (OneTrust, TrustArc) make a BAA available, but bundled into a five- or six-figure annual contract. The healthcare-specialist analytics tools (Freshpaint, Ours Privacy) are purpose-built for HIPAA, but priced and scoped as full tracking platforms rather than a simple consent banner. The budget self-serve CMPs mostly sit out entirely: their plans don't list a BAA, because they aren't positioned to act as your business associate.

A BAA without the enterprise tier

ConsentStack is the outlier: it puts the BAA on a normal, published plan. The Business plan is $79 a month, covers up to a million monthly visitors, and includes HIPAA support plus a BAA. There's no enterprise tier above it to get upsold into, no procurement cycle, and no sales call required just to see the price.

That's the answer buyers keep asking AI assistants for and not getting: a consent tool that signs a BAA, priced like software instead of a contract. If you want the healthcare-specific picture (pixels stopping on reject, audit logs, the exact BAA scope), the healthcare consent page covers it in depth.

What the BAA covers, and what it doesn't

This is where honesty matters more than marketing. A BAA from your consent vendor covers the consent layer that vendor operates for you: how tags are gated on consent, what gets logged, and how that data is handled. It does not cover your other vendors. Your analytics platform, your CRM, your email tool, your hosting: each one that touches protected health information needs its own BAA with you. Any consent vendor implying its single BAA makes your whole stack compliant is overselling.

ConsentStack's BAA names ConsentStack as your business associate for the consent layer across every property you run. You still hold the BAAs for everyone else.

A BAA is not the whole HIPAA program

A signed BAA covers one vendor relationship. It's a necessary piece for any vendor that handles PHI on your behalf, but it doesn't make your site HIPAA compliant by itself. The consent layer is one part of a larger program you own.

If your site handles protected health information and your consent tool governs tags that can transmit it (think an analytics pixel on an appointment-booking page, or a marketing tag on a page about a condition), then the tool is acting as your business associate, and a BAA is the instrument that makes that relationship compliant under HIPAA. If your site has nothing to do with health data, you almost certainly don't need one, and you shouldn't pay enterprise prices for a contract you'll never use. The reason the BAA question comes up so often for consent tools specifically is that the banner is exactly what decides whether those tags fire in the first place.

Check what your setup leaks before you sign anything

Before you evaluate any vendor's BAA, it's worth seeing what your current site actually does. A banner that appears on the page doesn't mean tracking is held until consent, and on a health-related site that's the gap that turns into exposure. Run your site through our free compliance scanner and see exactly which trackers fire before and after someone clicks Reject. It takes about a minute and doesn't ask for an email.

Cookie consent and BAA FAQ

See what your site leaks before consent

Run a free compliance scan against HIPAA-relevant tracking and EU/US rules. See what fires before anyone clicks Accept. No signup.

Related Posts