Most demand letters and audits we support trace back to the same gap: the site tells visitors one thing and the network does another, especially after opt-out. A CMP configures what should happen when visitors accept, reject, or send Global Privacy Control. It does not, by itself, guarantee enforcement. This guide compares leading CMPs, then focuses on what matters after deployment: whether reject and GPC actually stop tags, and who will maintain the CMP alongside GTM, blocking rules, and scripts that never went through the tag manager.
User rejects non-essential cookies in the consent banner
Banner vs network
What the banner says is not always what crosses the network.
CMP state
Non-essential: denied
Quick summary
What it does
CMPs collect consent choices, show notices and preference centers, maintain vendor lists, and signal allowed purposes to tags and ad partners.
What to look for
Require IAB TCF alignment where you use ad tech, explicit GPC handling, strong audit logs, EU infrastructure options, and a plan to validate tags with network-layer testing after every change.
Where Lokker fits
Lokker works with any CMP you choose: Privacy Edge inventories what still fires on your pages, Consent Validator proves behavior in each consent state including GPC, and Guardian blocks disallowed requests when the CMP and tag manager drift out of sync.
Quick answer
A consent management platform (CMP) collects cookie and tracking choices, maintains vendor purposes, and signals what tags may run. Compare vendors on IAB TCF 2.2 (if you use ad tech), Global Privacy Control handling, Google Consent Mode v2, auto-blocking versus manual categorization, preference center depth, EU hosting, and audit logs. In Lokker's work with enterprises, insurers, and defense counsel, most tracking and consent problems come down to two patterns: no CMP at all, or a CMP that records "opt out" while tags still fire on the wire. A polished privacy policy does not prevent a demand letter if reject and GPC states are not enforced. It does not matter which CMP you pick: you need ongoing maintenance across the tag manager, blocking rules, rescans, and network proof after every change.
Field perspective
Lokker supports enterprise privacy programs, insurance underwriters, and defense counsel when tracking and consent claims land. We are not trying to alarm anyone. We are reporting what we see repeatedly: teams invest in privacy policy and vendor selection, then discover the live site still sends data after a visitor clicks reject or sends Global Privacy Control.
The failure modes are usually simple. Sometimes there is no consent tool at all. More often a CMP is installed and the dashboard looks correct, but analytics, ads, session replay, or pixels still load in opt-out states because GTM fired first, a category was wrong, or marketing added a script straight to the page and bypassed the tag manager entirely. Back-door tags are common. Drift is the default unless someone owns maintenance.
That is the crux. You can run the right RFP and pick OneTrust, Cookiebot, Osano, or any vendor in this guide. Compliance still requires a team to keep the CMP, tag manager, and blocking rules aligned, rescan after releases, and prove reject and GPC behavior on real URLs. Lokker is agnostic on vendor. Privacy Edge finds what actually fires, Consent Validator documents each consent state for counsel and insurers, and Guardian can block when configuration lags so you can focus on the business instead of the next surprise letter.
On this page
Evaluation framework
Use this checklist when you compare vendors. The bar is not "we installed a banner." It is proof that opt-out and GPC states stop tracking on the wire, with a team maintaining the CMP, tag manager, and blocking rules over time.
The CMP should control which scripts and pixels load. Marketing and legal teams need proof that reject and GPC states stop high-risk calls, not only that the banner rendered.
Publisher and ad stacks often require IAB TCF 2.2 strings. US state laws expect valid treatment of Global Privacy Control and opt-out of sale or sharing where applicable.
Google Consent Mode v2 adjusts GA4 and Ads behavior from signals your CMP supplies. Miswired defaults can under-report or over-collect relative to visitor choice.
Most enterprises deploy the CMP alongside Google Tag Manager, Tealium, or Adobe. Container load order and trigger logic determine whether consent signals reach every vendor.
Operating model
A CMP records visitor choices. A tag manager deploys vendors. Compliance breaks when those layers disagree. This operating model is what privacy engineering teams use after the RFP, regardless of which CMP you select.
The CMP script (or server-side consent endpoint) should finish its first read of stored consent or regional defaults before GTM, Tealium, or hard-coded pixels run. Late CMP injection is a common root cause of pre-consent leakage.
Expose category or purpose flags the tag manager can read: analytics, ads, functional, and jurisdiction-specific opt-outs. Pair with Google Consent Mode default and update signals so Google tags respect the same state.
Treat GTM workspace publishes like production releases. Require a privacy reviewer when new tags, custom HTML, or third-party templates are added. Keep a changelog tied to CMP vendor list updates.
Run accept, reject, no interaction (where lawful), and GPC sessions against priority templates: home, checkout, logged-in account, and paywalled content. Capture HAR or automated network logs for legal and insurance evidence.
When marketing bypasses the CMP with a direct script or an old container version goes live, edge enforcement can block disallowed hosts until the stack is repaired. Lokker Guardian fills this gap without replacing your CMP.
The tools
8 leading tools covering free, mid-market, and enterprise tiers, cloud and self-hosted deployment, and a range of privacy and compliance postures.
OneTrust
Enterprise privacy, consent, and governance suite with Cookie Consent and PreferenceChoice.
TrustArc
Consent Manager with NIST-aligned privacy program tooling and enterprise assessments.
Cookiebot by Usercentrics
Scanner-led CMP with automatic cookie classification and multilingual banners.
Usercentrics CMP
App and web CMP with App Consent, server-side options, and Google Consent Mode v2 kits.
Osano
Consent Platform with no-hassle pricing, monitoring, and vendor risk scoring.
Ketch
Orchestration-first consent and preference APIs with programmatic policy enforcement.
Sourcepoint
Publisher-focused CMP and messaging with paid and ad-supported experience patterns.
Didomi
EU-founded consent and preference stack with strong TCF and mobile SDK coverage.
All product names and trademarks are property of their respective owners. Lokker is not affiliated with or endorsed by any of the companies listed. Pricing and feature information is based on publicly available data and may change; verify with each vendor before purchasing.
Feature comparison
How each tool compares across the dimensions that matter most for product, engineering, and privacy teams.
Focus the matrix
Showing 5 of 8 tools. Add vendors as needed, or show the full table when you want every column.
3 tools are hidden from the focused table. The full text matrix below keeps every capability visible in the page source.
| Capability | |||||
|---|---|---|---|---|---|
| IAB TCF v2 support | TCF 2.2 certified CMP strings and vendor list support | TCF-certified options for publisher and advertiser stacks | TCF integration for publishers; consent mode helpers for Google stacks | TCF 2.2 certified CMP with in-app extensions | TCF support on eligible plans with publisher-focused configuration |
| Global Privacy Control handling | GPC recognition with regional rule templates | GPC tied to jurisdiction templates and opt-out propagation | GPC support with Google Consent Mode bridging | GPC handling in web and app CMP configurations | GPC support with documentation for CCPA-style opt-outs |
| Site scanning and cookie inventory | CookieConsent scanner with scheduled rescans and categorization | Automated scanning with governance dashboards | Monthly scans with auto-blocking until consent on many plans | Scanning plus Custom Implementation Service for complex stacks | Discovery scans with vendor risk cards |
| Google Consent Mode v2 alignment | Templates and docs for Consent Mode default and update signals | Integration guidance for GA4 and Ads with regional rules | Native Consent Mode integration and tag recipes | Certified Google CMP partner patterns for v2 | Consent Mode support with configuration guides |
| Preference center and granular purposes | PreferenceChoice with granular toggles and policy linkage | Preference centers with jurisdiction-based purpose sets | Per-category toggles with auto-generated policy sections | Granular purposes with app and web parity | Simplified preference UX with category bundles |
| DSAR and privacy rights workflow coupling | Native OneTrust Privacy Rights Automation integration | TrustArc privacy rights module integration paths | Focused on consent; DSAR via Usercentrics suite partners | Usercentrics Preference Manager and Automation paths | Osano Subject Rights Management add-on |
| Regional hosting and DPA posture | Multi-region hosting with EU and US deployment options | Regional options with enterprise DPA packages | EU operator with strong EU hosting story | EU parent with regional hosting choices | US operator; SCC-based transfers for EU customers |
| Tag manager and GTM integration depth | Templates for GTM, Adobe, and Tealium with consent mode variables | Professional services patterns for complex tag stacks | GTM community templates and auto-blocking helpers | GTM template gallery and server-side consent bridges | GTM guidance with script blocking patterns |
| CMP analytics and A/B testing of banners | Analytics on banner performance and geo splits | Reporting dashboards for consent rates | Banner analytics and consent rate reporting | A/B testing for banner variants on higher tiers | Consent analytics dashboards |
| Typical entry motion | Enterprise contracts with modular SKUs | Enterprise sales-led | SMB-friendly tiers with domain-based pricing | Tiered by consents and apps | Transparent SaaS tiers |
Head-to-head
These three names appear often in enterprise and growth-company evaluations. None is universally "best." The right choice depends on ad stack complexity, who operates privacy day to day, and whether you need a full privacy suite or a focused consent layer.
| Dimension | OneTrust | Osano | Ketch |
|---|---|---|---|
| Best for | Global enterprises that want CMP plus assessments, RoPA, and DSAR in one vendor relationship | Mid-market and growth teams that want transparent SaaS pricing and ongoing compliance monitoring | Data-centric orgs that need consent and preference APIs piped to warehouses, apps, and orchestration layers |
| TCF / GPP and publisher ad stacks | Mature TCF 2.2 patterns for large publisher and advertiser programs | TCF on eligible plans; lighter lift for sites without heavy Prebid complexity | Orchestration-first; confirm TCF SKU and partner patterns for your ad footprint |
| Preference center and banner UX | PreferenceChoice with granular purposes; enterprise customization services | Simplified category bundles; faster time to first compliant banner | Programmable UIs via APIs; engineering-led preference experiences |
| Typical operating burden | Higher: cross-module governance, professional services for complex GTM stacks | Moderate: approachable admin, still requires tag discipline and rescans | Moderate to high: API-first teams must own tag and app parity themselves |
| Enterprise alternatives narrative | Incumbent in many RFPs; switching cost is program-wide, not just the banner | Common "simpler than OneTrust" shortlist for teams under privacy team capacity pressure | Often shortlisted when consent must sync to data platforms, not only marketing tags |
Head-to-head
Buyers often evaluate both when the RFP says "enterprise CMP plus privacy program." Compare on consent depth, assessments, DSAR coupling, and who will operate the modules after launch.
| Dimension | OneTrust | TrustArc |
|---|---|---|
| Best for | Global enterprises standardizing on OneTrust for consent, RoPA, assessments, and rights automation | Enterprises that want consent paired with NIST-aligned program tooling and assessment workflows |
| CMP and preference depth | Cookie Consent plus PreferenceChoice; deep TCF and regional template libraries | Consent Manager with jurisdiction templates; strong governance dashboards |
| Professional services | Large partner ecosystem; common for complex GTM and multi-brand rollouts | Consulting-heavy deployments for program maturity and banner customization |
| Typical switching friction | High when RoPA and DSAR already live in OneTrust; CMP is one module among many | High when assessments and vendor risk modules are embedded in TrustArc workflows |
| Proof after go-live | Admin audit logs are strong; network proof still requires independent testing | Same pattern: configuration truth does not equal wire-level enforcement |
Head-to-head
Media and publishing buyers shortlist these vendors for TCF-heavy stacks, paid consent experiences, and EU regulatory alignment. Advertiser sites with lighter ad tech may not need this depth.
| Dimension | Sourcepoint | Didomi |
|---|---|---|
| Best for | US and global publishers balancing subscriptions, ad-funded models, and Prebid complexity | EU-first publishers and brands prioritizing CNIL-style granularity and regional support |
| TCF and messaging | Deep TCF messaging, auctions, and experimentation on accept rates | TCF-first workflows with French and EU regulatory template emphasis |
| Paid and ad-supported UX | Mature patterns for paywalls, registration walls, and ad refresh consent | Granular purpose stacks for EU expectations; strong mobile SDK story |
| Operator profile | US operator with EU pathways; publisher ad ops often own day-to-day config | EU-founded; common choice when legal wants EU entity and hosting narrative |
| Maintainability note | Vendor list hygiene is weekly work when header bidding or Prebid changes | Same: TCF vendor tables must track live ad partners, not only marketing pixels |
Does your tool actually stop in reject and GPC states?
Lokker Consent Validator runs automated browser sessions across every consent state and confirms at the network layer whether tools in this category still send requests when they should not.
Privacy and compliance
The dimensions Lokker Privacy Edge evaluates when it detects consent management platforms on your properties. Use this scorecard alongside the capability matrix when making your vendor decision.
| Privacy dimension | ||||||||
|---|---|---|---|---|---|---|---|---|
| Vendor proves tags stop without separate testing product | ||||||||
| IAB Europe CMP certification path for TCF | ||||||||
| Documented default GPC treatment for US states | ||||||||
| EU legal entity or strong EU hosting story | ||||||||
| Auto-blocking of uncategorized scripts option | ||||||||
| Administrative audit logs for CMP changes | ||||||||
| Native mobile app CMP SDK | ||||||||
| Published sub-processor list | ||||||||
| Support for in-app WebView consent continuity |
Scores reflect publicly available product documentation as of 2026. Vendor capabilities change; verify current behavior with each vendor and through independent testing. "Partial" indicates the capability exists but requires non-default configuration, an additional plan tier, or has meaningful limitations.
Buyer guidance
Choosing among these consent management platforms depends on your industry, infrastructure, privacy posture, and budget. Use these decision guides to narrow your evaluation.
Sourcepoint, Didomi, and enterprise OneTrust setups often pair with complex header bidding. TCF string accuracy and vendor list updates become weekly work.
Lokker note: After CMP go-live, schedule Consent Validator runs whenever you change Prebid or ad refresh logic.
OneTrust and TrustArc bundle assessments, RoPA, and DSAR with consent. Budget for cross-module ownership so the CMP configuration does not drift from the RoPA.
Lokker note: Use Privacy Edge to catch uncatalogued tags that never entered the CMP vendor list.
Usercentrics, Ketch, and Didomi emphasize APIs and app SDKs. Divergent taxonomies between web GTM and native SDKs create silent over-collection.
Lokker note: Validate both surfaces with the same consent-state test matrix.
Cookiebot, Osano, and mid tiers of Usercentrics keep operational load lower. You still need tag order discipline and periodic rescans.
Lokker note: Automate quarterly Consent Validator evidence exports for your risk committee.
Ongoing operations
Vendors sell implementation. Privacy teams live in operations. It does not matter which CMP you license: without a named owner for rescans, GTM publishes, vendor lists, and reject/GPC testing, drift is predictable. Engineering moves on, marketing adds pixels, and scripts appear on the page outside the tag manager. Budget for people and process, not only license fees. These practices apply to every vendor in this comparison.
Run cookie and script discovery after major releases, A/B tests, and new landing pages. Uncategorized vendors are where auto-blocking and audit reports fail first.
When GTM adds a pixel marketing forgot to disclose, the CMP vendor table lies. Privacy Edge helps surface live third parties that never entered the CMP taxonomy.
Accept, reject, no interaction (where lawful), and GPC should be retested on priority URLs quarterly or on every container publish. Store network evidence for counsel and insurers.
Privacy policy and banner text must match what fires on the wire. DSAR and preference center promises should not outpace tag enforcement.
Name who approves CMP config changes, who publishes GTM, and who signs off on evidence exports. Ambiguous ownership is how drift survives audits.
Schedule ongoing scans, not only the implementation project. Privacy Edge and Consent Validator are built for teams that need to know when a new vendor appeared without a CMP category update.
Privacy context
A CMP plus an updated privacy policy is necessary work. It is not sufficient if opt-out does not match behavior on the wire. Plaintiffs, regulators, and insurers ask what actually fired after the visitor chose reject, not what the admin console recorded.
This is the pattern behind many demand letters we see. The CMP logs a reject or GPC signal, but analytics, ads, or replay vendors still receive requests. Counsel compares policy language, banner UX, and packet captures. "Configured correctly" in the CMP is not a defense if the tag manager or a hard-coded script ignored the signal.
When GTM or Tealium loads before the CMP resolves, tags can execute in pre-consent states even though the CMP record shows correct categories.
New third-party scripts appear after every sprint. If rescans lag, vendors stay uncategorized and default allow rules may apply.
Publishing a GPC response in the CMP is not the same as proving that every ad pixel stopped firing for that session.
Agencies, campaign landers, and hurried releases often add scripts directly to the template or a single page, not through GTM. Those tags never entered the CMP vendor list. Ongoing scans are how you catch them before they become the basis for a complaint.
Where Lokker fits
Lokker does not replace your CMP. We help you run the business without betting everything on a dashboard screenshot. Your vendor stays the system of record for consent strings; we show whether opt-out and GPC actually hold on the wire, surface back-door tags, and enforce blocking when the CMP and tag manager fall out of sync.
Privacy Edge scans pages and surfaces third-party requests that never made it into the CMP vendor list, including tag-manager aliases.
See Privacy EdgeConsent Validator runs scripted sessions for each CMP state and stores network-level proof for legal and insurance workflows.
See Consent ValidatorGuardian blocks disallowed hosts at the browser edge so a stale container cannot override the CMP decision.
See GuardianCommon questions
The most common questions from privacy teams, legal counsel, and buyers evaluating consent management platforms.
More comparison guides
Related to consent and tag orchestration
More comparison guides
Next step
Lokker confirms that the tool you choose stops collecting data in reject and GPC states, surfaces any gaps in your CMP configuration, and enforces blocking at the network layer so a misconfigured consent banner cannot result in an unauthorized data collection event.
Privacy policy guidance
Each guide explains what data the tool collects, illustrative policy language for discussion with counsel, jurisdiction notes, and a CMP configuration checklist.