Comparison: Consent Management Platforms

Best Consent Management Platforms Compared (2026): Features, Pricing, and Privacy

A CMP configures what should happen when visitors accept, reject, or send Global Privacy Control. It does not, by itself, prove that analytics, ads, and session replay actually stop at the network layer. This guide compares leading CMPs for enterprises and publishers, then scores each on the enforcement realities privacy teams see after deployment: GPC handling, TCF depth, regional hosting, and how much work still falls to tag order and server-side controls.

Audit your deployment See Privacy Edge

Quick summary

What to know before you choose

What it does

CMPs collect consent choices, show notices and preference centers, maintain vendor lists, and signal allowed purposes to tags and ad partners.

What to look for

Require IAB TCF alignment where you use ad tech, explicit GPC handling, strong audit logs, EU infrastructure options, and a plan to validate tags with network-layer testing after every change.

Where Lokker fits

Lokker works with any CMP you choose: Privacy Edge inventories what still fires on your pages, Consent Validator proves behavior in each consent state including GPC, and Guardian blocks disallowed requests when the CMP and tag manager drift out of sync.

The tools

Tools included in this comparison

Eight leading tools covering free, mid-market, and enterprise tiers, cloud and self-hosted deployment, and a range of privacy and compliance postures.

OneTrust

Enterprise privacy, consent, and governance suite with Cookie Consent and PreferenceChoice.

Enterprise pricingCloud + EU option

Visit site Privacy topics

TrustArc

Consent Manager with NIST-aligned privacy program tooling and enterprise assessments.

Enterprise pricingCloud + EU option

Visit site Privacy topics

Cookiebot by Usercentrics

Scanner-led CMP with automatic cookie classification and multilingual banners.

From ~$50/moCloud + EU option

Visit site Privacy topics

Usercentrics CMP

App and web CMP with App Consent, server-side options, and Google Consent Mode v2 kits.

From ~$200/moCloud + EU option

Visit site Privacy topics

Osano

Consent Platform with no-hassle pricing, monitoring, and vendor risk scoring.

From ~$50/moCloud (US)

Visit site Privacy topics

Ketch

Orchestration-first consent and preference APIs with programmatic policy enforcement.

Enterprise pricingCloud + EU option

Visit site Privacy topics

Sourcepoint

Publisher-focused CMP and messaging with paid and ad-supported experience patterns.

Enterprise pricingCloud + EU option

Visit site Privacy topics

Didomi

EU-founded consent and preference stack with strong TCF and mobile SDK coverage.

From ~$200/moCloud + EU option

Visit site Privacy topics

All product names and trademarks are property of their respective owners. Lokker is not affiliated with or endorsed by any of the companies listed. Pricing and feature information is based on publicly available data and may change; verify with each vendor before purchasing.

Feature comparison

Capability comparison matrix

How each tool compares across the dimensions that matter most for product, engineering, and privacy teams.

Focus the matrix

Showing 5 of 8 tools. Add vendors as needed, or show the full table when you want every column.

3 tools are hidden from the focused table. The full text matrix below keeps every capability visible in the page source.

Scroll sideways if you choose more columns than fit your screen. Sticky capability labels stay visible

Capability	OneTrust	TrustArc	Cookiebot by Usercentrics	Usercentrics CMP	Osano
IAB TCF v2 support	TCF 2.2 certified CMP strings and vendor list support	TCF-certified options for publisher and advertiser stacks	TCF integration for publishers; consent mode helpers for Google stacks	TCF 2.2 certified CMP with in-app extensions	TCF support on eligible plans with publisher-focused configuration
Global Privacy Control handling	GPC recognition with regional rule templates	GPC tied to jurisdiction templates and opt-out propagation	GPC support with Google Consent Mode bridging	GPC handling in web and app CMP configurations	GPC support with documentation for CCPA-style opt-outs
Site scanning and cookie inventory	CookieConsent scanner with scheduled rescans and categorization	Automated scanning with governance dashboards	Monthly scans with auto-blocking until consent on many plans	Scanning plus Custom Implementation Service for complex stacks	Discovery scans with vendor risk cards
Google Consent Mode v2 alignment	Templates and docs for Consent Mode default and update signals	Integration guidance for GA4 and Ads with regional rules	Native Consent Mode integration and tag recipes	Certified Google CMP partner patterns for v2	Consent Mode support with configuration guides
Preference center and granular purposes	PreferenceChoice with granular toggles and policy linkage	Preference centers with jurisdiction-based purpose sets	Per-category toggles with auto-generated policy sections	Granular purposes with app and web parity	Simplified preference UX with category bundles
DSAR and privacy rights workflow coupling	Native OneTrust Privacy Rights Automation integration	TrustArc privacy rights module integration paths	Focused on consent; DSAR via Usercentrics suite partners	Usercentrics Preference Manager and Automation paths	Osano Subject Rights Management add-on
Regional hosting and DPA posture	Multi-region hosting with EU and US deployment options	Regional options with enterprise DPA packages	EU operator with strong EU hosting story	EU parent with regional hosting choices	US operator; SCC-based transfers for EU customers
Tag manager and GTM integration depth	Templates for GTM, Adobe, and Tealium with consent mode variables	Professional services patterns for complex tag stacks	GTM community templates and auto-blocking helpers	GTM template gallery and server-side consent bridges	GTM guidance with script blocking patterns
CMP analytics and A/B testing of banners	Analytics on banner performance and geo splits	Reporting dashboards for consent rates	Banner analytics and consent rate reporting	A/B testing for banner variants on higher tiers	Consent analytics dashboards
Typical entry motion	Enterprise contracts with modular SKUs	Enterprise sales-led	SMB-friendly tiers with domain-based pricing	Tiered by consents and apps	Transparent SaaS tiers

Full text matrix for all tools

IAB TCF v2 support

OneTrust: TCF 2.2 certified CMP strings and vendor list support
TrustArc: TCF-certified options for publisher and advertiser stacks
Cookiebot by Usercentrics: TCF integration for publishers; consent mode helpers for Google stacks
Usercentrics CMP: TCF 2.2 certified CMP with in-app extensions
Osano: TCF support on eligible plans with publisher-focused configuration
Ketch: TCF via partner patterns; emphasis on orchestration APIs
Sourcepoint: Deep TCF messaging, auctions, and paid consent experiences
Didomi: TCF-first workflows with EU regulatory alignment focus

Global Privacy Control handling

OneTrust: GPC recognition with regional rule templates
TrustArc: GPC tied to jurisdiction templates and opt-out propagation
Cookiebot by Usercentrics: GPC support with Google Consent Mode bridging
Usercentrics CMP: GPC handling in web and app CMP configurations
Osano: GPC support with documentation for CCPA-style opt-outs
Ketch: Programmatic GPC hooks via preference and policy APIs
Sourcepoint: GPC patterns for US publishers with messaging variants
Didomi: GPC aligned with EU and US state templates

Site scanning and cookie inventory

OneTrust: CookieConsent scanner with scheduled rescans and categorization
TrustArc: Automated scanning with governance dashboards
Cookiebot by Usercentrics: Monthly scans with auto-blocking until consent on many plans
Usercentrics CMP: Scanning plus Custom Implementation Service for complex stacks
Osano: Discovery scans with vendor risk cards
Ketch: Discovery oriented toward data layer and system mapping
Sourcepoint: Vendor detection tailored to ad-heavy pages
Didomi: Scanning plus publisher-specific vendor taxonomies

Google Consent Mode v2 alignment

OneTrust: Templates and docs for Consent Mode default and update signals
TrustArc: Integration guidance for GA4 and Ads with regional rules
Cookiebot by Usercentrics: Native Consent Mode integration and tag recipes
Usercentrics CMP: Certified Google CMP partner patterns for v2
Osano: Consent Mode support with configuration guides
Ketch: Signals to downstream systems including Google tags via orchestration
Sourcepoint: Publisher patterns for ads personalization strings with Google stacks
Didomi: EU templates for Consent Mode and ad partner stacks

Preference center and granular purposes

OneTrust: PreferenceChoice with granular toggles and policy linkage
TrustArc: Preference centers with jurisdiction-based purpose sets
Cookiebot by Usercentrics: Per-category toggles with auto-generated policy sections
Usercentrics CMP: Granular purposes with app and web parity
Osano: Simplified preference UX with category bundles
Ketch: Highly programmable preference APIs for custom UIs
Sourcepoint: Advanced messaging for accept rates and subscription bundles
Didomi: Granular stacks for French CNIL-style expectations

DSAR and privacy rights workflow coupling

OneTrust: Native OneTrust Privacy Rights Automation integration
TrustArc: TrustArc privacy rights module integration paths
Cookiebot by Usercentrics: Focused on consent; DSAR via Usercentrics suite partners
Usercentrics CMP: Usercentrics Preference Manager and Automation paths
Osano: Osano Subject Rights Management add-on
Ketch: Ketch Rights API alongside consent orchestration
Sourcepoint: Partner-led DSAR; CMP focused on surface consent
Didomi: API-first preference and rights orchestration patterns

Regional hosting and DPA posture

OneTrust: Multi-region hosting with EU and US deployment options
TrustArc: Regional options with enterprise DPA packages
Cookiebot by Usercentrics: EU operator with strong EU hosting story
Usercentrics CMP: EU parent with regional hosting choices
Osano: US operator; SCC-based transfers for EU customers
Ketch: Regional deployment options on enterprise contracts
Sourcepoint: US operator with EU data pathways for publishers
Didomi: EU-founded hosting emphasis for EU publishers

Tag manager and GTM integration depth

OneTrust: Templates for GTM, Adobe, and Tealium with consent mode variables
TrustArc: Professional services patterns for complex tag stacks
Cookiebot by Usercentrics: GTM community templates and auto-blocking helpers
Usercentrics CMP: GTM template gallery and server-side consent bridges
Osano: GTM guidance with script blocking patterns
Ketch: API-first; engineering-led tag integration
Sourcepoint: Prebid and ad-server integration playbooks
Didomi: Tag manager integrations common in EU publisher stacks

CMP analytics and A/B testing of banners

OneTrust: Analytics on banner performance and geo splits
TrustArc: Reporting dashboards for consent rates
Cookiebot by Usercentrics: Banner analytics and consent rate reporting
Usercentrics CMP: A/B testing for banner variants on higher tiers
Osano: Consent analytics dashboards
Ketch: Programmatic experimentation via APIs
Sourcepoint: Strong experimentation for messaging and paywalls
Didomi: Variant testing for EU regulatory messaging

Typical entry motion

OneTrust: Enterprise contracts with modular SKUs
TrustArc: Enterprise sales-led
Cookiebot by Usercentrics: SMB-friendly tiers with domain-based pricing
Usercentrics CMP: Tiered by consents and apps
Osano: Transparent SaaS tiers
Ketch: Enterprise orchestration contracts
Sourcepoint: Enterprise publisher contracts
Didomi: Mid-market to enterprise EU pricing

Does your tool actually stop in reject and GPC states?

Lokker Consent Validator runs automated browser sessions across every consent state and confirms at the network layer whether tools in this category still send requests when they should not.

See Consent Validator Request a demo

Privacy and compliance

Privacy and compliance scorecard

The dimensions Lokker Privacy Edge evaluates when it detects consent management platforms on your properties. Use this scorecard alongside the capability matrix when making your vendor decision.

Yes

Partial

Unknown

Privacy dimension	OneTrust	Cookiebot by Usercentrics	Osano	Ketch	Sourcepoint
Vendor proves tags stop without separate testing product	CMPs configure intent; network proof requires tools like Lokker Consent Validator.
IAB Europe CMP certification path for TCF				Orchestration-first positioning; confirm TCF SKU for your deployment.
Documented default GPC treatment for US states
EU legal entity or strong EU hosting story			US-based operator; rely on SCCs and transfer assessments for EU subjects.
Auto-blocking of uncategorized scripts option	Available with correct script deployment patterns; not automatic without configuration.
Administrative audit logs for CMP changes
Native mobile app CMP SDK		Web-first heritage; app coverage via Usercentrics group products.
Published sub-processor list
Support for in-app WebView consent continuity					WebView patterns exist but publisher web stacks vary widely.

Scores reflect publicly available product documentation as of 2026. Vendor capabilities change; verify current behavior with each vendor and through independent testing. "Partial" indicates the capability exists but requires non-default configuration, an additional plan tier, or has meaningful limitations.

Buyer guidance

How to choose the right tool for your context

Choosing among these consent management platforms depends on your industry, infrastructure, privacy posture, and budget. Use these decision guides to narrow your evaluation.

If you run programmatic ads and Prebid

Sourcepoint, Didomi, and enterprise OneTrust setups often pair with complex header bidding. TCF string accuracy and vendor list updates become weekly work.

Lokker note: After CMP go-live, schedule Consent Validator runs whenever you change Prebid or ad refresh logic.

If you need CMP plus privacy program software

OneTrust and TrustArc bundle assessments, RoPA, and DSAR with consent. Budget for cross-module ownership so the CMP configuration does not drift from the RoPA.

Lokker note: Use Privacy Edge to catch uncatalogued tags that never entered the CMP vendor list.

If web and app must stay in sync

Usercentrics, Ketch, and Didomi emphasize APIs and app SDKs. Divergent taxonomies between web GTM and native SDKs create silent over-collection.

Lokker note: Validate both surfaces with the same consent-state test matrix.

If you are mid-market with a lean privacy team

Cookiebot, Osano, and mid tiers of Usercentrics keep operational load lower. You still need tag order discipline and periodic rescans.

Lokker note: Automate quarterly Consent Validator evidence exports for your risk committee.

Privacy context

The privacy reality of consent management platforms

CMPs are essential, but they are not autonomous enforcement engines. They emit signals that tags are supposed to respect. Any gap between the CMP UI, the tag manager container, and the actual network call creates liability. Plaintiffs and regulators increasingly ask what crossed the wire, not what the privacy dashboard claimed.

Tag manager order defeats CMP intent

When GTM or Tealium loads before the CMP resolves, tags can execute in pre-consent states even though the CMP record shows correct categories.

Auto-blocking lists rot without rescans

New third-party scripts appear after every sprint. If rescans lag, vendors stay uncategorized and default allow rules may apply.

GPC and opt-out sale signals need downstream enforcement

Publishing a GPC response in the CMP is not the same as proving that every ad pixel stopped firing for that session.

Where Lokker fits

How Lokker helps with whichever CMP you deploy

Lokker does not replace your CMP. OneTrust, TrustArc, Cookiebot, Usercentrics, Osano, Ketch, Sourcepoint, and Didomi remain the system of record for consent choices. Lokker proves that your tags honor those choices.

Privacy Edge: inventory every tag, including uncatalogued vendors

Privacy Edge scans pages and surfaces third-party requests that never made it into the CMP vendor list, including tag-manager aliases.

See Privacy Edge

Consent Validator: evidence for accept, reject, and GPC states

Consent Validator runs scripted sessions for each CMP state and stores network-level proof for legal and insurance workflows.

See Consent Validator

Guardian: enforce when CMP and GTM disagree

Guardian blocks disallowed hosts at the browser edge so a stale container cannot override the CMP decision.

See Guardian

Common questions

Consent Management Platforms: frequently asked questions

The most common questions from privacy teams, legal counsel, and buyers evaluating consent management platforms.

More comparison guides

Compare other MarTech categories

Session Replay Tools8 tools

Web Analytics Tools8 tools

Marketing Automation Platforms8 tools

Customer Data Platforms (CDPs)8 tools

Chat and Messaging Widget Platforms8 tools

A/B Testing and Experimentation Platforms8 tools

Tag Management Systems7 tools

View all comparison guides

Next step

Validate your consent management platforms deployment with Lokker

Lokker confirms that the tool you choose stops collecting data in reject and GPC states, surfaces any gaps in your CMP configuration, and enforces blocking at the network layer so a misconfigured consent banner cannot result in an unauthorized data collection event.

Request a demo See Privacy Edge