Top 7 Consent Management Platforms in 2026
A practical guide to the leading tools that help organizations manage user consent, and why verifying what happens next matters just as much.
Cumulative GDPR fines passed €7.1 billion ($8.3 billion) in early 2026. At the same time, Reflectiz scans of more than 20,000 websites found that over 60% of critical alerts trace back to unauthorized apps accessing sensitive user data.
That contrast explains why Consent Management Platforms (CMPs) are both underused and badly needed. GDPR, CCPA, and a widening web of regional privacy laws keep tightening, and choosing the right CMP has never mattered more.
A CMP is the software layer that presents cookie banners and consent dialogues, records user choices, and passes those preferences to the scripts and trackers running on your site. It does one thing well. It tells your scripts what you intend to do with user data. It cannot tell you what actually happens once a visitor confirms their preferences.
Whether your third-party scripts honor those choices, or quietly send data to someone they shouldn’t, is a separate question. Answering it requires a different category of tool, which is the discipline of web privacy validation. We return to that gap in the final entry.
Below are six of the most widely deployed CMPs, followed by an essential seventh entry that covers what none of them can.
1. OneTrust
The market leader in enterprise privacy and consent management (Enterprise)
Website: onetrust.com
Summary
OneTrust is one of the most widely adopted enterprise CMPs, used by thousands of organizations worldwide. It reaches well beyond cookie banners into a full privacy operations suite: data mapping, vendor risk management, data subject access requests (DSARs), and policy management.
Key features
- Highly customizable consent banners with A/B testing
- Geolocation-based consent rules for multi-jurisdictional compliance
- Native integrations with Google Consent Mode, Adobe, Salesforce, and 300+ technology partners
- Automated cookie scanning and script categorization
- Robust consent record storage and audit trails for regulatory reporting
- Privacy management modules well beyond consent alone
- Consent management for mobile apps and OTT/CTV platforms (Apple TV, Roku, Amazon Fire)
- The largest pre-categorized cookie database available (45M+ cookies) for automated scanning and classification
| Suited to: | |
| --- | --- |
| Industry | Enterprise across all verticals; financial services, healthcare, retail |
| Organization size | Mid-market to large enterprise (1,000+ employees) |
Pricing
Subscription-based enterprise pricing. Basic tiers start at a few thousand dollars per year; complex enterprise deployments run into tens of thousands annually. Custom quotes for larger implementations. Free trial available.
Bottom line
The gold standard for enterprises that need consent management inside a broader, integrated privacy program. Powerful but complex, so expect a significant onboarding investment.
2. Cookiebot by Usercentrics
Europe’s favorite plug-and-play consent solution (SMB / Mid-Market)
Website: cookiebot.com
Summary
Cookiebot, now part of Usercentrics and formally branded Cookiebot by Usercentrics, has long been a go-to CMP for European businesses that want a straightforward, compliant solution. It remains a distinct product, widely praised for fast deployment (often a single script tag) and an automatic cookie scanning and categorization engine.
Key features
- Automatic monthly cookie scanning and categorization
- Lightweight implementation with minimal performance impact
- IAB TCF 2.3 support for programmatic advertising compliance (where applicable)
- Native Google Consent Mode v2 integration
- Multi-language banners that display automatically in the visitor’s browser language
- Full consent log for audit and legal evidence
| Suited to: | |
| --- | --- |
| Industry | E-commerce, publishing, SMBs, and agencies managing multiple client sites |
| Organization size | Small business to mid-market; strong for WordPress-based sites |
Pricing
Tiered by page count. A free plan covers single-domain sites up to 50 pages. Paid plans start around €9/month for small sites, scaling to custom enterprise pricing for high-traffic properties.
Bottom line
Excellent value for European-focused organizations that need GDPR compliance fast, without complex setup. The free tier makes it accessible for startups and personal projects.

3. TrustArc
Enterprise compliance with deep regulatory expertise (Enterprise)
Website: trustarc.com
Summary
TrustArc is one of the most established names in privacy compliance, with roots in the late 1990s. Its CMP sits inside a broader compliance platform spanning privacy program management, risk assessment, and regulatory intelligence. It is a strong fit for organizations with complex, multi-regulation obligations.
Key features
- Multi-regulation support across GDPR, CCPA/CPRA, LGPD, PIPL, and more
- Automated preference center for users to manage ongoing consent
- Cookie consent integrated with broader privacy workflows
- Arc Intelligence: an AI layer offering cited, explainable compliance guidance drawn from 28+ years of privacy expertise and 1,000+ regulatory frameworks
- Detailed reporting dashboards for legal and compliance teams
- WCAG 2.2-aligned consent templates by default, with 20+ Indian languages and broad localization
| Suited to: | |
| --- | --- |
| Industry | Legal, financial services, healthcare, technology, global enterprises |
| Organization size | Mid-market and enterprise; well-suited to US companies with global obligations |
Pricing
Enterprise SaaS pricing with custom quotes, generally at a premium tier. Best for organizations investing in a full privacy program platform rather than a standalone CMP. Contact for pricing.
Bottom line
A mature, highly regarded platform for organizations that treat privacy as a strategic priority. The breadth of the toolkit justifies the investment for complex regulatory environments.
4. Usercentrics
Developer-friendly consent with strong European pedigree (SMB / Mid-Market)
Website: usercentrics.com
Summary
The parent company of Cookiebot, Usercentrics is a powerful CMP in its own right, with a more customizable, developer-oriented experience. Especially strong in the DACH region (Germany, Austria, Switzerland), it has expanded globally and is a leading choice for teams that want granular control over consent flows plus solid analytics.
Key features
- Highly customizable UI with deep white-labeling
- Consent Analytics dashboard tracking opt-in/opt-out rates and revenue impact
- Server-side tagging integration for better data quality
- IAB TCF 2.3 and Google Consent Mode v2 support; covers GDPR, CCPA/CPRA, LGPD, POPIA, VCDPA, and additional US state laws (where applicable)
- App CMP for iOS and Android, plus server-side tagging for first-party data strategies
- Dedicated APIs for developer-led implementations
| Suited to: | |
| --- | --- |
| Industry | Media, e-commerce, SaaS, digital-first businesses in Europe |
| Organization size | SMB through enterprise; excellent for in-house development teams |
Pricing
Plans from roughly €60/month for smaller sites, scaling to custom enterprise pricing. Free trial available. Pricing is session-based, which matters for high-traffic sites.
Bottom line
A sophisticated CMP for teams that want more than a banner, especially the analytics on consent rates and the revenue impact of privacy choices. Developer experience is notably strong.
5. InMobi CMP (formerly Quantcast Choice)
Free, TCF-compliant consent for ad-supported publishers (Publishers)
Website: choice.inmobi.com
Summary
Originally built by Quantcast and acquired by InMobi in 2023, this CMP is now InMobi CMP (formerly Quantcast Choice). It remains free and is built around the IAB Transparency and Consent Framework, aimed at publishers and ad-supported sites that need TCF compliance without the cost of a premium platform. InMobi has kept the free commitment and folded the platform into its broader publisher SDK offering.
Key features
- Fully free with no page-view limits
- IAB TCF 2.3 support for programmatic ad ecosystem compliance (where applicable)
- Vendor list management for 500+ Google-certified and 800+ IAB-registered ad tech vendors
- Google Consent Mode integration
- Lightweight implementation with fast load times
- Basic but functional banner customization
| Suited to: | |
| --- | --- |
| Industry | Digital publishers, news sites, ad-supported content platforms, blogs |
| Organization size | Independent publishers to large media groups; any ad-dependent site |
Pricing
Free. No paid tiers. Quantcast may derive value from aggregated, consented data signals within its ecosystem, which is worth factoring into your data-sharing assessment.
Bottom line
Hard to argue with when it is free for TCF-focused publishers. There is an implicit data trade-off worth understanding, but for ad-dependent sites that need solid TCF compliance, InMobi CMP is a practical, widely trusted choice with strong publisher heritage.

6. Didomi
API-first consent with strong French and European market presence (Mid-Market / Enterprise)
Website: didomi.io
Summary
Didomi has grown from French origins into a global consent and privacy platform, named a G2 Leader for twelve consecutive seasons. Its API-first approach appeals to engineering-led organizations, and through the acquisitions of Sourcepoint and Addingwell it has expanded its US presence and server-side tracking capabilities. Beyond web consent, Didomi extends to mobile, connected TV, and other touchpoints, which makes it attractive for complex, multi-channel consent requirements.
Key features
- API-first architecture for deeply integrated, custom consent flows; Google CMP Partner with Gold status across web, mobile, and CTV
- Multi-channel consent: web, iOS, Android, CTV/OTT, and email
- Preference management center for ongoing user control
- Multi-regulation support including GDPR, CCPA, and emerging frameworks
- Real-time consent analytics, banner A/B testing, and Global Privacy Control (GPC) signal enforcement across supported US state laws
- IAB TCF 2.3 support, consent string interoperability with major ad tech platforms, and Advanced Compliance Monitoring (ACM) with expanded analytics dashboards
| Suited to: | |
| --- | --- |
| Industry | Media, telco, retail, financial services; strong in Europe (France and Benelux) and expanding in the US |
| Organization size | Mid-market to enterprise; ideal for multi-platform digital presences |
Pricing
Custom pricing based on traffic volume and modules required. No public tiers; contact Didomi for a quote. Generally competitive with mid-market enterprise CMP pricing. Free demo available.
Bottom line
A strong choice for organizations that need consent to work seamlessly across platforms, channels, and jurisdictions. Well regarded in Europe, and a serious contender in the US following the Sourcepoint acquisition. The Addingwell integration adds server-side tracking few CMPs can match.
The Verification Layer Every CMP Needs
7. Reflectiz
Continuous proof of what your scripts actually do (Runtime Verification Layer)
Website: reflectiz.com
Summary
Every CMP above does its core job well. It presents consent dialogues, records user choices, and passes those preferences to your tag manager and ad tech stack. None of them can tell you what happens next.
A CMP controls what you told your scripts to do. It cannot confirm they did it. Even platforms with script blocking or tag auditing assume scripts behave as configured, and that assumption is exactly where compliance exposure lives. No CMP reliably detects runtime drift, vendor-side changes, or fourth-party dependencies, so most have limited or indirect visibility into how scripts behave in the wild.
Vendor updates, unauthorized tag injections, fourth-party dependencies, and configuration drift all widen the gap between what your banner promises and what your scripts actually do in the live browser. That gap is your compliance exposure, and it is invisible to configuration-based tools. It does not take an attack to trigger it. A single cookie misconfiguration was enough to leave a major global retailer one oversight away from regulatory fines.
Reflectiz closes that gap. It is not a CMP. It is a runtime web privacy assurance platform that verifies whether your existing privacy tools are enforcing the consent they collect, by observing real browser behavior in production. It simulates real user journeys in a live browser and detects behavior your CMP, tag manager, and static scanners cannot see. There is no code to add to your site and no access to your infrastructure. You submit a URL and gain live visibility within 24 hours.
The model is simple:
- CMPs capture, record, and communicate user preferences.
- Scripts either honor them or they don’t.
- Reflectiz proves which.
Most privacy tools assume. Reflectiz assures.
Consent is one slice of the picture: the same runtime visibility extends across your entire third-party web estate as part of Reflectiz’s broader web exposure management platform.
Key features
- Continuous, agentless monitoring of every web script, with no code deployment
- Detection of consent violations: scripts firing outside their declared consent category
- Full inventory of first-, third-, and fourth-party dependencies across your web estate
- A Consent Dashboard that uses AI to audit your privacy banner copy, cookie classifications, and named vendors against live site activity, flagging discrepancies between what your policy says and what scripts actually do
- Compliance modules for GDPR, CCPA/CPRA, HIPAA, PIPEDA, and GPC signal enforcement, plus PCI DSS 4.0 (requirements 6.4.3 and 11.6.1)
- Alerts for behavioral changes in scripts, catching vendor updates before they become incidents
- Audit-ready reporting, exportable directly to legal and privacy teams
- Privacy Rating benchmarking to compare your posture against peer sites (Professional tier)
| Suited to: | |
| --- | --- |
| Industry | E-commerce, financial services, healthcare, media, any sector with meaningful third-party script usage |
| Organization size | Mid-market to large enterprise; especially valuable alongside a premium CMP |
Pricing
Enterprise SaaS pricing based on web estate size and monitoring scope. A free 30-day trial of the PCI DSS dashboard is available. Contact Reflectiz for a custom quote.
Bottom line
No CMP, not even the strongest enterprise platform, can tell you whether your third-party scripts honor the consent signals they receive. Reflectiz can. CMPs capture intent. Reflectiz delivers proof.
Choosing the right combination
The CMP landscape offers real choice at every price point and scale, from InMobi CMP’s no-cost entry for publishers to OneTrust’s enterprise suite. The right CMP depends on your geography, your regulatory obligations, your technical team’s capabilities, and the level of consent management your program needs.
Whichever platform you choose, one question always remains: are your consent preferences actually being respected by the scripts running on your site? Regulators will be asking it. That is not a knock on any individual CMP. It is an architectural reality of how consent management works. CMPs capture intent. Verification tools like Reflectiz confirm execution.
The most privacy-mature organizations treat these as two complementary layers. A strong CMP gets you to compliant consent collection. Continuous verification of script behavior makes that consent mean something in practice, and gives you the evidence to prove it.
All pricing figures in this guide are indicative and subject to change. Always verify directly with vendors before making procurement decisions.
FAQs
Does a CMP make your website GDPR compliant?
No. A CMP collects and records consent, but it cannot confirm that your scripts honor those choices at runtime. Trackers can fire before consent, stay active after a Reject All selection, or ignore GPC signals without the CMP knowing. Compliance depends on what scripts actually do, which requires runtime verification.
Does Reflectiz replace your CMP?
No. Reflectiz is not a CMP and does not present banners or record consent. It is a runtime web privacy assurance platform that works alongside any CMP to verify that consent is enforced. The CMP collects consent. Reflectiz confirms your scripts respect it.
How much does a CMP cost?
CMP pricing ranges from free to tens of thousands of dollars per year. Free options include InMobi CMP and Cookiebot’s single-domain tier. Cookiebot paid plans start near €9 per month and Usercentrics near €60 per month. OneTrust, TrustArc, and Didomi use custom enterprise pricing based on traffic and the modules you need.
What is a Consent Management Platform (CMP)?
A CMP is the software layer that presents cookie banners and consent dialogues, records each visitor’s choices, and passes those preferences to the scripts and trackers on your site. It governs what you tell your scripts to do with user data. It does not verify what those scripts actually do once consent is given.
What is the best CMP for WordPress and small businesses?
Cookiebot by Usercentrics is a strong fit for WordPress and small businesses. It deploys with a single script tag, scans and categorizes cookies automatically each month, and offers a free plan for single-domain sites up to 50 pages. Paid plans start at around €9 per month for small sites.
What is the best consent management platform in 2026?
There is no single best CMP. The right choice depends on your geography, regulatory obligations, traffic volume, and technical resources. OneTrust and TrustArc lead at the enterprise level, Cookiebot and Usercentrics suit European SMBs and mid-market sites, Didomi fits API-led multi-channel teams, and InMobi CMP is the leading free option for publishers.
What is the best enterprise CMP?
OneTrust and TrustArc are the leading enterprise CMPs. OneTrust offers the broadest privacy operations suite, including data mapping, vendor risk management, and DSARs, with more than 300 integrations. TrustArc pairs consent management with deep regulatory intelligence across GDPR, CCPA/CPRA, LGPD, and PIPL. Both use custom enterprise pricing.
What is the best free CMP?
InMobi CMP (formerly Quantcast Choice) is the most widely used free CMP. It has no page-view limits, supports IAB TCF 2.3, and manages over 500 Google-certified and 800 IAB-registered vendors. It is built for ad-supported publishers that need TCF compliance without a premium platform. Cookiebot also offers a free tier for single-domain sites up to 50 pages.
What is the difference between a CMP and Reflectiz?
A CMP captures intent. Reflectiz proves execution. The CMP presents banners, records consent, and passes preferences to your stack. Reflectiz observes real browser behavior in production to verify whether your scripts actually honor that consent, flagging trackers that fire before consent, ignore Reject All, or send data to undisclosed vendors.
What is web privacy validation?
Web privacy validation is the practice of verifying real website behavior in production to confirm that data collection and sharing match user consent and privacy regulations, not just configuration. It involves simulating real user journeys across every consent state to observe which scripts run, what data they access, and where that data goes.
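The check described in this answer, as an added example (not Reflectiz's code or any CMP's API): requests captured under each consent state are compared with a declared vendor inventory, flagging scripts that fire outside their consent category and hosts that are not declared at all. The domains, consent-state names, categories and the capture itself are constructed for illustration.

```javascript
// Added example with constructed data; all names here are hypothetical.
// Categories a visitor has granted in each simulated consent state.
const GRANTED = {
  "pre-consent": new Set(["necessary"]),
  "reject-all": new Set(["necessary"]),
  "analytics-only": new Set(["necessary", "analytics"]),
  "accept-all": new Set(["necessary", "analytics", "marketing"]),
};

// Declared vendor inventory: domain -> consent category from the cookie policy.
const DECLARED = new Map([
  ["cdn.example", "necessary"],
  ["metrics.example", "analytics"],
  ["adpixel.example", "marketing"],
]);

const FIRST_PARTY = "shop.example";

// Match on a label boundary so "evilmetrics.example" does not inherit
// the classification of "metrics.example".
function declaredCategory(host) {
  for (const [domain, category] of DECLARED) {
    if (host === domain || host.endsWith("." + domain)) return category;
  }
  return null;
}

// capture: [{ state, url }] as recorded by a browser run per consent state.
function findViolations(capture) {
  const findings = [];
  for (const { state, url } of capture) {
    const granted = GRANTED[state];
    if (!granted) throw new Error(`unknown consent state: ${state}`);
    const host = new URL(url).hostname.toLowerCase();
    if (host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY)) continue;
    const category = declaredCategory(host);
    if (category === null) {
      findings.push({ state, host, reason: "undisclosed-vendor" });
    } else if (!granted.has(category)) {
      findings.push({ state, host, reason: `fired-without-${category}-consent` });
    }
  }
  return findings;
}

// Constructed capture: one request per line, tagged with the consent state.
const CAPTURE = [
  { state: "pre-consent", url: "https://shop.example/checkout" },
  { state: "pre-consent", url: "https://static.cdn.example/app.js" },
  { state: "pre-consent", url: "https://t.metrics.example/collect?uid=1" },
  { state: "reject-all", url: "https://adpixel.example/p.gif?e=view" },
  { state: "analytics-only", url: "https://t.metrics.example/collect?uid=1" },
  { state: "analytics-only", url: "https://sync.fourthparty.example/m" },
  { state: "accept-all", url: "https://adpixel.example/p.gif?e=view" },
  { state: "accept-all", url: "https://evilmetrics.example/x" },
];

const FINDINGS = findViolations(CAPTURE);
console.log(FINDINGS);
```

An undeclared host is reported in every state, including accept-all, because consent to a category cannot cover a vendor the policy never names.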