Tag and cookie consent management is in many ways the OG of website privacy compliance. Beginning in the mid-2010s, with updates and enforcement activity for the ePrivacy Directive in Europe, the world was introduced to the (often annoying) concept of “cookie banners”. The technology behind these cookie banners? Consent Management Platforms (CMPs). While many organizations have already implemented a CMP due to requirements for GDPR, CCPA, and other global regulations, a recent uptick in enforcement focus for tag/cookie consent as well as progressively stricter regulatory requirements in the United States have many organizations realizing their CMP architecture is lacking.
A sound CMP architecture is critical as it manages the user’s consent experience (important for fostering trust and getting user consent for tracking) as well as provides consent signals for the execution of tags and pixels (important to properly manage tags to respect user consent choices). All of this starts with having the right tool for the job. Luckily, this buying guide is here to help! Let’s explore some considerations when selecting a CMP, as well as some of the more widely adopted tools in the market.
What to consider when selecting a CMP?
There are many CMP options in the market with a wide variety of features and functionalities available. At this point, table stakes for all platforms are templated banner experiences with at least a moderate level of customization available to match a website’s brand preferences as well as maintenance of records of tag/cookie consent. Beyond these common features, CMPs can vary widely in their capabilities, ease of use, as well as integrations or functionality to support a privacy program more broadly. A few key considerations to keep in mind when doing any evaluation:
What level of support am I expecting from the vendor?
Different CMPs take very different approaches as it relates to both implementation support as well as ongoing support. Some platforms offer documentation and limited technical support while others offer comprehensive support for tag/cookie policy definition as well as configuration to respect said policy. Evaluate where you are in your privacy program maturity and select a solution with either direct managed support or third-party vendor support to sufficiently meet your needs.
How and where am I managing the marketing consent experience (i.e. records of consent when users provide persistent identifiers such as via a form submission or transaction)?
Tag and cookie consent is a foundational aspect of the broader consent management process—but it is just one aspect. Organizations also need a system to manage consent for things like marketing communications and using persistent identifiers provided through form submissions, registrations, and purchase funnels. The CMP (and device identifier consent for data collection via tags and pixels) should integrate with the broader consent management system. For some organizations, you may want to manage all of this in one platform, in which case ensure the CMP chosen has sufficient functionality for both. For other organizations, you may want to manage this via integration, in which case look for automatic build-in integrations and/or API support.
How do I manage additional aspects of my privacy platform?
More and more organizations that we work with are looking to consolidate the various technologies used to support the different components of their privacy program. If this is you, look for additional modules for things like DSR process and fulfillment, data mapping, and third-party risk management functionality alongside the CMP.
What is the level of effort required to implement the CMP? Consider both the CMP implementation as well as the configuration of tags and pixels to respect consent signals from the CMP.
While many CMPs will tout their auto-blocking functionality to automate the blocking of tags/pixels responsible for data collection and cookie placement, we have found that auto-blocking can lead to many dangers in reliable data collection. Put simply, for organizations with at least a moderately complex data collection architecture, it is not recommended. Instead, you will need to configure tags in your Tag Management System (or page source of the website) to load according to indications of consent provided by the CMP. Different CMPs provide these consent signals in different ways—from providing an indication in a data object on the page to storing the indication in a cookie. There are advantages and disadvantages to managing tags using each type of consent signal. Make sure that you understand not just the technical requirements for configuration of the CMP but also the technical requirements for the management of tags according to the CMP’s consent signals and if they will be sufficient for your situation.
Once you’ve collected requirements and considered these questions, now it’s time to start looking! Here’s a review of the more widely adopted CMPs to get started:
OneTrust (https://www.onetrust.com/)
Summary
OneTrust, the leader in comprehensive privacy compliance platforms from an adoption perspective, initially entered the market with a cookie consent solution. They now offer an expanded range of solutions to support a complete privacy program. Features include automated data mapping functionality, consent experience and management, risk assessment workflow management, automation of DSR processes, and incident response support.
Primary Value Propositions
Use Data & AI, Responsibly.
Our platform empowers you to collect, govern, and use data with complete visibility and control. We help you streamline risk management, enforce compliance, and optimize data strategies for innovation—all while meeting regulatory and customer demands.
Privacy Program Components Supported
- Risk assessment
- Data mapping
- Notice and disclosure
- Cookie compliance
- Consent compliance
- Data subject requests
- Information security protections
- Incident response
Tag/Cookie Consent Details
Banner experience
OneTrust offers both default consent banner experiences as well as many options for customization.
Core Features
Cookie scanning to auto-populate notices, consent management dashboards to analyze user interactions with the banner, and integrations with the broader consent module to maintain records of consent and pass those to other connected platforms.
Pricing model
OneTrust started with a site-based model for their cookie consent functionality. In some cases, for smaller organizations, there may still be a site-based pricing model. For most, the pricing model is now based upon the number of requests (i.e. number of times a banner experience is loaded). Pricing can vary widely depending upon bundling options with other OneTrust modules as well as the number of sites and site traffic. Receiving a specific quote requires the interaction with a member of the OneTrust sales team.
User Reviews
Generally, the OneTrust CMP is considered the most flexible, especially for larger enterprises managing multiple websites, different consent experiences, and different regulatory requirements for tag/cookie consent. Some users have reported challenges with the complexity of implementation as well as challenges with the level of support provided directly from OneTrust.
From a technical tag management perspective, there are several methods available to configure tags/pixels to respect the consent signals as indicated by OneTrust. The multiple options provide a lot of flexibility depending upon your Tag Management System and tagging architecture.
Osano (https://www.osano.com/)
Summary
Osano is a comprehensive platform with the functionality to facilitate all areas of a privacy program; however, it does not have the functionality for security protections or incident response. Osano is heavily focused on the privacy user, with the functionality primarily used for market penetration being tag/cookie consent. Osano features automate various workflows for a privacy program: data discovery, data mapping, and the DSR process and execution. Additionally, Osano provides templates for legal language. Osano also offers in-house managed services for privacy program management and legal guidance.
Primary Value Propositions
Increase trust. Stay compliant. Do the right thing.
Compliance doesn’t have to be complex. The Osano data privacy management platform supports, streamlines, and automates compliance in your organization—without the stress.
Privacy Program Components Supported
- Due diligence
- Risk assessment
- Data mapping
- Notice and disclosure
- Cookie compliance
- Consent compliance
- Data subject requests
Tag/Cookie Consent Details
Banner experience
Osano offers easy-to-implement consent banner templates along with multiple design options.
Core Features
Cookie scanning to auto-populate notices, compliance dashboards, and integration capabilities with other platforms to pass along records of consent.
Pricing Model
Osano’s offerings start with a free self-service cookie consent solution for a single domain and limited monthly visitors. There is an additional self-service cookie consent solution for small organizations for $199/month. Primary packages (which most organizations would need considering the traffic restrictions in the self-service tier) are bundles that include cookie consent along with additional value-add functionality at each progressive tier. Pricing for these packages requires a demo and discussion with the Osano sales team to customize for each organization.
User Reviews
Reviews from Osano users highlight the ease of setup as well as the value received with their range of ongoing support options. Some drawbacks cited include challenges with ‘advanced’ customization and features.
TrustArc (https://trustarc.com/)
Summary
The TrustArc platform is a comprehensive privacy program management solution marketed towards privacy teams. It began with cookie consent functionality but has grown to include full privacy program management, offering substantial workflow management capabilities and automated data discovery to aid data mapping and categorization.
Primary Value Propositions
Privacy compliance, custom-crafted for your business.
Forge a global privacy program that elevates compliance through automation and strengthens customer trust.
Privacy Program Components Supported
- Risk assessment
- Data mapping
- Notice and disclosure
- Cookie compliance
- Consent compliance
- Data subject requests
Tag/Cookie Consent Details
Banner Experience
TrustArc offers flexible and customizable consent banners that can be tailored to each organization’s needs.
Core Features
Tag/cookie consent, scanning for auto-categorization of cookies and trackers present on a website, auto-blocking of tags, dashboards to analyze banner interactions.
Pricing Model
Pricing for TrustArc varies widely depending upon the solutions bundled and contracted. Quotes are specific to each organization and require a discussion with a sales representative.
User Reviews
In reviews, users have cited the breadth of features and functionality available from the tool not just for tag/cookie consent but also across the other modules for privacy program management. In line with this, the drawbacks cited are primarily focused on complexity in navigating the tool and getting each of the modules configured.
Ketch (https://www.ketch.com/)
Summary
Ketch is a comprehensive platform designed to assist with all aspects of data collection from websites and applications. Its functionality includes automated data mapping, risk assessment workflows, consent management, and DSR intake to fulfillment automation. The primary market penetration product is the consent management functionality, with additional features available with their “Pro” enterprise/mid-market solution.
Primary Value Propositions
Sophisticated privacy compliance, simplified.
You can’t support modern requirements and responsible data initiatives with legacy, old-school tools. Ketch is next-generation privacy software for data-driven brands.
Privacy Program Components Supported
- Risk assessment
- Data mapping
- Cookie compliance
- Consent compliance
- Data subject requests
Tag/Cookie Consent Details
Banner Experience
Ketch provides dynamic consent banner templates with customization options to match organization branding.
Core Features
Tag/cookie consent, user-friendly application experience, reporting dashboards, and integration with other in-platform privacy program modules.
Pricing Model
Ketch’s packages start with a free tier for very low-traffic single websites with standard pricing up to the “Plus” package at $333/month (billed annually) for high-traffic single domains. “Pro” pricing for multiple sites, medium-to-enterprise brands, and additional feature bundles is custom per organization and requires a demo and discussion with a sales representative for a custom quote.
User Reviews
In reviews, users cite the well-designed and intuitive user experience, while drawbacks focus on limited integrations with existing platforms as well as some challenges in configuration for larger enterprises.
Cookiebot (https://www.cookiebot.com/)
Summary
Cookiebot, now rebranded and a part of Usercentrics’s product portfolio, is a consent management specific solution leveraged by many small websites via Wix and WordPress plugins. The tool has a marketing/advertising focus and focuses primarily on automatic consent management via auto-blocking functionality.
Primary Value Propositions
Your Path to Effortless Website Privacy Compliance.
Gain peace of mind. Achieve privacy compliance with an easy-to-use, automated and reliable consent solution for the GDPR and ePrivacy, Digital Markets Act (DMA), CCPA/CPRA and more.
Privacy Program Components Supported
- Cookie compliance
Tag/Cookie Consent Details
Banner Experience
Cookiebot offers pre-made banner templates with some customization features to match website branding.
Core Features
Automated cookie scanning for auto-classification and blocking, consent experience management, reporting features for banner interaction tracking.
Pricing Model
Positioned more for small- to medium-size organizations, Cookiebot offers standard price packages on a per-website model, which range from free (one domain, limited pages, limited functionality) to $50/domain/month for “Premium Large” (more than 3500 pages and all features).
User Reviews
Users often cite as positives the platform’s ease of use, but there are some concerns with limitations on customization and broader privacy program support capabilities.
From a technical perspective, Cookiebot primarily relies upon auto-blocking functionality. While this can simplify the management process as there is less of a need to configure tags/pixels to respect consent in a TMS or on a webpage, we have seen many challenges in data collection when auto-blocking functionality is used. For any organization with more than a small number of tags/pixels and a more advanced data collection architecture, challenges stemming from this type of functionality are to be expected.
Didomi (https://www.didomi.io/)
Summary
Didomi is an EU-based CMP that offers solutions for consent management, DSR process flow, compliance monitoring, and user preference management for consent. Unique to their suite of solutions are platform-specific consent tools for websites, CTV, and mobile applications.
Primary Value Propositions
Easy compliance, great experiences.
Access leading data privacy and consent solutions for global brands and publishers.
Privacy Program Components Supported
- Notice and disclosure
- Cookie compliance
- Consent compliance
- Data subject requests
Tag/Cookie Consent Details
Banner Experience
Customizable templates are offered for both an out-of-the-box solution as well as branding customizations.
Core Features
Multi-language support, APIs for integration with marketing platforms to pass consent indications, reporting analytics for banner interactions.
Pricing Model
Pricing for Didomi is dependent upon package bundles beginning with “Consent Essentials” through the “Privacy UX Plus” offering. Bundles differ in the progression of inclusion of features such as the privacy governance monitoring solution, notice template availability, and contracting of privacy preference center functionality. All quotes are custom for each organization and require a discussion with a Didomi sales representative.
User Reviews
In reviews, users often cite the ease of customization for various portions of the consent experience with drawbacks mostly focused on a lack of comprehensive support.
Conclusion
In the end, user consent on the website is critical to optimally collecting data to better understand user behavior, understand advertising campaign effectiveness, segment consumers for experience optimization and personalized advertising, and to power emerging AI initiatives. Often overlooked by organizations is the fact that the consent experience is the first consumer touchpoint you have with consumers on your website! It is imperative to have the right CMP in place to support the responsible collection and use of user data.
Always remember, it doesn’t stop there! Yes, the CMP manages the user’s consent experience, maintains records of consent, and integrates with other platforms to pass consent indications. But, there are additional configuration needs to ensure that all tags and pixels on your website are configured properly to only load when consent signals are provided by the CMP. This is the core reason for many of the enforcement actions and private litigation actions brought for non-compliance with consent requirements. Ensure your organization has the right CMP in place for your needs and the broader data collection architecture is properly configured to mitigate privacy compliance risk and optimize data collection.
