Choosing a consent management platform means evaluating six things. They are compliance coverage, cookie scanning, the banner and consent record, setup fit, consent-signal accuracy, and real pricing. The two costliest mistakes are buying a banner plugin instead of a full CMP, and comparing sticker prices instead of 12-month cost.
This guide breaks down each criterion with the signals to look for and the red flags to avoid. It also gives the exact questions to ask a vendor, the mistakes buyers make, and a step-by-step evaluation process.
What Should You Look for in a Consent Management Platform?
A consent management platform (CMP) is evaluated on six criteria. They are compliance coverage, cookie scanning and auto-blocking, the banner and consent record, setup fit, consent-signal accuracy, and pricing. Get any one wrong and the tool either fails an audit or costs more than the price suggested.
Most buyers compare feature checklists instead of testing evaluation criteria. Every vendor claims "GDPR compliant," "easy setup," and "great support," so those words carry no signal on their own. The single biggest trap is confusing a cookie banner plugin with a full CMP. A banner shows a notice, but a CMP blocks scripts before consent and keeps an audit-ready record of every choice. If your shortlist candidate cannot pass both tests in a trial, it is not a CMP yet.
If you want to skip straight to a ranked shortlist, see our guide to the best consent management platforms.
How to Evaluate Compliance and Framework Coverage
Good compliance coverage means two things: the laws that apply to your visitors, and the ad-tech certifications that gate your ad revenue. "Supports GDPR" alone is not a certification and proves nothing.
What to look for
Evaluate compliance coverage against five specific signals, not a vague "GDPR compliant" claim.
- A template set that matches your visitors' laws: GDPR and ePrivacy for the EU and UK, CCPA and CPRA for California, LGPD for Brazil, and Law 25 for Quebec.
- A verifiable Google-certified CMP listing. Google has required a certified CMP integrated with IAB TCF to serve personalized ads in the EEA and UK since January 16, 2024, and in Switzerland since July 31, 2024.
- Current IAB TCF registration. Publishers running programmatic ads need IAB TCF v2.3 by February 28, 2026, to keep serving personalized ads in the EEA and UK.
- Google Consent Mode v2 support, mandatory since March 2024 for EU Google Ads and GA4 measurement.
- Equal-prominence Accept and Reject buttons on the first layer, the standard EU regulators (CNIL, EDPB) enforce against dark patterns.
Red flags to avoid
Four warning signs mean a vendor's compliance claims will not hold up under scrutiny.
- "GDPR-ready" marketing copy with no certification listing you can independently verify.
- A self-declared Consent Mode integration that is not backed by a Google CMP Partner listing.
- A Reject option buried behind an extra click or a second layer, while Accept sits on the first screen.
- One fixed template that does not switch between opt-in and opt-out by visitor region.
Questions to ask a vendor
Ask these three questions in a demo to separate real certification from marketing language.
- "Are you listed in Google's CMP Partner Program, and which IAB TCF version do you run?"
- "Does the banner serve opt-in to EU visitors and opt-out to California visitors automatically, based on location?"
- "How do you handle US state signals like Global Privacy Control?"
Getting compliance and certification wrong is not a minor gap. A platform that quietly loses its Google-certified status also loses your ability to run personalized ads in the EEA and UK. No warning tells you why revenue dropped.
How to Evaluate Cookie Scanning and Auto-Blocking
Good scanning means automatic, scheduled rescans with accurate categorization, plus genuine prior blocking: non-essential scripts stay dark until a visitor consents. The auto-block test is what actually separates a real CMP from a banner plugin.
What to look for
Four signals separate genuine scanning and blocking from a cosmetic banner.
- Automatic full-site scans on a recurring schedule, not a single one-time scan at signup.
- Accurate categorization into strictly necessary, functional, analytics, and marketing, with an unclassified bucket that stays genuinely small.
- Verified prior blocking. Open your browser's developer tools during a trial and confirm analytics and marketing scripts stay dark before you click Accept.
- Coverage for scripts added later through a tag manager, not just scripts present at the original scan.
Red flags to avoid
Watch for these four signs that scanning is thinner than it looks.
- Manual-only or one-time scans, with no recurring schedule included on your tier.
- Trackers that fire before the visitor makes a choice, meaning the banner shows but nothing actually blocks.
- A persistently large unclassified-cookie bucket the vendor never resolves.
- Daily or frequent rescans sold as a paid add-on rather than included.
Questions to ask a vendor
These three questions expose the gap between a demo and a real installation.
- "How often do you rescan my site, and is that frequency gated by plan tier?"
- "Can you show me, in a trial on my own site, that analytics and marketing scripts stay blocked until I click Accept?"
- "How do you catch a new tracking script I add through Google Tag Manager next month?"
I tested this distinction directly: a vendor's demo environment can look identical to a real CMP while the trackers underneath fire freely. The dev-tools test takes two minutes and exposes the gap every time.
How to Evaluate the Banner, Consent Record, and User Experience
A good banner is fully brand-customizable, accessible, and multilingual, and it is backed by a complete, timestamped, exportable consent record. That record is the audit proof a regulator actually asks for under GDPR Article 7.
What to look for
Five signals separate a real consent record from a banner with no memory.
- Layout, color, font, and CSS control with a live preview before publishing.
- Coverage for the languages your visitors actually use, not just English plus one or two others.
- WCAG 2.2 AA accessibility built in, not an afterthought.
- A preference center that lets a visitor accept or reject by category, instead of a single all-or-nothing choice.
- An exportable consent log storing timestamp, notice version, and the visitor's exact choice.
Red flags to avoid
These four gaps mean the banner is cosmetic, not compliant.
- A fixed banner template with no real styling control.
- A banner that displays a choice but stores no retrievable record of it.
- Multilingual support locked behind a higher-priced tier.
- No revisit or withdrawal control, so a visitor cannot change their mind later.
Questions to ask a vendor
Ask these three questions before you trust the consent log.
- "Can I export the full consent log, and which fields does the export include?"
- "How many languages come with my plan, versus how many require an upgrade?"
- "Is the banner WCAG 2.2 AA accessible without extra configuration?"
How to Evaluate Setup and Platform Fit
Good setup means guided install paths that match your stack, deployed in minutes rather than filed as an engineering ticket. A native plugin, a Google Tag Manager template, or a one-line script are the three realistic paths.
What to look for
Three signals show a vendor built real setup paths for your platform.
- A native plugin or app for your platform (WordPress, Shopify), or a clean one-line script plus a Google Tag Manager template if no native option exists.
- Documented setup guides for your specific CMS and analytics or ad tools.
- Multi-site management from a single account if you run several domains, plus white-label or client sub-accounts if you resell compliance to clients.
Red flags to avoid
Four signs mean setup will cost more engineering time than advertised.
- Code-only installation with no guided walkthrough.
- A "WordPress plugin" that turns out to be a thin wrapper around the same generic script.
- No multi-site dashboard for agencies managing more than one domain.
- No documented way to swap a domain when a client site changes.
Questions to ask a vendor
These three questions reveal how real the integration actually is.
- "Is your WordPress or Shopify integration a native directory plugin or app, or a generic script wrapper?"
- "Can I manage every client site from one login, and can I white-label the dashboard?"
- "How long does a typical install take, start to first live banner?"
How to Evaluate Consent Signals and Lifecycle Accuracy
This is the criterion buyers skip most often. A CMP must collect consent, pass it accurately to Google and ad-tech platforms, pass it fast, and manage the full lifecycle: renewal, withdrawal, and retention.
What to look for
Three signals confirm consent is actually reaching downstream systems, not just the banner.
- Correct signal passing to Google's
ad_storageandanalytics_storageparameters, and to ad-tech platforms via TCF or GPP. - Low consent-script latency, so the script loads and resolves before ad bidding starts.
- Automated renewal prompts on a 6 to 12-month cycle, instant withdrawal handling, and data-retention flags tied to the visitor's choice.
Red flags to avoid
Four gaps mean consent is collected but never enforced.
- Consent that is collected on the banner but never actually propagated to your analytics or ad platforms.
- A heavy consent script that visibly delays page load or hurts Core Web Vitals.
- No automated renewal, leaving stale consent records past the point they should expire.
- Withdrawal that does not actually stop downstream processing.
Questions to ask a vendor
These three questions test signal accuracy and speed, not just banner appearance.
- "How fast does your consent signal resolve on page load, and do you publish a benchmark?"
- "Do you support GPP for multi-state US signaling, alongside IAB TCF?"
- "How do you automate consent renewal and instant withdrawal?"
One Reddit thread about OneTrust captured this exactly. A slow consent script was reported to delay ad load enough to cost measurable revenue in regions where consent was legally required. A banner that looks fine and a signal that arrives too late produce the same lost revenue.
How Much Does a Consent Management Platform Cost?
Consent management platforms range from free, thin-featured tiers to enterprise contracts exceeding $10,000 a year. The factor that decides your real bill is how the vendor meters usage: by domain, subdomain, subpage, or pageview. Whether it auto-upgrades you without asking matters just as much.
Pricing models in the CMP market
Five pricing models dominate the CMP market, and each rewards a different kind of buyer. The example prices below are entry points as of 2026, verified on each vendor's own pricing page.
| Model | How it meters | Who it hurts | Typical entry price (2026) |
|---|---|---|---|
| Free or freemium | One domain, a low subpage cap | Anyone who outgrows the ceiling fast | $0, then roughly $10 a month (CookieYes) |
| Per-domain | A separate charge for every domain, including subdomains | Agencies running several client sites | About $16 to $34 per domain a month (Cookiebot) |
| Per-subpage | Price rises in bands as your site grows | Growing sites near a tier boundary | Tiered by page count (Cookiebot Lite to XLarge) |
| Per-visit or session | Price scales with monthly traffic or consent actions | High-traffic sites on a metered plan | Session-based custom pricing (Usercentrics, Osano) |
| Flat capacity | One price per domain-and-pageview bracket | Nobody; the predictable option | Low hundreds of dollars a year, all features |
| Enterprise quote-only | Custom pricing, often five figures a year | Small teams paying for capacity they do not need | $10,000-plus a year (OneTrust) |
Hidden costs and billing traps to watch for
Five hidden costs turn an attractive sticker price into a much larger bill.
- Subdomains billed as separate domains. Cookiebot's own pricing page confirms it treats
example.com,it.example.com, anduk.example.comas three different domains, not one. - Auto-upgrade at the billing cycle. Cookiebot automatically moves you to the next tier if a scan finds more subpages than your current plan allows, without asking first.
- Paid daily-scan add-ons. Cookiebot charges an extra 99 euros a month for scans more frequent than the default schedule.
- Trial expiry that disables the banner, which drops you out of compliance the moment the trial ends, not just out of features.
- Core capabilities like multilingual support, IAB TCF, or geotargeting gated to an upper tier instead of included from the start.
What drives your real total cost of ownership
Five factors decide your total cost of ownership beyond the advertised monthly price.
- How many domains and subdomains you run, and whether the vendor counts them separately.
- Your traffic or pageview volume against the plan's ceiling.
- Whether the features you need are bundled in from the start or gated to a higher tier.
- Implementation and language-setup time.
- The cost of a compliance gap if the cheap option fails you. GDPR fines reach up to 20 million euros or 4% of global turnover, whichever is higher, and CPRA penalties run $2,500 to $7,500 per violation. Cumulative EU GDPR fines already approach 6 billion euros.
Compare the real prices side by side across the market in our cookie consent tools comparison.
Common Mistakes When Choosing a Consent Management Platform
Three mistakes cost buyers the most. Buyers buy a banner plugin instead of a full CMP, compare sticker prices instead of 12-month cost, or assume any CMP makes them legally compliant. Each traces to a real buyer story, not a hypothetical.
- Buying a cookie banner plugin, not a CMP. A banner plugin shows a notice, but it often never logs consent or blocks a single script. Run the auto-block test from a trial and confirm you can export a consent log before you buy.
- Comparing sticker prices, not cost as you scale. One buyer described switching CMPs specifically because per-subdomain and auto-upgrade billing balloon later. Model your real domain, subdomain, and subpage count over 12 months before you compare a single monthly price.
- Assuming a CMP makes you legally compliant. Some vendors leave legal interpretation to you, and privacy law changes fast. Confirm exactly what the vendor maintains automatically versus what stays your responsibility.
- Ignoring the Google-certified and IAB TCF requirement. Skip this check and you can quietly lose the ability to run personalized ads in the EEA and UK. Verify the Google CMP Partner listing and the exact TCF version before you buy, not after.
- Skipping performance. A slow consent script delays ad load, hurts Core Web Vitals, and can cost measurable ad revenue in regions where consent is legally required. Benchmark the consent-string load time during your trial.
- Picking on demo polish, not a real trial. A sales demo is built to impress. Run your own trial on your own site with your own trackers and your own banner template, not the vendor's rehearsed script.
How to Evaluate a Consent Management Platform: A Step-by-Step Process
Evaluating a CMP properly takes one to two weeks across five stages. Define your requirements, build a shortlist, and run a structured trial. Then model your real cost and check support before you decide.
- Define your requirements before you look at tools. List the laws your visitors trigger, the platforms and ad-tech you run, and your realistic site or traffic count over the next year.
- Build a shortlist of 2 to 4 CMPs that clear your compliance and certification bar. Drop anything that fails the Google-certified or IAB TCF check immediately.
- Run a structured trial on your real site. Test prior blocking with dev tools open, export the consent log, customize the banner to your brand, and time the consent-string load.
- Model the 12-month cost at your real domain, subdomain, and pageview count, including any overage or auto-upgrade behavior the vendor discloses.
- Check support and confirm the maintenance split, meaning exactly what the vendor keeps current automatically versus what you own, then decide.
Why Consently Is a Strong Choice for Cost-Conscious Teams and Agencies
Applying the criteria above, Consently is a strong general choice for cost-conscious site owners and multi-site agencies. It bundles every feature into every plan and prices by capacity. Our own review methodology scores it 3.7 out of 5 overall.
How Consently handles cost as you scale
Consently prices by capacity. Basic runs $99 a year for one domain and 100,000 monthly pageviews. Premium runs $199 a year for five domains and 1,000,000 pageviews. Enterprise runs $499 a year for ten domains and 3,000,000 pageviews. Every feature is available on every plan, with no tier-gated features. Subdomains fall under your root domain instead of billing as separate domains. Consently also states plainly that it will not upgrade your plan or charge you more without your action. That is the direct antidote to the traps this guide warned about above.
How Consently handles compliance and ad-tech signals
Consently ships GDPR opt-in and CCPA opt-out templates with automatic geotargeting, plus Google Consent Mode v2 and IAB TCF 2.3 on every plan. Two honest limits worth naming: Consently's Google CMP Partner listing is still pending, and it does not yet support Global Privacy Control signal detection. Weigh these against the criteria above if certified-partner status or GPC handling is a hard requirement for your site.
How Consently handles setup and multi-site management
Installation runs through a one-line script, an official WordPress plugin, Google Tag Manager, or a head-script embed for Shopify, Wix, and Squarespace. Premium and Enterprise plans include a multi-site dashboard from one login, matching the setup criterion above for agencies managing several domains. The honest gap: there is no native Shopify app yet, and no separate client sub-accounts or white-label dashboard.
Pricing and free trial
All three tiers, Basic, Premium, and Enterprise, include a 14-day free trial with full feature access and no credit card required.
Start your free trial and run it through the evaluation process above.
FAQs
What is the most important factor when choosing a consent management platform?
Genuine compliance coverage plus certification, meaning a Google-certified CMP and current IAB TCF registration, matters most because it gates your ad revenue directly. Every other criterion is secondary if the tool cannot keep you legal and keep your ads running.
How long does it take to evaluate a CMP?
Plan one to two weeks: a few days to define requirements and build a shortlist. Then run a 3 to 7-day trial on your real site to test prior blocking, the consent log export, and script performance.
How much should a consent management platform cost?
Prices range from free, thin tiers to enterprise contracts above $10,000 a year. Most small businesses and agencies land in the low hundreds of dollars per year. What matters more than the sticker price is how the vendor meters usage: per-domain and per-subpage pricing scales far faster than flat, capacity-based pricing.
Do I really need a third-party CMP, or is a banner plugin enough?
A banner plugin shows a notice but usually does not block scripts, log consent, or pass certified signals to Google. If you run analytics or ads, you need a real CMP, not a banner. See our breakdown of whether you need a cookie banner at all if you are still unsure your site needs one.
What is cookie auto-blocking?
Cookie auto-blocking is when a CMP intercepts non-essential scripts at the code level and holds them until a visitor consents. Analytics and marketing trackers stay dark until Accept is clicked. It depends entirely on scan accuracy: a newly added or uncategorized tracker can slip past it, so review your scan reports regularly.
Is Consently a good consent management platform?
Yes, for cost-conscious site owners and multi-site agencies who want every feature on every plan at predictable pricing. It scores 3.7 out of 5 on our methodology, strongest on pricing and setup, with honest gaps in scanning track record and GPC support. See the full Consently review and scorecard for the complete breakdown.

