
A 2024 Ranking of Top Cookie Banner (Consent Management Platform) Solutions

· 22 min read
Aleksandar Vucenovic
Chief Growth Officer

  • I ranked the top Cookie Banners (Consent Management Platforms or CMPs) based on my own ranking criteria.
  • The top CMPs are Cookiebot, Cookie Script and OneTrust.
  • Read the ranking of all analyzed CMPs and the criteria in this article.

Jump to the ranking by following this link: CMP Ranking

Who is this blog post written for?

  • Website owners who want to choose the right CMP for their website.
  • Developers who want to integrate a CMP into a customer's website.
  • CMP developers who want to improve their CMP.
  • Readers who are curious what scoring and ranking a CMP could look like.

Why I ranked CMPs

Simply said: Because I wanted to find out which CMPs are easiest to implement and maintain with a tracking code manager like our Pixel Manager.

It's been several years since I started adding support for various Consent Management Platforms (CMPs) in the Pixel Manager natively (supported CMPs). The logic is simple. The Pixel Manager is not a CMP, it is a tracking code manager. That's what the Pixel Manager is really good at. Today it is a requirement in many regions to manage visitor consent in a legally compliant way. That's what CMPs are for.

But, the Pixel Manager is not a CMP. Developing and maintaining a CMP in a compliant way is a huge task by itself. It requires a different set of skills and resources. That's why I decided not to develop a CMP, but to support the best and most popular CMPs on the market.

Over the years I've accumulated a lot of experience adding support for several CMPs into the Pixel Manager. I've seen the good, the bad and the ugly. I've seen CMPs that are easy to integrate and work well, and I've seen CMPs that are a nightmare to integrate and don't work well.

At minimum, I will provide a list of the criteria I used to rank the CMPs, so you can make your own ranking and an informed decision about which CMP is best for your use case.

I hope that this ranking will help you choose the right CMP for your website.

What this article is NOT about

  • This article is not about the legal requirements of a CMP. I am not a lawyer and I don't give legal advice. I am a tracking code manager developer and I give technical advice.

  • This article is not a judgement on whether certain consent categories make sense. Some categories have become a quasi standard, like "statistics", "marketing", "preferences" and "necessary". These might have their roots in the interpretation of the GDPR cookies policy. Whether they make sense is not a question this article answers. The article only focuses on how easy it is to implement and maintain a CMP with these categories.

Ranking criteria

There are two main types of consent. Category based consent and vendor based consent. What do I mean by that?

  • Category based consent: The website uses multiple tracking pixels. Each tracking pixel, such as Google Analytics or Facebook Ads, is assigned to a category. For Google Analytics that would be "statistics" and for Facebook Ads that would be "marketing". The visitor can then choose to allow or disallow each category. If the visitor allows the "statistics" category, the Google Analytics pixel is loaded, along with all other statistics pixels. If the visitor disallows the "marketing" category, the Facebook Ads pixel is not loaded, and neither are any other marketing pixels. This is category based consent.

  • Vendor based consent: The website uses multiple tracking pixels. Each tracking pixel is from a vendor. The visitor can then choose to allow or disallow each vendor. If the visitor allows Google Analytics, only the Google Analytics pixel is loaded. If the visitor disallows Facebook Ads, only the Facebook Ads pixel is not loaded. This is vendor, or pixel based consent.

Category based consent is the most common type of consent. It is the most user-friendly type of consent. And it is the easiest one to implement with a tracking code manager like the Pixel Manager or the Google Tag Manager. That's why I prefer category based consent.

Vendor based consent is very difficult to implement with a tracking code manager. It is not necessarily the first time setup that's difficult, but the maintenance and the changes are. You see, website managers often add and remove tracking pixels. With vendor based consent you have to update the CMP and the tracking code manager every time, and test if everything works correctly. This is a lot of work and a lot of room for errors.

There is the question if vendor based consent might be required to be compliant with the GDPR. I personally don't think so (but don't take this as legal advice). Here are a few facts that help you make your own decision:

  • The GDPR requires that the visitor gives informed consent: GDPR on consent

    The GDPR policy states that the visitor must be informed what data is collected, through which tracking pixel and for what purpose. But it doesn't state that there is a requirement to be able to give consent for each vendor separately. So categorizing the tracking pixels, letting the visitor know which vendor belongs to which category and letting the visitor choose which category to allow or disallow is compliant with the GDPR.

  • There are many very popular and certified CMPs that only support category based consent. This means that the CMPs with category based consent are compliant with the GDPR, such as Cookiebot or OneTrust.

    • List of Google certified CMPs: Source
    • List of IAB certified CMPs: Source

While it is not wrong to use vendor based consent, I think that category based consent is the much better choice. It is more user-friendly, easier to implement and maintain and it is compliant with the GDPR.

Standardized categories

When CMPs standardize the categories, it is much easier to implement the tracking pixels and the consent logic in a tracking code manager. This is because the tracking code manager can be pre-configured with the standardized categories. This is a huge time saver and reduces the risk of errors.

Having implemented more than 10 CMPs in the Pixel Manager (and analyzed close to 20), I can tell you that not all CMPs have standardized the categories. This can be a pain point.

Most CMPs now use 4 different types of categories:

  • Statistics: Tracking pixels that set cookies for statistics and analytics, such as Google Analytics.
  • Marketing: Tracking pixels that set cookies for marketing purposes, such as Facebook Ads.
  • Preferences: Website features that set cookies to remember the visitor's choices, such as the language.
  • Necessary: Website features that set necessary cookies for the website to work properly, such as the login state.

Some CMPs use different names for these categories. That's not a big deal. That's easy to map.

But, some CMPs don't support all of these categories. They may not support the "preferences" category.

Other CMPs offer more categories that feel arbitrary and unnecessary.

Such deviations make it harder to implement a standardized consent logic in a tracking code manager.

I like CMPs that use the four standardized categories statistics, marketing, preferences, and necessary.

Google is usually leading the way with the standardized categories. They now added more categories with the Google Consent Mode v2, which give a bit more granular control. It would be great if CMPs would either support the 4 standardized categories and/or the Google Consent Mode v2 categories.

Script auto blocking

Some CMPs offer the option to block tracking scripts before the visitor has given consent. This is a very important feature and I think every CMP should support it. Without it, the tracking scripts run before the visitor has given consent. That would be a violation in some regions, for example for visitors from the European Union (GDPR).

There are several components of this feature that I want to discuss here:

Who blocks

  • Why not just use the Pixel Manager for that? The Pixel Manager can only block tracking scripts that are added through the Pixel Manager. It can't block tracking scripts that are added directly to the website. That's why it is important that the CMP has a way to block tracking scripts that are added directly to the website.

  • Why not just use the CMP auto-blocker for all tracking scripts? The CMP auto-blocker can only block or unblock the tracking code manager itself (the Pixel Manager in our case), but it can't block or unblock the tracking scripts separately that are added through the tracking code manager.

So a combination of both, the CMP auto-blocker and the tracking code manager's blocking mechanism is required for the best result.

How to block

A CMP can block tracking scripts in several ways:

  • HTML script tag adjustment: The CMP changes the HTML output and changes the <script> tag into an invalid <script> tag. One way is by adding an incompatible script type attribute like text/plain to the <script> tag which then looks like this <script type="text/plain">.

    The browser won't execute the script because it doesn't know how to handle the script type. This is a very effective way to block the script. Unblocking is done through some JavaScript and is very easy and reliable.

  • Pure JavaScript blocking: Some CMPs use just JavaScript to block the tracking script execution. They require that the CMP code is loaded before all other script tags and then block the tracking script execution on the fly. This works, but has disadvantages.

    Modern browsers prefetch the scripts before any JavaScript is executed. This means that the tracking script vendors already get visitor information before consent is given.

    You really need to make 100% sure that the CMP script is always loaded before any other script. There are plugins that may load scripts with a higher priority than the CMP script, which would place them above the CMP script and avoid the blocking.

    So, this method comes with a higher risk of errors.

CMPs that are added to the website through a plugin and adjust the <script> tags in the HTML output are the most reliable way to block tracking scripts. This approach is also the most reliable way to exclude tracking code managers like the Pixel Manager from the blocking.

Disable auto blocking for the tracking code manager

To make sure that the Pixel Manager (or any tracking code manager) works properly with a CMP that uses script auto blocking, the CMP should offer a way to exclude the tracking code manager script from being blocked. This is important because the Pixel Manager, as a tracking code manager, should never be blocked. Only if the Pixel Manager loads and reads the CMP consent can it decide which tracking scripts to load or block.

There are several ways how the CMP can exclude the Pixel Manager script from being blocked:

  • CMP Settings: Settings in the CMP that allow you to exclude certain scripts from being blocked.

  • Comment based: Add a comment above and below the tracking code manager script that the CMP recognizes and excludes from being blocked.

    A comment based exclusion looks like this:

      <!-- CMP exclude start -->
      <script src="//example.com/app.js"></script>
      <!-- CMP exclude end -->

  • Script tag attribute based: Add a script tag attribute to the tracking code manager script that the CMP recognizes and excludes from being blocked.

    A script tag attribute based exclusion looks like this:

      <script data-cmp-exclude src="//example.com/app.js" ></script>

    or this:

      <script data-cmp-exclude="true">
      // Pixel Manager script content
      </script>

  • WordPress filter: Add a pattern to a WordPress filter, offered by the CMP, that excludes the tracking code manager script from being blocked.

    A good filter based exclusion offers a way to add any type of pattern that appears in the script tag or within the script.

    A filter based exclusion looks like this:

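      add_filter('cmp_exclude_script', function ($patterns) {
          // Append patterns that identify the tracking code manager script.
          $patterns[] = 'example.com/app.js';
          $patterns[] = 'pmwDataLayer';
          // Return the extended array that was passed in.
          return $patterns;
      });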

From experience I can say, the most effective and efficient ways are script tag based attributes and WordPress filters. With those, the tracking code manager can set the exclusions itself programmatically. Because it doesn't require any manual intervention by the website owner, the error rate is much lower.

I prefer CMPs that offer the script tag based attribute and WordPress filter based exclusions.
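As an added example (not code from this article or from any CMP), the following JavaScript sketches what a plugin-side rewriter does to the HTML output: executable <script> tags become type="text/plain", while the comment, attribute and pattern based exclusions described above are honoured. The marker text and data-cmp-exclude are the article's placeholders; data-cmp-type, the function names and the sample page are assumptions, and the regex matching is a simplification of real HTML parsing.

```javascript
// Added illustration, not a real CMP's code. The comment markers and
// data-cmp-exclude are the article's placeholders; data-cmp-type is assumed.
const START = '<!-- CMP exclude start -->';
const END = '<!-- CMP exclude end -->';
// Simplified tag matching: assumes no ">" inside attribute values.
const SCRIPT_RE = /<script(\s[^>]*)?>([\s\S]*?)<\/script\s*>/gi;
const TYPE_ATTR = /\stype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Types a browser executes. Anything else (JSON-LD, templates) is already inert.
const EXECUTABLE = /^(|module|text\/javascript|application\/javascript)$/i;

function rewriteFragment(fragment, excludePatterns) {
  return fragment.replace(SCRIPT_RE, (whole, attrs = '', body) => {
    // Attribute based exclusion.
    if (/\sdata-cmp-exclude(?=[\s=]|$)/i.test(attrs)) return whole;
    // Pattern based exclusion: a substring match on the tag or its content, so
    // patterns must be specific. Empty patterns are ignored (they match everything).
    if (excludePatterns.some((p) => p && whole.includes(p))) return whole;
    const m = TYPE_ATTR.exec(attrs);
    const type = m ? (m[1] ?? m[2] ?? m[3]).trim() : '';
    if (!EXECUTABLE.test(type)) return whole;
    // Keep the original type so the unblocking script can restore it later.
    const saved = type ? ` data-cmp-type="${type}"` : '';
    return `<script type="text/plain"${saved}${attrs.replace(TYPE_ATTR, '')}>${body}</script>`;
  });
}

function blockScripts(html, excludePatterns = []) {
  let out = '';
  let pos = 0;
  while (pos < html.length) {
    const start = html.indexOf(START, pos);
    if (start === -1) break;
    const end = html.indexOf(END, start);
    // An unterminated start marker exempts nothing: only the marker is copied.
    const stop = end === -1 ? start + START.length : end + END.length;
    out += rewriteFragment(html.slice(pos, start), excludePatterns) + html.slice(start, stop);
    pos = stop;
  }
  return out + rewriteFragment(html.slice(pos), excludePatterns);
}

// Constructed sample page output (all URLs are made up).
const SAMPLE = [
  '<script src="https://tracker.example/pixel.js"></script>',
  '<script type="module" src="https://tracker.example/m.js"></script>',
  '<script data-cmp-exclude src="//example.com/app.js"></script>',
  '<script>window.pmwDataLayer = {};</script>',
  START,
  '<script src="//example.com/manager.js"></script>',
  END,
  '<script type="application/ld+json">{"@type":"Thing"}</script>',
].join('\n');

function demo() {
  return blockScripts(SAMPLE, ['pmwDataLayer']);
}

console.log(demo());
```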

The Google Consent Mode has become an integral part of the Google services to track visitors in a compliant way. It allows tracking visitors with cookies and, when cookie consent is removed, falls back to a cookie-less tracking method. It therefore depends on the consent of the visitor given through a CMP.

While a Google Consent Mode script is not a technical requirement to allow compatibility with a tracking code manager, it should be an integral part of any modern CMP. If a website owner doesn't want to integrate the Google Consent Mode through a tracking code manager, they should at least be able to integrate it through the CMP.

Since the Google Consent Mode can be implemented through the Pixel Manager or the Google Tag Manager, I have not given this criterion a high weight. But it is a good option to have.

More importantly, to make the CMP's Google Consent Mode work well with a tracking code manager like the Pixel Manager, the CMP should offer a way to disable the Google Consent Mode script. This is important because the Pixel Manager can handle the Google Consent Mode script itself, and duplicating that script would cause issues.

Some CMPs offer ways to disable the Google Consent Mode script:

  • CMP Settings: Settings in the CMP that allow you to disable the Google Consent Mode script.

  • WordPress Filter: Add a filter condition that disables the Google Consent Mode script in the CMP.

    A good filter based exclusion offers a way to add any type of pattern that appears in the script tag or within the script.

    A filter based exclusion looks like this:

        add_filter('cmp_disable_google_consent_mode', '__return_true');

I prefer CMPs that offer a WordPress filter to disable the Google Consent Mode script. This reduces the risk of errors and makes the integration more reliable.

Unfortunately I haven't come across a CMP that offers a filter to disable the Google Consent Mode script. So we must rely on the website owner to disable the Google Consent Mode script manually. In some cases I have found workarounds, but a native solution would be much better.

Even more important is that the CMP offers a way to update the Google Consent Mode consent. The Pixel Manager can do that itself, but it makes assumptions about the mapping of the categories. Since Google's Consent Mode offers more granular categories, it is best if the CMP can update the consent itself. The Pixel Manager will process the updated consent and adjust the tracking accordingly.

If a CMP offers Google Consent Mode updates through the gtag command, it ensures the highest level of compatibility with the Google Consent Mode.

Geo location restrictions

Not every region has the same requirements for consent. The European Union has the GDPR, which requires consent for tracking pixels. The United States has the CCPA, which requires an opt-out for tracking pixels. Other regions don't have any requirements at all.

As a website owner, when using tracking pixels, you want to measure as much as possible and at the same time be compliant with the law. This means that you want to show the CMP only to visitors from regions that require consent and possibly even have different settings for each of those regions.

To be able to do that, the CMP should offer a way to restrict the CMP to certain regions using geo location detection.

It is the only way to strike a good balance between measuring and compliance.

CMPs that offer geo location restrictions should be preferred.

Good documentation

Good documentation is key to a successful integration of a CMP (any software really), which is why I have given this criterion a high weight.

Good documentation should include:

  • Installation guide: A step by step guide how to install the CMP on your website.
  • Up to date: The documentation should be up to date with the latest version of the CMP.
  • Easy to read: The documentation should be easy to read and understand.
  • Comprehensive: The documentation should cover all aspects of the CMP.
  • Searchable: The documentation should be easy to search.
  • Examples: The documentation should include examples for common use cases.

I have seen a lot of documentation, so I know that it is possible to write documentation that is at the same time comprehensive, easy to read and easy to search. Any software developer should make the documentation a priority. It is one of the biggest selling points of good software, at least for me. Good documentation also shows that the developers care about the software's quality and the user experience. So I am much more forgiving if the software has an issue here or there, as long as the documentation is good.

I clearly prefer CMPs that offer good documentation.

Easy to hook JavaScript events

Setting the correct initial consent is only the first step that a CMP should do. When using a CMP in combination with a tracking code manager, the CMP should also be able to signal consent changes without having to reload the page. Reloading the page would be a bad user experience. And since it is possible to signal consent changes using JavaScript events, this is the preferred way.

The Pixel Manager for example is able to listen to such JavaScript events and load or adjust tracking scripts based on the consent given.

Unfortunately not all CMPs offer this convenient way to signal consent changes. Some CMPs don't emit JavaScript events at all and require a page reload to signal consent changes. Other CMPs emit JavaScript events, but don't signal the consent changes of the categories. Missing documentation made it really hard to find those JavaScript events. In the end, only a few of the analyzed CMPs emit JavaScript events with useful information and are well documented.

Having a CMP that emits JavaScript events with useful information and is well documented is a huge plus.
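The following added example (not code from the Pixel Manager or any CMP) ties together the consent change events described here and the Google Consent Mode updates through the gtag command described earlier: a listener maps the four categories to Consent Mode v2 signals and sends a consent update without a page reload. The event name, the event's detail shape and the category-to-signal mapping are assumptions; the signal names and the gtag consent default/update commands are Google's.

```javascript
// Added illustration. The event name, its detail shape and the mapping below
// are assumptions; the signal names are Google Consent Mode v2 parameters.
const CONSENT_EVENT = 'cmp:consent-changed'; // hypothetical event name

const SIGNALS = {
  statistics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  preferences: ['functionality_storage', 'personalization_storage'],
  necessary: ['security_storage'],
};

// Translate { statistics: true, marketing: false, ... } into Consent Mode
// signals. Only a strict boolean true grants; missing or odd values deny.
function toConsentMode(categories) {
  const safe = categories !== null && typeof categories === 'object' ? categories : {};
  const state = {};
  for (const [category, signals] of Object.entries(SIGNALS)) {
    const granted = category === 'necessary' || safe[category] === true;
    for (const signal of signals) state[signal] = granted ? 'granted' : 'denied';
  }
  return state;
}

// Same shape as the standard gtag snippet: push the arguments object.
function makeGtag(dataLayer) {
  return function gtag() {
    dataLayer.push(arguments);
  };
}

// Set denied defaults first, then forward every real change as an update.
function wireConsentMode(target, gtag) {
  const initial = toConsentMode({});
  let last = JSON.stringify(initial);
  gtag('consent', 'default', initial);
  target.addEventListener(CONSENT_EVENT, (event) => {
    const next = toConsentMode(event.detail);
    const key = JSON.stringify(next);
    if (key === last) return; // nothing changed, do not push a duplicate update
    last = key;
    gtag('consent', 'update', next);
  });
}

// Constructed run: in a browser the target would be window or document and
// the data layer would be window.dataLayer.
function demo() {
  const dataLayer = [];
  const target = new EventTarget();
  wireConsentMode(target, makeGtag(dataLayer));
  const event = new Event(CONSENT_EVENT);
  event.detail = { statistics: true, marketing: false, preferences: true };
  target.dispatchEvent(event);
  return dataLayer.map((args) => Array.from(args));
}

console.log(JSON.stringify(demo(), null, 2));
```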

Ironically, all CMPs must set a cookie to remember the visitor's consent. This cookie is required to remember the visitor's consent and to load or block the tracking scripts accordingly.

The consent cookie should be easy to read when a third party tool like a tracking code manager wants to read it. This means that the consent cookie should be set in a way that it can be read by JavaScript.

The range of how well this is implemented is huge. Here are a few problems that I have encountered:

  • Cookie names change over time: There is one CMP that has changed the cookie names several times over the past years. This is very difficult to track and maintain.
  • Cookie value names not standardized: There are CMPs that allow the website owner to choose the name of the cookies. Why? There is no benefit in that, and it makes it impossible to read the cookie value in a standardized way.
  • Cookie values are formatted in a way that is hard to decode: There are CMPs that format the cookie values in a way that is hard to decode. Using a JavaScript object with JSON.stringify() and JSON.parse() is an excellent way to store and read the consent cookie values. Why not use that?
  • Cookie values are different than the JavaScript event values: Yeah. One CMP uses different category names when storing the consent in the cookie than when emitting the JavaScript events. This is very confusing and makes it hard to implement the consent logic in a tracking code manager.
  • Cookie names change if the visitor changes the website language: One CMP sets a different cookie when a visitor changes the website language. Why? The consent is the same.
  • Different cookie logic for different versions of the same CMP: One CMP offers a free and a paid version. And the cookie logic is different for each version. This only makes it harder to implement. And I guess they get regular support tickets from users who switch from the free to the paid version (or vice versa) and wonder why the consent is not remembered.
  • One cookie for each category: Various CMPs set separate cookies for each category. This is not necessary. One cookie containing the consent information for each category is easy to implement and avoids a mess in the cookie storage.

CMP cookies should:

  • Use consistent cookie names over time
  • Use standardized cookie names
  • Use JSON stringified JavaScript objects as cookie values
  • Use the same category names in the cookie as in the JavaScript events
  • Use the same cookie name for all website languages
  • Use the same cookie logic for all versions of the CMP
  • Use one cookie for all categories

CMPs that follow all or most of these rules get a higher score (and more respect) from me.
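To show how a tracking code manager would read a cookie that follows these rules, here is an added example (not code from the Pixel Manager or any CMP): one cookie holding a JSON stringified object with the four category names, parsed so that a missing or malformed cookie means no consent. The cookie name cmp_consent, the value layout and the function names are assumptions.

```javascript
// Added illustration. The cookie name and value layout are assumptions: one
// cookie, URL-encoded JSON, keys equal to the four standardized categories.
const COOKIE_NAME = 'cmp_consent'; // hypothetical name
const OPTIONAL = ['preferences', 'statistics', 'marketing'];

// Find one cookie in a document.cookie style string by exact name.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Return the consent state. Anything that cannot be read cleanly is treated
// as "no consent", so a broken cookie never loads a tracking script.
function parseConsent(cookieString) {
  const denied = { necessary: true, preferences: false, statistics: false, marketing: false };
  const raw = readCookie(cookieString, COOKIE_NAME);
  if (raw === null) return { ...denied, source: 'default' };
  let data;
  try {
    data = JSON.parse(decodeURIComponent(raw));
  } catch (err) {
    return { ...denied, source: 'invalid' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ...denied, source: 'invalid' };
  }
  const consent = { ...denied, source: 'cookie' };
  // Only a strict boolean true grants a category; "true", 1 or "yes" do not.
  for (const category of OPTIONAL) consent[category] = data[category] === true;
  return consent;
}

// Constructed sample of what document.cookie could contain.
const SAMPLE_COOKIE =
  'lang=en; ' +
  COOKIE_NAME + '=' +
  encodeURIComponent(JSON.stringify({ necessary: true, preferences: true, statistics: true, marketing: false })) +
  '; theme=dark';

console.log(parseConsent(SAMPLE_COOKIE));
```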

Google Tag Manager template available

The Google Tag Manager offers a way to add custom templates for CMPs. It's like a small app that offers a standardized interface to integrate the CMP into the Google Tag Manager. It is a very convenient, user-friendly and reliable way to integrate a CMP into the Google Tag Manager.

While the Pixel Manager doesn't depend on Google Tag Manager templates, it is a good indicator that the CMP is well maintained and up to date.

And I write this ranking not only for users of the Pixel Manager, but for all website owners and developers. So I think it is a good indicator for you too.

Creating and adding such templates to the Google Tag Manager template gallery is quite easy. So it should be a priority of any good CMP to offer such a template.

While not a requirement for our Pixel Manager, offering a GTM template is a good indicator of a well maintained CMP.

Google certified CMP

Google offers a certification for CMPs. This certification is a good indicator that the CMP is compliant with not only Google requirements but more importantly with the GDPR and IAB Transparency and Consent Framework (TCF).

The list of Google certified CMPs can be found here.

Don't just take my word for it. This is a great third party quality indicator.

IAB certified CMP

The IAB also offers a certification for CMPs. This certification is a good indicator that the CMP has passed the IAB's compliance checks required by its CMP Compliance Programme.

The list of IAB certified CMPs can be found here.

This is another great third party quality indicator.

CMP Ranking

Click here to see the full ranking

The ideal CMP

The ideal CMP meets all the criteria I have listed above. It offers:

  • Category based consent
  • Standardized categories
  • Script auto blocking
  • Offers a programmatic way to disable auto blocking for the tracking code manager
  • Google Consent Mode script support
  • Offers a filter to disable Google Consent Mode script
  • Google Consent Mode consent updates
  • Geo location restrictions
  • Good documentation
  • Easy to hook JavaScript events
  • Easy to read consent cookie
  • Google Tag Manager template
  • Google certified
  • IAB certified

Conclusion

The top three CMPs are:

  1. Cookiebot
  2. Cookie Script
  3. OneTrust

After thoughts

I was surprised by how few installs high scoring CMPs like OneTrust have on wordpress.org, and by how many installs low scoring CMPs have, such as Cookie Compliance (by hu-manity.co) with over 1,000,000 installs.

The active install count on wordpress.org is not a good indicator for the quality of a CMP. The scoring that I developed helped me a lot to see the differences between the CMPs in a much more objective way.

I was also startled to see that many of the CMP providers seem not to care at all about the technical implementation of their CMP. It seems to me most of them are too focused on marketing and sales. In some cases it also seems they don't have a clear understanding of what a CMP should do. This is very concerning, because a CMP is a very important part of a website. A bad CMP and implementation may open your website up to legal risks and fines.

Luckily there is a handful that solves this really well. I hope that this ranking will help you to choose the right CMP for your website.