# Cookie Consent Vendors. Which One Actually Matches Your Legal Exposure

Nine consent vendors run about 90 percent of the banners on the internet. Each one sits at a different intersection of price, legal rigor, and site-speed impact. Here's which one fits which site.

Author: J.A. Watte
Published: April 21, 2026
Source: https://jwatte.com/blog/blog-consent-vendor-selection/

---

Every site that serves visitors from the EU, UK, California, or the 12 other US states with comprehensive privacy laws needs a consent banner. Which vendor you pick matters more than most site owners realize. The [WordPress + WooCommerce Audit](/tools/wordpress-woocommerce-audit/) and [Site Migration Capture](/tools/site-migration-capture/) both detect which vendor is running, because changing vendors mid-migration is a legal event, not a design event.

Nine consent vendors cover roughly 90 percent of the banners deployed on the open web. Here's the shape of each one.

## Cookiebot

The rigor choice. Owned by Usercentrics. Runs a monthly automated scan of your site to discover new cookies and categorize them. IAB TCF 2.2 compliant. Full audit log of every consent decision. Priced per-domain at around 10 to 30 euros a month for small domains, more for multi-domain.

Best for: B2B sites with a compliance-aware buyer. News sites that need to pass publisher ad-tech audits. Sites audited by their law firm quarterly.

Tradeoff: a heavy script that loads a 40-80 KB JS bundle. On a Core Web Vitals-sensitive site this is one of the three biggest speed hits you'll voluntarily install.

## OneTrust

The enterprise choice. Covers consent, privacy rights management, vendor risk, and data mapping in one suite. Pricing is seat-based and starts around 10,000 dollars a year. The banner itself is just the visible tip of a large compliance platform.

Best for: companies with a legal or privacy team, multi-jurisdiction operations, or regulated industries (healthcare, finance, education).

Tradeoff: overkill for a site that only needs a cookie banner. A ten-thousand-dollar-a-year SaaS to solve a five-minute legal problem is a bad fit for a small business.

## CookieYes

The small-business choice. Priced from free (up to 25,000 monthly page views) to about 10 to 30 dollars a month for mid-traffic sites. Offers the WordPress plugin that most small WP sites ship. Covers GDPR, CCPA, LGPD, POPIA.

Best for: SMB WordPress sites. Service businesses. Portfolio sites that technically need a banner but aren't ad-funded.

Tradeoff: the free tier isn't truly free of tracking; CookieYes itself logs consent events back to its platform. Read its DPA before assuming "free" means "nothing leaves your site."

## Complianz

The WordPress-native choice. Complianz is a WordPress plugin first and foremost. Self-hosted consent, meaning the consent decision never leaves your server. Pricing is per-site: free for basic, about 30 to 50 dollars a year for premium.

Best for: WordPress sites that value self-hosting. Sites that specifically don't want a third-party call in the consent flow. Developers who'd rather write a filter than file a support ticket.

Tradeoff: WordPress-only. If you're planning to migrate off WP, you're planning to replace Complianz.

## Borlabs Cookie

The German-market choice. German-authored, German-compliant, strongly focused on TTDSG (the German supplement to GDPR). Self-hosted like Complianz. Pricing around 39 to 99 euros a year.

Best for: German-language sites. Sites selling into DACH (Germany, Austria, Switzerland). Sites with a German data protection officer on staff.

## Iubenda

The all-in-one policy-and-banner choice. Generates the privacy policy, cookie policy, terms of service, and the consent banner as a single bundle. Pricing from free (with their branding) to around 10 to 30 dollars a month per site.

Best for: small sites that need both policy copy and the banner. Sites where the founder doesn't want to write privacy policy copy themselves.

Tradeoff: the banner is fine, but policy generation is the primary sell. If you already have policies, you're paying for something you don't need.

## Termly

Similar to Iubenda. US-focused. Policy generator plus banner plus cookie scanner. Pricing from free to around 10 dollars a month.

Best for: US-based SMB sites. Sites that want CCPA and US state-privacy law defaults rather than GDPR-first defaults.

## Cookie Script

The minimal-script choice. Lightweight client-side library, one of the smallest bundles in the category. Self-hosted option available. Pricing from free (1,000 monthly visitors) to about 10 dollars a month.

Best for: performance-sensitive sites where the consent banner is the single heaviest third-party script you can't remove. Sites that can trade compliance depth for speed.

Tradeoff: lighter on features. You get a banner, you get consent logging, you don't get a full compliance dashboard.

## Osano

The data-subject-rights choice. Strong DSAR handling, good Lighthouse scores (they optimized the script for Core Web Vitals), solid OneTrust alternative. Enterprise-tier pricing.

Best for: mid-market SaaS companies that have outgrown CookieYes but don't want OneTrust pricing.

## How to pick

Three questions narrow it down quickly:

1. What's your traffic tier? Under 25K monthly page views, CookieYes free or Cookie Script free is fine. 25K-500K, CookieYes paid, Complianz, or Osano. 500K plus, Cookiebot or OneTrust.
2. Do you need the policy copy too? If yes, Iubenda or Termly saves you a draft cycle.
3. Where are your buyers? EU-heavy: Cookiebot, Complianz, or Borlabs. US-heavy: CookieYes or Termly. Global: Cookiebot or OneTrust.

## The migration consideration

If you're migrating platforms, pick a consent vendor that works on the target platform before the migration, not after. CookieYes and Iubenda work across WP, Eleventy, Hugo, Astro, and Gatsby with a simple script tag. Complianz is WordPress-only. Borlabs is WordPress-only. OneTrust works everywhere but costs enterprise money.

## Related reading

- [WordPress + WooCommerce Audit](/tools/wordpress-woocommerce-audit/), detects which consent vendor is running
- [Site Migration Capture](/tools/site-migration-capture/), captures consent vendor during migration prep
- [Hosting + Indexing Health Checker](/blog/blog-hosting-indexing-health-checker/), the hosting-layer adjacent decision

## Fact-check notes and sources

- IAB Transparency and Consent Framework (TCF) 2.2 specification for the TCF-compliant vendor list.
- EU GDPR Art. 6 and ePrivacy Directive Art. 5(3) for the legal grounding of the consent requirement.
- California CCPA §1798.140 and the 12 state-level US privacy laws current as of April 2026.
- Vendor pricing captured from public pricing pages as of April 2026. Verify at vendor site before committing.

_This post is informational, not legal or compliance advice. Consent vendor selection depends on jurisdiction, data processing patterns, and buyer-privacy-risk specific to your business. Consult a qualified privacy attorney for binding guidance. Mentions of third-party vendors are nominative fair use. No affiliation is implied._


