Every site that serves visitors from the EU, UK, California, or the 12 other US states with comprehensive privacy laws needs a consent banner. Which vendor you pick matters more than most site owners realize. The WordPress + WooCommerce Audit and Site Migration Capture both detect which vendor is running, because changing vendor mid-migration is a legal event, not a design event.
Nine consent vendors cover roughly 90 percent of the banners deployed on the open web. Here's the shape of each one.
Cookiebot
The rigor choice. Owned by Usercentrics. Runs a monthly automated scan of your site to discover new cookies and categorize them. IAB TCF 2.2 compliant. Full audit log of every consent decision. Priced per-domain at around 10 to 30 euros a month for small domains, more for multi-domain.
Best for: B2B sites with a compliance-aware buyer. News sites that need to pass publisher ad-tech audits. Sites audited by their law firm quarterly.
Tradeoff: heavy script, loads a 40-80 KB JS bundle. On a Core Web Vitals-sensitive site this is one of the top-three biggest speed hits you'll voluntarily install.
OneTrust
The enterprise choice. Covers consent, privacy rights management, vendor risk, and data mapping in one suite. Pricing is seat-based and starts around 10,000 dollars a year. The banner itself is just the visible tip of a large compliance platform.
Best for: companies with a legal or privacy team, multi-jurisdiction operations, or regulated industries (healthcare, finance, education).
Tradeoff: overkill for a site that only needs a cookie banner. Ten-thousand-dollar-a-year SaaS to solve a five-minute legal problem is a bad fit for small business.
CookieYes
The small-business choice. Priced from free (up to 25,000 monthly page views) to about 10 to 30 dollars a month for mid-traffic sites. Offers the WordPress plugin that most small WP sites ship. Covers GDPR, CCPA, LGPD, POPIA.
Best for: SMB WordPress sites. Service businesses. Portfolio sites that technically need a banner but aren't ad-funded.
Tradeoff: the free tier isn't truly free of tracking; CookieYes itself logs consent events back to their platform. Read their DPA before assuming "free" means "nothing leaves your site."
Complianz
The WordPress-native choice. Complianz is a WordPress plugin first and foremost. Self-hosted consent, meaning the consent decision never leaves your server. Pricing is per-site: free for basic, about 30 to 50 dollars a year for premium.
Best for: WordPress sites that value self-hosting. Sites that specifically don't want a third-party call in the consent flow. Developers who'd rather write a filter than file a support ticket.
Tradeoff: WordPress-only. If you're planning to migrate off WP, you're planning to replace Complianz.
Borlabs Cookie
The German-market choice. German-authored, German-compliant, strongly focused on TTDSG (the German supplement to GDPR). Self-hosted like Complianz. Pricing around 39 to 99 euros a year.
Best for: German-language sites. Sites selling into DACH (Germany, Austria, Switzerland). Sites with a German data protection officer on staff.
Iubenda
The all-in-one policy-and-banner choice. Generates the privacy policy, cookie policy, terms of service, and the consent banner as a single bundle. Pricing from free (with their branding) to around 10 to 30 dollars a month per site.
Best for: small sites that need both policy copy and the banner. Sites where the founder doesn't want to write privacy policy copy themselves.
Tradeoff: the banner is fine but the policy-generation is the primary sell. If you already have policies, you're paying for something you don't need.
Termly
Similar to Iubenda. US-focused. Policy generator plus banner plus cookie scanner. Pricing from free to around 10 dollars a month.
Best for: US-based SMB sites. Sites that want CCPA and US state-privacy law defaults rather than GDPR-first defaults.
Cookie Script
The minimal-script choice. Lightweight client-side library, one of the smallest bundles in the category. Self-hosted option available. Pricing from free (1,000 monthly visitors) to about 10 dollars a month.
Best for: performance-sensitive sites where the consent banner is the single heaviest third-party script you can't remove. Sites that can trade compliance depth for speed.
Tradeoff: lighter on features. You get a banner, you get consent logging, you don't get a full compliance dashboard.
Osano
The data-subject-rights choice. Strong DSAR handling, good Lighthouse scores (they optimized the script for Core Web Vitals), solid OneTrust alternative. Enterprise-tier pricing.
Best for: mid-market SaaS companies that have outgrown CookieYes but don't want OneTrust pricing.
How to pick
Three questions narrow it down quickly:
- What's your traffic tier? Under 25K monthly page views, CookieYes free or Cookie Script free is fine. 25K-500K, CookieYes paid, Complianz, or Osano. 500K plus, Cookiebot or OneTrust.
- Do you need the policy copy too? If yes, Iubenda or Termly saves you a draft cycle.
- Where are your buyers? EU-heavy: Cookiebot, Complianz, or Borlabs. US-heavy: CookieYes or Termly. Global: Cookiebot or OneTrust.
The migration consideration
If you're migrating platforms, pick a consent vendor that works on the target platform before the migration, not after. CookieYes and Iubenda work across WP, Eleventy, Hugo, Astro, and Gatsby with a simple script tag. Complianz is WordPress-only. Borlabs is WordPress-only. OneTrust works everywhere but costs enterprise money.
Related reading
- WordPress + WooCommerce Audit, detects which consent vendor is running
- Site Migration Capture, captures consent vendor during migration prep
- Hosting + Indexing Health Checker, the hosting-layer adjacent decision
Fact-check notes and sources
- IAB Transparency and Consent Framework (TCF) 2.2 specification for TCF-compliant vendor list.
- EU GDPR Art. 6 and ePrivacy Directive Art. 5(3) for the legal grounding of the consent requirement.
- California CCPA §1798.140 and the 12 state-level US privacy laws current as of April 2026.
- Vendor pricing captured from public pricing pages as of April 2026. Verify at vendor site before committing.
This post is informational, not legal or compliance advice. Consent vendor selection depends on jurisdiction, data processing patterns, and buyer-privacy-risk specific to your business. Consult a qualified privacy attorney for binding guidance. Mentions of third-party vendors are nominative fair use. No affiliation is implied.
