Picking cookie consent in 2026 is harder than installing a banner

I compared six cookie consent managers and CMPs that still show up in every “GDPR banner” thread: Cookiebot, Osano, Klaro, CookieYes, Complianz, and Termly. There is no single winner on every axis, and a lot of the “which free tool is good enough” discourse falls apart once you notice they do not ship the same compliance primitives.

For a modern EU/UK-facing site, a cookie banner is not the same thing as a compliant consent system. Regulators expect prior blocking of non-essential trackers, consent that is freely given, specific, informed, and granular, withdrawal that is as easy as granting consent, and the ability to demonstrate that valid consent was obtained. A tool that gives you a polished UI but cannot reliably block scripts, keep a defensible record, and support revocation is legal theater, not compliance.

For a Svelte or other non-WordPress web property, my default pick is Cookiebot paid. Not because the free tier is generous, but because the overall package for a web-centric CMP is unusually mature: automatic scanning, configurable blocking, consent logs with a Consent ID, IAB TCF, Google Consent Mode, GPC, cross-domain sharing, and pricing based on domains rather than traffic. The catch is performance: Cookiebot’s own docs say auto-blocking requires the script to load first, without async or defer. Manual blocking is lighter, but you own more of the wiring.

If you need enterprise privacy operations beyond cookie consent, look at Osano paid. If you want credible hosted compliance at a lower SMB price, CookieYes Pro or Termly Pro+ are reasonable forks. If you want self-hosted code auditability and explicit Svelte/npm support, Klaro OSS can work, but only if you are willing to own scanning discipline and proof-of-consent operations yourself. If your stack is WordPress-native, Complianz Premium is the obvious in-ecosystem pick.

One trap worth naming up front: Osano’s free Cookie Consent product handles basic banners for about 5,000 monthly page views and, per Osano’s own page, does not include automated script-blocking or consent storage. Do not treat that free layer as a standalone EU/UK compliance answer.

You cannot compare these on “has a banner” alone

Before the tables, one warning: vendors do not meter or ship the same unit.

Some products sell banner UI. Others sell script blocking. Others sell scanner-driven classification, geotargeting, IAB TCF registration, immutable consent logs, or an entire privacy program. A perfect apples-to-apples feature table is impossible. Treat the matrix below as directional, then read the deployment footnotes for your actual jurisdiction and tag stack.

What regulators actually ask for is clearer than vendor marketing often implies. The EDPB consent guidelines require consent to be freely given and granular, with separate choices for separate purposes where appropriate. The ICO’s PECR cookie guidance says consent requests must be prominent, separate, clear, and easy to withdraw. The CNIL’s tracker recommendations emphasize that organizations must be able to prove consent was obtained. National regulators keep enforcing against banners that hide real choices behind dark patterns.

That has four consequences for tooling:

| Requirement | What breaks if your CMP ignores it |
| --- | --- |
| Proof of consent | A client-side preference cookie alone is usually not enough if you are audited or challenged |
| Granularity | Purpose-level toggles are table stakes; vendor-level disclosures matter for adtech and IAB TCF |
| Revocation | A persistent “manage consent” path beats telling users to clear browser cookies |
| Tag governance | If your scanner misses trackers, or GTM loads before the CMP, the UI can look compliant while behavior is not |

This is where many free consent tools fail in practice. A banner without strong tag blocking, auditable consent records, region-specific behavior, and accurate vendor disclosures can satisfy an internal checklist while still failing the substantive standard regulators apply.

Free tiers and compliance depth at a glance

| Tool | Free tier reality | Compliance depth | Svelte / web fit | Privacy posture | Bottom line |
| --- | --- | --- | --- | --- | --- |
| Cookiebot | Free for a single domain under 50 pages; premium priced by domains/subpages, not traffic. Free lacks geotargeting and multiple domain groups. | Strong: consent log database with Consent ID and state, one-year log retention, configurable expiry, cross-domain sharing, TCF, Google Consent Mode, GPC, revocation via Cookie Declaration or Privacy Trigger. | Generic JS script/API install; no official Svelte SDK. Auto-blocking must load first; manual blocking is lighter on performance. | Pre-consent IP processed for banner/geolocation; Cookiebot says it is not retained before banner serving. Proof uses Consent ID plus state. | Real compliance for web if configured correctly; best non-enterprise default for Svelte and other JS stacks. |
| Osano paid | Enterprise-leaning paid platform. Free Cookie Consent: ~5k pageviews, no automated blocking or consent storage. | Paid: immutable hashed consent logs, archiving, search, APIs/SDKs, geolocation, GPC, IAB support, $500k “No Fines” guarantee. | Strong developer docs; script expected early in document. No first-party Svelte SDK. | Hosted records in EU/US depending on product path; another processor in the stack. Materials disclaim legal advice. | Real compliance on the paid platform only. Free layer alone is high risk for EU/UK. |
| Klaro OSS | OSS free forever on the client side; hosted plans add scans and managed consent records. | Purpose and service-based consent, configurable storage/expiry, script control, GTM/Consent Mode tutorials. OSS alone stores consent locally; no hosted proof records without paid service or your own backend. | Best Svelte fit here: explicit npm and Svelte integration; ~57 kB gzipped claim; defer-style install is straightforward. | Best minimization when self-hosted; few third-party flows if you self-host assets. Test accessibility yourself; open GitHub issues report modal a11y gaps. | Potentially real compliance only if you add scanning, proof, and governance yourself. |
| CookieYes | Free: 5,000 pageviews, 100 pages per scan. Consent log on free tier; TCF, GPC, geotargeting on higher tiers. Pageview-metered paid growth. | Solid SMB set: auto-blocking, granular control, consent logs and downloadable proof, consent expiration, TCF v2.3, Google Consent Mode, GTM. | Generic JS/GTM integration; no first-party Svelte SDK. Script footprint not prominently documented. | Masked visitor IP for proof-of-consent per privacy materials; public DPA available. Claims WCAG accessibility certification. | Real compliance for small/medium sites, especially from Pro upward; strong value hosted option. |
| Complianz | Free WordPress plugin; Premium adds records of consent, Google Consent Mode, multi-region legal docs. Annual pricing by site count. | Strong inside WordPress: region-aware banners, scans, integrations, records/proof in premium, TCF in premium/registered CMP path. | Excellent for WordPress. Poor strategic fit for pure Svelte apps; plugin-centric, not framework-agnostic JS SaaS. | Mostly local processing; Cookiedatabase.org integration may send cookie/plugin/domain data to enrich descriptions. | Real compliance for WordPress, especially Premium. Wrong architecture for Svelte-first properties. |
| Termly | Free: banner, cookie policy, auto blocker, quarterly scans, cross-domain consent, 10k banner views. Detailed user consent logs are Pro+. | Event API, consent state getter, category/cookie whitelist API, GPC, Google Consent Mode, regional IP-based rules, EU data center option. | Generic JS integration; browser-level storage model (TERMLY_API_CACHE in localStorage). No first-party Svelte SDK. | EU default for new EU accounts; visitor data includes consent logs and device identifiers. Disclaims legal advice. | Real compliance from Pro+ upward; good policies-plus-CMP bundle, weaker audit story on free. |

What the free tiers actually cost you later

Cookiebot: strong product, blocking tradeoff

Cookiebot is the most mature web-focused hosted CMP in this set. Automatic scanning, automatic or manual blocking, configurable consent retention, cross-domain consent sharing, geotargeting, and robust consent logging all live in the same product family.

Cookiebot stores a generated Consent ID plus consent state in its consent log database for audit purposes, keeps log entries for one year, and lets users change or withdraw consent via the Cookie Declaration or Privacy Trigger. It also supports Google Consent Mode, IAB TCF, Google Additional Consent, and GPC.

The technical caveat is performance. Cookiebot’s docs are explicit: auto-blocking requires the script to load first, without async or defer. Manual blocking has much less performance impact, but you need discipline in how tags are wired. Cookiebot is strong on compliance depth; the safest default configuration can cost some frontend flexibility.

Osano: two products, not one

Osano needs to be split mentally into the lightweight free Cookie Consent layer and the paid CMP/privacy platform.

The paid platform is serious. Osano markets searchable, audit-ready consent logs that are timestamped, hashed, and stored immutably, plus remote APIs and SDKs, geolocation and localization, broad regulatory coverage, and a $500,000 “No Fines, No Penalties” guarantee. Treat that guarantee as a contractual product promise, not a substitute for counsel and not general compliance insurance. Osano’s materials also say the platform is not legal advice.

The free tier is much weaker than many people assume. Osano Cookie Consent handles basic banners for about 5,000 monthly page views and does not include automated script-blocking or consent storage. For EU/UK opt-in regimes, that means the free tier alone is not a serious compliance answer unless you add your own blocking and records.

Osano is strongest when you want a privacy program platform, not just a banner.

Klaro OSS: self-host the UI, own the ops

Klaro is the cleanest open-source answer here. The frontend is BSD-3 licensed, explicitly supports npm and Svelte integration, has a public footprint claim of about 57 kB minified and gzipped, and gives you transparent control over storage method, expiry, purpose structure, and script blocking.

Klaro’s free OSS version is candid about the boundary: it is fully functional on the client side, but paid hosted plans monetize server-side extras such as scans and managed consent records. Out of the box, OSS stores consent in a cookie or localStorage. It does not give you hosted proof-of-consent records unless you buy Klaro’s hosted service or build your own backend.
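One shape the "build your own backend" option can take, as an added example that is not Klaro's code or part of the original article: an append-only consent log in which each record carries the hash of the previous one, so edits and deletions are detectable. The field names, the hash-chain design and the sample records are assumptions made for illustration.

```javascript
// Added example: tamper-evident consent log for a self-hosted CMP backend.
// Field names and the hash chain are assumptions, not Klaro's or any vendor's API.
const { createHash } = require('crypto');

const GENESIS = '0'.repeat(64); // "previous hash" of the first record

// Hash over a fixed field order so verification does not depend on key order.
function entryHash(r) {
  const canonical = JSON.stringify(
    [r.consentId, r.at, r.country, r.granted, r.bannerVersion, r.prev]);
  return createHash('sha256').update(canonical).digest('hex');
}

// Append a decision; bannerVersion ties the record to what the visitor saw.
function appendConsent(log, { consentId, at, country, granted, bannerVersion }) {
  const prev = log.length ? log[log.length - 1].hash : GENESIS;
  const record = { consentId, at, country, granted: [...granted].sort(), bannerVersion, prev };
  record.hash = entryHash(record);
  log.push(record);
  return record;
}

// Index of the first record that fails verification, or -1 if the chain is intact.
function verifyLog(log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    if (log[i].prev !== prev || entryHash(log[i]) !== log[i].hash) return i;
    prev = log[i].hash;
  }
  return -1;
}

// Latest record wins: a withdrawal is appended, never an edit of the old record.
function currentConsent(log, consentId) {
  for (let i = log.length - 1; i >= 0; i--) {
    if (log[i].consentId === consentId) return log[i];
  }
  return null;
}

// Constructed sample: granular accept, a reject-all, then a withdrawal.
function buildSampleLog() {
  const log = [];
  appendConsent(log, { consentId: 'sample-visitor-a', at: '2026-01-10T09:15:00Z',
    country: 'DE', granted: ['analytics'], bannerVersion: 'banner-v3' });
  appendConsent(log, { consentId: 'sample-visitor-b', at: '2026-01-10T09:16:30Z',
    country: 'FR', granted: [], bannerVersion: 'banner-v3' });
  appendConsent(log, { consentId: 'sample-visitor-a', at: '2026-01-12T18:02:11Z',
    country: 'DE', granted: [], bannerVersion: 'banner-v3' });
  return log;
}

const sampleLog = buildSampleLog();
console.log(verifyLog(sampleLog), currentConsent(sampleLog, 'sample-visitor-a').granted);
```

The chain only counts as evidence if the latest hash is also recorded somewhere the application cannot rewrite, such as a periodic export to write-once storage.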

Klaro is excellent if you value auditability of code and self-hosting, but it is not automatically more compliant than hosted SaaS unless you build the missing evidence and operations layer. On accessibility, Klaro presents itself as intuitive and mobile-friendly, but its public issue tracker contains open reports about modal dialog behavior and missing ARIA/focus handling. Test with your own keyboard and screen reader workflow rather than trusting marketing copy.

CookieYes: unusually capable free tier for SMBs

CookieYes is a notably capable SMB hosted CMP. Even the public pricing matrix shows more substance in lower tiers than many free competitors: the free plan includes auto-blocking, granular cookie control, consent logs, proof of consent, and consent expiration, capped at 5,000 pageviews and 100 pages per scan.

CookieYes records consent with fields such as Consent ID, country, status, and time, offers downloadable proof of consent, says it only collects a masked IP from visitors for proof-of-consent purposes, and supports IAB TCF, Google Consent Mode, GTM, and geotargeting in higher tiers.

The weakness is economics, not capability. Pageview-based pricing means traffic growth eventually forces upgrades, and features such as GPC, TCF, geotargeting, and subdomain consent sharing are not on the free end. Among lower-cost hosted CMPs, CookieYes is one of the least theatrical because it gives you actual records and blocking, not just a banner.

Complianz: WordPress-native, not framework-agnostic

Complianz is best understood as a serious WordPress-native privacy suite rather than a generic CMP. Inside WordPress, it is strong. The free plugin supports region-aware banner behavior, built-in scanning, customization, and broad WordPress integration. Premium plans add records of consent, Google Consent Mode, region-specific handling, and other privacy-suite features.

Complianz’s proof-of-consent model is more interesting than most plugin vendors’: a time-stamped proof that includes consent-relevant settings and a historical cookie-policy snapshot. Complianz keeps core code under GPL in its public repository.

Two caveats matter. If your app is Svelte-based rather than WordPress-based, Complianz is usually the wrong architectural choice. Its privacy posture is mostly local, with some optional remote help: the Cookiedatabase.org initiative may send found cookies, plugins, and the domain to enrich descriptions. That is not necessarily a bad trade, but “self-hosted” is not always “zero external data flow.”

Termly: policies plus CMP, logs behind Pro+

Termly sits between policy-generator suite and hosted CMP. Its free plan is stronger than many people expect: cookie banner, auto blocker, quarterly scans, cross-domain consent, and 10,000 monthly banner views. Its support docs make clear that detailed user consent logs are a Pro+ feature, not a free capability.

Technically, Termly is solid. It has consent API documentation, a consent state getter, a consent API for cookie and category whitelists, GPC support, Google Consent Mode, regional IP-based banner configuration, and an EU data-center option that is the default for new EU accounts.

The privacy model is more nuanced than competitors’. Termly says it does not store consent in cookies but at the browser level, aims to remain an anonymous consent manager, and uses user IDs in local storage (TERMLY_API_CACHE) to correlate actions to consent logs when needed. That is workable, but read the storage and proof story closely if you need formal evidence for a specific user. Termly repeatedly says it is not a law firm and does not provide legal advice.

Termly is best when you want bundled policies plus a decent CMP at modest cost. It is less compelling if your primary need is auditable, enterprise-grade consent evidence without stepping up to Pro+.

This is the baseline regulators expect, independent of which vendor you pick:

```mermaid
flowchart TD
    A[Visitor arrives] --> B{Geo / jurisdiction detection}
    B -->|EU/UK opt-in| C[Load CMP before non-essential tags]
    B -->|US opt-out or mixed regime| D[Load region-specific banner / protocol]
    C --> E{User choice}
    D --> E
    E -->|Reject| F[Only necessary services active]
    E -->|Granular accept| G[Enable selected purposes / vendors only]
    E -->|Accept all| H[Enable all configured non-essential services]
    F --> I[Store consent decision + banner/version metadata]
    G --> I
    H --> I
    I --> J[Preference center / withdraw anytime]
    J --> K[Update logs + disable future tracking]
```

And this is how responsibilities usually split between hosted and self-hosted stacks:

```mermaid
flowchart LR
    A[Website / App] --> B[CMP UI layer]
    B --> C[Consent storage]
    B --> D[Tag blocking / unblock logic]
    B --> E[Cookie scan / classification]
    B --> F[Audit export / proof of consent]
    B --> G[APIs / GTM / Consent Mode]

    subgraph HostedCMP [Hosted CMP]
      C
      E
      F
      G
    end

    subgraph SelfHostedCMP [Self-hosted CMP]
      D
      B
    end

    H[Legal / Privacy team] --> F
    I[Engineering] --> D
    J[Marketing / GTM] --> G
```

Real compliance means the product can help you discover trackers, block them before consent, record defensible user choices, localize by jurisdiction, reopen choices easily, and prove what the user saw and chose. Legal theater is everything else: a banner without enforcement, local-only state with no proof, a free plugin with no recordkeeping, or a flow whose UI says “reject all” while GTM still fires marketing tags.
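The "reject all while GTM still fires" failure can be checked mechanically. The following added example (not from the original article or any vendor) audits a request log captured during a browser test run against the visitor's consent timeline, including a later withdrawal; the host names, purpose map and timings are constructed.

```javascript
// Added example: checks a captured request log against the consent timeline.
// Hosts, timings and the purpose map below are constructed sample data.

// Host -> purpose classification; in practice this comes from your scanner
// output or tag inventory. Anything not listed is treated as unclassified.
const HOST_PURPOSE = {
  'static.shop.example': 'necessary',
  'stats.vendor-a.example': 'analytics',
  'pixel.vendor-b.example': 'marketing',
};

// Latest decision made at or before time t, or null if none exists yet.
function decisionAt(timeline, t) {
  let current = null;
  for (const d of timeline) {
    if (d.t <= t && (current === null || d.t >= current.t)) current = d;
  }
  return current;
}

// Returns one finding per request that should not have fired.
function auditRequests(requests, timeline) {
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    const purpose = HOST_PURPOSE[host];
    if (purpose === undefined) {
      // A tracker the scanner never classified cannot be blocked by purpose.
      findings.push({ t: req.t, host, issue: 'unclassified-host' });
      continue;
    }
    if (purpose === 'necessary') continue;
    const decision = decisionAt(timeline, req.t);
    if (decision === null) {
      findings.push({ t: req.t, host, purpose, issue: 'fired-before-consent' });
    } else if (!decision.granted.includes(purpose)) {
      findings.push({ t: req.t, host, purpose, issue: 'purpose-not-granted' });
    }
  }
  return findings;
}

// Constructed run: granular accept (analytics only) at 1200 ms, then
// withdrawal of everything at 9000 ms. Times are ms since navigation start.
const SAMPLE_TIMELINE = [
  { t: 1200, granted: ['analytics'] },
  { t: 9000, granted: [] },
];
const SAMPLE_REQUESTS = [
  { t: 80, url: 'https://static.shop.example/app.js' },
  { t: 310, url: 'https://pixel.vendor-b.example/p.gif' },     // before any choice
  { t: 1500, url: 'https://stats.vendor-a.example/collect' },  // allowed
  { t: 1620, url: 'https://pixel.vendor-b.example/p.gif' },    // marketing not granted
  { t: 2000, url: 'https://beacon.vendor-c.example/b' },       // not in inventory
  { t: 9400, url: 'https://stats.vendor-a.example/collect' },  // after withdrawal
];

console.log(auditRequests(SAMPLE_REQUESTS, SAMPLE_TIMELINE));
```

An empty result for every jurisdiction and choice path you test is the bar; an `unclassified-host` finding means the inventory needs updating before the blocking result can be trusted.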

What I would pick

```mermaid
flowchart TD
    start[EU/UK-facing site] --> wpQ{WordPress-only?}
    wpQ -->|Yes| complianz[Complianz Premium]
    wpQ -->|No| enterpriseQ{Need enterprise privacy platform?}
    enterpriseQ -->|Yes| osano[Osano paid]
    enterpriseQ -->|No| selfHostQ{Want self-hosted OSS?}
    selfHostQ -->|Yes| klaro[Klaro OSS plus your ops layer]
    selfHostQ -->|No| budgetQ{SMB budget priority?}
    budgetQ -->|Yes| cookieYes[CookieYes Pro or Termly Pro+]
    budgetQ -->|No| cookiebot[Cookiebot paid]
```

Hobby sites and solo developers: Cookiebot paid if you want the strongest web CMP defaults without building a privacy product yourself. CookieYes free is worth testing if you are under 5,000 pageviews and need blocking plus consent logs on day one. Klaro OSS if you already self-host everything else and accept the ops burden. Do not ship Osano free alone for an EU opt-in site.

Startups: Cookiebot paid for predictable domain-based pricing and mature consent logs. CookieYes Pro if pageview economics fit your traffic and you want strong lower-tier logging transparency. Termly Pro+ if you also want policy generation in the same vendor and can live with the browser-level storage model. Osano paid if privacy ops, immutable logs, and APIs matter more than cookie-banner simplicity. Klaro OSS only if engineering time is cheaper than SaaS and you will actually build proof and scanning discipline.

Enterprise evaluation: treat free tiers as proof-of-concept paths, not production destinations. Osano paid if you need a broader privacy program with searchable immutable logs and contractual guarantees. Cookiebot paid if the primary need is a mature web CMP with TCF and Consent Mode depth. Complianz Premium if WordPress is already your CMS control plane. Move quickly from free POC to paid tiers so blocking, logging, geotargeting, and support match your jurisdiction.

For a typical bootstrapped Svelte or SvelteKit site with EU visitors, I would ship on Cookiebot paid, wire manual blocking where auto-blocking hurts performance, and keep CookieYes Pro in mind as the first upgrade trigger if traffic-based pricing becomes painful. If the team refuses another SaaS processor in the stack, Klaro OSS plus a documented proof backend is the honest self-hosted path, not a banner library alone.

Gaps in the public docs

Most vendors in this set do not publish public SOC reports, external privacy audits, or third-party red-team results. I relied on regulator guidance, vendor documentation, pricing and terms pages, and open-source repositories. That is enough to compare architectures and claims, but not the same as independent assurance for every name on the list.

Osano free versus Osano paid is the most common confusion I see in practice. The free Cookie Consent product and the paid CMP platform share a brand but not the same compliance depth.

Klaro’s open GitHub issues around modal accessibility mean you should verify keyboard traps and focus management yourself before calling the banner WCAG-ready.

Termly’s browser-level storage model and Pro+ gating on detailed consent logs need close reading if your legal team expects per-user audit exports on day one.

Several vendors market “GDPR compliant” banners without documenting script footprint, retention, or proof mechanics with the same clarity as Cookiebot or CookieYes. When marketing language and feature docs disagree, trust the feature docs and your own tag-manager test run.

Sources

Regulators

EDPB consent guidelines
ICO PECR cookies guidance
CNIL cookie and tracker recommendations
Autoriteit Persoonsgegevens cookies theme

Cookiebot

Cookiebot
Cookiebot pricing
Consent log
Manual implementation and blocking
Google Consent Mode integration

Osano

Osano
Osano Cookie Consent (free)
Consent management platform
No Fines guarantee
Osano developer documentation

Klaro

Klaro
Klaro GitHub
Klaro
Svelte integration
Google Tag Manager integration

CookieYes

CookieYes pricing
Consent log documentation
Proof of consent documentation
CookieYes privacy policy
Google Tag Manager setup

Complianz

Complianz pricing
Records of consent
Complianz GitHub
Cookiedatabase.org

Termly

Termly pricing
Consent logs (Pro+)
Correlate user actions to consent records
Consent management solution docs
EU data center
Termly privacy policy

Standards

IAB Europe Transparency and Consent Framework
Google Consent Mode