The Best Consent Management Platforms

Consent management is a business requirement for companies that hold the personal data of customers, associates, or employees. The issue of getting consent for data management actions related to Personally Identifiable Information (PII). It is an issue for businesses that handle payment transactions, work with the US health care sector, or, in certain areas of the world, deal with members of the public in any way.

There are two particular types of activity that require businesses to seek consent from consumers. One is the storage of PII and the other is the use of cookies and tracking libraries on websites. Consent management platforms offer complete suites of functions to handle issues surrounding this field of activity.

Here is our list of the best consent management platforms:

1. OneTrust EDITOR’S CHOICE A privacy and governance platform that offers a long menu of services from cookie consent through to a legal bulletin. Addresses GDPR, California’s CCPA and CPRA, Virginia’s CDPA, Brazil’s LGPD, Canada’s PIPEDA, and South Africa’s POIA.
2. TrustArc Privacy Management Platform A list of privacy management modules that monitors PII and cookie handling functions. It covers GDPR, CCPA, and LGPD.
3. Osano Consent Manager This consent management platform offers legal advice bundled with its paid plans and there is also a free version. Works with GDPR, CCPA, and LGPD.
4. Cookiebot A consent management platform for cookie deployment that is available in free and paid versions. It addresses GDPR, CCPA, and the ePrivacy Directive.
5. CookieYes A straightforward cookie consent management service that is available within content management systems, such as WordPress. It covers GDPR requirements but doesn’t manage PII.
6. Quantcast Choice A free consent management service compliance that works alongside a targeted marketing system that offers user behavior tracking and is also free. Works with GDPR and CCPA.
7. Piwik Pro Consent Manager A cookie consent manager that can be self-hosted on a cloud platform in the location of your choice. For compliance with GDPR, CCPA, and LGPD.

CMP requirements

Although the US healthcare sector is very lucrative, the requirements of HIPAA, which is the US regulation on the management of Protected Health Information (PHI), don’t impact many businesses. The issue of cookie consent is much bigger.

Website creation tools make it easy for anyone to generate a site. However, these tools involve a lot of automation that relies on the use of pre-written libraries of functions. So, even if you create a website yourself, you probably won’t have any idea of what code went into it. Without realizing it, you have a site that uses cookies and if you don’t get consent for those, you could get into trouble.

If even the creator of a website doesn’t know what cookies and tracking libraries are used in the code, a business that commissions a new website from a Web development enterprise has even less chance of knowing what the site is doing behind the scenes. If you don’t know what cookies your site is downloading onto the computers of site visitors, you don’t know whether you have broken a law.

Consent legislation

The issue of user consent is not applicable everywhere in the world. However, websites are accessible from everywhere. So, if you just want to run a website without including consent management, your alternative strategy would be to block the site loading in the browsers of surfers located in several countries. That task is probably more complicated than deploying the services of a consent management platform.

The biggest legal requirement for PII management springs from the EU’s General Data Protection Regulation (GDPR). It is codified into the legislation of every EU member. There is also the ePrivacy Directive, which is an EU standard. In most EU countries, GDPR and ePrivacy legislation are bundled together. GDPR deals with the management and storage of PII and issues surrounding its movement. The ePrivacy Directive is really where the rules around cookie consent are formulated. However, as the same laws are implement both, consent management platforms refer to their cookie consent systems as being “GDPR compliant.”

The issues of PII and cookie management don’t stop at the EU’s frontier. California has the California Consumer Privacy Act (CCPA), which covers the use of PII, except for financial and health-related sectors, which are already covered by national PCI DSS and HIPAA rules.

CCPA doesn’t require businesses to gain consent for cookies. This legislation is focused on the use and sale of PII. However, websites have to inform visitors what data is going to be collected by its cookies and trackers and how that information is going to be used. If that data can be linked to a specific person or household, the storage and use of those records are covered by the act.

GDPR and CCPA are the two biggest headaches that a website owner has to worry about. However, the EU and California are not the only places in the world that has data and cookie consent requirements. Virginia’s Consumer Data Protection Act (CDPA), which comes into effect in 2023, covers the same requirements as CCPA.

Brazil’s Lei Geral de Proteção de Dados (LGPD) legislates on the management of PII but not cookies, unless they lead to the storage of PII. Canada has PIPEDA, which is the Personal Information Protection and Electronic Documents Act. Again, this covers PII and only relates to cookies in a PII context. South Africa’s Protection of Personal Information Act has been in force since 2020. POPIA is a very close copy of GDPR but not the ePrivacy Directive. This controls the use of PII and includes responsibilities for cookies and site trackers if they include the collection of PII in their functions.

Other countries around the world are currently formulating data privacy laws that will require consent management. These include India, Chile, and China.

Consent Management functions

Typically, a Consent Management Platform (CMP) will be integrated with other functions, such as data discovery and protection. However, strictly speaking, these protection measures are not part of consent management.

Consent management is specifically concerned with gaining approval from users for the storage of PII and consent for several different actions, such as transferring the data to other organizations or moving it outside of a particular location. For example, GDPR specifies that PII should not be moved out of the EU unless the person that information relates to gives consent.

The main task of a CMP is to identify which data types are subject to the ruling or, in the case of the ePrivacy Directive, which cookies and trackers are subject to legislation. In most cases, CMP will categorize cookies and trackers so that consent to their use can be sought in groups. Some sites include a very long list of cookies and trackers and listing them all would be off-putting to site visitors.

Once the presence of PII data stores or relevant cookies has been confirmed, the CMP should create an appropriate consent notification with options to allow the customer to accept or deny cookies. In the case of CCPA, the notification should inform the customer of data statuses and the individual’s rights.

All responses to consent requests should be recorded or, in the case of notifications, the fact that notification has been given should be noted. The consent database itself is subject to PII rulings and it has to identify each person in its records.

Cookie consent systems need to be able to block cookies and trackers from downloading if the site visitor does not give consent.

In the case of PII consent systems, the CMP needs to provide an avenue for users to enquire about the records held about them. This is called a Data Subject Access Request (DSAR). Users should also be allowed to request that their data is corrected if it is discovered to contain inaccuracies or even demand its removal. In the case of a removal of data, the business is within its rights to withdraw service from that user, should the retention of PII be a necessary element in the provision of that service.

The Best CMP Tools

The best consent management platform for you depends on the scope of your business. If you just want a cookie consent popup for your sites, you will have different requirements for businesses that run a targeted marketing tracking campaign or large corporations that have legal departments that want guidance on data privacy standards. A big difference in requirement spins around whether you hold PII or not.

In compiling this list, we looked for variations of services because not everyone needs all of the functions for consent management. For example, some businesses will need PII consent management, others won’t. Some businesses are looking for a full-service platform, others just want the bare minimum for as little money as possible. So, we put together a range of options.

1. OneTrust

OneTrust offers solutions to all aspects of consent management from its cloud-based platform. This service presents tools to identify, protect, and manage PII stores and others to seek consent for data usage, ask permission for cookies, manage cookies, and handle DSAR actions.

Key Features:

• Cloud-Based Platform: Offers a comprehensive suite of tools for consent management, including PII identification and DSAR handling.
• PII Management: Identifies and secures personally identifiable information across websites.
• Cookie Management: Automates the discovery and classification of cookies for compliance.
• Legal Compliance: Generates notifications that align with global data protection regulations.
• Expert Support: Access to legal advisors for guidance on data privacy issues.

Why do we recommend it?

The OneTrust platform is very comprehensive and it can produce consent forms that comply with the data privacy regulations of the EU, the UK, the USA, Canada, Brazil, South Africa, and many other locations. The service is backed by real legal experts who are available for advice and the functions of the service are automatically updated as new legislation is introduced or existing laws change. The package also supports the management of DSARs, which includes the provision of a toll-free number for members of the public.

The system includes legal services as well as IT systems. It also provides toll-free numbers, which are needed to provide cost-free access to customers enquiring about PII.

Who is it recommended for?

Every business that has a website that collects data on visitors will need this service. However, small businesses will find this tailored service a little expensive. The tool is able to scan through websites and identify the trackers and data input forms that they contain. This is particularly necessary for large websites but perhaps not a vital feature for small sites where manual assessment could be viable.

All of the digital services are hosted on the OneTrust server and are implemented through APIs or the cloud-based dashboard. Each service is charged separately, so you can tailor your package and only pay for the services that you need. The OneTrust system is available for a 14-day free trial.

2. TrustArc Privacy Management Platform  

TrustArc offers a menu of services from its Privacy Management Platform, so you can pick just the services that you need. This list of tools includes policy management, PII identification and management, and cookie consent management.

Key Features:

• Policy Management: Streamlines the creation and enforcement of privacy policies.
• PII Protection: Identifies and manages personally identifiable information to ensure privacy.
• Consent Mechanism: Facilitates the gathering and recording of user consent seamlessly.

Why do we recommend it?

TrustArc Privacy Management Platform is a very close competitor to OneTrust. Both of these tools have a menu of services and both are offered from cloud platforms as subscription services. However, the TrustArc system isn’t quite as detailed as that of One Trust. This means that the TrustArc system can be tailored down to a cheaper service and is appealing to budget-conscious buyers that can live without the premium features of the OneTrust service, such as its excellent DSAR support features.

The system offers data disclosure reporting tools and DSAR management services. There are legal support systems available plus consultancy and training services from TrustArc.

Who is it recommended for?

Being a slightly less comprehensive service than OneTrust, this tool is more accessible to companies that don’t require a full GRC suite. This makes it appealing to mid-sized companies that have many Web assets. However, it is probably still a little too feature-rich to supply the basic needs of small businesses. Websites that are delivered in many languages would benefit from the TrustArc system, which can deliver consent notifications in 45 languages.

You can get a 14-day free trial of the platform’s Cookie Consent Manager or ask for a demo of the wider system.

3. Osano Consent Manager  

The Osano Consent Manager is a platform of services that are offered as bundles in four editions. The lowest plan is free. All plans include cookie management features and the paid plans also include PII discovery and management services.

Key Features:

• PII Classification: Identifies and categorizes personally identifiable information for better management.
• Cookie Consent: Simplifies the process of obtaining user consent for cookie usage.
• Accessibility: Offers a free plan to accommodate businesses of all sizes.

Why do we recommend it?

Osano Consent Manager is one of the best consent platforms available and it could not be left off this list. The only problem with this service is that it is a little pricey and doesn’t stack up well in terms of plan throughput volumes with cheaper rivals.

The cookie consent system scans for existing cookies and trackers, generates a consent form, and then receives responses and stores them. You integrate this feature into your site by inserting a piece of code that fires up the processes running on the Osano server. The system can also assist with DSAR requests.

Who is it recommended for?

If Osano could tweak up its traffic throughput volumes per plan, this would be a great choice for small businesses. The Business plan is limited to serving 30,000 site visits per month. Although that amounts to 1,000 visitors a day, a successful advertising campaign or an opportunistic media mention could easily bust that limit.

You can get a 30-day free trial of a paid plan from the Osano Consent Manager.

4. Cookiebot

CookieBot focuses on cookie consent functions and doesn’t include PII management services. This is an API-based system that you integrate into your websites by inserting a line of code. That code is specific to your site and is generated by the CookieBot dashboard after a scan of your website.

Key Features:

• Automated Discovery: Identifies cookies and classifies them according to purpose and type.
• Consent Integration: Creates and manages consent forms tailored to site-specific needs.
• Free Tier Available: Offers a no-cost option for small websites with under 100 pages.

Why do we recommend it?

Cookiebot is a very similar service to Osano Consent Manager, although the Osano system is slightly better. However, Cookiebot gets its pricing model right and should attract a lot of customers away from Osano. This system is priced per domain and not be site visitor. However, it scores sub-domains as a separate site that incurs another charge. However, the service includes PII and cookie discovery and a tailored consent form that is appropriate to the discovered conditions and the purpose of the site.

The CookieBot system includes policy notification banners and cookie consent forms and it will collect responses and store them.

Who is it recommended for?

Small businesses that have websites that each contain less than 100 pages can use the Cookiebot system for free. The lower paid tier is very affordable and each site with that plan can contain up to 500 pages. That’s a lot of pages and should cater to most of the websites in the world. The next plan up will cover a site with 5,000 pages, which will surely cover all but the biggest sites in the world for a very low subscription price.

CookieBot is free to manage one site with up to 100 pages and three paid editions cater to successively larger sites. You can get a one-month free trial of the paid service.

5. CookieYes

CookieYes is another cookie management system; it won’t give you PII management. The big marketing advantage that CookieYes has is that it is available from the plug-in marketplaces of all the major content management systems.

Key Features:

• CMS Integration: Directly connects with all major content management systems for easy setup.
• Cookie Management: Offers discovery and management of site cookies to comply with regulations.
• Free Version Available: Provides basic consent form generation and cookie blocking at no cost.

Why do we recommend it?

CookieYes is a very popular service that is currently in service from more than a million websites. This tool isn’t as comprehensive as the consent management tools reviewed above because it doesn’t include site code scanning to produce a tailored consent form. However, it will record responses and it is very easy to integrate into a site. The tool is available as an add-on for all the major content management systems, such as WordPress and that is probably the reason for its tearaway success.

You can load it directly into your site in WordPress, Drupal, Magneto, Blogger, Joomla, and Wix.

Who is it recommended for?

This consent management system is probably the first choice for businesses that build their sites on WordPress, Drupal, or other CMSs. It is very easy to set up within the CMS menu.

There is a free version of CookieYes and three paid plans. The free system provides a consent form generator and will block cookies that haven’t been consented to. The higher plans include customizable consent banners plus geo-location targeting and multiple languages. The paid editions can be accessed on a 14-day free trial.

6. Quantcast Choice

Quantcast Choice is a consent management service that partners with targeted marketing and consumer tracking service called Quantcast Audience. These two modules can operate separately or as a bundle and both are free to use.

Key Features:

• Comprehensive Free Service: Offers cookie management and DSAR handling without any cost.
• Market Analysis Tool: Includes a free module for analyzing consumer behavior and market trends.
• Integrated DSAR Support: Facilitates the management of Data Subject Access Requests efficiently.

Why do we recommend it?

Quantcast Choice has the ability to wipe all of the other consent management services on this list off the beard. It is a very sophisticated tool that is completely free to use. Better still, the system includes a DSAR management service and it can be linked to a market analysis tool, which is also free to use. The cookie consent forms that this service provides are tailored to cookies that are revealed by a scan and the tool will also store visitor responses.

The features in Quantcast Choice identify all cookies and tracking libraries used in a site and then generate a consent popup for them. The system also includes a DSAR management service. Of course, many of those trackers might have been created by Quantcast Audience, so if you are going to use that marketing tool, you will need the consent manager as well. The Quantcast Choice service also includes a partner business risk assessment system.

Who is it recommended for?

Every business would be tempted by the Quantcast offer. Small businesses will like that the consent management service gets them compliant and costs nothing, while mid-size and large businesses need the site scanning and DSAR management features. Any website owner that wants to improve a site’s attractiveness will be glad to link in the audience intelligence tool of the Quantcast Measure module. Quantcast aggregates the usage activity of the sites that it serves for its own market analysis reports. Although that might put some businesses off using this service, you should know that the extracted data is anonymized.

7. Piwik Pro Consent Manager

Piwik Pro is a marketing and consumer tracking service that uses cookies and includes a consent manager to get those cookies and trackers approved by the site visitor. The service will also spot cookies and trackers that it didn’t generate itself.

Key Features:

• Audience Tracking: Integrates a visitor tracking system for detailed audience analysis.
• Cookie Consent: Manages consent for cookies, especially those used by Piwik Pro’s tracking system.
• DSAR Capability: Includes a platform for efficiently managing Data Subject Access Requests.

Why do we recommend it?

Piwik Pro Consent Manager is a similar tool to Quantcast. However, this is not as generic a service as Quantcast Consent. Piwik Pro is primarily an audience analysis tool and its Consent Manager only operates for the tracking cookies that the Piwik Pro system uses. However, like Quantcast Measure, the Piwik Pro analysis service is free to use.

The consent management platform is comprehensive. It also includes functions for managing PII and has a DSAR system that is implemented through a self-service portal. The Customer Data Platform, which serves DSAR requests also includes an analytical function that lets you assess approval rates and buyer journeys through your sites.

Who is it recommended for?

This tool is a market analysis system, so if you want to look into how your site is used by visitors and how it can be made more appealing, you should consider the Piwik Pro service alongside the rival offering from Quantcast. However, if you only want a cookie consent manager, Piwik Pro is not for you.

Piwik Pro is available for a demo.