What "Free" Actually Means for Most CMPs
Banner Display Without Script Blocking
This is the most critical failure, and it's nearly universal. 59% of websites with CMPs still set cookies before consent is collected. A banner without enforcement is consent theater. Regulators know the difference.
Limited Pages or Visitors
Cookiebot limits you to 50 subpages. CookieYes limits you to 100 pages. Termly caps at 10,000 banner views. These limits are designed to be outgrown quickly. Some CMPs silently stop displaying the banner when you hit the cap. Others auto-upgrade your account.
Single Regulation Coverage
GDPR alone is not enough if you have visitors from California or any of the other US states with privacy laws. Free tiers typically support one regulation. ConsentStack covers 32 regulations on every tier, including free.
No Geo-Detection
Without geo-detection, you either show the most restrictive experience to everyone (reducing data collection from non-regulated visitors) or show a less restrictive experience globally (non-compliant for stricter jurisdictions). Free tiers almost never include geo-detection.
Branding, Ads, and Data Harvesting
Free tiers inject "Powered by" badges or ads into your banner. Some monetize by aggregating your visitor consent data. The irony: your privacy compliance tool is creating a new privacy problem.
Free Tier Breakdown
Osano Free
A notification banner. No script blocking, cookie scanning, consent storage, or geo-detection. Worse than having no CMP, because it creates the appearance of compliance while doing nothing to enforce it. Paid plan starts at $99/month. Even when you upgrade, Osano's INP is 275ms median, dead last of 9 CMPs benchmarked.
Termly Free
A consent banner with 10,000 views/month and ads injected into the banner. No Google Consent Mode v2, IAB TCF, custom styling, or regional consent rules. Auto Blocker (script blocking) is not included on free, and even on paid plans, it does not work with GTM-deployed scripts. WordPress plugin causes 30-37 point PageSpeed drops.
CookieYes Free
Up to 100 pages and 5,000 pageviews/month on a single domain. When CookieYes' IAB TCF loads, it injects roughly 48,000 DOM elements (Google recommends under 1,500). Mobile LCP: 6.5 seconds. Even upgrading to paid plans doesn't fix the DOM bloat. It's architectural.
"The banner adds about 48,000 elements to the DOM. On mobile, the banner is the LCP, with an immense 6.5 seconds." -- stefanchetan, WordPress.org, May 2024
Cookiebot Free
1 domain and 50 subpages with monthly scanning. The 50-page limit is enforced by a scanner that counts every URL, including pagination and URL variations. Users report being auto-upgraded after adding payment details.
"Simply by adding payment details, Cookiebot's system automatically upgraded our entire account... $396 without authorization" -- 土狗 浪漫, Trustpilot, Jan 2026
Also: 209 DOM nodes per page, 34KB synchronous script, 11-minute cache TTL. Prices doubled in August 2025.
Free Tier Comparison Table
| CMP | Free Limit | Script Blocking | Geo-Detection | Regulations | Key Catches |
|---|---|---|---|---|---|
| Osano | 5K views/mo | No | No | Limited | Notification-only. Does not block, scan, or store consent. |
| Termly | 10K views/mo | No | No | 1 | Ads in banner. Auto Blocker breaks GTM even on paid. |
| CookieYes | 100 pages | Limited | No | GDPR only | 48K DOM elements. 6.5s mobile LCP. |
| Cookiebot | 50 subpages | Scanner-based | No | GDPR | 11-min cache. Auto-upgrade traps reported. |
| ConsentStack | 1K visitors/mo | Yes (parse-time) | Yes | 32 | Full compliance engine on free. Not a demo. |
The Compliance Gap: Why a Banner Without Enforcement Is Worse Than No Banner
A website with no banner is non-compliant. Everyone knows it. A website with a banner that doesn't block scripts is also non-compliant, but now with a dangerous layer of false confidence. When a regulator audits, the banner demonstrates awareness of consent requirements. The failure to enforce demonstrates negligence. Awareness plus negligence is worse than ignorance.
What Regulators Actually Look For
- Pre-consent script execution. Do tracking scripts fire before the visitor makes a choice?
- Asymmetric consent options. Is "Reject" as easy as "Accept"? noyb has filed 500+ complaints targeting cookie banner violations. Google was fined $165 million and Facebook $66 million.
- Consent storage and proof. Can you demonstrate a specific visitor gave consent at a specific time?
- Geo-appropriate consent models. GDPR requires opt-in. CCPA requires opt-out. Wrong model = violation.
Most free tiers fail all four tests.
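The first test in the list above, pre-consent script execution, can be checked against a HAR capture exported from browser devtools. The script below is an added example, not code from this page or from any CMP vendor; the tracker domains, essential-cookie names, consent timestamp and sample capture are constructed assumptions.

```javascript
// Added example: audit a HAR 1.2 capture for activity that precedes the consent click.
// TRACKER_DOMAINS, ESSENTIAL_COOKIES and sampleHar are constructed for illustration.
const TRACKER_DOMAINS = ["tracker.example", "ads.example"];
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token"]);

// True when host equals a listed domain or is a subdomain of it.
function isTracker(host, domains) {
  return domains.some((d) => host === d || host.endsWith("." + d));
}

// Returns one finding per tracker request or non-essential cookie
// observed before consentTime (ISO 8601 timestamp of the visitor's choice).
function auditPreConsent(har, consentTime, domains = TRACKER_DOMAINS) {
  const cutoff = Date.parse(consentTime);
  const findings = [];
  for (const entry of har.log.entries) {
    const started = Date.parse(entry.startedDateTime);
    if (Number.isNaN(started) || started >= cutoff) continue; // after the choice: out of scope
    const host = new URL(entry.request.url).hostname;
    if (isTracker(host, domains)) {
      findings.push({ type: "tracker-request", host, at: entry.startedDateTime });
    }
    for (const cookie of entry.response.cookies || []) {
      if (!ESSENTIAL_COOKIES.has(cookie.name)) {
        findings.push({ type: "cookie-set", host, name: cookie.name, at: entry.startedDateTime });
      }
    }
  }
  return findings;
}

// Constructed capture: the visitor clicked a consent button at 10:00:05Z.
const sampleHar = { log: { entries: [
  { startedDateTime: "2025-01-01T10:00:00.100Z",
    request: { url: "https://shop.example/" },
    response: { cookies: [{ name: "session_id" }] } },
  { startedDateTime: "2025-01-01T10:00:00.900Z",
    request: { url: "https://cdn.tracker.example/pixel.js" },
    response: { cookies: [{ name: "_uid" }] } },
  { startedDateTime: "2025-01-01T10:00:06.000Z",
    request: { url: "https://ads.example/collect" },
    response: { cookies: [{ name: "_ad" }] } },
] } };

const findings = auditPreConsent(sampleHar, "2025-01-01T10:00:05.000Z");
console.log(findings);
```

An empty result on a capture taken with a fresh browser profile, before any banner interaction, is the outcome a working script blocker should produce.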
The Honda Precedent
The CPPA fined Honda $632,000 for consent violations and specifically named the misconfigured CMP (OneTrust) as the cause. Having a CMP that doesn't work properly is not a defense. It's evidence of a compliance failure.
The Hidden Costs of Free Cookie Consent
Engineering Time
When a free CMP's blocking doesn't work, someone discovers the gap. The debugging and migration cycle typically consumes 4-8 hours at $100-200/hour. The "free" CMP just cost $400-1,600 before the first bill from the replacement.
Regulatory Risk
noyb has filed 500+ complaints. The average GDPR fine has increased every year since 2018. A free CMP that doesn't block scripts creates a false paper trail suggesting you tried to comply and failed.
Performance Tax
CookieYes: 48,000 DOM elements. Cookiebot: 209 nodes with 34KB synchronous script. Termly: 30-37 PageSpeed point drops. Osano: 275ms INP. These penalties affect Core Web Vitals (SEO rankings), conversion rates (~1% drop per 100ms delay), and user experience.
Forced Upgrades and Price Lock-In
Cookiebot doubled prices in August 2025 with 30 days' notice. Users reported jumps from $8.25/month to $33/month, and some were forced from monthly to annual billing without consent.
"Increased the price of our plan by 78.6% out of the blue, with no additional features or benefits." -- Sam, Trustpilot, Dec 2025
The Real Math: Free CMP vs. Paid Compliance
Free CMP path (Cookiebot, 5K monthly visitors):
- $0 until you exceed 50 pages (week 2)
- Forced upgrade: ~$33/month
- 12-month cost: ~$363
- Engineering time to discover non-compliance: ~$800
- Migration cost when prices increase: ~$400
- Total: ~$1,563+ plus performance and compliance risk
ConsentStack path:
- $0 up to 1,000 visitors
- At 5K visitors, upgrade to Pro: $29/month
- 12-month cost: $348 (or $278 annual)
- Real script blocking from day one
- Total: $278-348 with actual compliance
The "free" CMP costs 4-5x more than the paid one that works.
ConsentStack: What a Free Tier Should Look Like
ConsentStack's free tier includes:
- 1,000 visitors/month, 1 domain
- Real script blocking (parse-time MutationObserver, same mechanism as paid plans)
- 32 regulations (GDPR, CCPA/CPRA, LGPD, PIPEDA, APPI, 17 US state laws)
- Geo-detection via Cloudflare headers
- No ads, no third-party branding
- Under 10KB SDK with zero dependencies
- 6,592 auto-classified tracker domains
- No dark patterns (symmetric buttons, no pre-checked categories)
The free tier is limited by scale, not by compliance features. A site with 500 monthly visitors on free has the same consent enforcement as a site with 500,000 on Business.
Paid tiers when you outgrow free:
| Plan | Price | Visitors | Domains | Platform Adapters |
|---|---|---|---|---|
| Free | $0 | 1K/mo | 1 | None |
| Pro | $29/mo | 30K/mo | 2 (+$5/each) | 6 (Google, Meta, TikTok, Microsoft, Pinterest, LinkedIn) |
| Business | $59/mo | 1M/mo | 3 (+$5/each) | 6 |
For context: Osano charges $99/month for 30K views. Ketch charges $150/month for 30K visitors. OneTrust starts at $300/month.
Frequently Asked Questions
In sticker price, yes. In total cost, no. Free tiers universally compromise compliance (no script blocking, no geo-detection), degrade performance (DOM bloat, synchronous scripts), or create hidden costs (engineering time, forced upgrades, data harvesting). ConsentStack's free tier is the closest to "truly free" because it includes the same compliance engine as paid plans, limited by scale (1,000 visitors), not functionality.
Only if the free tier blocks scripts before consent. GDPR requires that tracking does not occur until affirmative consent is given. Of the free tiers reviewed, Osano does not block cookies. Termly does not include its Auto Blocker on free. CookieYes is capped at 100 pages. Cookiebot at 50. ConsentStack's free tier includes parse-time script blocking for up to 1,000 visitors.
Arguably, no. A banner without enforcement creates false confidence. When a regulator investigates, the banner demonstrates awareness of consent requirements without enforcement. Awareness plus inaction is a worse legal position than ignorance.
Cookiebot: 1 domain, 50 subpages, monthly scanning, no geo-detection, scanner-based blocking, 209 DOM nodes, 34KB synchronous code, 11-minute cache. ConsentStack: 1 domain, 1,000 visitors, parse-time script blocking, geo-detection across 19 US states, 32 regulations, <10KB SDK. One is reactive. The other is preventive.
In order of importance: (1) Real script blocking that prevents tracking before consent. (2) Geo-detection for jurisdiction-appropriate consent models. (3) Multi-regulation support beyond GDPR. (4) Consent storage for audit proof. (5) Minimal performance impact. If a free tier fails on point one, everything else is irrelevant.
Conclusion
59% of websites with CMPs still set cookies before consent. Most of those sites believe they are compliant. Most of them started with a free tier.
The real cost of free cookie consent is the engineering time discovering the gap, the regulatory exposure you carry unknowingly, the performance penalty your visitors absorb, and the forced upgrade at a price set by the vendor.
ConsentStack's free tier was built to break this pattern. One thousand visitors. One domain. Parse-time script blocking. Thirty-two regulations. Geo-detection. No ads. No branding. The same compliance engine as paid plans, limited by scale, not functionality.
Most free CMPs are demos. ConsentStack's free tier is a product.
Try it free. No credit card. No sales call. No surprises.