Key Takeaways
- Median annual spend: $11,500/year (Vendr, based on 325 purchases)
- Cookie Consent alone: $300/month for a single domain
- GDPR compliance bundle: $2,275/month
- <10KB SDK: 20x smaller than OneTrust. Zero dependencies. IIFE bundle.
- Parse-time script blocking. MutationObserver catches and blocks scripts before they execute. This is where 59% of CMPs fail, and ConsentStack doesn't.
Why Teams Leave OneTrust
Performance Impact
OneTrust's JavaScript SDK is one of the heaviest in the CMP industry. DebugBear measured OneTrust's impact on Largest Contentful Paint: the banner text itself became the LCP element, jumping load times from 1.43 seconds to 3.61 seconds. A RUMvision case study found the cookie banner was the LCP element for 50% of mobile pageviews, with LCP values hitting 4,721ms.
The Accept button has a P75 processing time of 113ms on mobile. Only 31% of Accept interactions were rated "good" by Core Web Vitals standards. When a user clicks Accept, the updateGtmMacros function alone takes 190ms of main thread time, and one real-world site loaded 73 additional third-party requests after a single accept click.
"The only change we made was adding OneTrust. The Lighthouse score dropped 15 points." -- Developer, Reddit
Pricing Opacity
OneTrust has no public pricing. Every plan requires a sales call. Here's what the data shows:
- Median annual spend: $11,500/year (Vendr, based on 325 purchases)
- Cookie Consent alone: $300/month for a single domain
- GDPR compliance bundle: $2,275/month
OneTrust shifted from per-domain to traffic-based pricing, with users reporting uplifts of 500% when forced to switch. No month-to-month option. Early termination penalties.
"Used their product in production for one week... still tried to charge us for another full year." -- Tristan Pfannschmidt, Trustpilot, Nov 2025
"They change their subscription model and you are forced into it. When you don't accept right away they just stop the service with 2 days notice." -- Niek Goo, Trustpilot, Aug 2025
For a growing company with 30K monthly visitors and 2 domains, OneTrust's cookie consent module alone costs a minimum of $300/month. ConsentStack Pro covers the same traffic with 2 domains included for $29/month, published on the website, no sales call required.
Developer Experience
"Must be the absolutely worst developer experience I've ever had with any tool, and I've been a developer for 10 years now." -- Anonymous, Trustpilot
"Useless. Zero customer service. Bulky and overly complicated to use." -- Thomas Robert, Trustpilot, Jul 2024
GitLab's public handbook documents their OneTrust implementation as a multi-step engineering project. Users report needing to "watch 4-hour videos to get started." 67% of Google Consent Mode v2 setups are misconfigured across the industry, and when the CPPA fined Honda $632,000, they specifically named OneTrust as the misconfigured CMP.
Dark Patterns
"The only option to confirm and continue is 'accept all and continue'... turns back on data collection." -- KHP, Trustpilot, Feb 2025
"Optional choices are always locked to the on position... nothing happens" -- mrsjackofall, Trustpilot, Sep 2023
The broader enforcement context: noyb has filed 500+ GDPR complaints targeting cookie consent violations. Google was fined $165M for asymmetric accept/reject buttons. Facebook $66M. Microsoft $66M. Honda was fined $632,000 using OneTrust, with the CPPA specifically naming the CMP configuration as the cause.
The 8 Best OneTrust Alternatives
1. ConsentStack
Modern, performance-first consent management built for developers.
| Metric | Value |
|---|---|
| SDK size | <10KB gzipped |
| Pricing | $29/mo Pro (30K visitors, 2 domains) |
| Regulations | 32 (GDPR, CCPA/CPRA, 17 US state laws, LGPD, APPI, PIPEDA, more) |
| Script blocking | Parse-time MutationObserver |
| Platform adapters | 6 (Google, Meta, TikTok, Microsoft, Pinterest, LinkedIn) |
| Free tier | Full compliance engine (script blocking, geo-detection, all consent models) |
| Sales call required | No |
Pros:
- <10KB SDK: 20x smaller than OneTrust. Zero dependencies. IIFE bundle.
- Parse-time script blocking. MutationObserver catches and blocks scripts before they execute. This is where 59% of CMPs fail, and ConsentStack doesn't.
- Self-serve from sign-up to live. No sales calls, no contracts, no 2-4 week onboarding.
- 32 regulations on every tier, including 19 US states. Geo-detection automatic via Cloudflare headers.
- 6 platform adapters on Pro: Google Consent Mode v2, Meta Pixel, TikTok, Microsoft Clarity/UET, Pinterest, LinkedIn.
- No dark patterns by design. Symmetric accept/reject buttons on every layout.
- 6,592 tracker domains auto-classified from DuckDuckGo Tracker Radar.
- Transparent pricing: $0 (free, 1K visitors), $29/mo (Pro, 30K visitors), $59/mo (Business, 1M visitors).
Cons:
- Pre-launch. No years of enterprise deployments or thousands of case studies yet.
- No TCF 2.0 yet. On the roadmap. Worth noting: the Belgian DPA found IAB TCF itself violates GDPR.
- No DSAR workflows. ConsentStack focuses on consent management, not the full privacy suite.
- No dedicated support tier. Self-serve by design.
Best for: Developers and growing companies who want full compliance without enterprise overhead or budget-tool compromises.
2. Cookiebot (by Usercentrics)
Scan-based CMP for WordPress sites needing quick EU compliance.
| Metric | Value |
|---|---|
| SDK size | 34KB synchronous |
| Pricing | ~$37/mo per domain |
| DOM nodes injected | 209 (highest benchmarked) |
| INP (DebugBear) | 57ms median |
| Cache TTL | 11 minutes (shortest benchmarked) |
Pros: Quick WordPress setup, Google-certified CMP, automatic cookie scanning, decent INP (57ms).
Cons: Price doubled in August 2025. Per-domain billing with no multi-domain discount. 209 DOM nodes injected. 11-minute cache TTL forces re-downloads. Daily scanning costs an extra $115/month.
"Increased the price of our plan by 78.6% out of the blue, with no additional features or benefits." -- Sam, Trustpilot, Dec 2025
Best for: WordPress sites needing quick EU setup with Google CMP certification. Be prepared for price increases.
3. Osano
Compliance-guarantee CMP with the worst click-response times in the industry.
| Metric | Value |
|---|---|
| Pricing | $99/mo (Business, 30K consent views, 2 domains) |
| INP (DebugBear) | 275ms median, dead last of 9 CMPs |
| CPU blocking time | 448ms |
| Free tier | Notification-only, does not block cookies |
Pros: "No Fines, No Penalties" pledge up to $200K. Good static performance. 17,200+ customers.
Cons: 275ms median INP, dead last. $99/month for 30K consent views. Free tier doesn't block cookies, scan, or store consent.
Best for: Companies that value the compliance guarantee over performance and have the budget for $99/month.
4. Ketch
Enterprise data permissioning platform with a steep learning curve.
| Metric | Value |
|---|---|
| SDK size | 20.6KB minified |
| Pricing | $150/mo Starter (30K visitors) |
| Config steps to banner | 13 |
| Proprietary glossary terms | 56+ |
| Typical onboarding | 2-4 weeks |
| Average enterprise contract | ~$26,257/year (Vendr) |
Pros: Strong customer support. DSR automation is a real enterprise differentiator. Comprehensive regulatory coverage. Progressive Consent (2025) is innovative.
Cons: 13 configuration steps before a visitor sees your banner. 56+ proprietary terms. $150/month for 30K visitors. 2-4 week onboarding. Zero organic community presence.
"The platform's comprehensive features may be overwhelming for smaller organizations." -- Anonymous, G2
Best for: Enterprises needing DSR automation, data mapping, and AI governance alongside consent management.
5. Termly
Budget consent tool that tanks WordPress performance.
| Metric | Value |
|---|---|
| Pricing | $14-20/mo per site |
| WordPress PageSpeed impact | 30-37 point drop |
| GTM compatibility | Auto Blocker does not work with GTM |
Pros: Affordable starting at $10/month. Policy generators included. Google Gold CMP Partner.
Cons: 30-37 PageSpeed point drops on WordPress. Auto Blocker does NOT work with GTM. Per-website pricing. Real compliance features gated behind $20/mo Pro+ plan.
Best for: Budget-conscious small sites not using Google Tag Manager, where PageSpeed isn't a priority.
6. CookieYes
Budget CMP with catastrophic DOM bloat.
| Metric | Value |
|---|---|
| Pricing | $10-55/mo per domain |
| DOM elements added | 48,000 |
| Mobile LCP | 6.5 seconds |
Pros: Affordable. Generous free tier (5,000 pageviews). Works on any website.
Cons: 48,000 DOM elements (Google recommends under 1,500 total). 6.5-second LCP on mobile. Per-domain pricing. No branding removal below $55/month.
"The banner adds about 48,000 elements to the DOM. On mobile, the banner is the LCP, with an immense 6.5 seconds." -- stefanchetan, WordPress.org, May 2024
Best for: Simple sites with low traffic needing the cheapest possible cookie consent option.
7. Transcend
Enterprise-grade network-level privacy layer for Fortune 500 companies.
| Metric | Value |
|---|---|
| SDK size | 54.3KB compressed (airgap.js core) |
| Pricing | ~$130,818/year average (Vendr) |
| G2 rating | 4.6/5 (112 reviews) |
Pros: Network-level script blocking via airgap.js. Both client-side and backend consent governance. Clean ethical positioning.
Cons: ~$130,000/year average contract. 54.3KB compressed SDK. Aggressive renewal pricing.
Best for: Fortune 500 companies with dedicated privacy engineering teams and six-figure compliance budgets.
8. TrustArc
The CMP that publishes "Avoid Dark Patterns" while being listed on deceptive.design.
| Metric | Value |
|---|---|
| Pricing | ~$10,000/year minimum |
| Trustpilot rating | 1.9/5 (92% one-star) |
| Opt-out processing delay | 30-60 seconds (artificial) |
Cons: Fake 30-60 second opt-out processing delays. Listed on deceptive.design. 1.9/5 Trustpilot with 92% one-star reviews. FTC-fined for fake privacy certification. RabbitMQ filed a public GitHub issue because TrustArc took over 2 minutes to load.
"Deliberately delivers a poor customer experience ('processing' wait time for cookie rejection) to try and persuade users to accept cookies." -- Tom, Trustpilot, Oct 2023
Best for: Difficult to recommend. If required due to vendor relationships, push for removal of fake processing delays.
Performance Benchmark Comparison
| CMP | SDK Size | LCP Impact | INP (Median) | Script-Blocking Method |
|---|---|---|---|---|
| ConsentStack | <10KB gzipped | Negligible | N/A (pre-launch) | Parse-time MutationObserver |
| Cookiebot | 34KB sync | Moderate | 57ms | Scanner-based, monthly |
| Osano | Small footprint | Low | 275ms (worst) | Runtime |
| Ketch | 20.6KB min | Low (defer) | N/A | Smart Tag (defer) |
| Termly | N/A | 30-37 pts PageSpeed drop | N/A | Auto Blocker (breaks GTM) |
| CookieYes | N/A | 6.5s mobile LCP | 81ms | Runtime |
| Transcend | 54.3KB compressed | Low | N/A | Network-level (airgap.js) |
| TrustArc | N/A | 2+ min load reported | 67ms | Runtime + fake delays |
| OneTrust (ref) | 184KB+ | 1.43s to 3.61s | 104ms | Runtime |
Key takeaway: Only two CMPs use parse-time script blocking: ConsentStack (MutationObserver) and Transcend (network-level airgap.js). Every other CMP uses runtime approaches that allow scripts to fire before consent is collected. This is why 59% of sites with CMPs still set cookies before consent.
Pricing Comparison
| CMP | Monthly Price (30K MAU) | Free Tier | Sales Call? |
|---|---|---|---|
| ConsentStack | $29 | Full compliance (1K visitors) | No |
| Cookiebot | ~$37/domain | 50 subpages, 1 domain | No |
| Osano | $99 | Banner only, no blocking | No (Business) |
| Ketch | $150 | 5K visitors, 2 integrations | No (Starter) |
| Termly | $14-20/site | 10K banner views | No |
| CookieYes | $10-55/domain | 5K pageviews | No |
| Transcend | ~$10,900 | None | Yes |
| TrustArc | ~$833 | None | Yes |
| OneTrust (ref) | ~$300 (consent only) | None | Yes |
There's a gap between $55/month (CookieYes Ultimate) and $150/month (Ketch Starter) where no major CMP offers a comprehensive solution. ConsentStack Pro at $29/month with 32 regulations, 6 platform adapters, and real script blocking sits in that missing middle.
Parse-Time vs Runtime Script Blocking
59% of websites with CMPs still set cookies before consent is collected. This happens because most CMPs use runtime script blocking: they load, initialize, and then try to prevent scripts that have already been injected from executing.
Parse-time blocking installs a MutationObserver during the HTML parsing phase, before any third-party scripts execute. The observer watches the DOM for new <script> elements and blocks them before the browser can fetch or execute them. Scripts are checked against 6,592 tracker domains and held until the user grants consent.
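The hold-until-consent logic described above, as an added sketch that is not ConsentStack's SDK code. The names `isTracker`, `guard`, `release` and the two-entry domain list are hypothetical and constructed for illustration.

```javascript
// Constructed sample list; a real deployment loads its own tracker-domain data.
const TRACKER_DOMAINS = new Set(["tracker.example", "ads.example.net"]);
const HELD_TYPE = "text/plain"; // non-JavaScript type: the browser treats it as inert data
const held = []; // scripts neutralised while consent is missing

// True if the URL's host is a listed domain or a subdomain of one (label-wise
// suffix match, so "nottracker.example" does not match "tracker.example").
function isTracker(src, base = "https://site.example/") {
  let host;
  try { host = new URL(src, base).hostname.toLowerCase(); } catch { return false; }
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (TRACKER_DOMAINS.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Neutralise one added node if it is an external tracker script and consent is absent.
function guard(node, hasConsent) {
  if (node.tagName !== "SCRIPT" || !node.src || hasConsent) return false;
  if (!isTracker(node.src)) return false;
  node.dataset.origType = node.type || "";
  node.type = HELD_TYPE;
  held.push(node);
  return true;
}

// After consent: swap each held script for a fresh element so the browser runs it.
function release(doc) {
  let released = 0;
  for (const old of held.splice(0)) {
    const fresh = doc.createElement("script");
    if (old.dataset.origType) fresh.type = old.dataset.origType;
    fresh.src = old.src;
    old.replaceWith(fresh);
    released++;
  }
  return released;
}

// Browser only: install from an inline script at the top of <head>.
// Passing false assumes no consent has been stored yet.
if (typeof MutationObserver !== "undefined") {
  new MutationObserver((records) => {
    for (const r of records) for (const n of r.addedNodes) guard(n, false);
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

The label-wise match matters when auditing a blocker: a substring or `endsWith` check on the hostname would either miss subdomains or hold first-party scripts whose host merely contains a listed name.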
| Approach | CMPs |
|---|---|
| Parse-time blocking | ConsentStack (MutationObserver), Transcend (network-level airgap.js) |
| Runtime / tag manager | OneTrust, Cookiebot, Osano, Ketch, Termly, CookieYes, TrustArc |
When evaluating a OneTrust replacement, ask this question first: does the CMP block scripts before they execute, or after?
Frequently Asked Questions
No. OneTrust's median annual spend is **$11,500/year**, with cookie consent alone starting at **$300/month per domain**. ConsentStack Pro covers 30K visitors and 2 domains for **$29/month** with 32 regulations, 6 platform adapters, and parse-time script blocking.
**CookieYes** starts at $10/month per domain. **Termly** starts at $10/month (annual) per site. Both come with performance tradeoffs: CookieYes adds 48,000 DOM elements, and Termly drops WordPress PageSpeed by 30-37 points. **ConsentStack** offers a free tier with real script blocking and a Pro plan at $29/month that includes features most budget CMPs gate behind premium tiers.
**ConsentStack** ships a **<10KB SDK**, roughly 20x smaller than OneTrust's 184KB+ bundle, with parse-time script blocking. Among established CMPs, **Ketch** loads with a `defer` attribute, and **Cookiebot** has decent INP at 57ms. Avoid **Osano** (275ms INP, dead last), **CookieYes** (48,000 DOM elements), and **Termly** (30-37 PageSpeed point drops).
Your existing consent records remain in OneTrust. They don't transfer. When you switch CMPs, returning visitors see your new consent banner and provide fresh consent. The new CMP starts collecting records independently. There's no compliance gap during migration as long as both CMPs aren't running simultaneously.
TCF 2.0 is primarily required for programmatic advertising networks in the EU. If you run Google Ads, Meta Ads, or direct ad relationships, Google Consent Mode v2 is what matters, and most CMPs support it without TCF. The **Belgian DPA found IAB TCF itself violates GDPR**, so the framework's legal foundation is contested.
**67% of Google Consent Mode v2 setups are misconfigured.** The smoothest integrations come from CMPs with built-in platform adapters. **ConsentStack** includes Google as one of 6 platform adapters on Pro. **Cookiebot** is Google-certified. Avoid **Termly's** Auto Blocker if you use GTM, because it doesn't work with GTM-deployed scripts. [See our Google Consent Mode v2 setup guide](https://consentstack.io/blog/google-consent-mode-v2-setup).
Conclusion
The consent management market in 2026 has a missing middle. Enterprise tools like OneTrust ($11,500/year median), Ketch ($150/month), and Transcend ($130K/year average) require weeks of implementation and procurement processes. Budget plugins like Termly, CookieYes, and CookieScript cost $10-20/month but destroy site performance and gate real compliance features.
ConsentStack was built to fill the gap: <10KB SDK, 32 regulations, parse-time script blocking, 6 platform adapters, and $29/month Pro pricing, published on the website, no sales call required. Try ConsentStack free.
Try it free. No credit card. No sales call. No 4-hour setup video.