Buying a CMP subscription is not the same as achieving compliance. All three of the major CMPs — Cookiebot, OneTrust, Axeptio — can block pre-consent tracking. None of them do it by default. The difference between a GDPR fine and a clean audit is not which tool you picked. It is whether the tool is configured to suppress network requests before consent fires.
TL;DR
- All three CMPs ship in a permissive state. Blocking must be explicitly enabled.
- The test is not whether the banner appears — it is whether tracker network calls are suppressed before user interaction.
- Cookiebot has the most mature script-blocking, but GTM race conditions still bite it.
- The CMP is not where compliance lives. GTM tag gating is.
Verdict
No CMP makes your site compliant on installation. Every one of them requires deliberate configuration of both the tool itself and the GTM container it is supposed to control. If your GTM tags are not gated against consent signals, the banner is decoration.
The test that actually matters
Most compliance checks look at the wrong thing. They inspect the HTML for a consent banner, check whether it appears on load, and call it done.
The question regulators ask is different: did any tracker transmit data before the user interacted with the consent UI? That is a network-level question, not a visual one. A cookie banner can render correctly while GA4 fires at 180ms, before the CMP has finished initialising.
The only way to answer it is to intercept outbound network requests during page load — before any click — and check what went out. That is what a forensic scan does. That is not what a CMP installation check does.
Cookiebot
Cookiebot ships with a cookie scanner that auto-categorises scripts. Its prior-consent blocking mode genuinely suppresses script execution before consent fires — when enabled.
The catch: prior-consent blocking is not the default. Out of the box, Cookiebot runs in a mode where scripts are tagged but not blocked. An agency that installs Cookiebot, configures the banner, and pushes to production without enabling blocking is running a compliant-looking banner over a non-compliant tag stack.
When properly configured, Cookiebot rewrites third-party script tags with type="text/plain", which prevents the browser from executing them before consent. This works — for scripts loaded directly in the HTML.
The failure mode is GTM. If a client loads tags through GTM rather than directly in the HTML, Cookiebot’s script blocking does not reach into the container. You need GTM Consent Mode v2 properly wired — with each tag gated on the correct consent signal — for Cookiebot’s consent decisions to propagate.
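To make the gating requirement concrete, here is an added example (not Cookiebot, OneTrust or Google Tag Manager code) that models how Consent Mode v2 defaults, the CMP's update and each tag's required signals combine. The tag names and the tag-to-signal table are assumptions standing in for each tag's consent settings.

```javascript
// Added example, not code from Cookiebot, OneTrust, Axeptio or Google Tag Manager.
// It models how Consent Mode v2 resolves the state that gates each GTM tag.
// TAG_REQUIRES stands in for each tag's consent settings and is an assumption.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];
const TAG_REQUIRES = {
  ga4_config: ['analytics_storage'],
  meta_pixel: ['ad_storage', 'ad_user_data'],
};

let dataLayer = [];
function gtag() { dataLayer.push(arguments); } // same shape as Google's gtag snippet
function resetDataLayer() { dataLayer = []; }

// Must execute before the GTM container snippet: every storage type starts denied.
function installConsentDefaults() {
  const denied = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });
}
// The CMP's choice callback pushes an update; anything not granted stays denied.
function applyConsent(grantedSignals) {
  const update = {};
  for (const s of SIGNALS) update[s] = grantedSignals.includes(s) ? 'granted' : 'denied';
  gtag('consent', 'update', update);
}
// Replay the dataLayer in order, as a consent-aware container would: default, then updates.
function currentConsent() {
  const state = {};
  for (const entry of dataLayer) {
    const [cmd, action, params] = Array.from(entry);
    if (cmd !== 'consent' || !['default', 'update'].includes(action)) continue;
    for (const s of SIGNALS) if (s in params) state[s] = params[s];
  }
  return state;
}
// A tag may fire only when every signal it requires is explicitly 'granted'.
function tagPermitted(tag) {
  const state = currentConsent();
  return TAG_REQUIRES[tag].every((s) => state[s] === 'granted');
}

// Page-load timeline: defaults installed, then an analytics-only choice by the visitor.
function runScenario() {
  resetDataLayer();
  installConsentDefaults();
  const before = { ga4: tagPermitted('ga4_config'), meta: tagPermitted('meta_pixel') };
  applyConsent(['analytics_storage']);
  const after = { ga4: tagPermitted('ga4_config'), meta: tagPermitted('meta_pixel') };
  return { before, after };
}
```

Note the asymmetry in the result: after an analytics-only choice the GA4 tag is permitted but the Meta Pixel is not, which is exactly what a tag gated on the wrong signal would get wrong.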
OneTrust
OneTrust is the enterprise choice. It is also the most commonly misconfigured CMP in production.
The platform handles consent management, cookie auditing, preference centres, data subject requests, and a dozen other compliance functions. That scope is also what makes it dangerous to deploy without dedicated expertise. The configuration surface is enormous, and the script-blocking layer requires explicit setup that is entirely separate from the banner setup.
The result: large brands with OneTrust installed are routinely caught in enforcement actions. The CMP was present. The tag blocking was not configured. The data was transmitted. The fine was issued.
OneTrust’s technical implementation for script blocking is solid when configured correctly — it supports both direct script management and GTM consent mode integration. But “correctly” is doing a lot of work in that sentence. Agencies deploying OneTrust for clients without dedicated implementation experience should treat the default state as non-compliant until proven otherwise.
Axeptio
Axeptio is lighter, faster, and more opinionated in its UX than the other two. It is popular with French agencies in particular — the company is French, and it is genuinely easier to implement than OneTrust.
The script-blocking capability is functional but less mature. Axeptio handles direct script tags well. Its GTM integration is improving but has historically been weaker than Cookiebot’s. If a client’s tag stack runs through GTM — which most do — Axeptio requires careful manual configuration of consent triggers per tag.
For small sites with simple tag stacks and no GTM, Axeptio is a reasonable choice. For complex GTM containers with 15+ tags, Cookiebot or OneTrust give you more configuration depth and a larger body of documented edge cases to draw on. Axeptio is not the right call for an enterprise client.
The myth that will get your client fined
“We installed Cookiebot” is not a compliance statement. Neither is “we have OneTrust.”
Every one of these CMPs requires:
- Script blocking enabled — not just the banner
- GTM tags gated on consent signals — not just running in the container
- The gating tested under real browser conditions — not just configured and assumed
A CMP handles consent collection. It does not automatically enforce that consent decision downstream unless you have explicitly wired it to do so. An agency that delivers a OneTrust implementation and considers the compliance work done has not resolved the liability — both the agency and the client remain exposed until the tag-blocking layer is verified.
How to verify any CMP is actually blocking
Assume the configuration is wrong until the network proves otherwise. Load the site in a clean browser session, open DevTools → Network, and do not interact with the banner. Watch what fires.
A site with blocking correctly configured shows nothing to google-analytics.com, connect.facebook.net, or any ad network domain during that window. A leaking site shows requests within the first 500ms — before any consent click is possible.
If you see a POST to google-analytics.com/g/collect at 180ms, the CMP is not blocking GA4. It does not matter which CMP is installed or what the dashboard says.
The faster path is a forensic scan that instruments a headless browser to intercept every outbound request during an unconsented session — and flags exactly which trackers fired, which domains they hit, and at what timestamp.
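The check described above, as an added example rather than the page's scanner or any vendor's code: the classifier below runs over a constructed request capture of the kind a headless browser's request hook would yield in a session with no consent click. The tracker host patterns, the sample URLs and the placeholder IDs are assumptions.

```javascript
// Added example; not the page's scanner or any vendor code. SAMPLE_REQUESTS is a
// constructed capture: in a real audit these come from a headless browser's request
// hook (e.g. Playwright's page.on('request')) during a session with no consent click.
const TRACKERS = [ // assumed host/path patterns; extend as needed
  { name: 'GA4', host: /(^|\.)google-analytics\.com$/, path: /^\/g\/collect/ },
  { name: 'Meta Pixel', host: /(^|\.)connect\.facebook\.net$/ },
  { name: 'Meta Pixel', host: /(^|\.)facebook\.com$/, path: /^\/tr/ },
  { name: 'TikTok Pixel', host: /(^|\.)analytics\.tiktok\.com$/ },
];

// Name the tracker behind a request, or null if the host is not on the list.
function classify(request) {
  const u = new URL(request.url);
  const hit = TRACKERS.find(
    (t) => t.host.test(u.hostname) && (!t.path || t.path.test(u.pathname)),
  );
  return hit ? hit.name : null;
}

// Every tracker request in an unconsented session is a finding; timestamps are
// reported relative to navigationStart so "fired at 180 ms" is visible at a glance.
function auditPreConsent(requests, navigationStart) {
  const findings = requests
    .map((r) => ({ r, tracker: classify(r) }))
    .filter((x) => x.tracker !== null)
    .map(({ r, tracker }) => ({
      tracker,
      host: new URL(r.url).hostname,
      method: r.method,
      offsetMs: r.timestamp - navigationStart,
    }))
    .sort((a, b) => a.offsetMs - b.offsetMs);
  return { blocking: findings.length === 0, findings };
}

// Constructed capture of a leaking site: the CMP and GTM load, then GA4 and the
// Meta Pixel fire long before any banner interaction is possible.
const NAV_START = 1700000000000; // constructed epoch ms
const SAMPLE_REQUESTS = [
  { method: 'GET', url: 'https://www.example.com/', timestamp: NAV_START },
  { method: 'GET', url: 'https://consent.cookiebot.com/uc.js', timestamp: NAV_START + 40 },
  { method: 'GET', url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER', timestamp: NAV_START + 95 },
  { method: 'POST', url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER', timestamp: NAV_START + 180 },
  { method: 'GET', url: 'https://connect.facebook.net/en_US/fbevents.js', timestamp: NAV_START + 210 },
  { method: 'GET', url: 'https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView', timestamp: NAV_START + 230 },
];

function scanSample() { return auditPreConsent(SAMPLE_REQUESTS, NAV_START); }
console.log(JSON.stringify(scanSample(), null, 2));
```

The CMP loader and the GTM container script are expected pre-consent traffic and are deliberately not flagged; only the tracker endpoints count as leaks.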