Best CMPs for News Publishers: Reviews, Pricing, and Setup Guide (2026)

Quick Overview

• Regional news publishers across the US are receiving legal demand letters citing unlicensed use of tracking pixels like Meta Pixel and Google Analytics; two Georgia outlets were sued under SIPA in early 2026
• A CMP built for publishers needs geolocation-based consent rules, multi-domain support, Google Consent Mode v2, and audit-ready consent logs
• OneTrust starts at $10,000+/year, while purpose-built mid-market options cover most publisher use cases for $300–500/month
• Installing a cookie banner doesn't make you compliant; the best way is to set up consent management is via Google Tag Manager  

In early 2026, regional news publishers across Georgia, Arizona, and California started receiving legal demand letters from privacy litigation firms. The letters cited specific incidents: a pixel ID, an IP address, a date and timestamps showing that a tracking technology fired on a site visitor without their consent.

Two Georgia outlets were sued under the state's Senate Bill 473 (SIPA). Similar claims have been filed in California under CIPA, the California Invasion of Privacy Act.

If you run a news website and you're loading Google Analytics, Meta Pixel, or any programmatic ad script without a consent management platform in place, you're exposed to exactly this kind of claim.

This guide is for independent local newspapers, regional media groups, and digital news outlets that need to get compliant, fast. It covers what publishers specifically need in a consent management platform (CMP), how the four leading options compare, and what implementation actually looks like for a newsroom without a dedicated developer.

Enzuzo wrote this guide. We've worked with regional publishers across Georgia, Arizona, and the Pacific Northwest to get their sites compliant, and the patterns in those conversations shaped every section below.

Why news publishers have a different compliance problem 

Most CMP guides are written for e-commerce or SaaS companies. Publishers have a meaningfully different setup, and the differences matter when you're evaluating tools.

You're running ad tech that most websites don't

A typical e-commerce company runs analytics and maybe a social pixel. News publishers run a more complex stack: Google Analytics 4, Google Ad Manager for display ad delivery, programmatic ad networks like Empower Local or Broadstreet, and often retargeting pixels from Meta or other platforms. Every one of those scripts is a potential claim vector in a demand letter.

Privacy litigation firms scan publisher sites and document every technology that fires on page load without a prior consent signal. The demand letter then lists each instance,  pixel ID, timestamp, IP address, and calculates a damages figure based on the number of occurrences. The larger your traffic and the more ad tech you're running, the higher the exposure.

A CMP solves this by intercepting those scripts before they fire and allowing them to run only once a visitor has given consent or declined it, depending on the state they're visiting from.

State privacy laws treat consent differently, affecting your analytics

This is the part that surprises most publishers when they first start evaluating CMPs.

California operates under an opt-in model for CIPA purposes. Nothing fires until the user explicitly says yes. Georgia, Arizona, and most other US states that have passed privacy laws use an opt-out model, where the banner appears but scripts fire unless the user actively declines.

Why this matters for your numbers: when you deploy a consent banner, you will see a drop in your GA4 data. This is expected and unavoidable. The question is how large the drop is, and that depends on how much of your traffic comes from opt-in states like California.

A banner non-interaction rate of around 50% is common across publisher deployments, meaning roughly half of all visitors either dismiss the banner or navigate past it without clicking accept or decline. In opt-in states, non-interaction equals no consent, which equals no GA4 tracking for that visitor.

This is not a CMP problem. It is the cost of compliance. The right way to evaluate it is to look at your California traffic as a share of total traffic and plan accordingly. A publisher getting 5% of its traffic from California will see a much smaller impact than one with 20%.

A good CMP gives you the reporting to understand exactly where you're losing attribution and why, rather than leaving you staring at a drop in sessions with no explanation.

Many publishers have been blocking EU traffic as a workaround

This came up repeatedly in conversations with publishers who were evaluating CMPs for the first time. Years ago, when GDPR enforcement began ramping up, many regional news sites were advised by their hosting companies or CMS vendors to simply block all traffic from EU and UK IP addresses. It was a blunt solution, but it stopped the compliance risk at the border.

The problem is that many of those publishers never revisited the decision. They're still blocking EU visitors in 2026, which means they're turning away readers and missing potential ad impressions from those markets.

A properly configured CMP handles EU traffic correctly: it shows a compliant GDPR consent banner, blocks non-essential scripts for visitors who decline, and logs consent records for audit purposes. Once that's in place, there's no compliance reason to maintain the blanket block. You get the traffic back and stay compliant.

If you've been blocking EU visitors, getting a CMP in place is also the path to reopening that channel.

Multi-property publishers need consent that scales across domains

Regional media groups typically own several newspaper titles under one corporate entity. A group might run five to fifteen separate news domains, each with its own readership and branding. Managing compliance across that portfolio is an operational challenge that single-domain CMP guides never address.

The important thing to understand is that each domain needs its own consent log. This is not just a technical consideration, it's a legal one. If a demand letter arrives citing a specific domain, you need to be able to produce that domain's consent records cleanly. If you've been routing all your properties through one shared consent configuration, those records are intermingled and difficult to separate.

The correct architecture for a multi-property publisher is separate consent containers per domain or per sub-group of properties, managed from a single dashboard. That gives you the operational convenience of centralized management without compromising the integrity of your audit trail.

Your CMS vendor may be injecting scripts you don't know about

Publishers using managed CMS platforms should run a cookie scan before configuring any CMP. It's not unusual for a CMS vendor to inject third-party consent or analytics scripts on some properties as part of their standard setup. In one case we've seen, a CMS vendor had silently loaded a consent management cookie on a subset of a publisher group's properties.

If you configure your consent banner without knowing what's actually loading on your sites, you risk either missing scripts that should be under consent control or creating conflicts between competing consent tools. The scan takes minutes and gives you an accurate baseline before you touch anything else.

What to look for in a CMP for publishers 

Not all CMPs are built to handle the publisher use case. Here are the eight criteria worth evaluating before you commit to a platform.

A note on TCF 2.3: For most regional publishers running Google Ad Manager to serve display ads, you don't need TCF 2.3. That framework is relevant if you're operating as a supply-side platform, reselling audience data to DSPs, or working with ad tech intermediaries who require it contractually.

If you're a news publisher monetizing through standard display and programmatic networks, ask any vendor you're evaluating whether their non-TCF configuration covers your use case. For most of the publishers in this segment, the answer is yes.

The four best CMPs for news publishers

At a glance: how the four platforms compare

The table below covers the criteria that matter most for the publisher use case, based on real conversations with regional news publishers across the U.S.

Pricing model: CookieYes charges per domain, which looks cheap at one domain and expensive at ten. Enzuzo charges based on total traffic across all domains, so a publisher group with several properties pays one rate regardless of how many titles are under the account. For multi-property publishers, this distinction changes the total cost of ownership significantly.

North American hosting: some publishers who've been blocking EU traffic have also been cautious about using EU-domiciled vendors for consent management. Enzuzo is headquartered in Canada; Osano is US-based. Both are reasonable choices for publishers who want to keep their consent infrastructure on this side of the Atlantic.

TCF 2.3: listed here for completeness. As noted in the evaluation criteria section, most regional publishers don't need it. The row is relevant for any publisher group exploring relationships with DSPs or SSPs that require TCF signalling.

Now, let's dive into the tools.

Enzuzo

Enzuzo is built for mid-market publishers and regional media groups that need full US state compliance without enterprise pricing or enterprise complexity. It's the platform we've seen adopted most frequently by independent and regional news publishers over the past year.

The core strengths for publishers are geolocation-based consent that updates automatically as new state laws pass, native Google Consent Mode v2 support via a GTM template, and consent analytics that break down not just accept/reject rates but the no-interaction rate, which is the metric most publishers wish they'd been watching from day one. The multi-domain dashboard lets you manage a portfolio of properties centrally while keeping consent logs separate per domain.

Pricing starts at around $300/month for up to 250,000 monthly visitors across multiple domains, with onboarding included. For a publisher group with several properties sharing that traffic volume, the all-in cost is meaningfully lower than per-domain alternatives. If your traffic exceeds the base tier, you can add temporary overages for a single high-traffic month without permanently upgrading your plan.

Publishers without GTM access can deploy via direct script injection, which a managed CMS vendor can typically handle in under an hour.

Two honest limitations worth knowing about before you evaluate: Enzuzo doesn't currently support native iOS and Android app SDKs, only webview-based mobile apps. And TCF 2.3 support is in development for publishers who need it for programmatic ad partnerships. 

Book a complimentary strategy call to see how Enzuzo can power your organization

OneTrust

OneTrust is the enterprise standard in consent management, and it's usually the first vendor regional publishers get a quote from, largely because it's the most recognizable name in the category.

The platform is comprehensive. It covers consent management, data mapping, internal privacy governance, DSAR management with integrations, and a long list of enterprise features that large media conglomerates with dedicated privacy teams genuinely use. If you're a large media group with a privacy officer on staff and a legal team that requires a specific enterprise vendor, OneTrust is worth evaluating seriously.

For independent or regional publishers, the economics don't work. Pricing starts above $10,000/year, implementation typically requires an external consultant, and the majority of the feature surface area is built for use cases most regional publishers will never encounter. The publishers in this segment who looked at OneTrust all reached the same conclusion quickly and moved on.

Worth knowing about, but also balancing the implementation and onboarding costs.

Osano

Osano is a credible mid-market option and a North American company, which matters for publishers who've historically avoided EU-domiciled vendors. Its privacy program suite goes beyond consent management to cover data mapping and some internal governance functionality, which can be useful if your compliance needs extend beyond the website consent layer.

For publishers whose primary requirement is a CMP, Osano's pricing is higher than Enzuzo, typically starting above $1,000/month at the entry tier. The broader feature set is the justification for that price, but if you're buying a CMP and don't need internal data governance, you're paying for modules you won't use. Worth getting a comparison quote if you want a second mid-market option alongside Enzuzo in your evaluation.

CookieYes

CookieYes is a self-serve, low-cost option that handles basic GDPR and CCPA banner requirements. For a single-domain publisher where budget is the primary constraint and the primary use case is straightforward, it's worth a look.

The limitations become more visible at scale. Consent analytics are lighter than mid-market alternatives, making it harder to understand the real impact on your GA4 data. There's no dedicated onboarding support. Pricing is per-domain, which adds up if you're managing more than two or three properties. And if you ever need to produce detailed consent logs in response to a legal demand, the record-keeping capabilities are less robust than what you'd get from a purpose-built mid-market tool.

For a one-person operation running a single news site on a tight budget, CookieYes is a reasonable starting point. For any publisher managing multiple properties or operating in a state with active litigation pressure, the upgrade to a more capable platform is worth the cost.

How to implement a CMP on a news site 

This section walks through the implementation process using Enzuzo. The steps assume you have either Google Tag Manager access or a CMS vendor who can add a script to your site. No developer background required.

Step 1: Run a cookie scan before you configure anything

Sign up for Enzuzo. Before you touch any settings, run an automated cookie scan on every domain you're planning to cover. The scan crawls your site and returns a list of every cookie and script loading on page load, categorised by purpose.

Don't assume you know what's there. Scripts get added during CMS updates, ad network integrations, and third-party plugin installations without always being formally documented. The scan output is what you'll use to configure your consent categories and write your banner copy. Starting without it means you'll likely miss something.

Step 2: Configure your geolocation rules

Once you know what's loading on your site, set up your consent rules by location:

• California: set to opt-in. Nothing fires on page load until the visitor explicitly accepts. This is the right setting given the CIPA litigation environment, even though California's base law technically permits opt-out. The conservative configuration removes your exposure.
• Other US states with active privacy laws (Virginia, Colorado, Texas, Georgia, and others): set to opt-out. The banner appears and tags fire unless the visitor declines.
• US states with no active law: default to the country rule, which should be opt-out or no banner depending on your preference.
• Worldwide: set to don't show. Most international regions have no applicable law and showing a banner unnecessarily trains visitors to dismiss it.
• EU/UK: if you've been blocking this traffic, configure GDPR rules here instead. Set non-essential scripts to block by default until the visitor accepts. You can then lift the IP block and start receiving EU traffic again.

Step 3: Deploy via Google Tag Manager

In GTM, add the Enzuzo template from the community template gallery. Set it as a consent initialization tag so it loads first, before any other tag in the container fires.

Google's own tags (GA4, Google Ads, Floodlight) have built-in consent checks and will automatically respect the signals Enzuzo sends. For any custom HTML tags, including Google Ad Manager impression scripts and third-party ad network tags, you'll need to add a firing condition. Create a custom event trigger using enzuzo_consent_update and add it as a required trigger for each of those tags. This ensures they only fire when Enzuzo confirms the visitor has consented.

If your site doesn't use GTM and you manage everything through a CMS, the alternative is direct script injection. Copy the Enzuzo script tag and add it to the head section of your site. For most managed platforms, this is a 30-minute task. Once it's there, the banner will load automatically based on your geolocation configuration.

Running a news site with multiple domains and an ad tech stack? Book a 20-minute call, and we'll audit your current setup, flag your exposure, and show you what a proper implementation looks like. 

Step 4: Separate containers for multi-property groups

If you're managing multiple newspaper domains, do not route all of them through a single Enzuzo consent ID. Create a separate configuration per domain or per sub-group of properties that share a CMS and GTM setup.

This keeps your consent logs clean and domain-specific. When a legal request arrives asking for consent records tied to a specific publication, you can produce them without having to filter through a combined log from all your properties. The operational overhead is minimal: a few extra configurations in the dashboard, each generating its own GTM script.

Step 5: Test before you go live

Use a VPN to simulate visitors from California, Georgia, and a state with no active privacy law. Confirm that GA4 is blocked on page load for California visitors until they accept, that GA4 fires normally for Georgia visitors unless they decline, and that no banner appears for states with no applicable law. Also check that your ad delivery scripts are responding correctly to consent state changes.

Verify that the banner inherits your publication's fonts and colour scheme. Enzuzo's banner pulls CSS values from your site automatically, so it should look native rather than like a third-party widget. If the styling looks off, the configuration has a field for manual colour hex values.

Once testing passes, push the container changes live.

For a detailed walkthrough of the Google Consent Mode v2 configuration, see our Google Consent Mode v2 setup guide.

Common mistakes news publishers make 

Treating the banner as sufficient proof of compliance

Having a cookie banner on your site does not mean your site is compliant. The banner is the user-facing interface. The GTM configuration beneath it controls whether scripts fire or are blocked.

If your Google Ad Manager tag or Meta Pixel is not wired through a consent trigger in GTM, it will fire on every page load regardless of what the visitor clicks on the banner. You can have a banner that looks perfectly correct and still be loading tracking scripts without consent for every California visitor to your site.

After deployment, run a validation check. Use browser developer tools or a tag-auditing extension to confirm that your ad and analytics scripts are genuinely blocked. If they're still firing, the GTM configuration needs to be corrected before you're actually covered.

Using one consent ID across all domains in a shared GTM container

This is the most common mistake for multi-property publisher groups: managing one GTM container for all your sites is significantly simpler than managing separate containers. The problem is what happens to your consent logs.

When all your properties share one Enzuzo consent ID, every consent record is stored under the primary domain associated with that ID. If you receive a demand letter asking for records from a specific newspaper in your group, your logs are mixed together with records from all your other properties. Producing a clean audit trail for that one domain becomes difficult.

Create separate Enzuzo configurations per domain or per sub-group. You can manage them all from one Enzuzo dashboard, so the operational overhead is minimal. The logs stay clean and separable.

Choosing a vendor based on name recognition without checking publisher-specific needs

OneTrust is the most recognized name in consent management. That recognition is earned for enterprise customers with complex multi-product privacy programs. For a regional news publisher, you're paying for a platform depth you'll never use, at a price that reflects that depth.

The features that actually matter for your operation, geolocation-based consent rules, GTM integration, consent log storage, and GA4 impact reporting, are available from purpose-built mid-market tools at a fraction of the cost. Start your evaluation with the specific capabilities you need, not the brand name, and the right choice becomes much clearer.

FAQs

Do news websites need a consent management platform?

Yes. If your site loads any third-party analytics or advertising technology and receives traffic from California or other US states with active privacy laws, you need a consent management platform. Running Google Analytics or Meta Pixel without a consent mechanism in place is the basis for CIPA and SIPA demand letters. A CMP gives you the technical infrastructure to block those scripts until consent is obtained and to log consent records you can produce if you receive a legal claim.

What is CIPA and how does it affect online publications?

CIPA is the California Invasion of Privacy Act. Privacy litigation firms have used it to target websites that load tracking technologies like Meta Pixel or session recording tools on California visitors without prior consent. A typical demand letter cites specific instances of the technology firing, references the relevant statute, and requests a settlement. News publishers with California readership are a common target because their ad tech stacks are easily visible and many haven't had consent management in place.

Will adding a cookie consent banner reduce my Google Analytics data?

Yes, to some extent. When you deploy a banner, some portion of visitors will decline consent or not interact with the banner at all. In opt-in states like California, non-interaction means no tracking. In opt-out states, non-interaction means tracking continues unless the visitor actively declines.

The size of the impact depends on your traffic mix. A publisher getting 5% of traffic from California will see a modest drop. One with 20% California traffic will see a more significant one. A good CMP will show you the breakdown so you understand where the gap is coming from, rather than leaving you to guess why sessions fell.

We have been blocking EU traffic for years. Can we open it up once we have a CMP?

Yes. The blanket EU traffic block was a workaround for GDPR compliance uncertainty. A properly configured CMP handles EU visitors correctly: it shows a GDPR-compliant consent banner, blocks non-essential scripts for visitors who decline, and stores consent records. Once that's in place, there's no compliance reason to maintain the block. You can re-open EU traffic, serve those visitors compliantly, and recover ad impressions and readership from those markets.

How much does a CMP cost for a regional news publisher?

For a regional publisher with one to five domains and under 250,000 combined monthly visitors, expect to pay in the range of $250–$400/month from a mid-market provider like Enzuzo or Osano. That's $3,000–$4,800/year. OneTrust starts above $10,000/year. Self-serve tools like CookieYes start lower but offer less in terms of consent analytics, onboarding support, and multi-domain capabilities.

Do regional news publishers need TCF 2.3?

Most don't. TCF 2.3 (the IAB Transparency and Consent Framework) is required if you're operating as a supply-side platform, reselling audience data through programmatic ad intermediaries, or working with DSPs that contractually require it. If you're monetizing through Google Ad Manager and standard display networks, you're not in that category. Ask any vendor you're evaluating whether their standard configuration covers your programmatic setup. For most regional publishers, the answer is yes.

Can I manage multiple newspaper websites from one CMP account?

Yes, and a good CMP will let you do this from a single dashboard. The important thing is to create separate consent configurations per domain or per sub-group of properties rather than routing all of them through one shared consent ID. This keeps your consent logs clean and separable by domain, which matters if you ever need to produce records for a specific publication in response to a legal request.

Our CMS vendor manages our website. Can they deploy a CMP for us?

Yes. If your CMS vendor can add a script to the head section of your site, they can deploy Enzuzo. The implementation is a single script tag. Most managed CMS vendors can do this in under an hour once you give them the go-ahead. You configure the settings in Enzuzo's dashboard, copy the generated script, and hand it to your vendor for deployment. There's no need for custom development work.

What happens if I receive a CIPA or SIPA demand letter without consent logs?

Without consent logs, you have limited ability to contest the specific claims in the letter. Demand letters typically cite IP addresses, timestamps, and pixel IDs as evidence that tracking occurred without consent. If you can't produce records showing that consent was properly obtained or that the technology in question was blocked, your legal options narrow to either settling or mounting a factual defence that becomes difficult without documentation. Consent logs are your primary evidence in either scenario.

We are a small, family-owned newspaper. Is this too complex for us to set up?

No, a family-owned regional paper in Georgia, deployed Enzuzo in an afternoon working with their CMS vendor. The vendor added the script to the site's head section, and the configuration was handled entirely in Enzuzo's dashboard without any custom development. If you have a managed hosting provider or CMS vendor who can make basic site changes, that's all the technical access you need. The onboarding call walks you through every setting before anything goes live.

Ready to get your news site compliant?

If you've been watching the CIPA and SIPA lawsuits hit other publishers and wondering whether you're next, getting a CMP in place is the practical answer. Enzuzo has worked with regional news publishers across Georgia, Arizona, and the Pacific Northwest to go from no coverage to fully compliant in days.

Book a 20-minute call and we'll audit your current tracking setup, walk you through your exposure by state, and show you exactly what the implementation would look like for your specific domains.