Polaris Audit

Case #007 · 01 May 2026 · 7 min read

Cookiebot vs OneTrust vs Axeptio: Which Actually Blocks Pre-Consent Tags?

Your site is leaking data before consent. We audited the three leading Consent Management Platforms (CMPs) to see which one actually stops trackers in their tracks—and which ones just provide a UI.

TL;DR

  • Most CMPs act as a UI layer, not a technical firewall
  • Cookiebot relies on auto-blocking but misses trackers added via GTM
  • OneTrust requires complex manual configuration to truly block tags
  • Axeptio excels in UX but relies heavily on correct GTM implementation

Verdict

No CMP is a magic bullet. If your trackers are in GTM, the CMP is just a signal. Cookiebot is the closest to "plug-and-play" blocking, but for enterprise precision, OneTrust + strict GTM variables is the only way to achieve 0% leakage.

The UI vs. The Firewall

A common mistake agencies make is assuming a "compliant" banner means a compliant site. A banner is just a <div> with buttons. GDPR compliance, specifically the "zero-load" requirement, happens in the network tab.

We ran all three CMPs through a forensic trace to see how many "essential" trackers were actually essential—and how many "optional" ones were firing anyway.

Cookiebot: The Auto-Blocking Mirage

Cookiebot marketed "Auto-blocking" as their killer feature. It works by scanning your site and automatically rewriting script tags on the fly.

The Reality: It works well for scripts hard-coded into the HTML. However, if you use Google Tag Manager (GTM), Cookiebot cannot "auto-block" tags firing inside the GTM container. If your marketing team adds a Meta Pixel to GTM and forgets to add the Cookiebot trigger, that Pixel fires instantly. The banner is irrelevant.

OneTrust: Enterprise Complexity

OneTrust is the industry heavyweight. Their "Cookie Compliance" module is incredibly granular.

The Reality: OneTrust doesn’t "block" anything by default. You have to tell it what to block. This requires mapping every single cookie to a category and then configuring GTM to listen for specific OneTrust events (e.g., OneTrustGroups). It is the most robust solution, but it has the highest "human error" risk during setup.

Axeptio: UX at the Expense of Security?

Axeptio is widely loved for its friendly, non-intrusive design. It feels less like a legal hurdle and more like a brand experience.

The Reality: Like its competitors, Axeptio relies on developers to correctly implement the blocking logic. In our tests, sites using Axeptio were most likely to have "leaky" GA4 configurations because the setup process often prioritizes the "Accept/Decline" logic over the "Zero-Load" requirement.

The Only Way to Be Sure

Regulators don’t care which CMP you pay for. They care if facebook.com/tr/ appears in the network log before a user clicks.

To truly audit your CMP, you need to stop looking at your dashboard and start looking at your packet transmissions.
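
An added example, not part of the original post or any CMP vendor's code: a minimal check over a HAR export of the network tab that flags tracker requests which started before the consent click. The tracker patterns, the sample trace and the function names are assumptions made for illustration.

```javascript
// Assumed tracker endpoints (hostname suffix + path); extend for your own stack.
const TRACKERS = [
  { name: "Meta Pixel", host: "facebook.com", path: "/tr" },
  { name: "GA4", host: "google-analytics.com", path: "/g/collect" },
  { name: "TikTok Pixel", host: "analytics.tiktok.com", path: "/" },
];

// Classify on the parsed hostname and path, so a tracker URL that only appears
// inside another request's query string (a referrer, say) is not counted.
function classify(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; } // unparsable entry
  const hit = TRACKERS.find((t) => {
    const hostOk = u.hostname === t.host || u.hostname.endsWith("." + t.host);
    const prefix = t.path.endsWith("/") ? t.path : t.path + "/";
    return hostOk && (u.pathname === t.path || u.pathname.startsWith(prefix));
  });
  return hit ? hit.name : null;
}

// consentClickIso: ISO timestamp of the banner click, or null if the visitor
// never clicked (then every tracker request in the trace counts as a leak).
function findPreConsentLeaks(har, consentClickIso) {
  const consentAt = consentClickIso ? Date.parse(consentClickIso) : Infinity;
  const leaks = [];
  for (const entry of har?.log?.entries ?? []) {
    const started = Date.parse(entry.startedDateTime);
    const tracker = classify(entry.request?.url);
    if (!tracker || Number.isNaN(started) || started >= consentAt) continue;
    leaks.push({ tracker, url: entry.request.url, startedMs: started,
      msBeforeConsent: Number.isFinite(consentAt) ? consentAt - started : null });
  }
  return leaks.sort((a, b) => a.startedMs - b.startedMs);
}

// Constructed sample trace (not real capture data).
const at = (ms) => new Date(Date.parse("2026-05-01T10:00:00Z") + ms).toISOString();
const req = (ms, url) => ({ startedDateTime: at(ms), request: { url } });
const SAMPLE_HAR = { log: { entries: [
  req(0, "https://shop.example/"),
  req(200, "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"),
  req(450, "https://region1.google-analytics.com/g/collect?v=2&en=page_view"),
  req(600, "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"),
  req(700, "https://shop.example/log?ref=https://www.facebook.com/tr/"),
  req(5300, "https://analytics.tiktok.com/api/v2/pixel"),
] } };
const CONSENT_CLICK = at(5000);

console.log(findPreConsentLeaks(SAMPLE_HAR, CONSENT_CLICK));
```

In the sample, the GTM container itself loads without being flagged; the two leaks are the GA4 and Meta Pixel hits that fired inside it before the click.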
