Cookie Consent Banners vs. True CMPs: What SaaS teams need to know before legal or regulatory scrutiny hits 😬

Many teams assume that having a cookie banner on their website means they are compliant. In reality, many free tools only provide a visual notice — not legal-grade proof of consent. Given that many of our clients regularly request guidance on this topic, this article explains the real differences between common free banners and true Consent Management Platforms (CMPs).

Note: Given that Zabal is a web design, development, and performance marketing agency, we want to note that this article represents the information that we have validated and researched around cookie consent banners, using open web resources, our internal counsel and our (most importantly) our trusted technology partners in the Data Privacy and Consent Management space.

What Compliance Actually Requires

To prove compliance under GDPR, ePrivacy, CCPA/CPRA, or similar regulations, organizations must be able to demonstrate:

• A true Consent Management Platform (CMP)
• Granular consent categories (analytics, marketing, functional)
• Prior blocking of non-essential cookies
• Proof of consent:
    – Accept / reject decision
    – Timestamp
    – Jurisdiction
    – Policy version shown
• An auditable consent log
• Exportable records for regulators or legal teams
• Absence of dark patterns, similarity in choice 
• Transparency of processing in Privacy Policy or Cookie Policy
  
  

HubSpot Cookie Banner

What HubSpot Cookie Banner does well ✅

• Free and easy to enable
• Native to HubSpot CMS
• Basic region detection
• Can suppress HubSpot-owned cookies
• Clean UI that looks compliant

What HubSpot actually logs ⚠️

• Stores a visitor’s consent state (accept / decline by category) in-browser
• Exposes consent state via HubSpot’s JavaScript API
• Uses consent state to control HubSpot-owned cookies and tracking behavior
• Allows basic segmentation or list creation based on banner interaction
• timestamp is captured for each consent

Important: this data is intended for analytics behavior and marketing logic — not legal proof.

HubSpot Cookie Banner’s Limitations & compliance risks ❌

• Not a certified Consent Management Platform (CMP)
• No durable, backend consent database
• No exportable, regulator-ready consent records
• No tracking of which privacy or cookie policy version was shown
• No jurisdiction-tagged consent audit trail
• Limited control over third-party scripts unless manually configured
• No legal coverage, indemnification, or compliance guarantee
  
  

Additional Info: HubSpot’s cookie consent banner cannot track all cookies. It can block some HubSpot cookies, but not all. Necessary cookies, for example, will still be dropped regardless of the cookie banner settings. The banner can also block cookies from integrations like Google Analytics and Google Tag Manager, but only if those integrations are used through HubSpot. However, HubSpot cannot automatically block cookies from scripts you manually place on the page, which may be a limitation if you're using custom code.

If a regulator or legal team asks:
“Show consent records for this specific visitor on this specific date,” HubSpot cannot reliably produce audit-grade proof.

Relevant HubSpot Cookie Consent documentation:

• Cookie banner setup & behavior: https://knowledge.hubspot.com/privacy-and-consent/set-up-a-consent-banner-with-the-new-editor
• Cookie banner JavaScript API: https://developers.hubspot.com/docs/api/events/cookie-banner

Finsweet Cookie Banner (Webflow)

What Finsweet’s Cookie Banner does well ✅

• Free (core version)
• Clean UX
• Easy Webflow implementation
• Good for visual preference toggles

How Finsweet consent is stored & accessed ⚠️

• The free Finsweet Cookie Consent solution stores consent preferences in browser cookies
• Consent data is device- and browser-specific, not tied to a verified user
• Consent values are simple true/false preference states

How to access this data:

• Open browser Developer Tools
• Navigate to Application → Cookies
• Locate the Finsweet consent cookie and inspect stored values

If cookies are cleared or the user switches devices, the consent record is lost.

Extending Finsweet consent beyond the browser ❌

• The free Finsweet solution does not provide backend consent storage or audit logs
• Persisting consent externally requires custom engineering:
    – Custom JavaScript to read cookie values
    – A custom API and database to store consent
    – Secure handling, timestamps, and access controls

This typically requires:

• A front-end engineer (JavaScript / Webflow)
• A back-end engineer or DevOps resource (APIs, databases)
• Security or compliance oversight

Even with custom engineering, this does not create a certified CMP or legal coverage.

Finsweet Consent Pro (upgrade path) ⚠️

• Allows consent data to be sent to a server-side endpoint
• Requires teams to build and maintain backend infrastructure
• Does not include CMP certification, regulatory guarantees, or indemnification
• Compliance responsibility remains with the site owner

Relevant Finsweet documentation:

• Cookie Consent overview: https://finsweet.com/cookie-consent
• How it works: https://finsweet.com/cookie-consent/learn/how-does-finsweet-cookie-consent-for-webflow-work
• Consent Pro documentation: https://consentpro.com/docs/how-to-store-consents

Why Zabal Recommends Osano

Zabal regularly refers clients to Osano as a preferred Consent Management Platform partner. This recommendation is based on real-world implementation experience, client outcomes, and Osano’s ability to consistently hold up under legal and compliance scrutiny.

Why Osano stands out ✅

1. Comprehensive compliance coverage

Osano supports major global privacy regulations, including GDPR, ePrivacy/Cookie requirements, CCPA/CPRA, and other emerging U.S. and international privacy laws. Their platform is designed to keep websites aligned as regulations evolve.

2. Exceptional customer and compliance support

Clients have access to Osano’s support team and network of compliance professionals, including experienced privacy and compliance leaders. Osano also provides free compliance documentation, guides, and newsletters — unlike some competitors that gate resources behind paid tiers.

3. Faster product updates for regulatory change

Osano ships product updates quickly when global privacy laws change, helping teams stay compliant without long implementation delays common with larger, slower-moving platforms.

4. No Fines, No Penalties Guarantee

Osano is the only CMP in the market that offers a No Fines, No Penalties Guarantee. If a customer is fined or penalized for consent-related non-compliance while properly using Osano, Osano commits to covering those penalties under the terms of their guarantee.

Side-by-Side Cookie Consent Provider Comparison

*Source: https://support.google.com/admanager/answer/13554116?hl=en#certified-cmps

For existing Zabal clients, please reach out to your project manager to discuss CMP options. Prospective clients can contact us via our website.