Cookie Consent Management: Beyond the Banner
A cookie banner is not a consent management solution. Here's what you actually need — and how to get there without enterprise pricing.
The Cookie Banner Illusion
Here's a scenario that plays out thousands of times a day: a small business owner installs a cookie consent banner plugin, sees the popup appear on their site, and checks "GDPR compliance" off their list.
Except they're probably not compliant.
A cookie banner — the popup that says "This site uses cookies" with an Accept button — is the visible tip of a much larger iceberg. Real consent management involves:
- Detecting every cookie and tracker on your site
- Blocking non-essential ones until consent is given
- Categorizing them (necessary, analytics, marketing, functional)
- Recording proof of consent with timestamp and specifics
- Honoring consent choices across page loads and sessions
- Allowing withdrawal of consent at any time
- Syncing consent signals with third-party tools (Google Consent Mode v2)
- Adapting to the visitor's jurisdiction (GDPR opt-in vs. CCPA opt-out)
Most cookie banner tools handle maybe two or three of these. That's why "we have a cookie banner" and "we have proper consent management" are very different statements.
What GDPR Actually Requires for Cookie Consent
GDPR's consent requirements are specific and strict. Valid consent must be:
Freely Given
The visitor must have a genuine choice. That means:
- "Accept All" and "Reject All" must be equally prominent — no hiding the reject option behind a "Manage Preferences" link with three more clicks
- Access to your website cannot be contingent on accepting cookies (no cookie walls, with limited exceptions)
- Pre-checked boxes don't count as consent
Specific
Consent must be given for each distinct purpose. Bundling everything into one "I agree" button isn't specific consent. Your banner should separate:
- Strictly necessary cookies (no consent needed — these just work)
- Analytics cookies (understanding how people use your site)
- Marketing cookies (advertising, retargeting, social media)
- Functional cookies (preferences, chat widgets, personalization)
Informed
Before consenting, the visitor needs to know:
- What cookies you're using (specific names, not just categories)
- What data they collect
- Who receives that data (third parties, by name)
- How long the cookies persist
- How to withdraw consent later
Unambiguous
Consent requires a clear affirmative action. Scrolling, continuing to browse, or closing the banner doesn't count. The visitor must actively click a consent button.
Demonstrable
You need to prove that consent was given. That means logging:
- When consent was given (timestamp)
- What was consented to (which categories)
- How consent was given (which version of the banner)
- The visitor's jurisdiction at the time
GDPR vs. CCPA: Different Models, Different Requirements
Adding complexity: GDPR and CCPA take fundamentally different approaches to consent.
GDPR: Opt-In
Under GDPR, non-essential cookies cannot be set until the visitor actively opts in. No consent = no cookies. This is the stricter model.
CCPA: Opt-Out
Under CCPA/CPRA, you can set cookies by default but must give California residents the ability to opt out of the "sale" or "sharing" of their personal information. This means you need a "Do Not Sell or Share My Personal Information" link.
The Practical Challenge
If your website serves visitors from both regions — and most websites do — you need a consent mechanism that adapts based on the visitor's location:
- EU visitors: show an opt-in banner, block cookies until they consent
- California visitors: cookies can load, but provide a clear opt-out mechanism
- Other US visitors: follow applicable state laws (Virginia, Colorado, Connecticut, etc. each have their own variations)
This jurisdiction-aware behavior is something most basic cookie banner tools simply don't offer. They show the same popup to everyone.
Google Consent Mode v2: Why It Matters
In 2024, Google made Consent Mode v2 a requirement for advertisers using Google Ads with audiences from the European Economic Area. If you run Google Ads and target EU users, this isn't optional.
What Consent Mode Does
Google Consent Mode is a framework that lets your consent banner communicate with Google tags (Analytics, Ads, etc.). Instead of simply blocking or allowing Google scripts, Consent Mode tells them the user's consent status:
-
ad_storage: consent for advertising cookies -
analytics_storage: consent for analytics cookies -
ad_user_data: consent for sending user data to Google for advertising -
ad_personalization: consent for personalized advertising
Why It Matters for Small Businesses
Without Consent Mode v2:
- Your Google Analytics data from EU users will have gaps
- Your Google Ads remarketing audiences won't build properly
- You may lose access to certain Google Ads features
- Google may flag your account for non-compliance
With Consent Mode v2:
- Google adjusts its behavior based on consent status
- You still get modeled/estimated analytics data even when users don't consent
- Your ads campaigns continue to function (with adjustments) regardless of consent choices
- You demonstrate compliance to Google's standards
Implementation
Consent Mode v2 requires your cookie banner to send the right signals to Google's tag. Basic cookie banner tools that just block/allow scripts don't support this — they need specific Consent Mode integration.
What a Real Consent Management Solution Looks Like
Here's what separates a proper cookie consent management tool from a basic banner:
1. Automatic Scanner
The tool should crawl your website and automatically discover all cookies and trackers. You shouldn't have to manually list every cookie — that's error-prone and goes stale immediately.
2. Script Blocking Engine
Non-essential scripts must be blocked before consent is given, not just hidden behind a banner while they load anyway. This requires the consent tool to intercept and control script loading at the browser level.
3. Jurisdiction Detection
The banner should adapt based on where the visitor is located. An EU visitor gets GDPR-compliant opt-in. A California visitor gets CCPA-compliant opt-out. Someone from a US state without a privacy law might see a simplified notice.
4. Granular Consent Categories
Visitors should be able to consent to analytics but not marketing, or functional but not analytics. All-or-nothing consent is not GDPR-compliant.
5. Consent Record Storage
Every consent event should be logged with timestamp, choices made, banner version, and visitor jurisdiction. This is your proof of compliance if challenged.
6. Google Consent Mode v2 Integration
For any business running Google Analytics or Google Ads, Consent Mode v2 support is essential.
7. Withdrawal Mechanism
Visitors must be able to change their consent preferences at any time. A persistent "Cookie Settings" link (typically in the footer) that re-opens the preference panel is the standard approach.
8. Sync with Privacy Policy
Your consent banner categorizes cookies and trackers. Your privacy policy describes them. If these two documents tell different stories, you have a compliance gap. The best solutions keep them in sync automatically.
The Cost Problem
Enterprise consent management platforms like OneTrust and Cookiebot Pro deliver most of these capabilities. But the pricing reflects their enterprise focus:
- OneTrust: Custom pricing, typically $5,000–$50,000+/year
- Cookiebot CMP: €12–€40/month for basic, but advanced features and higher traffic tiers escalate quickly
- Usercentrics: Similar range, with enterprise tiers for full features
- TrustArc: Enterprise pricing, typically $10,000+/year
For a 10-person SaaS startup or a small e-commerce store, these prices are hard to justify — especially when you need the full compliance stack (consent + policy + monitoring + DSARs), not just a banner.
How Custodia Handles Cookie Consent Management
Custodia takes a different approach: consent management as part of a complete privacy compliance platform, priced for small businesses.
Scan-Driven Banners
Custodia's consent banner isn't configured from a template. It's generated from an actual scan of your website. The scanner detects every cookie and tracker, classifies them by purpose, and the banner reflects exactly what's on your site.
When your site changes — new trackers appear, old ones are removed — the banner updates automatically based on the next scan.
Jurisdiction-Aware Logic
Custodia detects visitor location and adapts the consent experience:
- EU visitors: Full GDPR opt-in banner with granular categories, script blocking until consent, and easy rejection
- California visitors: CCPA-compliant notice with opt-out of sale/sharing
- Other jurisdictions: Adapted to applicable state laws as they come into effect
Google Consent Mode v2 Built In
Consent Mode v2 signals are sent automatically based on visitor consent choices. No additional configuration needed. Your Google Analytics and Ads continue to function properly in both consented and non-consented scenarios.
Integrated with Everything Else
Your consent banner, privacy policy, and compliance dashboard all draw from the same scan data. Add a new tracker to your site, and:
- The next scan detects it
- The consent banner adds it to the right category
- The privacy policy updates to disclose it
- The compliance dashboard flags any new issues
Everything stays in sync without manual effort.
Pricing That Makes Sense
Custodia Starter includes full consent management at $29/month. One site, consent banner, privacy policy, compliance dashboard, and weekly scans. No per-page-view pricing. No hidden tiers for essential features.
See every cookie and tracker on your site in 60 seconds. No signup required.
Last updated: March 2026
Originally published at Custodia Privacy Blog
Top comments (0)