<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Jonas Nielsen</title>
    <description>The latest articles on DEV Community by Jonas Nielsen (@jonasnielsen).</description>
    <link>https://dev.to/jonasnielsen</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4012126%2Fdc056020-d410-495c-9f4a-bbc8710062b7.png</url>
      <title>DEV Community: Jonas Nielsen</title>
      <link>https://dev.to/jonasnielsen</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/jonasnielsen"/>
    <language>en</language>
    <item>
      <title>Cookie Consent in 2026: What's Actually Required (And What's Overkill)</title>
      <dc:creator>Jonas Nielsen</dc:creator>
      <pubDate>Thu, 02 Jul 2026 10:47:44 +0000</pubDate>
      <link>https://dev.to/jonasnielsen/cookie-consent-in-2026-whats-actually-required-and-whats-overkill-1740</link>
      <guid>https://dev.to/jonasnielsen/cookie-consent-in-2026-whats-actually-required-and-whats-overkill-1740</guid>
      <description>&lt;h2&gt;The consent banner problem&lt;/h2&gt;

&lt;p&gt;Every website has one. That giant cookie popup that slides in, blocks half the page, and makes you click through three screens of toggles before you can read a single paragraph. We've all accepted this as normal.&lt;/p&gt;

&lt;p&gt;It's not normal. It's broken.&lt;/p&gt;

&lt;p&gt;I've been building websites for over a decade, and the state of cookie consent in 2026 is embarrassing. Most implementations are slower than the pages they're supposed to protect. They load 200KB+ of JavaScript, make external API calls, and ironically set their own tracking cookies before you even click "Accept."&lt;/p&gt;

&lt;p&gt;Let me break down what's actually required by law, what's pure theater, and how I built something that handles it in 4KB.&lt;/p&gt;

&lt;h2&gt;What GDPR and ePrivacy actually require&lt;/h2&gt;

&lt;p&gt;The rules are simpler than the consent industry wants you to believe. Here's the short version:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Prior consent for non-essential cookies&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before you set any cookie that isn't strictly necessary for the site to function, you need explicit consent. That means analytics cookies, marketing pixels, and social media trackers all need a "yes" before they fire.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Granular categories&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Users must be able to accept or reject cookies by category. At minimum: necessary, analytics, marketing. You can't bundle everything into a single "Accept All" with no alternative.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Equal prominence for accept and reject&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The "Reject All" option must be as easy to find and use as "Accept All." No dark patterns. No hiding the reject button behind a "Manage Preferences" submenu while "Accept All" is a big green button.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Informed consent&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Users need to know what they're consenting to. A brief description of each category is enough. You don't need a 47-page privacy novel in a modal.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Revocable consent&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Users must be able to change their mind later. A link in the footer to re-open preferences is sufficient.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6. No cookie walls&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You can't block access to content unless someone accepts cookies. Consent must be freely given.&lt;/p&gt;

&lt;p&gt;That's it. Six rules. None of them require a 300KB JavaScript bundle or a third-party SaaS platform phoning home to some server in Virginia.&lt;/p&gt;

&lt;h2&gt;What most consent tools get wrong&lt;/h2&gt;

&lt;p&gt;The cookie consent industry has turned a straightforward legal requirement into an enterprise software category. Here's what's actually happening:&lt;/p&gt;

&lt;h3&gt;They're massive&lt;/h3&gt;

&lt;p&gt;The average consent management platform (CMP) loads 150-300KB of JavaScript. For context, that's heavier than React itself. On a simple blog or portfolio site, the consent banner can be the single heaviest asset on the page.&lt;/p&gt;

&lt;p&gt;Run a Lighthouse audit on any site using a major CMP. Watch the performance score drop. That consent tool is costing you real users who bounce because your page took 4 seconds to load instead of 1.&lt;/p&gt;

&lt;h3&gt;They track you to ask if they can track you&lt;/h3&gt;

&lt;p&gt;This one kills me. Many CMPs set their own cookies, send data to their own analytics, and make API calls to their servers before you've consented to anything. They're literally violating the regulation they're supposed to help you comply with.&lt;/p&gt;

&lt;p&gt;I've seen consent tools that load Google Fonts, embed iframes, and inject third-party scripts. All before consent. The irony is painful.&lt;/p&gt;

&lt;h3&gt;They're privacy theater&lt;/h3&gt;

&lt;p&gt;A 12-toggle preference center with categories like "Functional Enhancement Cookies" and "Social Media Interaction Cookies" looks impressive. It also overwhelms users into clicking "Accept All" because the alternative is reading 800 words of legalese in a modal window.&lt;/p&gt;

&lt;p&gt;This is the opposite of informed consent. It's complexity as a dark pattern.&lt;/p&gt;

&lt;h3&gt;They don't integrate with Google Consent Mode&lt;/h3&gt;

&lt;p&gt;Google Consent Mode v2 became mandatory for Google Ads and Analytics in the EU back in March 2024. If your consent tool doesn't fire the right &lt;code&gt;gtag('consent', 'update', {...})&lt;/code&gt; calls, your Google tags are either broken or non-compliant. Many popular tools still handle this poorly or charge extra for it.&lt;/p&gt;

&lt;h2&gt;What a consent tool actually needs to do&lt;/h2&gt;

&lt;p&gt;Strip it down to the real requirements:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Show a banner with Accept/Reject options and category toggles&lt;/li&gt;
&lt;li&gt;Store the user's choice (a simple cookie works fine)&lt;/li&gt;
&lt;li&gt;Block scripts until consent is given (or allow them based on category)&lt;/li&gt;
&lt;li&gt;Fire Google Consent Mode signals if you use Google tags&lt;/li&gt;
&lt;li&gt;Let users change their preference later&lt;/li&gt;
&lt;li&gt;Load fast and not break your site&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That's a small, focused problem. It doesn't need a SaaS platform.&lt;/p&gt;

&lt;h2&gt;Building CookieBoss: consent in 4KB&lt;/h2&gt;

&lt;p&gt;I built &lt;a href="https://cookieboss.io" rel="noopener noreferrer"&gt;CookieBoss&lt;/a&gt; because I was tired of recommending bloated consent tools to clients. The core idea: compile a per-site consent script at the edge that does exactly what's needed and nothing more.&lt;/p&gt;

&lt;p&gt;Here's what that looks like in practice:&lt;/p&gt;

&lt;h3&gt;Adding it to your site&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;script
  &lt;/span&gt;&lt;span class="na"&gt;src=&lt;/span&gt;&lt;span class="s"&gt;"https://cdn.cookieboss.io/cb.js?id=YOUR_SITE_ID"&lt;/span&gt;
  &lt;span class="na"&gt;defer&lt;/span&gt;
&lt;span class="nt"&gt;&amp;gt;&amp;lt;/script&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One script tag. That's the entire integration. The script is compiled specifically for your site's configuration, so it only contains the code paths you actually need.&lt;/p&gt;

&lt;h3&gt;How script blocking works&lt;/h3&gt;

&lt;p&gt;CookieBoss uses the &lt;code&gt;type="text/plain"&lt;/code&gt; pattern to prevent scripts from executing until consent is granted:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;&lt;span class="c"&gt;&amp;lt;!-- This script won't execute until the user consents to analytics --&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;script
  &lt;/span&gt;&lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"text/plain"&lt;/span&gt;
  &lt;span class="na"&gt;data-cookieboss=&lt;/span&gt;&lt;span class="s"&gt;"analytics"&lt;/span&gt;
  &lt;span class="na"&gt;src=&lt;/span&gt;&lt;span class="s"&gt;"https://www.googletagmanager.com/gtag/js?id=G-XXXXXX"&lt;/span&gt;
&lt;span class="nt"&gt;&amp;gt;&amp;lt;/script&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When a user accepts the analytics category, CookieBoss changes the type back to &lt;code&gt;text/javascript&lt;/code&gt; and the browser executes it. No consent? The script never runs. Simple, reliable, no race conditions.&lt;/p&gt;

&lt;h3&gt;Google Consent Mode integration&lt;/h3&gt;

&lt;p&gt;CookieBoss handles GCM v2 out of the box. Default state is set before any Google tags load:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="c1"&gt;// CookieBoss sets this automatically on page load&lt;/span&gt;
&lt;span class="nf"&gt;gtag&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;consent&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;default&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;analytics_storage&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;denied&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;ad_storage&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;denied&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;ad_user_data&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;denied&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;ad_personalization&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;denied&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When the user consents, CookieBoss fires the update:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="c1"&gt;// Triggered automatically when user accepts&lt;/span&gt;
&lt;span class="nf"&gt;gtag&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;consent&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;update&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;analytics_storage&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;granted&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;ad_storage&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;granted&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;ad_user_data&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;granted&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;ad_personalization&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;granted&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;No manual configuration. No forgetting to wire up consent signals. It just works.&lt;/p&gt;

&lt;h3&gt;The architecture&lt;/h3&gt;

&lt;p&gt;CookieBoss runs on Cloudflare's edge network. When you configure your site through the dashboard, a compiler worker builds a custom script with only the features you need. That compiled script gets stored on the CDN and served from the edge location closest to your visitors.&lt;/p&gt;

&lt;p&gt;The result: a consent script that's typically under 4KB gzipped, served from a CDN with sub-50ms response times globally. Compare that to the 200KB+ bundles from traditional CMPs that phone home to a central server.&lt;/p&gt;

&lt;h2&gt;"But I need enterprise features"&lt;/h2&gt;

&lt;p&gt;Do you though? Let's check:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cookie scanning?&lt;/strong&gt; Walk through your site once and list the cookies. If you're adding new third-party scripts monthly, you have a bigger problem than consent management.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Consent receipts?&lt;/strong&gt; The GDPR requires you to be able to demonstrate consent. A timestamped cookie with the consent state is sufficient evidence. You don't need a centralized consent receipt database unless you're running a site at massive scale.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Multi-language support?&lt;/strong&gt; CookieBoss supports this. But also, a consent banner has maybe 50 words in it. You can translate 50 words.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IAB TCF compliance?&lt;/strong&gt; If you're in the programmatic advertising space and need TCF, yes, you need a CMP that supports it. For everyone else (which is most websites), TCF is irrelevant overhead.&lt;/p&gt;

&lt;h2&gt;The performance argument&lt;/h2&gt;

&lt;p&gt;I keep coming back to performance because it matters more than most people think. Every 100ms of load time costs conversions. Google uses Core Web Vitals as a ranking signal.&lt;/p&gt;

&lt;p&gt;A consent tool that adds 500ms to your page load is actively harming your business to "protect" your users. Users who, by the way, just want to read your content.&lt;/p&gt;

&lt;p&gt;CookieBoss loads in under 50ms from the edge. It doesn't block rendering. It doesn't make API calls. It doesn't load external fonts or stylesheets. It's a single, compiled JavaScript file that does its job and gets out of the way.&lt;/p&gt;

&lt;h2&gt;Getting started&lt;/h2&gt;

&lt;p&gt;If you're running a website in the EU (or serving EU visitors, which is basically everyone), you need consent management. You don't need it to be complicated.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Sign up at &lt;a href="https://cookieboss.io" rel="noopener noreferrer"&gt;cookieboss.io&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Configure your cookie categories in the dashboard&lt;/li&gt;
&lt;li&gt;Add the script tag to your site&lt;/li&gt;
&lt;li&gt;You're done&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;No npm packages. No build step. No framework integration required. Works with WordPress, Next.js, Astro, plain HTML, anything that can include a script tag.&lt;/p&gt;

&lt;p&gt;There's also a WordPress plugin if you're running WordPress, which handles the script injection automatically.&lt;/p&gt;

&lt;h2&gt;The bottom line&lt;/h2&gt;

&lt;p&gt;Cookie consent is a solved problem being made artificially complex by an industry that profits from that complexity. The legal requirements are clear and reasonable. The technical implementation is straightforward.&lt;/p&gt;

&lt;p&gt;Stop shipping 200KB of consent theater. Your users deserve better, and so does your Lighthouse score.&lt;/p&gt;

</description>
      <category>gdpr</category>
      <category>privacy</category>
      <category>webdev</category>
      <category>javascript</category>
    </item>
  </channel>
</rss>
