The consent banner problem
Every website has one. That giant cookie popup that slides in, blocks half the page, and makes you click through three screens of toggles before you can read a single paragraph. We've all accepted this as normal.
It's not normal. It's broken.
I've been building websites for over a decade, and the state of cookie consent in 2026 is embarrassing. Most implementations are slower than the pages they're supposed to protect. They load 200KB+ of JavaScript, make external API calls, and ironically set their own tracking cookies before you even click "Accept."
Let me break down what's actually required by law, what's pure theater, and how I built something that handles it in 4KB.
What GDPR and ePrivacy actually require
The rules are simpler than the consent industry wants you to believe. Here's the short version:
1. Prior consent for non-essential cookies
Before you set any cookie that isn't strictly necessary for the site to function, you need explicit consent. That means analytics cookies, marketing pixels, and social media trackers all need a "yes" before they fire.
2. Granular categories
Users must be able to accept or reject cookies by category. At minimum: necessary, analytics, marketing. You can't bundle everything into a single "Accept All" with no alternative.
3. Equal prominence for accept and reject
The "Reject All" option must be as easy to find and use as "Accept All." No dark patterns. No hiding the reject button behind a "Manage Preferences" submenu while "Accept All" is a big green button.
4. Informed consent
Users need to know what they're consenting to. A brief description of each category is enough. You don't need a 47-page privacy novel in a modal.
5. Revocable consent
Users must be able to change their mind later. A link in the footer to re-open preferences is sufficient.
6. No cookie walls
You can't block access to content unless someone accepts cookies. Consent must be freely given.
That's it. Six rules. None of them require a 300KB JavaScript bundle or a third-party SaaS platform phoning home to some server in Virginia.
What most consent tools get wrong
The cookie consent industry has turned a straightforward legal requirement into an enterprise software category. Here's what's actually happening:
They're massive
The average consent management platform (CMP) loads 150-300KB of JavaScript. For context, that's heavier than React itself. On a simple blog or portfolio site, the consent banner can be the single heaviest asset on the page.
Run a Lighthouse audit on any site using a major CMP. Watch the performance score drop. That consent tool is costing you real users who bounce because your page took 4 seconds to load instead of 1.
They track you to ask if they can track you
This one kills me. Many CMPs set their own cookies, send data to their own analytics, and make API calls to their servers before you've consented to anything. They're literally violating the regulation they're supposed to help you comply with.
I've seen consent tools that load Google Fonts, embed iframes, and inject third-party scripts. All before consent. The irony is painful.
They're privacy theater
A 12-toggle preference center with categories like "Functional Enhancement Cookies" and "Social Media Interaction Cookies" looks impressive. It also overwhelms users into clicking "Accept All" because the alternative is reading 800 words of legalese in a modal window.
This is the opposite of informed consent. It's complexity as a dark pattern.
They don't integrate with Google Consent Mode
Google Consent Mode v2 became mandatory for Google Ads and Analytics in the EU back in March 2024. If your consent tool doesn't fire the right gtag('consent', 'update', {...}) calls, your Google tags are either broken or non-compliant. Many popular tools still handle this poorly or charge extra for it.
What a consent tool actually needs to do
Strip it down to the real requirements:
- Show a banner with Accept/Reject options and category toggles
- Store the user's choice (a simple cookie works fine)
- Block scripts until consent is given (or allow them based on category)
- Fire Google Consent Mode signals if you use Google tags
- Let users change their preference later
- Load fast and not break your site
That's a small, focused problem. It doesn't need a SaaS platform.
Building CookieBoss: consent in 4KB
I built CookieBoss because I was tired of recommending bloated consent tools to clients. The core idea: compile a per-site consent script at the edge that does exactly what's needed and nothing more.
Here's what that looks like in practice:
Adding it to your site
<script
src="https://cdn.cookieboss.io/cb.js?id=YOUR_SITE_ID"
defer
></script>
One script tag. That's the entire integration. The script is compiled specifically for your site's configuration, so it only contains the code paths you actually need.
How script blocking works
CookieBoss uses the type="text/plain" pattern to prevent scripts from executing until consent is granted:
<!-- This script won't execute until the user consents to analytics -->
<script
type="text/plain"
data-cookieboss="analytics"
src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXX"
></script>
When a user accepts the analytics category, CookieBoss changes the type back to text/javascript and the browser executes it. No consent? The script never runs. Simple, reliable, no race conditions.
Google Consent Mode integration
CookieBoss handles GCM v2 out of the box. Default state is set before any Google tags load:
// CookieBoss sets this automatically on page load
gtag('consent', 'default', {
'analytics_storage': 'denied',
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied'
});
When the user consents, CookieBoss fires the update:
// Triggered automatically when user accepts
gtag('consent', 'update', {
'analytics_storage': 'granted',
'ad_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted'
});
No manual configuration. No forgetting to wire up consent signals. It just works.
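To make the two mechanisms above concrete, here is an added example (my own code, not CookieBoss's) of the three pieces a minimal consent script needs: a timestamped consent cookie, a filter that decides which type="text/plain" scripts may run, and the mapping from category choices to the Google Consent Mode v2 object. The cookie name cb_consent and its JSON shape are assumptions; one practical caveat the example handles is that a browser does not execute a parsed script element whose type attribute is merely changed, so the activation step replaces the element instead.

```javascript
// Added example (not CookieBoss's own code): minimal consent state, script
// activation by category, and Google Consent Mode v2 signal mapping.
// Assumption: consent lives in a cookie named "cb_consent" (hypothetical name)
// holding JSON like {"v":1,"ts":1700000000000,"analytics":true,"marketing":false}.
const COOKIE_NAME = 'cb_consent';

// Map category choices to the GCM v2 parameters the article's gtag calls use:
// analytics -> analytics_storage; marketing -> the three ad_* keys.
function toConsentMode(choices) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: g(Boolean(choices.analytics)),
    ad_storage: g(Boolean(choices.marketing)),
    ad_user_data: g(Boolean(choices.marketing)),
    ad_personalization: g(Boolean(choices.marketing)),
  };
}

// Parse a document.cookie-style string. Returns null when the cookie is absent
// or malformed; callers treat null as "no consent yet" (everything stays blocked).
function readConsent(cookieString) {
  const m = cookieString.match(new RegExp('(?:^|;\\s*)' + COOKIE_NAME + '=([^;]*)'));
  if (!m) return null;
  try {
    const c = JSON.parse(decodeURIComponent(m[1]));
    return c && typeof c.ts === 'number' ? c : null;
  } catch { return null; }
}

// Serialise explicit choices with a timestamp, so the cookie itself records
// when consent was given. Unlisted categories default to false (denied).
function writeConsentValue(choices, now = Date.now()) {
  const state = { v: 1, ts: now, analytics: !!choices.analytics, marketing: !!choices.marketing };
  return encodeURIComponent(JSON.stringify(state));
}

// Pick the blocked scripts that may now run. Each entry mirrors one
// <script type="text/plain" data-cookieboss="category"> tag.
function allowedScripts(scripts, choices) {
  return scripts.filter((s) => s.type === 'text/plain' && choices[s.category] === true);
}

// DOM adapter: flipping `type` on an already-parsed <script> does not run it,
// so build a fresh element (same attributes, executable type) and swap it in.
function activate(el) {
  const s = document.createElement('script');
  for (const a of el.attributes) if (a.name !== 'type') s.setAttribute(a.name, a.value);
  s.type = 'text/javascript';
  if (!el.src) s.textContent = el.textContent;
  el.replaceWith(s);
}
```

In a browser, document.querySelectorAll('script[type="text/plain"][data-cookieboss]') supplies the elements for allowedScripts and activate, and the object returned by toConsentMode is passed straight to gtag('consent', 'update', ...) once the cookie is written.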
The architecture
CookieBoss runs on Cloudflare's edge network. When you configure your site through the dashboard, a compiler worker builds a custom script with only the features you need. That compiled script gets stored on the CDN and served from the edge location closest to your visitors.
The result: a consent script that's typically under 4KB gzipped, served from a CDN with sub-50ms response times globally. Compare that to the 200KB+ bundles from traditional CMPs that phone home to a central server.
"But I need enterprise features"
Do you though? Let's check:
Cookie scanning? Walk through your site once and list the cookies. If you're adding new third-party scripts monthly, you have a bigger problem than consent management.
Consent receipts? The GDPR requires you to be able to demonstrate consent. A timestamped cookie with the consent state is sufficient evidence. You don't need a centralized consent receipt database unless you're running a site at massive scale.
Multi-language support? CookieBoss supports this. But also, a consent banner has maybe 50 words in it. You can translate 50 words.
IAB TCF compliance? If you're in the programmatic advertising space and need TCF, yes, you need a CMP that supports it. For everyone else (which is most websites), TCF is irrelevant overhead.
The performance argument
I keep coming back to performance because it matters more than most people think. Every 100ms of load time costs conversions. Google uses Core Web Vitals as a ranking signal.
A consent tool that adds 500ms to your page load is actively harming your business to "protect" your users. Users who, by the way, just want to read your content.
CookieBoss loads in under 50ms from the edge. It doesn't block rendering. It doesn't make API calls. It doesn't load external fonts or stylesheets. It's a single, compiled JavaScript file that does its job and gets out of the way.
Getting started
If you're running a website in the EU (or serving EU visitors, which is basically everyone), you need consent management. You don't need it to be complicated.
- Sign up at cookieboss.io
- Configure your cookie categories in the dashboard
- Add the script tag to your site
- You're done
No npm packages. No build step. No framework integration required. Works with WordPress, Next.js, Astro, plain HTML, anything that can include a script tag.
There's also a WordPress plugin if you're running WordPress, which handles the script injection automatically.
The bottom line
Cookie consent is a solved problem being made artificially complex by an industry that profits from that complexity. The legal requirements are clear and reasonable. The technical implementation is straightforward.
Stop shipping 200KB of consent theater. Your users deserve better, and so does your Lighthouse score.
Top comments (1)
I'm curious about the "legitimate interest" exemption mentioned in the GDPR. How do you think it applies to cookie consent banners? Would love to hear your thoughts on this.