Cookie banners are doing nothing for you
Every cookie banner you’ve ever clicked is a fiction. Yours probably is too.
I’m not going to tell you to remove them. GDPR is real, ePrivacy is real, fines are real. But the typical implementation is performative. You can do this better.
The bargain that doesn’t exist
The implicit deal is: site asks for consent, user makes informed choice, cookies are set or not set based on the choice. The reality:
- Most banners load tracking scripts before the user clicks anything.
- “Reject all” is hidden behind two more clicks.
- Consent strings are stored, but tracking happens regardless.
- The banner itself loads from a third-party CDN that fingerprints the user.
If this is your setup, you don’t have a consent system. You have a legal liability with a confirmation dialog.
The minimal correct version
If you’re going to do this, do it like this:
- Block all non-essential scripts before the page renders. They do not load. They do not exist in the DOM until the user opts in.
- Show a simple banner with two buttons of equal weight: “Accept” and “Reject”. No “Manage preferences” trickery.
- Store the choice in a first-party cookie, not localStorage. A cookie set on your domain is still sent inside your own iframes (and, with a Domain attribute, to your subdomains); localStorage is scoped to a single origin and is not.
- If accepted, inject the tracking scripts now. If rejected, never inject them.
- Let the user revisit their choice. A small “Cookie settings” link in the footer is enough.
That’s it. No banner provider. No consent management platform. No third-party widget. Maybe 40 lines of JavaScript.
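Here is what those steps look like in working code, as an added example that is not from the original post. It assumes the tags that need consent are written in the HTML as `<script type="text/plain" data-consent="analytics" src="...">` (a type the browser neither fetches nor executes), that the banner uses the element ids `cookie-banner`, `cookie-accept` and `cookie-reject`, and that the cookie is named `cookie_consent`; all of those names are assumptions.

```javascript
// Added example (not from the original post): first-party consent gate. Assumed:
// tags needing consent are <script type="text/plain" data-consent="analytics" src=...>
// (never fetched or run by the browser) and the banner uses the element ids below.
const CONSENT_COOKIE = 'cookie_consent'; // name is an assumption
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // 180 days, in seconds
// Parse a document.cookie string; returns 'accepted', 'rejected' or null (never asked / tampered).
function readConsent(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const value = rest.join('=');
    return value === 'accepted' || value === 'rejected' ? value : null;
  }
  return null;
}
// String assigned to document.cookie. The consent cookie itself is strictly
// necessary, so it is set for both answers.
function consentCookieString(choice, secure) {
  if (choice !== 'accepted' && choice !== 'rejected') throw new Error('bad choice');
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax${secure ? '; Secure' : ''}`;
}
// Inert scripts to activate: none unless the user accepted.
function scriptsToActivate(choice, scripts) {
  if (choice !== 'accepted') return [];
  return scripts.filter(s => s.type === 'text/plain' && s.dataset && s.dataset.consent);
}
// Browser glue, guarded so the pure functions above also run under Node.
function applyChoice(choice) {
  document.cookie = consentCookieString(choice, location.protocol === 'https:');
  const inert = Array.from(document.querySelectorAll('script[data-consent]'));
  for (const old of scriptsToActivate(choice, inert)) {
    const live = document.createElement('script'); // a real, executable script
    if (old.src) live.src = old.src; else live.textContent = old.textContent;
    old.replaceWith(live); // only now does the tracker load
  }
  document.getElementById('cookie-banner').hidden = true;
}
function showBanner() { // also wired to the footer "Cookie settings" link
  document.getElementById('cookie-banner').hidden = false;
  document.getElementById('cookie-accept').onclick = () => applyChoice('accepted');
  document.getElementById('cookie-reject').onclick = () => applyChoice('rejected');
}
if (typeof document !== 'undefined') {
  const prior = readConsent(document.cookie);
  if (prior === 'accepted') applyChoice('accepted'); // returning opt-in: load now
  else if (prior === null) showBanner();             // never asked: ask once
  // 'rejected': nothing is injected and the banner stays hidden
}
```

Because the tracker tags are inert until `applyChoice('accepted')` swaps them for real script elements, a "Reject" answer means the third-party requests never appear in the Network tab, which is the check to run after deploying this.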
The cookies you actually need
For a typical SaaS:
- Auth session cookie (essential, no consent needed)
- CSRF token cookie (essential, no consent needed)
- Theme preference (essential under “user explicitly chose”, no consent needed)
- Cart state (essential for ecommerce, no consent needed)
The only cookies that need consent are: marketing analytics that track across sessions, advertising pixels, third-party tracking. If you don’t have those, you don’t need a cookie banner. You need a privacy policy that says “we don’t track you” and a cup of coffee.
The cookies you think you need but don’t
Plausible analytics. No cookies. No personal data. No banner.
Fathom. Same.
Cloudflare Web Analytics. Same.
Self-hosted Umami in privacy mode. Same.
There are at least four production-grade analytics products that need zero consent because they track no one. If you’re using Google Analytics in 2026, you’re choosing the harder path. The data isn’t materially better. The compliance overhead is enormous.
What to ship today
Audit your site. Open DevTools, Application panel, Cookies. Read every cookie. For each one, answer: do I need this? If not, kill it.
Open the Network tab, filter by domain. Every third-party domain is a tracker until proven otherwise. Some of them you forgot were there. Marketing added a tag last year, the service was discontinued, the script is still loading from a 404.
Do that audit once a quarter. The first time will horrify you. After that it gets quick.
The wider point
Cookie banners are a symptom of a broader pattern: shipping compliance theater instead of compliance. The banner makes lawyers happy. It doesn’t make users private. It doesn’t reduce legal risk meaningfully. It just adds a dialog.
If you actually care about user privacy, the move is fewer trackers, not more dialogs. The banner can come off the next time you do a privacy audit and find you don’t need it.