Consent management has quietly become one of the most expensive line items in marketing technology.
Not because the software is hard to build, but because the industry has convinced businesses that compliance requires a $10,000+/year SaaS subscription. It doesn’t.
This article walks through the full picture: what the laws actually require, what a consent management platform does, how to decide whether you need a commercial one, and how to build a fully compliant, self-hosted consent system using an open-source banner wired into Google Consent Mode v2.
Disclaimer: I’m not a lawyer and this isn’t legal advice. Privacy regulations vary by jurisdiction, industry, and the specifics of your data processing. Everything described here is technical and operational guidance based on production implementations, but it’s your responsibility to validate legal requirements with a qualified privacy attorney before acting on any of it.
Why Privacy & Consent Management Matters
Privacy regulation is the rare area of martech where getting it wrong has a direct, quantifiable cost. GDPR fines have surpassed €6 billion across roughly 2,590 cases since 2018, with an average fine of about €2.36 million. Meta was hit with a €1.2 billion penalty in 2023 for unlawful data transfers. In the US, CCPA violations carry civil penalties of $2,663 to $7,988 per violation with no cap on the total, meaning a single incident affecting 100,000 users can theoretically reach hundreds of millions of dollars in exposure.
The enforcement climate is not theoretical anymore. California’s attorney general secured a $1.55 million settlement against Healthline in 2025 for, among other things, failing to honor opt-out requests and maintaining an ineffective cookie banner. The California Privacy Protection Agency fined Honda $632,500 for making it difficult for consumers to opt out, hit Tractor Supply Company with a $1.35 million settlement, then broke that record in February 2026 with a $2.75 million settlement against a streaming company for opt-out failures. Texas secured a settlement of over $1 billion against a major technology company under its Data Privacy and Security Act. Connecticut’s attorney general settled with an online ticket provider for $85,000 under the CTDPA. Reported fines and penalties against US-based companies reached an estimated $1.4 billion in 2025 alone.
Notice the pattern in those enforcement actions: cookie banners and opt-out mechanisms. Regulators aren’t chasing exotic data breaches. They’re testing whether the consent banner on your homepage actually does what it claims. A banner that displays but doesn’t block tags, or an opt-out link that doesn’t work, is the low-hanging fruit of privacy enforcement.
There’s a second cost that never shows up in a settlement press release: broken data. A poorly implemented consent system silently destroys your analytics and advertising performance. Conversion tracking falls apart, GA4 fills with gaps, remarketing audiences shrink, and customer acquisition costs climb because ad platforms lose the signals they optimize against. The goal is to comply with the law and preserve the data your business runs on. Both are achievable at the same time, and neither requires an expensive platform.
The Compliance Landscape
Before touching any technology, you need a working map of the laws in play. The US and EU take fundamentally opposite approaches to consent, and within the US the rules now vary meaningfully from state to state. Here’s the landscape as it stands in 2026, and where it’s headed.
California: CCPA & CPRA
California remains the most consequential US privacy jurisdiction, both because of its market size and because it enforces. The California Consumer Privacy Act (CCPA), as amended by the CPRA, applies to for-profit businesses that do business in California and meet at least one of these thresholds: over $25 million in annual gross revenue, buying/selling/sharing the personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenue from selling or sharing personal information.
California follows an opt-out model. You can generally collect and process data by default, but consumers have the right to opt out of the “sale” or “sharing” of their personal information, and “sharing” is defined broadly enough to cover cross-context behavioral advertising, which is exactly what most marketing pixels do. Practically speaking, if you run Meta Pixel, Google Ads remarketing, or LinkedIn Insight on your site, you’re “sharing” under the CPRA and need a functioning opt-out mechanism.
Two California-specific requirements trip up a lot of implementations:
- Global Privacy Control (GPC). California requires businesses to honor the GPC browser signal as a valid opt-out request. If a visitor’s browser broadcasts GPC, your site must treat it as an opt-out automatically, no banner interaction required.
- New 2026 regulations. CCPA regulations covering automated decision-making technology, mandatory risk assessments, and cybersecurity audits became applicable January 1, 2026. The Delete Act’s DROP platform also launched, letting California residents file a single deletion request against hundreds of data brokers at once.
The Rest of the US: A 19-State Patchwork
There is still no comprehensive federal privacy law. Efforts like the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA) stalled in Congress, so the states have filled the vacuum. As of January 1, 2026, when Indiana, Kentucky, and Rhode Island’s laws took effect, nineteen states have comprehensive consumer privacy laws in force: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia (Florida’s law is narrower in scope than the others). Combined, these laws cover more than half of the US population.
Most follow the Virginia template: they apply to businesses that control or process the personal data of at least 100,000 state residents annually, or 25,000 residents if more than 50% of revenue comes from selling personal data. But the thresholds vary in ways that matter:
- Texas has effectively no minimum threshold. If you do business in Texas and aren’t a small business as defined by the SBA, the law likely applies regardless of how many records you process.
- Rhode Island and Maryland have notably low thresholds of 35,000 consumers, or 10,000 if more than 20% of revenue comes from data sales.
- Maryland goes further than most with a data minimization mandate, requiring businesses to limit collection to what’s reasonably necessary from the outset.
All of these are opt-out regimes for standard tracking, with opt-in consent typically required for sensitive data categories (health, biometrics, precise geolocation, children’s data). A growing bloc, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, Oregon, and Texas, also requires businesses to honor universal opt-out mechanisms (UOOMs) like GPC.
Enforcement mechanics matter too. Most states enforce exclusively through the attorney general with civil penalties in the $7,500 to $10,000 per-violation range, and the “cure periods” that gave businesses 30 to 60 days to fix violations before penalties are expiring: Delaware’s ended December 31, 2025, Montana’s expired April 1, 2026, and New Jersey’s expires mid-2026. The grace-period era is closing.
GDPR: The Opt-In Standard
The EU’s General Data Protection Regulation, working alongside the ePrivacy Directive, is fundamentally different from every US law: it’s opt-in. No non-essential cookies or tracking scripts may execute before the visitor gives affirmative, informed, freely given consent. Pre-ticked boxes don’t count. “Continued browsing implies consent” doesn’t count. Cookie walls generally don’t count. The visitor must be able to reject as easily as they accept, and withdraw consent at any time.
GDPR applies to any organization processing the personal data of people in the EU/EEA, regardless of where the business is located. A Massachusetts B2B company with EU traffic and a Meta Pixel firing on page load is in scope. Penalties run up to €20 million or 4% of global annual revenue, whichever is higher, and European data protection authorities have shown repeatedly that they’ll pursue cookie consent violations specifically. France’s CNIL alone has issued hundreds of millions of euros in fines against Google, Amazon, and Meta over cookie consent practices.
If you serve both US and EU visitors, you’re operating two consent models simultaneously: opt-out by default for US traffic, opt-in required for EU traffic. Your consent architecture needs to handle both, which is exactly what the region-aware Consent Mode setup later in this article does.
What’s Coming Next
The trend lines are clear even where the specifics aren’t:
- More effective dates in 2026 and 2027. Connecticut’s tightened sensitive data definitions and youth protections took effect July 1, 2026, alongside Arkansas’s new protections for minors and Utah’s amendments. Oregon’s ban on selling precise geolocation data and its UOOM mandate took effect January 1, 2026. Additional state laws and age-appropriate design code measures are queued for 2027, and California’s automated decision-making opt-out provisions activate January 1, 2027.
- A shift from legislation to enforcement. 2025 was the first year in five with no new comprehensive state privacy law enacted. State AGs are now coordinating enforcement, and what California enforces today tends to set the expectations other states apply tomorrow.
- Expanding data categories. Neural data, consumer health data, and precise geolocation are being pulled into sensitive-data definitions across multiple states, each carrying opt-in consent requirements.
The practical takeaway for a business owner: don’t build for a single law. Build a consent architecture that can express different defaults per region, honor GPC, and adapt as new jurisdictions come online, because they will.
What Is a Consent Management Platform?
A consent management platform (CMP) is software that sits between your visitors and your tracking stack. At its core, every CMP does four things:
- Presents a consent interface, usually a banner or modal, that discloses what tracking occurs and lets visitors accept, reject, or customize by category.
- Blocks non-essential scripts and cookies until the visitor’s choice permits them, and clears cookies when consent is withdrawn.
- Stores a record of consent: what was consented to, when, and under which version of your disclosure, so you can demonstrate compliance if a regulator asks.
- Signals consent state to your tags, typically through integrations with Google Tag Manager, Consent Mode, and the IAB’s TCF framework.
Commercial CMPs (OneTrust, Cookiebot, CookieYes, Usercentrics, and dozens more) layer on cookie scanning, geo-targeted banner rules, hosted consent logs, legal template libraries, and dashboards. That convenience is what you’re paying for. OneTrust starts around $827/month for its Consent & Preference Essentials plan and climbs past $2,275/month with GDPR modules; enterprise customers routinely pay $10,000+ per year. Cookiebot runs $13 to $90/month per domain depending on page count. Even the budget options compound across multiple domains and years.
Do You Actually Need One?
This is a decision only you (and your attorney) can make, but here are the factual inputs that drive it:
Factors that point toward needing consent management of some kind:
- You run any third-party marketing or analytics tags: GA4, Google Ads, Meta Pixel, LinkedIn Insight, HubSpot tracking, and so on. Under GDPR these can’t fire for EU visitors without opt-in consent, and under US state laws they generally constitute “sharing” that requires a working opt-out.
- You have meaningful traffic from the EU/EEA or UK. GDPR’s opt-in requirement applies regardless of where your business is located.
- You meet the applicability thresholds of one or more state laws. Check the specific states: 100,000 consumers is the common bar, but Texas has virtually none, and Rhode Island/Maryland sit at 35,000.
- You operate in a scrutinized vertical. Health-adjacent content (see Healthline), financial services, and anything touching children’s data draws disproportionate enforcement attention.
- You need to honor GPC, which several states now mandate.
Factors that point away:
- Your site sets no non-essential cookies and runs no third-party trackers. A brochure site with no analytics genuinely may not need a banner at all. Consent banners on sites with nothing to consent to are noise.
- You fall below every applicable threshold and have negligible EU traffic. Many small businesses are legitimately outside the scope of every current state law. Note that HIPAA- and GLBA-regulated entities often have entity- or data-level exemptions under state laws as well.
- You use only server-side, first-party analytics with no cross-site sharing. The obligations shrink considerably, though disclosure requirements may still apply.
The separate question: do you need a commercial CMP?
Here’s the distinction that vendors blur: needing consent management is not the same as needing a consent management subscription. What the laws require is functioning consent behavior: proper disclosure, real blocking, honored opt-outs, recorded choices. None of that requires SaaS. It requires a banner that works and tags that respect it. Commercial platforms make sense when you have dozens of domains, need hosted audit-ready consent logs at scale, want automated cookie scanning, or your legal team requires a vendor to point at. For a business running a handful of WordPress sites with a known, finite set of tags in GTM, a self-hosted implementation delivers the same compliance behavior with zero recurring cost, and that’s what the rest of this article builds.
Google Consent Mode v2
Google Consent Mode is the API through which your consent banner communicates visitor choices to Google’s entire tag ecosystem: GA4, Google Ads, Floodlight, and everything managed through Google Tag Manager.

Version 2, which Google made mandatory in March 2024 for anyone using audience or measurement features with EEA traffic (driven by the EU’s Digital Markets Act), defines four consent signals:
ad_storage: Permission to use cookies for advertising (Google Ads, remarketing).analytics_storage: Permission to use cookies for analytics (GA4).ad_user_data: Permission to send user data to Google for advertising purposes (enhanced conversions). New in v2.ad_personalization: Permission for personalized advertising and remarketing audiences. New in v2.
How It Compartmentalizes Tag Consent
This is the part that makes Consent Mode genuinely valuable as an architecture, not just a Google requirement. Before Consent Mode, consent enforcement meant custom trigger logic scattered across your GTM container: blocking triggers, exception triggers, dataLayer flags, all hand-maintained and all fragile. Consent Mode replaces that with a standardized contract between the banner and the tags.
The compartmentalization works on two levels:
- Consent is split into orthogonal categories. Analytics consent and advertising consent are independent signals. A visitor can grant analytics while denying marketing, and every tag responds to exactly the signals relevant to its function. Your banner categories (necessary, analytics, marketing) map cleanly onto the four parameters.
- Enforcement moves into GTM itself. Every tag in a GTM container carries a consent configuration. Google’s own tags have built-in consent checks: GA4 automatically respects
analytics_storage, Google Ads tags automatically respectad_storage,ad_user_data, andad_personalization. You don’t wire anything. For non-Google tags (Meta Pixel, LinkedIn Insight, TikTok), you set additional consent checks in each tag’s Advanced Settings > Consent Settings, declaring which signals must be granted before the tag fires.
The result is a clean separation of responsibilities. Developers own the consent code on the site. Marketers own tags in GTM, and adding a new pixel means one extra step: setting its consent requirements. Legal can open the container and see exactly which tags fall under which consent category. Nobody maintains custom blocking logic, and nothing breaks when a new tag is added, provided the consent settings step is treated as mandatory.
The Benefits of Following It as a Standard
- Conversion modeling recovers lost data. When consent is denied, Google tags don’t go dark. They enter Advanced Consent Mode and send cookieless pings: anonymous signals with no cookies or identifiers. Google’s modeling uses these, combined with patterns from consented visitors, to estimate conversions you’d otherwise lose entirely, typically recovering 15-25% more conversions than a hard-blocking setup. Modeling activates once you have at least 700 ad clicks over 7 days per country/domain pair.
- Retroactive hit recovery. If an EU visitor grants consent after the page loads, the cookieless pings from the current page are automatically upgraded to full, attributed hits. The pageview isn’t lost.
- It’s required anyway. If you advertise to EEA users, Consent Mode v2 isn’t optional; without valid signals, Google Ads audience building and measurement degrade or stop for that traffic.
- It future-proofs the container. Because consent requirements live on the tags rather than in custom triggers, adapting to a new state law usually means adjusting regional defaults in one script, not re-architecting the container.
I’ve covered the full GTM-side implementation, including tag-by-tag consent classifications and what happens second-by-second when an EU visitor opts in late, in my earlier article, Consent Mode for Google Tag Manager. What follows focuses on the banner side of the equation.
CookieConsent v3: The Self-Hosted Banner
CookieConsent (vanilla-cookieconsent) by Orest Bida is an open-source consent banner written in plain JavaScript. MIT licensed, zero dependencies, roughly 5,500 GitHub stars, and actively maintained. No signup, no subscription, no page view limits, no third-party servers involved. You host the JS and CSS yourself (or serve it from a CDN), and you own the entire implementation.
Feature-for-feature, it covers what the paid platforms charge for on the consent-collection side: customizable banner and modal layouts, granular category management, per-service toggles within categories, multi-language support, preference persistence, automatic clearing of cookies when consent is revoked, and accessibility (a11y) compliance out of the box. You can try every layout and configuration option in the official playground, which generates the config code for you.
What it deliberately doesn’t do is host consent logs on someone else’s servers or scan your site for cookies. Consent records live in the visitor’s browser (in the cc_cookie cookie, 182-day expiration by default), and you’re responsible for knowing what tags run on your own site, which, frankly, you should be anyway.
Worth mentioning: Osano, one of the commercial CMP vendors, also maintains a free open-source cookie banner (3,600+ GitHub stars) that’s been around since the early EU cookie law days. It’s a lightweight, well-known option and a legitimate starting point for a basic notice banner. The reason it’s not the recommendation here is architectural: it’s a simpler notice-and-dismiss style banner without the granular category model (necessary/analytics/marketing) or the callback structure that maps cleanly onto Consent Mode v2’s four signals, so wiring it into GTM consent means writing that bridge logic yourself. Orest Bida’s library gives you those categories and callbacks natively, which is exactly what the integration below relies on.
How It Maps to Consent Mode v2
CookieConsent’s category model maps directly onto Google’s consent parameters:
| CookieConsent category | Consent Mode v2 signals |
|---|---|
necessary (read-only, always on) |
none — exempt from consent |
analytics |
analytics_storage |
marketing |
ad_storage, ad_user_data, ad_personalization |
The integration has three moving parts, executed in this order:
1. Consent Mode Defaults (Before GTM Loads)
In the document <head>, before the GTM container script, set the default consent state. Deny everything globally, then grant by default for US visitors, matching the opt-in vs. opt-out split between GDPR and US state law:
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag("consent", "default", {
ad_storage: "denied",
analytics_storage: "denied",
ad_user_data: "denied",
ad_personalization: "denied",
wait_for_update: 500
});
gtag("consent", "default", {
ad_storage: "granted",
analytics_storage: "granted",
ad_user_data: "granted",
ad_personalization: "granted",
region: ['US']
});
wait_for_update: 500 tells Google tags to hold for 500ms so CookieConsent can read a returning visitor’s saved preferences and push an update before tags execute. The region array accepts ISO 3166-2 codes, so you can get as granular as ['US-CA'] if you want California-specific defaults. Ordering matters: if these defaults load after GTM, tags behave as if Consent Mode doesn’t exist.
2. The Banner and the Consent Bridge
Load CookieConsent’s CSS and UMD bundle, then run it with categories that mirror your GTM consent structure. The bridge between the banner and Google is a single handler that translates the visitor’s category choices into a gtag("consent", "update") call, wired to both the onConsent callback (fires on load when a choice exists) and onChange (fires when the visitor updates preferences):
/**
* ConsentGTM
*
* Bridges CookieConsent category choices to Google
* Consent Mode v2 and honors GPC signals.
*/
class ConsentGTM {
constructor() {
this.gpc();
this.banner();
}
gpc() {
if (navigator.globalPrivacyControl === true) {
gtag("consent", "update", {
ad_storage: "denied",
ad_user_data: "denied",
ad_personalization: "denied",
});
}
}
consent({ cookie }) {
const analytics = cookie.categories.includes("analytics");
const marketing = cookie.categories.includes("marketing");
gtag("consent", "update", {
analytics_storage: analytics ? "granted" : "denied",
ad_storage: marketing ? "granted" : "denied",
ad_user_data: marketing ? "granted" : "denied",
ad_personalization: marketing ? "granted" : "denied",
});
}
banner() {
if (!window.CookieConsent) return;
window.CookieConsent.run({
categories: {
necessary: { enabled: true, readOnly: true },
analytics: {},
marketing: {},
},
onConsent: (data) => this.consent(data),
onChange: (data) => this.consent(data),
});
}
}
The GPC check satisfies California’s requirement to honor universal opt-out signals: visitors broadcasting GPC get advertising consent denied automatically, even in regions where the default is granted. Banner text, layouts, and translations are all configured in the same run() call; the playground will generate that block for you.
3. Consent Checks on Every GTM Tag
The final piece lives in GTM. Google’s own tags already enforce the right signals through built-in consent checks. For every non-Google tag, open Advanced Settings > Consent Settings and require the appropriate signals: analytics_storage for analytics tools, ad_storage + ad_user_data + ad_personalization for advertising pixels. When in doubt, classify a tag as marketing; requiring consent unnecessarily costs some data, while firing a pixel without consent is what shows up in AG settlements. Make consent configuration a mandatory step of tag creation, no exceptions.
With those three pieces in place, the behavior is exactly what commercial CMPs sell: EU visitors see a compliant opt-in banner with nothing firing until they consent (while Google models what it can from cookieless pings), US visitors get tracked by default with a working opt-out and automatic GPC handling, returning visitors’ preferences are applied within the 500ms wait_for_update window with zero data loss, and revoking consent clears cookies and flips every relevant tag to denied.
Conclusion
The privacy landscape in 2026 is genuinely demanding: nineteen state laws with divergent thresholds, GDPR’s opt-in regime for any EU traffic, GPC mandates, expiring cure periods, and attorneys general who have moved from warnings to seven-figure settlements aimed squarely at broken cookie banners and opt-out flows. That’s the part you can’t shortcut, and it’s worth a conversation with a privacy attorney to understand which of these laws actually apply to your business.
The technology, though, is the part the industry has oversold. A compliant consent system needs a banner that discloses and blocks honestly, a standardized way to signal choices to your tags, and enforcement on every tag in your container. Google Consent Mode v2 provides the signaling standard and compartmentalizes consent enforcement inside GTM itself, while recovering 15-25% of conversions through modeling that hard-blocking setups lose outright. CookieConsent v3 provides the banner: open-source, self-hosted, accessible, and mapping cleanly onto Consent Mode’s four signals through a bridge that’s about thirty lines of JavaScript.
Together they replace an $800-to-$2,000+/month CMP subscription for the common case of a business running a known set of tags through GTM. You own the code, you control the behavior, and there’s no third-party dependency that can change its pricing or go down. Evaluate whether your scale and legal requirements genuinely demand a commercial platform, and if they don’t, this architecture has been running in production across multiple jurisdictions and holds up.
Need a CMP/Cookie Compliance Implementation Specialist?
I’ve implemented dozens of successful, compliant self-hosted consent management systems built on Consent Mode v2, covering GDPR opt-in requirements, CCPA/CPRA opt-out flows, and automatic GPC handling. These implementations run in production for enterprise WordPress sites, B2B SaaS companies, and marketing teams that needed to satisfy legal review without signing up for another five-figure SaaS contract — and without losing the analytics and conversion data their businesses depend on.
If you’re staring down a consent compliance project, an audit finding, or a broken banner that legal flagged, I can help. That includes auditing your existing GTM container tag-by-tag, architecting the region-aware consent defaults, wiring CookieConsent into Consent Mode v2, and validating that every pixel actually respects the choices your visitors make. Get in touch and tell me what you’re working with.
References
- Consent Mode for Google Tag Manager — Kevinleary.net
- CookieConsent v3 GitHub repository — Orest Bida
- CookieConsent v3 interactive playground
- CookieConsent v3 documentation
- Osano Cookie Consent GitHub repository
- Google Consent Mode overview — Google Developers
- All of the Comprehensive Privacy Laws That Take Effect in 2026 — MultiState
- New Year, New Rules: US State Privacy Requirements Coming Online as 2026 Begins — IAPP
- US State Privacy Legislation Tracker — IAPP
- Data Privacy in 2026: State Enforcement Takes Center Stage — Smith Anderson
- US State Privacy Law Tracker (2026): Enforcement Updates & Compliance Playbook — Secure Privacy
- U.S. Privacy Laws That Take Effect or Become Enforceable in 2026 — Vault JS
- 2026 U.S. Data Privacy Developments — Gunster
- Which States Have Consumer Data Privacy Laws? — Bloomberg Law
- Data Privacy Laws: What to Expect for 2026 — Ketch
- Global Privacy Control
- Cookies, the GDPR, and the ePrivacy Directive — GDPR.eu