Self-Hosted Cookie Consent Management

How to use an open-source cookie banner with GTM's Consent Mode v2

Consent management has quietly become one of the most expensive line items in marketing technology.

Not because the software is hard to build, but because the industry has convinced businesses that compliance requires a $10,000+/year SaaS subscription. It doesn’t.

This article walks through the full picture: what the laws actually require, what a consent management platform does, how to decide whether you need a commercial one, and how to build a fully compliant, self-hosted consent system using an open-source banner wired into Google Consent Mode v2.

Disclaimer: I’m not a lawyer and this isn’t legal advice. Privacy regulations vary by jurisdiction, industry, and the specifics of your data processing. Everything described here is technical and operational guidance based on production implementations, but it’s your responsibility to validate legal requirements with a qualified privacy attorney before acting on any of it.

Privacy regulation is the rare area of martech where getting it wrong has a direct, quantifiable cost. GDPR fines have surpassed €6 billion across roughly 2,590 cases since 2018, with an average fine of about €2.36 million. Meta was hit with a €1.2 billion penalty in 2023 for unlawful data transfers. In the US, CCPA violations carry civil penalties of $2,663 to $7,988 per violation with no cap on the total, meaning a single incident affecting 100,000 users can theoretically reach hundreds of millions of dollars in exposure.

The enforcement climate is not theoretical anymore. California’s attorney general secured a $1.55 million settlement against Healthline in 2025 for, among other things, failing to honor opt-out requests and maintaining an ineffective cookie banner. The California Privacy Protection Agency fined Honda $632,500 for making it difficult for consumers to opt out, hit Tractor Supply Company with a $1.35 million settlement, then broke that record in February 2026 with a $2.75 million settlement against a streaming company for opt-out failures. Texas secured a settlement of over $1 billion against a major technology company under its Data Privacy and Security Act. Connecticut’s attorney general settled with an online ticket provider for $85,000 under the CTDPA. Reported fines and penalties against US-based companies reached an estimated $1.4 billion in 2025 alone.

Notice the pattern in those enforcement actions: cookie banners and opt-out mechanisms. Regulators aren’t chasing exotic data breaches. They’re testing whether the consent banner on your homepage actually does what it claims. A banner that displays but doesn’t block tags, or an opt-out link that doesn’t work, is the low-hanging fruit of privacy enforcement.

There’s a second cost that never shows up in a settlement press release: broken data. A poorly implemented consent system silently destroys your analytics and advertising performance. Conversion tracking falls apart, GA4 fills with gaps, remarketing audiences shrink, and customer acquisition costs climb because ad platforms lose the signals they optimize against. The goal is to comply with the law and preserve the data your business runs on. Both are achievable at the same time, and neither requires an expensive platform.

The Compliance Landscape

Before touching any technology, you need a working map of the laws in play. The US and EU take fundamentally opposite approaches to consent, and within the US the rules now vary meaningfully from state to state. Here’s the landscape as it stands in 2026, and where it’s headed.

California: CCPA & CPRA

California remains the most consequential US privacy jurisdiction, both because of its market size and because it enforces. The California Consumer Privacy Act (CCPA), as amended by the CPRA, applies to for-profit businesses that do business in California and meet at least one of these thresholds: over $25 million in annual gross revenue, buying/selling/sharing the personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenue from selling or sharing personal information.

California follows an opt-out model. You can generally collect and process data by default, but consumers have the right to opt out of the “sale” or “sharing” of their personal information, and “sharing” is defined broadly enough to cover cross-context behavioral advertising, which is exactly what most marketing pixels do. Practically speaking, if you run Meta Pixel, Google Ads remarketing, or LinkedIn Insight on your site, you’re “sharing” under the CPRA and need a functioning opt-out mechanism.

Two California-specific requirements trip up a lot of implementations:

  1. Global Privacy Control (GPC). California requires businesses to honor the GPC browser signal as a valid opt-out request. If a visitor’s browser broadcasts GPC, your site must treat it as an opt-out automatically, no banner interaction required.
  2. New 2026 regulations. CCPA regulations covering automated decision-making technology, mandatory risk assessments, and cybersecurity audits became applicable January 1, 2026. The Delete Act’s DROP platform also launched, letting California residents file a single deletion request against hundreds of data brokers at once.

The Rest of the US: A 19-State Patchwork

There is still no comprehensive federal privacy law. Efforts like the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA) stalled in Congress, so the states have filled the vacuum. As of January 1, 2026, when Indiana, Kentucky, and Rhode Island’s laws took effect, nineteen states have comprehensive consumer privacy laws in force: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia (Florida’s law is narrower in scope than the others). Combined, these laws cover more than half of the US population.

Most follow the Virginia template: they apply to businesses that control or process the personal data of at least 100,000 state residents annually, or 25,000 residents if more than 50% of revenue comes from selling personal data. But the thresholds vary in ways that matter:

All of these are opt-out regimes for standard tracking, with opt-in consent typically required for sensitive data categories (health, biometrics, precise geolocation, children’s data). A growing bloc, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, Oregon, and Texas, also requires businesses to honor universal opt-out mechanisms (UOOMs) like GPC.

Enforcement mechanics matter too. Most states enforce exclusively through the attorney general with civil penalties in the $7,500 to $10,000 per-violation range, and the “cure periods” that gave businesses 30 to 60 days to fix violations before penalties are expiring: Delaware’s ended December 31, 2025, Montana’s expired April 1, 2026, and New Jersey’s expires mid-2026. The grace-period era is closing.

GDPR: The Opt-In Standard

The EU’s General Data Protection Regulation, working alongside the ePrivacy Directive, is fundamentally different from every US law: it’s opt-in. No non-essential cookies or tracking scripts may execute before the visitor gives affirmative, informed, freely given consent. Pre-ticked boxes don’t count. “Continued browsing implies consent” doesn’t count. Cookie walls generally don’t count. The visitor must be able to reject as easily as they accept, and withdraw consent at any time.

GDPR applies to any organization processing the personal data of people in the EU/EEA, regardless of where the business is located. A Massachusetts B2B company with EU traffic and a Meta Pixel firing on page load is in scope. Penalties run up to €20 million or 4% of global annual revenue, whichever is higher, and European data protection authorities have shown repeatedly that they’ll pursue cookie consent violations specifically. France’s CNIL alone has issued hundreds of millions of euros in fines against Google, Amazon, and Meta over cookie consent practices.

If you serve both US and EU visitors, you’re operating two consent models simultaneously: opt-out by default for US traffic, opt-in required for EU traffic. Your consent architecture needs to handle both, which is exactly what the region-aware Consent Mode setup later in this article does.

What’s Coming Next

The trend lines are clear even where the specifics aren’t:

The practical takeaway for a business owner: don’t build for a single law. Build a consent architecture that can express different defaults per region, honor GPC, and adapt as new jurisdictions come online, because they will.

A consent management platform (CMP) is software that sits between your visitors and your tracking stack. At its core, every CMP does four things:

  1. Presents a consent interface, usually a banner or modal, that discloses what tracking occurs and lets visitors accept, reject, or customize by category.
  2. Blocks non-essential scripts and cookies until the visitor’s choice permits them, and clears cookies when consent is withdrawn.
  3. Stores a record of consent: what was consented to, when, and under which version of your disclosure, so you can demonstrate compliance if a regulator asks.
  4. Signals consent state to your tags, typically through integrations with Google Tag Manager, Consent Mode, and the IAB’s TCF framework.

Commercial CMPs (OneTrust, Cookiebot, CookieYes, Usercentrics, and dozens more) layer on cookie scanning, geo-targeted banner rules, hosted consent logs, legal template libraries, and dashboards. That convenience is what you’re paying for. OneTrust starts around $827/month for its Consent & Preference Essentials plan and climbs past $2,275/month with GDPR modules; enterprise customers routinely pay $10,000+ per year. Cookiebot runs $13 to $90/month per domain depending on page count. Even the budget options compound across multiple domains and years.

Do You Actually Need One?

This is a decision only you (and your attorney) can make, but here are the factual inputs that drive it:

Factors that point toward needing consent management of some kind:

Factors that point away:

The separate question: do you need a commercial CMP?

Here’s the distinction that vendors blur: needing consent management is not the same as needing a consent management subscription. What the laws require is functioning consent behavior: proper disclosure, real blocking, honored opt-outs, recorded choices. None of that requires SaaS. It requires a banner that works and tags that respect it. Commercial platforms make sense when you have dozens of domains, need hosted audit-ready consent logs at scale, want automated cookie scanning, or your legal team requires a vendor to point at. For a business running a handful of WordPress sites with a known, finite set of tags in GTM, a self-hosted implementation delivers the same compliance behavior with zero recurring cost, and that’s what the rest of this article builds.

Google Consent Mode is the API through which your consent banner communicates visitor choices to Google’s entire tag ecosystem: GA4, Google Ads, Floodlight, and everything managed through Google Tag Manager.

Google Tag Manager's Consent Mode v2

Version 2, which Google made mandatory in March 2024 for anyone using audience or measurement features with EEA traffic (driven by the EU’s Digital Markets Act), defines four consent signals:

This is the part that makes Consent Mode genuinely valuable as an architecture, not just a Google requirement. Before Consent Mode, consent enforcement meant custom trigger logic scattered across your GTM container: blocking triggers, exception triggers, dataLayer flags, all hand-maintained and all fragile. Consent Mode replaces that with a standardized contract between the banner and the tags.

The compartmentalization works on two levels:

  1. Consent is split into orthogonal categories. Analytics consent and advertising consent are independent signals. A visitor can grant analytics while denying marketing, and every tag responds to exactly the signals relevant to its function. Your banner categories (necessary, analytics, marketing) map cleanly onto the four parameters.
  2. Enforcement moves into GTM itself. Every tag in a GTM container carries a consent configuration. Google’s own tags have built-in consent checks: GA4 automatically respects analytics_storage, Google Ads tags automatically respect ad_storage, ad_user_data, and ad_personalization. You don’t wire anything. For non-Google tags (Meta Pixel, LinkedIn Insight, TikTok), you set additional consent checks in each tag’s Advanced Settings > Consent Settings, declaring which signals must be granted before the tag fires.

The result is a clean separation of responsibilities. Developers own the consent code on the site. Marketers own tags in GTM, and adding a new pixel means one extra step: setting its consent requirements. Legal can open the container and see exactly which tags fall under which consent category. Nobody maintains custom blocking logic, and nothing breaks when a new tag is added, provided the consent settings step is treated as mandatory.

The Benefits of Following It as a Standard

I’ve covered the full GTM-side implementation, including tag-by-tag consent classifications and what happens second-by-second when an EU visitor opts in late, in my earlier article, Consent Mode for Google Tag Manager. What follows focuses on the banner side of the equation.

CookieConsent v3: The Self-Hosted Banner

CookieConsent (vanilla-cookieconsent) by Orest Bida is an open-source consent banner written in plain JavaScript. MIT licensed, zero dependencies, roughly 5,500 GitHub stars, and actively maintained. No signup, no subscription, no page view limits, no third-party servers involved. You host the JS and CSS yourself (or serve it from a CDN), and you own the entire implementation.

Feature-for-feature, it covers what the paid platforms charge for on the consent-collection side: customizable banner and modal layouts, granular category management, per-service toggles within categories, multi-language support, preference persistence, automatic clearing of cookies when consent is revoked, and accessibility (a11y) compliance out of the box. You can try every layout and configuration option in the official playground, which generates the config code for you.

What it deliberately doesn’t do is host consent logs on someone else’s servers or scan your site for cookies. Consent records live in the visitor’s browser (in the cc_cookie cookie, 182-day expiration by default), and you’re responsible for knowing what tags run on your own site, which, frankly, you should be anyway.

Worth mentioning: Osano, one of the commercial CMP vendors, also maintains a free open-source cookie banner (3,600+ GitHub stars) that’s been around since the early EU cookie law days. It’s a lightweight, well-known option and a legitimate starting point for a basic notice banner. The reason it’s not the recommendation here is architectural: it’s a simpler notice-and-dismiss style banner without the granular category model (necessary/analytics/marketing) or the callback structure that maps cleanly onto Consent Mode v2’s four signals, so wiring it into GTM consent means writing that bridge logic yourself. Orest Bida’s library gives you those categories and callbacks natively, which is exactly what the integration below relies on.

CookieConsent’s category model maps directly onto Google’s consent parameters:

CookieConsent category Consent Mode v2 signals
necessary (read-only, always on) none — exempt from consent
analytics analytics_storage
marketing ad_storage, ad_user_data, ad_personalization

The integration has three moving parts, executed in this order:

1. Consent Mode Defaults (Before GTM Loads)

In the document <head>, before the GTM container script, set the default consent state. Deny everything globally, then grant by default for US visitors, matching the opt-in vs. opt-out split between GDPR and US state law:

window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

gtag("consent", "default", {
  ad_storage: "denied",
  analytics_storage: "denied",
  ad_user_data: "denied",
  ad_personalization: "denied",
  wait_for_update: 500
});

gtag("consent", "default", {
  ad_storage: "granted",
  analytics_storage: "granted",
  ad_user_data: "granted",
  ad_personalization: "granted",
  region: ['US']
});

wait_for_update: 500 tells Google tags to hold for 500ms so CookieConsent can read a returning visitor’s saved preferences and push an update before tags execute. The region array accepts ISO 3166-2 codes, so you can get as granular as ['US-CA'] if you want California-specific defaults. Ordering matters: if these defaults load after GTM, tags behave as if Consent Mode doesn’t exist.

2. The Banner and the Consent Bridge

Load CookieConsent’s CSS and UMD bundle, then run it with categories that mirror your GTM consent structure. The bridge between the banner and Google is a single handler that translates the visitor’s category choices into a gtag("consent", "update") call, wired to both the onConsent callback (fires on load when a choice exists) and onChange (fires when the visitor updates preferences):

/**
 * ConsentGTM
 *
 * Bridges CookieConsent category choices to Google
 * Consent Mode v2 and honors GPC signals.
 */
class ConsentGTM {
  constructor() {
    this.gpc();
    this.banner();
  }

  gpc() {
    if (navigator.globalPrivacyControl === true) {
      gtag("consent", "update", {
        ad_storage: "denied",
        ad_user_data: "denied",
        ad_personalization: "denied",
      });
    }
  }

  consent({ cookie }) {
    const analytics = cookie.categories.includes("analytics");
    const marketing = cookie.categories.includes("marketing");

    gtag("consent", "update", {
      analytics_storage: analytics ? "granted" : "denied",
      ad_storage: marketing ? "granted" : "denied",
      ad_user_data: marketing ? "granted" : "denied",
      ad_personalization: marketing ? "granted" : "denied",
    });
  }

  banner() {
    if (!window.CookieConsent) return;
    window.CookieConsent.run({
      categories: {
        necessary: { enabled: true, readOnly: true },
        analytics: {},
        marketing: {},
      },
      onConsent: (data) => this.consent(data),
      onChange: (data) => this.consent(data),
    });
  }
}

The GPC check satisfies California’s requirement to honor universal opt-out signals: visitors broadcasting GPC get advertising consent denied automatically, even in regions where the default is granted. Banner text, layouts, and translations are all configured in the same run() call; the playground will generate that block for you.

3. Consent Checks on Every GTM Tag

The final piece lives in GTM. Google’s own tags already enforce the right signals through built-in consent checks. For every non-Google tag, open Advanced Settings > Consent Settings and require the appropriate signals: analytics_storage for analytics tools, ad_storage + ad_user_data + ad_personalization for advertising pixels. When in doubt, classify a tag as marketing; requiring consent unnecessarily costs some data, while firing a pixel without consent is what shows up in AG settlements. Make consent configuration a mandatory step of tag creation, no exceptions.

With those three pieces in place, the behavior is exactly what commercial CMPs sell: EU visitors see a compliant opt-in banner with nothing firing until they consent (while Google models what it can from cookieless pings), US visitors get tracked by default with a working opt-out and automatic GPC handling, returning visitors’ preferences are applied within the 500ms wait_for_update window with zero data loss, and revoking consent clears cookies and flips every relevant tag to denied.

Conclusion

The privacy landscape in 2026 is genuinely demanding: nineteen state laws with divergent thresholds, GDPR’s opt-in regime for any EU traffic, GPC mandates, expiring cure periods, and attorneys general who have moved from warnings to seven-figure settlements aimed squarely at broken cookie banners and opt-out flows. That’s the part you can’t shortcut, and it’s worth a conversation with a privacy attorney to understand which of these laws actually apply to your business.

The technology, though, is the part the industry has oversold. A compliant consent system needs a banner that discloses and blocks honestly, a standardized way to signal choices to your tags, and enforcement on every tag in your container. Google Consent Mode v2 provides the signaling standard and compartmentalizes consent enforcement inside GTM itself, while recovering 15-25% of conversions through modeling that hard-blocking setups lose outright. CookieConsent v3 provides the banner: open-source, self-hosted, accessible, and mapping cleanly onto Consent Mode’s four signals through a bridge that’s about thirty lines of JavaScript.

Together they replace an $800-to-$2,000+/month CMP subscription for the common case of a business running a known set of tags through GTM. You own the code, you control the behavior, and there’s no third-party dependency that can change its pricing or go down. Evaluate whether your scale and legal requirements genuinely demand a commercial platform, and if they don’t, this architecture has been running in production across multiple jurisdictions and holds up.

I’ve implemented dozens of successful, compliant self-hosted consent management systems built on Consent Mode v2, covering GDPR opt-in requirements, CCPA/CPRA opt-out flows, and automatic GPC handling. These implementations run in production for enterprise WordPress sites, B2B SaaS companies, and marketing teams that needed to satisfy legal review without signing up for another five-figure SaaS contract — and without losing the analytics and conversion data their businesses depend on.

If you’re staring down a consent compliance project, an audit finding, or a broken banner that legal flagged, I can help. That includes auditing your existing GTM container tag-by-tag, architecting the region-aware consent defaults, wiring CookieConsent into Consent Mode v2, and validating that every pixel actually respects the choices your visitors make. Get in touch and tell me what you’re working with.

References