Cookie Consent Management in 2026, Part 1: Overview

By Jason Grigsby

Published on March 18th, 2026

I’ve noticed a trend. Over the last few months, multiple customers have asked us to help with cookie consent compliance. Either it is a mighty coincidence or something has caused companies to start taking privacy compliance more seriously.

I think the renewed interest is because ambitious lawyers have started sending threatening letters to companies that aren’t in compliance with the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) provisions. I know of at least one company with over $100k in related legal fees.

Last month, California won a $2.75M settlement with Disney over CCPA violations. CCPA fines can add up quickly. They start at $2,663 per incident. The fine increases to $7,988 per incident for willful violations or violations involving people under 16.

It’s not limited to CCPA and GDPR. Enterprising lawyers have dusted off the 1967 California Invasion of Privacy Act (CIPA) and applied it to web technology. The law firm Varnum explains:

Plaintiffs’ attorneys are using CIPA to challenge common website technologies, including cookies, analytics tools, session replay software, and chat features. Many companies are caught off guard when they receive a demand letter alleging unlawful website tracking, followed by the threat of litigation.

Thousands of CIPA website tracking claims have been asserted, and filings continue to rise.

So it’s not surprising that companies are trying to get their cookie house in order. I may be a glutton for punishment, but I’ve enjoyed working on these cookie consent projects, and thought I’d share some of the things I’ve learned. In part one, I’ll share some high-level thoughts. In part 2, I’ll dig into some technical details.

When an organization implements cookie consent management for the first time, the impact on their analytics and marketing initiatives can be dramatic. If people can opt out of being tracked, a significant percentage will choose to do so. If your marketing relies on tracking, it will suffer.

I know of an organization that backtracked on cookie compliance because of the impact on marketing. Doing so creates legal exposure, but it’s understandable how a company that sees their sales drop might panic.

So my first piece of advice is to talk to marketing ahead of time to understand what tools are being used. Determine which are most likely to be impacted by cookie banners, and see what you can do to mitigate them. Sign up now for a GDPR-compliant, cookie-less analytics service like Plausible or Umami so you have a baseline of analytics information. You can use these services to track trends before and after you implement a consent banner.

Unfortunately, in a lot of situations, there isn’t much you can do to alleviate the data loss. If someone doesn’t want to be tracked and your marketing tools depend on tracking data, then the tools are going to be less effective. But helping your marketing colleagues anticipate where cookie consent will impact them will not only help mitigate data loss, but it will also prepare the team for their new reality.

I’m not a lawyer. If you’re reading this, you’re probably not either. You need knowledgeable legal counsel to help you decide how cookies should be categorized. Only a lawyer can help an organization make sure they are in compliance and understand the risks of various choices.

Plus, if you’re the person leading the privacy charge, then people are going to resist you. Instead, if a lawyer tells your organization what they need to do, then you don’t have to argue with co-workers about whether their favorite service’s cookies should be defined as essential or not. You get to be the hero helping the organization while the lawyer plays the bad cop.

I find cookie consent banners annoying. As a user, I didn’t care what solution a website used so long as I could dismiss it quickly.

But after working with a few different cookie consent solutions for our clients, I now have a list of features I consider critical:

  • GDPR compliant: You may only care about CCPA right now, but CCPA is evolving towards GDPR. In fact, even though one of our clients is based in California and doesn’t sell in Europe, their lawyers advised them to use a GDPR-style cookie consent banner where you can select specific categories of cookies instead of a CCPA-compliant one where you either accept or reject cookies.
  • Regular scanning of your site: What cookies are being used on your site may change over time without you knowing about it either because a new third-party service is added to the site or an existing one adds a new cookie. You need regular scans to tell you if a cookie has been discovered so you can categorize it.
  • Identifies local storage, session storage, and IndexedDB in addition to cookies: Even though everyone talks about cookies, the privacy laws don’t care what technical mechanism is used to track people. You need a tool that looks at all of the ways people can be tracked.
  • Intuitive web-based reports: We’ve worked with one cookie consent manager where account managers send periodic spreadsheets that appear to be manually generated. By contrast, my favorite provider has an easy-to-use web report that shows what cookies their scans have discovered and how to take action on them.
  • A solution that is lightweight and fast: Cookie consent banners have to load early on the page and block other scripts. Therefore, any performance issues they have are magnified.
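
To make the scanning and storage points above concrete, here is a small added example (not from the author or any consent vendor) that lists what page script can see across cookies, local storage, session storage and IndexedDB, then flags anything not yet categorized. The CATEGORIZED list and all key names are constructed sample data.

```javascript
// Added example. CATEGORIZED is constructed sample data, not a real site's list.
const CATEGORIZED = {
  cookie: { session_id: "necessary", _ga: "analytics" },
  localStorage: { theme: "functional" },
};

// List every storage key visible to page script. `env` defaults to the
// browser globals; pass a stand-in object to run it outside a browser.
async function inventoryStorage(env = globalThis) {
  const items = [];
  // document.cookie looks like "a=1; b=2" and omits HttpOnly cookies.
  const cookieStr = (env.document && env.document.cookie) || "";
  for (const pair of cookieStr.split(";")) {
    const name = pair.split("=")[0].trim();
    if (name) items.push({ type: "cookie", name });
  }
  for (const type of ["localStorage", "sessionStorage"]) {
    const store = env[type];
    if (!store) continue;
    for (let i = 0; i < store.length; i++) {
      items.push({ type, name: store.key(i) });
    }
  }
  // indexedDB.databases() is missing in some browsers, so feature-test it.
  if (env.indexedDB && typeof env.indexedDB.databases === "function") {
    for (const db of await env.indexedDB.databases()) {
      items.push({ type: "indexedDB", name: db.name });
    }
  }
  return items;
}

// Items that nobody has assigned a consent category to yet.
function findUncategorized(items, categorized = CATEGORIZED) {
  return items.filter(
    ({ type, name }) => !Object.hasOwn(categorized[type] || {}, name)
  );
}
```

Page script cannot see HttpOnly cookies or storage belonging to other origins' iframes, so a check like this complements a vendor's scan rather than replacing it.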

On that last point, I asked the web performance Slack community if anyone had recommendations for a performant cookie solution. The kind folks at RUMVision shared data from across their customer base:

Low impact cookie consent managers include: CookieLaw.org, CookieYes.com, OneTrust.com, Cookiecode.nl, Usercentrics.eu, and PrivacyManager.io.

Because I have a performance hammer and everything is a nail, I started my explorations with CookieYes. (That’s an affiliate link. If you sign up, we get a tiny kickback.) It is almost twice as fast as the nearest competitor in the RUMVision data.

I’ve been quite happy with CookieYes. It is reasonably priced. The administrative dashboard is easy to work with. The scans surface cookies we need to address. Most importantly, their support has been fast and knowledgeable.

Complying with privacy laws requires some form of ongoing vigilance. Unless you use no third-party services at all, the cookies being used on your site may change without your knowledge. Therefore, you need regular scans and people who are responsible for addressing any new issues that arise.

In larger organizations, you have to keep an eye out for other teams creating new websites. These websites need to be integrated with your main cookie consent solution. If someone opts out on one of your websites, their decision should carry over to others. This may require all company websites to use subdomains so cookie consent decisions can be more easily shared between them.

The privacy laws themselves change. As of January this year, CCPA not only requires websites to honor a user’s Global Privacy Control (GPC) setting, but also to explicitly notify them that it has been honored.
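
The last two points, sharing a consent decision across subdomains and honoring GPC, can be sketched server-side as follows. This is an added example, not the author's or a vendor's code: browsers that enable GPC send the `Sec-GPC: 1` request header, while the category names, the `consent` cookie and its format, the notice wording, the domain `example.com` and the choice of which categories GPC switches off are all assumptions to settle with counsel.

```javascript
// Added example. Category names, the "consent" cookie, its value format,
// the notice text and the domain "example.com" are assumptions.
const OPTIONAL = ["functional", "analytics", "advertising"];
const GPC_BLOCKS = ["analytics", "advertising"]; // assumed mapping; confirm with counsel

// Parse a stored value such as "functional=1&analytics=0" into booleans.
// Missing or malformed categories default to false (no consent).
function parseConsent(value = "") {
  const params = new URLSearchParams(value);
  const out = { necessary: true };
  for (const c of OPTIONAL) out[c] = params.get(c) === "1";
  return out;
}

// Combine the stored choice with the request's Sec-GPC header.
// `headers` uses lower-case names, as Node's http module provides them.
function resolveConsent(headers, cookieValue, parentDomain = "example.com") {
  const consent = parseConsent(cookieValue);
  const gpc = headers["sec-gpc"] === "1";
  // The browser signal overrides an earlier opt-in for the blocked categories.
  if (gpc) for (const c of GPC_BLOCKS) consent[c] = false;
  const value = OPTIONAL.map((c) => `${c}=${consent[c] ? 1 : 0}`).join("&");
  return {
    consent,
    gpcHonored: gpc,
    // Text to display so the visitor knows the signal was applied.
    notice: gpc ? "Opt-out preference signal honored" : null,
    // Domain= makes the cookie visible to every subdomain of parentDomain,
    // so a choice made on one site carries over to the others.
    setCookie:
      `consent=${value}; Domain=${parentDomain}; Path=/; ` +
      "Max-Age=15552000; Secure; SameSite=Lax",
  };
}
```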

The good news is that while you do need to monitor cookies and privacy laws to make sure you remain in compliance, the ongoing work is minimal once you tackle the initial audit, categorization, and implementation of a cookie consent banner.

In part 2 of this series, I’ll share some technical tips and tricks I learned for identifying the source of cookies.
