Most websites don't need cookie consent banners

Original link: https://block81.com/blog/why-most-websites-dont-actually-need-cookie-consent-banners

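## Cookie consent confusion: do you *really* need that banner?

A recent discussion showed widespread confusion about cookie consent banners. Surprisingly, **most small businesses don't actually *need* them.** The proliferation of these banners stems not from strict legal requirements but from the tracking technologies commonly used on websites.

Cookies themselves are not the problem; essential cookies are required for a site to function. What raises concerns under privacy law is **tracking cookies**, which are used for targeted advertising and data collection. GDPR and similar laws require consent for *data processing* that violates privacy, not merely for the use of cookies.

In the United States, many state laws follow an "opt-out" model, which means a clear privacy policy and a "Do Not Sell" link are usually enough, avoiding the need for prior consent.

The core issue is "surveillance capitalism": websites packed with scripts that monitor user behavior. The solution? **Prioritize privacy.** Use privacy-focused analytics tools (such as Fathom or Plausible), host content locally, and reconsider unnecessary tools such as chatbots.

Choosing privacy has benefits: a better user experience, faster sites, higher conversion rates, and a competitive advantage. Auditing the tools you currently use and adopting a "privacy by design" approach can simplify compliance and build trust with your audience.

**Disclaimer:** This is not legal advice. Consult a privacy law expert for specific guidance.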

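## Hacker News discussion: cookie consent banners - do websites really need them?

A Hacker News discussion centered on whether cookie consent banners are necessary, prompted by a post claiming that most websites don't need them. The debate quickly went deep into the complexities of GDPR and the ePrivacy Directive.

Many commenters argued that current consent banner implementations are flawed, often use "dark patterns," and fail to truly respect user choice. Some pointed out that first-party analytics cookies used for site improvement may *not* require consent under some legal interpretations, though enforcement varies across EU member states.

A key point was the tension between legal compliance and user experience. Several users suggested alternatives such as using HTTP headers for consent or avoiding tracking altogether. Others stressed that many businesses prioritize tracking for marketing and advertising even when that means questionable compliance.

Ultimately, the discussion revealed widespread dissatisfaction with the current state of cookie consent: many consider the banners ineffective, annoying, and often legally questionable, while also acknowledging how hard real compliance is.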
Original article

A recent discussion in the Mastodon tech community highlighted something important: confusion about when websites actually need those annoying cookie consent banners. The reality is that most small business websites don’t need them—at all!

That said, just about every site you visit has a cookie notice that interrupts the user experience and potentially hurts conversion rates. It’s as if the entire web—or at least the web in the US—collectively decided that privacy laws require these pop-ups and banners. The truth is far more nuanced.

Let me break down what’s really going on and why your business website may not even need a cookie consent banner.

What Cookies Actually Do

Let’s clear up what we’re talking about first.

Cookies are small text files that websites store on your browser. They serve different purposes:

Essential cookies handle basic site functionality such as keeping you logged in, remembering things in your shopping cart, or maintaining your session as you navigate between pages. These are necessary for the website to work properly.

Tracking cookies are the problematic ones. These are the creepy ones that follow you around the web, building profiles of your behavior online to serve targeted ads or collect data for third parties. This is what privacy laws are actually concerned about.

The key distinction here is that if you’re not tracking people or sharing their data with third parties, you likely don’t need a cookie banner.

What Laws Actually Say

GDPR and similar privacy laws don’t mandate cookie notices. They do require consent for data processing that violates user privacy. Here’s the breakdown:

You DON’T need consent for:

  • Cookies that are strictly necessary for your website to function
  • First-party cookies used just for your own analytics (in most cases)
  • Session cookies that expire when someone closes their browser

You DO need consent for:

  • Third-party tracking cookies like Google Analytics, Facebook Pixel, and a million other creepy marketing tools
  • Cookies that share user data with other companies
  • Advertising or behavioral tracking cookies

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users' consent before you use any cookies except strictly necessary cookies. 
GDPR.eu

In the United States, the situation is different but often a bit simpler. There’s no federal cookie consent law in the US. Several states, however, have enacted privacy laws that do affect cookie usage, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA).

Most US state privacy laws use a backwards "opt-out" model rather than requiring upfront consent. For CCPA/CPRA compliance without requiring cookie consent banners, you need:

  1. A Privacy Policy page that contains a notice of data collection with categories of personal information collected, purposes for its use, and a description of consumer rights.
  2. A "Do Not Sell or Share My Personal Information" link that must be clearly visible, typically placed in the footer of a website.
  3. Global Privacy Control Support that honors browser-level opt-out signals.

This means that most US businesses can avoid cookie consent banners entirely by focusing on clear disclosure and honoring opt-out requests. (Or you know, you could just not use software that tracks people. 🤷♀️)

The Real Problem: Surveillance Capitalism

In case it hasn’t been clear up to this point, the reason cookie consent banners are seemingly everywhere is not because laws require them. It’s because most websites have become surveillance machines. They’re packed with tracking scripts that monitor every click, scroll, and interaction all in the name of analytics and profit—privacy be damned.

Google Analytics, Facebook pixels, advertising networks, heat mapping tools, chatbots, social media widgets—each one typically drops at least one (usually multiple) tracking cookies that require consent. The solution isn’t better cookie consent banners; it’s questioning whether you need all that tracking in the first place.

Build Websites That Respect User Privacy

It isn’t difficult. Really. Here’s how to create effective websites without the cookie consent overhead:

Use privacy-focused analytics. Tools like Fathom Analytics and Plausible provide the insights you need without invasive tracking. They don’t use cookies, don’t track individuals, and they comply with privacy laws by default.

Host your own content. Instead of embedding videos from YouTube (yes, even I’m guilty of this) or using third-party fonts from Google, host these kinds of assets yourself. Your visitors will thank you for the faster loading times too.

Rethink your tools. Do you really need that chatbot that tracks users across sessions? Could you use a simple contact form instead? Every third-party script is a potential privacy liability.

Keep essential functions local. Shopping carts, user sessions, and form data can all be handled with first-party cookies that don’t require consent.

Privacy as a Competitive Advantage

Beyond checking off a legal compliance checkbox, there are compelling business reasons to avoid unnecessary cookies:

  • Better user experience: No annoying cookie consent pop-ups interrupting the customer journey
  • Faster websites: Fewer third-party scripts mean better performance
  • Higher conversion rates: Visitors can focus on your content instead of cookie choices
  • Competitive advantage: Privacy-conscious consumers increasingly value businesses that respect their data
  • Simplified compliance: No need to maintain complex consent management systems

Getting Started with Privacy-First

The transition to a privacy-first approach doesn’t have to happen overnight. But the sooner you start, the better. Start by auditing what you’re actually using:

  1. Check your analytics. Yes, this is a bit ironic if you’re using Google Analytics. But are you actually using all that detailed behavioral data, or would aggregate statistics serve your needs just as well? If aggregate stats work just as well, give Fathom a go.
  2. Review your plugins and widgets. Each third-party tool should justify its privacy cost with clear business value. Otherwise, ditch it or, if feasible, bring it in-house.
  3. Test without tracking. Try running your website without third-party cookies for a week or two. You might be surprised how little you miss them.
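
A starting point for the audit steps above, as an added example that is not from the original article: a Python script that lists the third-party hosts a page loads resources from and the cookies that outlive the browser session. The markup, the `Set-Cookie` headers and the `shop.example` host are constructed sample input.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser fetch a resource.
FETCHING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

# Constructed sample input: page markup and response headers for shop.example.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//cdn.shop.example/app.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="/img/logo.png">
"""
SAMPLE_SET_COOKIE = ["sid=abc123; Path=/; HttpOnly; Secure",
                     "_ga=GA1.1.1; Max-Age=63072000; Path=/"]


class ResourceCollector(HTMLParser):
    """Collect the hosts of resources a page asks the browser to load."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCHING_ATTRS.get(tag))
        host = urlparse(url).hostname if url else None
        if host:  # relative URLs have no host and are first-party
            self.hosts.add(host.lower())


def third_party_hosts(html, site_host):
    """Hosts that are neither site_host nor one of its subdomains."""
    collector = ResourceCollector()
    collector.feed(html)
    site = site_host.lower()
    return sorted(h for h in collector.hosts
                  if h != site and not h.endswith("." + site))


def persistent_cookies(set_cookie_headers):
    """Names of cookies with Expires or Max-Age, which outlive the session."""
    names = []
    for header in set_cookie_headers:
        jar = SimpleCookie(header)
        names += [n for n, m in jar.items() if m["expires"] or m["max-age"]]
    return names
```

Call `third_party_hosts(SAMPLE_HTML, "shop.example")` and `persistent_cookies(SAMPLE_SET_COOKIE)` to see the findings for the sample page. Static parsing misses resources that scripts inject at runtime, so compare the result with the browser's network panel.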

If you do need a cookie consent banner, I recommend using CookieConsent by Orest Bida. I’ve used it on multiple client sites with much success. It’s lightweight, customizable, and doesn’t require any external dependencies.

That said, cookie consent banners should be the exception, not the rule. The web doesn’t have to be, nor should it be, a surveillance system. By choosing privacy-respecting tools and questioning unnecessary tracking, you can have a website that serves your business goals while treating visitors with respect.

Your customers will appreciate the cleaner experience and you’ll appreciate the simplified compliance. It really is a win-win that makes the web a little bit better for everyone.

Please note: I'm not a lawyer, and this article doesn't constitute legal advice. Privacy laws are complex and vary by jurisdiction. For specific compliance questions related to your business, consult with a qualified attorney who specializes in privacy law.


Ready to build a website that puts user privacy first? At Block 81, we specialize in creating fast, effective websites that work beautifully without invasive tracking. Our privacy-by-design approach means better user experiences and simpler compliance. Let's talk about your project.
