Cookie Consent — Your Options

Every website that uses analytics, advertising pixels, or personalization needs a cookie consent banner. GDPR requires it in Europe. CCPA requires disclosure in California. And as of March 2024, Google requires Consent Mode v2 for any site running Google Ads or GA4 in the EEA.

The question isn’t whether you need one — it’s which one to use.

I’ve spent time evaluating the options and recently set up a fully self-hosted solution for this site. Here’s what I found.

The three approaches

1. Self-hosted open source

You download the library, host the files on your own server, and configure it yourself. No external dependencies, no monthly fees, no third-party scripts loading on your site.

Best for: Developers and technically minded marketers who want full control, maximum performance, and zero ongoing cost.

2. Managed SaaS platforms

A third-party service hosts the banner, scans your site for cookies, and provides a dashboard for configuration. You add a script tag and they handle the rest.

Best for: Teams that want a turnkey solution, automatic cookie scanning, and compliance reporting without touching code.

3. Tag manager plugins

Some consent management is built into or tightly integrated with tag management platforms like Google Tag Manager. You configure consent rules alongside your tags.

Best for: Sites already heavily invested in GTM that want everything in one place.

Open-source options (free, self-hosted)

GitHub — MIT License

This is what I use on this site. It wraps the popular orestbida/cookieconsent library and adds:

  • Google Consent Mode v2 support out of the box
  • Storage categories aligned with Google’s standard (analytics, ad, personalization, functionality, security)
  • 20+ built-in translations
  • Optional GTM template if you want to manage it through Tag Manager
  • Self-hosting friendly — just copy the /dist folder to your server

The total footprint is about 102 KB (83 KB JS + 19 KB CSS). No external requests after the initial page load.

Configuration is done in JavaScript — you define which storage types to show, their default state, and what event triggers to fire when consent is granted. The library handles the gtag('consent', 'update', ...) calls automatically.

I wrote a complete setup guide: Self-Hosted Cookie Consent Guide

Pros:

  • Free, MIT licensed
  • Self-hosted — no CDN dependency
  • Google Consent Mode v2 built in
  • Lightweight (~100 KB total)
  • GTM integration available

Cons:

  • No automatic cookie scanning — you need to know what cookies your site sets
  • No compliance dashboard or audit trail
  • Configuration requires basic JavaScript knowledge

orestbida/cookieconsent

GitHub — MIT License

The underlying library that 68publishers wraps. If you don’t need Google Consent Mode integration and just want a clean, accessible consent modal, this is the most popular open-source option.

  • WCAG 2 accessible
  • Highly customizable layout and theming
  • No dependencies
  • ~40 KB total

Pros:

  • Even smaller than the 68publishers wrapper
  • Very mature, well-documented
  • Supports cookie auto-clearing

Cons:

  • No built-in Google Consent Mode support (you’d wire it up manually)
  • No GTM template

The original “cookie consent” JavaScript library. Still widely used but has been largely superseded by orestbida’s version in terms of features and active development.

Managed SaaS platforms (paid)

Cookiebot (by Usercentrics)

One of the most established consent management platforms. Used by 1.5M+ websites.

  • Automatic cookie scanning and categorization
  • Google Consent Mode v2 certified
  • IAB TCF 2.2 support
  • Compliance reports and audit logs

Pricing: Free for up to 1 page. Paid plans start around $14/month for small sites, scaling up based on page count and features.

Pros:

  • Automatic cookie detection and categorization — you don’t need to manually list cookies
  • Compliance documentation for audits
  • Google CMP partner

Cons:

  • External script dependency (~200-400 KB)
  • Monthly cost
  • Cookie scanning can sometimes miscategorize cookies

OneTrust

Enterprise-grade consent management used by many Fortune 500 companies.

  • Full privacy program management (not just cookie consent)
  • Cookie scanning and classification
  • Consent receipts and audit trails
  • Multi-language, multi-regulation support

Pricing: Starts around $50/month for small businesses. Enterprise pricing is custom.

Pros:

  • Comprehensive compliance suite
  • Handles GDPR, CCPA, LGPD, and more
  • Advanced features like preference centers and data subject requests

Cons:

  • Expensive for small sites
  • Heavy — can add 500 KB+ to page weight
  • Complex setup for simple sites

Iubenda

Privacy compliance suite focused on ease of use.

  • Cookie consent banner with auto-scanning
  • Privacy policy and terms generator
  • Google Consent Mode support

Pricing: Free tier available. Pro starts at ~$29/year.

Pros:

  • Good value for money
  • Privacy policy generator included
  • Lighter than OneTrust

Cons:

  • Auto-scanning isn’t always accurate
  • Limited customization on lower tiers

CookieYes

Popular mid-market option with a strong free tier.

  • Free for up to 100 pages
  • Automatic cookie scanning
  • Google Consent Mode support
  • WordPress plugin available

Pricing: Free tier covers small sites. Pro from ~$10/month.

Pros:

  • Generous free tier
  • Easy setup
  • Good WordPress integration

Cons:

  • External dependency
  • Free tier has CookieYes branding

What I chose and why

I went with 68publishers/cookie-consent, self-hosted. Here’s my reasoning:

  1. Performance — The banner loads from my own server. No DNS lookups to external CDNs, no third-party script blocking the page. For a static site built with Astro, this matters.

  2. Privacy consistency — It would be ironic to load a third-party script to ask users about third-party scripts. Self-hosting means the consent check itself doesn’t create a privacy issue.

  3. Cost — Free. Forever. MIT license.

  4. Google Consent Mode v2 — The 68publishers wrapper handles this automatically. When a user grants analytics consent, the analytics_storage signal updates and GA4 starts collecting. No manual wiring needed.

  5. I know what cookies my site uses — I built it. I don’t need a scanner to tell me that GA4 sets _ga and _ga_* cookies. For sites where you control the tech stack, automatic scanning is overhead you don’t need.

The trade-off is that I don’t get automatic cookie scanning or compliance audit trails. For a personal site and blog, that’s fine. For an enterprise site handling EU customer data at scale, a managed solution like Cookiebot or OneTrust might be worth the cost.

Quick decision guide

Use self-hosted open source if:

  • You’re a developer or have one on the team
  • Performance matters (static sites, Core Web Vitals)
  • You know exactly what tracking you’ve implemented
  • You want zero ongoing cost

Use a managed SaaS if:

  • You need automatic cookie scanning
  • You need compliance documentation for legal/audit purposes
  • You don’t have developer resources for setup and maintenance
  • You’re running a large site with many third-party integrations

If you want to set up the self-hosted approach, I’ve written a complete guide: Self-Hosted Cookie Consent — Setup Guide. It covers installation, configuration, Google Consent Mode v2, and custom styling.

Built by Jesper Astrom & Claude Code (Opus 4.6)