Most websites greet you with a cookie consent banner before you’ve even had a chance to read the first paragraph. It’s become a bit of a reflex … we click “Accept All”, close the modal, and carry on without a second thought. But, really, the banner has just become a legal checkbox, rather than a meaningful moment of informed consent.
So, then, I’ve been trying a different approach on both fascination.works and headius.com: don’t ask for consent until there’s actually something to consent to.
The problem with cookie banners
Cookie banners exist because third-party services – Google Analytics, embedded YouTube videos, social media widgets, contact forms hosted by Google – drop cookies and tracking pixels the moment a page loads. The GDPR (and similar regulations) rightly say you need consent before that happens. So the industry’s answer was to shove a banner in front of everything and ask permission upfront, before the visitor has any context about why those cookies exist or whether they’ll even encounter the features that need them.
The result is that most people either blindly accept (defeating the purpose) or refuse everything (and then wonder why the contact form doesn’t work). Neither outcome is great.
Consent at the point of use
The idea is straightforward: if a visitor never interacts with a third-party feature, they never get asked about it. No banner. No modal. No dark pattern “Reject” button that’s mysteriously harder to find than “Accept All”.
On fascination.works, I’ve applied this to the newsletter signup form. The form uses Google reCAPTCHA to keep spam out, which means Google’s scripts and cookies come along for the ride. But instead of loading reCAPTCHA on every page, the form shows a notice explaining that signing up will load content from Google, with a link to Google’s privacy policy, and a button to proceed. Only when you click that button does the reCAPTCHA script actually load. If you never visit the newsletter section, Google never knows you were here.
On headius.com, I’ve taken this further with a reusable consent component. The site has embedded YouTube videos (conference talks, mostly) and a Google Forms contact form. Each embed shows a placeholder – a play button for videos, a form icon for the contact form – with a tooltip that says something like “Clicking play will load content from YouTube and set cookies.” Click it, and the iframe loads. Don’t click it, and YouTube has no idea you exist. The consent is stored per-provider in localStorage, so once you’ve said yes to YouTube, all the video embeds work without asking again.
Possibly overkill, but I also used youtube-nocookie.com for the embeds, which is YouTube’s enhanced privacy mode. It’s not perfect, since YouTube still sets cookies once you play a video, but it avoids the tracking that regular youtube.com embeds perform just from the iframe being present on the page.
Workarounds matter
The other piece of this – and I think it’s often overlooked – is providing alternatives. If someone doesn’t want to load Google Forms, they should still be able to reach Headius. So the contact page has a plain mailto: link right alongside the embedded form. Email me directly. No cookies, no tracking, no third party involved.
For videos, there’s a direct link to watch on YouTube. It’s less private in the sense that you’re now on YouTube’s site, but at least YouTube isn’t dropping cookies on my site while you’re trying to read about something else entirely. The tracking stays contained to the platform you’ve chosen to visit.
How it works, technically
The implementation is simpler than you might expect. On fascination.works, it’s a bit of inline JavaScript that checks localStorage for a consent flag before loading the reCAPTCHA script. On headius.com, there’s a Bridgetown component (ConsentEmbed) that wraps any third-party iframe. It’s not exactly rocket science – it just takes a provider name and an embed URL and holds everything back until the user explicitly asks for it.
The reason this works is that localStorage isn’t a cookie. It doesn’t get sent to the server with every request; it’s just client-side state that remembers “this person said yes to YouTube” so they don’t have to click through the placeholder every time they visit a page with a video on it. There’s no fancy consent management platform (which would be deliciously ironic, wouldn’t it?) – just a bit of state that stays on your device.
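To make the mechanism concrete, here is an added example of a consent-at-point-of-use loader. It is not the ConsentEmbed component from headius.com or the inline script from fascination.works; it is illustrative code written for this page. Every embed starts as a placeholder with the notice, a privacy policy link, a load button and the no-third-party alternative (a direct YouTube link, or a mailto: link for the form). The iframe is only created after the click, and the decision is remembered per provider. The storage key prefix, the data-attribute names, the mailto: address and the provider table are all assumptions of this example; the storage interface is a plain getItem/setItem object so the same logic runs against localStorage in a browser or an in-memory fallback when storage is unavailable.

```javascript
// Added example, not the code of the sites discussed in the post.
// Consent-gated third-party embeds with per-provider state in localStorage.

const STORAGE_PREFIX = 'embed-consent:'; // assumed key naming

// Provider table (assumed shape). YouTube uses the youtube-nocookie.com host
// the post mentions; the direct links are the "workaround" for each provider.
const PROVIDERS = {
  youtube: {
    label: 'YouTube',
    policy: 'https://policies.google.com/privacy',
    action: 'Clicking play',
    embedUrl: (id) => `https://www.youtube-nocookie.com/embed/${encodeURIComponent(id)}`,
    directUrl: (id) => `https://www.youtube.com/watch?v=${encodeURIComponent(id)}`,
    directText: 'Watch on YouTube instead',
  },
  googleforms: {
    label: 'Google Forms',
    policy: 'https://policies.google.com/privacy',
    action: 'Opening the form',
    embedUrl: (id) => `https://docs.google.com/forms/d/e/${encodeURIComponent(id)}/viewform?embedded=true`,
    directUrl: () => 'mailto:contact@example.com', // constructed address
    directText: 'Email me directly instead',
  },
};

// In-memory stand-in with the same interface as localStorage.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Use localStorage when it exists and is usable; otherwise fall back to
// memory, so a blocked storage API degrades to "ask every time" rather than
// breaking the page.
function defaultStorage() {
  try {
    if (typeof localStorage !== 'undefined') {
      localStorage.getItem(STORAGE_PREFIX);
      return localStorage;
    }
  } catch (e) { /* storage disabled: fall through */ }
  return memoryStorage();
}

function consentKey(provider) { return STORAGE_PREFIX + provider; }
function hasConsent(provider, storage = defaultStorage()) {
  return storage.getItem(consentKey(provider)) === 'granted';
}
function grantConsent(provider, storage = defaultStorage()) {
  storage.setItem(consentKey(provider), 'granted');
}
function revokeConsent(provider, storage = defaultStorage()) {
  storage.removeItem(consentKey(provider));
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function providerOrThrow(provider) {
  const p = PROVIDERS[provider];
  if (!p) throw new Error(`unknown provider: ${provider}`);
  return p;
}

// The real embed: only ever produced after consent.
function iframeHtml(provider, id) {
  const p = providerOrThrow(provider);
  return `<iframe src="${p.embedUrl(id)}" loading="lazy" allowfullscreen></iframe>`;
}

// The placeholder: notice, policy link, load button and the direct alternative.
function placeholderHtml(provider, id) {
  const p = providerOrThrow(provider);
  return [
    `<div class="consent-placeholder" data-provider="${provider}">`,
    `<p>${p.action} will load content from ${escapeHtml(p.label)} and set cookies. `,
    `<a href="${p.policy}" rel="noopener">Privacy policy</a></p>`,
    `<button type="button" data-consent-load>Load ${escapeHtml(p.label)} content</button> `,
    `<a href="${p.directUrl(id)}" rel="noopener">${escapeHtml(p.directText)}</a>`,
    `</div>`,
  ].join('');
}

function renderEmbed(provider, id, storage = defaultStorage()) {
  return hasConsent(provider, storage) ? iframeHtml(provider, id) : placeholderHtml(provider, id);
}

// Browser wiring for <div data-consent-provider="youtube" data-consent-id="VIDEO_ID"></div>.
// A click grants consent for the provider and re-renders every embed of that
// provider on the page, so the visitor is asked once, not once per video.
function mountEmbed(container, storage = defaultStorage()) {
  const provider = container.dataset.consentProvider;
  const id = container.dataset.consentId;
  container.innerHTML = renderEmbed(provider, id, storage);
  const button = container.querySelector('[data-consent-load]');
  if (button) {
    button.addEventListener('click', () => {
      grantConsent(provider, storage);
      document.querySelectorAll(`[data-consent-provider="${provider}"]`)
        .forEach((el) => mountEmbed(el, storage));
    });
  }
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    document.querySelectorAll('[data-consent-provider]').forEach((el) => mountEmbed(el));
  });
}
```

Two details worth noting. The placeholder is built entirely from first-party markup, so nothing touches a third-party host until grantConsent has run; and consent is keyed by provider, so saying yes to YouTube does nothing for the form embed. Revocation is a removeItem on the same key, which is the only "preference centre" this approach needs.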
Self-hosted fonts
Another thing that’s commonly overlooked is your fonts. Google Fonts and other providers can collect telemetry from the fonts you load on your site via their CDN. So you should host the fonts yourself; in fact, this has become the general recommendation anyway, not just for reasons of privacy, since under the right conditions self-hosting also has performance advantages. The same applies to other assets loaded from CDNs.
The reality for small businesses
It’s seriously difficult for a small business to avoid third parties entirely. I could build my own contact form backend, run my own analytics, host my own video content. But I’m one person running a consultancy, and there are only so many hours in the day. Google Forms[1] gives me a working contact form in minutes. YouTube hosts conference talks that I want to share. reCAPTCHA keeps bots from flooding my newsletter signup. And for small business owners who aren’t also software engineers with three decades of experience in web development, it’s even more difficult.
Is this perfect?
The Mastodon comments on this blog load from CDNs without explicit consent, though they don’t set cookies or track visitors. And there’s a philosophical question about whether localStorage itself constitutes “storage” that requires consent under the ePrivacy Directive. The legal consensus seems to be that strictly necessary storage doesn’t, but consent preferences are a grey area.
But it’s better. It’s better than a banner that nobody reads. It’s better than loading tracking scripts on every page and asking forgiveness. And it respects the visitor enough to give them context at the moment it actually matters – when they’re about to interact with something that involves a third party – rather than when they’re just trying to read a blog post.
[1] Note: Since this post was authored, we have removed the Google Form from headius.com entirely.